3 Must Apply Security Tips for WordPress

By Daniel Scocco - 1 minute read

Today I was reading through my RSS feeds and I came across a very interesting post from Matt Cutts. Basically he was describing 3 (plus a bonus) tips to secure your WordPress install. I was already using two of them, but the first one was new to me, and looks like it is the most effective one as well.

1. Secure the /wp-admin/ directory

You probably know that most of your WordPress sensitive information is stored in the /wp-admin/ folder. Right out of the box, WordPress leaves that folder open, so people can access these files if they know what they are doing.

Matt suggests to place a .htaccess file inside the /wp-admin/ folder to block the access to all IP addresses, except yours. Here is the code you need to put in the .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx

2. Hide your plugins

Many WordPress plugins come with bugs and vulnerabilities that can be exploited to damage your website. The last thing you want, therefore, is other people being able to know what plugins you are using.

If you visit the folder /wp-content/plugins/ on most blogs, however, you will be able to see all the plugins that are being used. In order to hide that list you just need to create an empty index.html file and drop it there.

3. Keep up with patches and updates

Most bloggers probably carry out this tip already. Just keep your WordPress updated and you should be fine. Matt suggests subscribing to the WordPress Development Blog.

The final bonus tip was just to delete the meta tag that reveals your WordPress version on the header of your site.

Do you know any other security tips that WordPress users should apply?

Update: Browsing on the Internet I also came across a WordPress plugin called Login LockDown. Basically it will track down login attempts to your site, and if there are too many of them coming from the same IP address on a short period of time the plugin will disable the login function for that IP range. Useful to avoid people trying to brute force your password.

Recommended Articles for You

79 Responses to “3 Must Apply Security Tips for WordPress”

  • Keith Davis

    Three things you need to consider when using WordPress… security, security, security.
    Three great tips that could perhaps be explained in a little more detail.

  • matt

    Thank you, I had been googling all the security problems that wordpress had to figure out how to fix it. I love wordpress, but the fact that anyone can hack into my site or edit something scares me, especially if I spend 100’s of hours building up my site.

  • Altis Lo (Beaulife)

    Thanks for the tips and comments. I just thought about the dynamic IP for my broadband… So tips no. 2 and 3 are the easiest to apply.

  • HLBryant

    I tried the htaccess and stumbled into an odd error! I couldn’t use the Plugin automated service that is in the admin of a WP Blog. It told me I had no permission!

    When I deleted it, I was able to install my plugins. 🙂 Just something to look out for? 🙂

  • Bikram


    My IP changes every time i restart my broadband modem. what should i do to prevent hacking on my wordpress install? need help on this issue.


  • Bikram


    My IP changes every time i restart my broadband modem. what should i do to prevent hacking on my wordpress install? need help on this.

  • Mr. I

    Unfortunately, I have dynamic IP’s and can’t set tip no. 1. But I will apply no. 2 as No. 3 is already applied! 🙂

  • Eqwitty.com

    great tips. thanks!

  • Jan Alvin

    Wow, I’ve got to prevent hacking my blog as soon as possible.

  • Dinesh

    Thanks for you information…

    But this is more secure than the above code

    # -FrontPage-

    Options None

    order deny,allow
    deny from all
    allow from all
    require group authors administrators

    order deny,allow
    deny from all

    AuthType Basic
    AuthName yourwebsite.com
    AuthUserFile service.pwd //Example /home/usename/public_html/_vti_pvt/service.pwd
    AuthGroupFile service.grp //Example /home/username/public_html/_vti_pvt/service.grp

    From http://series60v3.co.cc/

  • rajeev mehta

    great tips.mine was getting hacked i think and this post really helped a lot ..

  • WebDiggin

    Thanks for the security heads-up. We haven’t really thought about it til we saw this post.

    FYI – Matt’s post has an update where Joshua Slive pointed out that the .htaccess file shouldn’t have a around the IP addresses. That would have allowed IP addresses to POST, for example.

    We have a dynamic IP where the last digit of our IP address changes. There are about four or five different XX.XX.XXX.* address that we get with our ISP.

    We found that if we just drop the last number, we’re still able to access our wp-admin folder, but if we use an anonymous proxy and try to access it from an IP address in Germany, it won’t get in.

    Can anyone else verify that this works for dynamic addresses?

    allow from xx.xx.xx
    allow from xx.xx.xxx


  • Mikael

    What happens if you have other authors writing posts. Will point number 1 affect their ability ot login and post topics? I mean if their IP isn’t added to the file.

  • Bloggero

    If I put .htaccess in /wp-content/plugins/ the plugins will work ?

  • Ness

    Some good tips. Have just removed Meta tag showing wordpress version. Overlooked earlier.

  • Deborah

    Jaan and Hendry,

    Thanks for the reminder on the Options -indexes. That works the easiest for managing, without having to add index.php or index.html files in folders.

  • Hendry Lee

    Regarding number 2, I’d recommend to disable directory index on all directories by placing the a line in .htaccess in the root directory:

    Options -Indexes

    This way, the option is off for the whole domain.

    While restricting access to wp-admin is useful it is not for people who don’t have static IP.

  • Mark

    Why a blank index.html? Can you use a blank index.php for this purpose to or is that a bigger security threat?

  • Daniel

    Brent, yes.

  • brent berrett

    Can the files can be accessed directly even with a blank index.html file?

  • LoLo

    “Do you know any other security tips that WordPress users should apply?”

    1. Change the default DB prefix (wp_).
    2. Hide your entire install.
    3. Matt’s bonus tip was a bit off. You can still get his version info. Just edit your wp-includes/version.php to hide it correctly.

    Info on how to hide your install and all the rest of this can be found here.

Comments are closed.