Don’t Get Hacked: WordPress Security Tips

In case you didn’t hear ThemeShaper was hacked. You know what? It really sucks. I’ve got two tips and a plugin recommendation that I want to pass on to you so the same stupid thing doesn’t happen to your WordPress install. And these aren’t even my ideas! These are time tested and tried things that just plain work.

After that comes a list of some further plugins and resources that’ll help harden up your WordPress install and keep hackers at bay. So read on.

Do a Fresh Install of WordPress, Plugins, & Themes

Do a fresh install of all WordPress, your plugins, and themes. That means deleting a whole whack of WordPress files just like you were doing an upgrade. And deleting and re-installing ALL your themes and plugins. If you’ve done ANY customization to any one of these files go through them line by line or re-store a local version that never made it to your web server. And while you’re at it start keeping local copies of your edited themes and plugins that have never made it to your web server.

You’re doing this to help make sure your current setup isn’t already compromised.

Hardening WordPress with htaccess

The Blog Security blog has a great article on how to lock out anyone trying to mess with your WordPress files using htaccess. It’s dead simple to do and requires only cut-paste skills and FTP access to your server, and a quick trip to What’s My IP. Anyone can do it. Check it out now and harden your blog.

The Update Notifier Plugin

The single biggest exploitable entry point on any WordPress install is going to be outdated versions of WordPress, themes and plugins. If you don’t know how extreme this can get check out this comment from one of my readers.

I remember when something similar happened to me. Fortunately I managed to find someone willing to help who knew quite a bit more about WordPress than me. The breach was traced to a caching plugin that was out of date by about a week.

The Update Notifier Plugin helps solve this problem by checking the official repository on a regular schedule and sending you an email when it’s time to upgrade.

Further Security Resources and Plugins

21 thoughts on “Don’t Get Hacked: WordPress Security Tips”

  1. I see the second piece of advice offered quite often in the WordPress tip-o-sphere, and I’ve always wondered if it is actually useful to people, because it assumes two (2) things that I would not assume:

    First, that you always access your WP admin from the same place.

    Second, that you have a static IP address at that place.

    For what percentage of WP users are both of these true?

    (In .htaccess you can of course “allow from” partial IP addresses, which will work for a dynamic address, and will still keep out most of the world.)

    In my view, the two things to do if you take the security of your WP site seriously are:

    First, choose a host that are serious and knowledgeable about security.

    Second, be prepared to be incovenienced. Security comes at a cost.


  2. @ian sorry to hear about the attack 😦 i wish the hackers would concentrate their actions on sites and organizations who deserve some headaches it like MPAA and RIAA etc 😉

    @Sergej cool plugin, will definitely be checking it out for my blogs.

  3. Thanks for this Ian.

    @demitris – it’s not too hard to do a combination of IP and user authentication which was necessary for one of my projects (I have fixed IP but client doesn’t). The .htaccess code I use is:-

    Satisfy Any
    order deny,allow
    deny from all

    #don't require user/pw from following IP addresses
    allow from

    AuthType Basic
    AuthUserFile /path/to/htpasswd.file
    AuthName "restricted"
    require user wordpressuser

  4. Just what I was looking for I have been reluctant to do a WordPress install for this very reason.

    I will still contemplate installing until I feel confident I understand the full process of securing my blog til then i will stick with

    Thanks for the info.


  5. Thanks for the article. I’m not good in coding, so I have difficulty to follow the tutorial, after I apply the codes on my blog, my template gets mess. So for now I just following the WP update, back-up my file, and install the WP antivirus 🙂

  6. We should also talk about MYSQL and security. For example, I bet many people set up a WordPress database with a “master” user. I like to create a separate user for each database and only give that user access to their WordPress database. Also, if possible, set up phpmyadmin to only be accessible locally. If you are fortunate to have a setup where you can SSH remote / RDP into your server, then that’s another method to secure your server.

    Great blog! Best wishes and happy holidays!

    1. Kris,

      i read somewhere that it’s best not to permit shell access to your user account. i don’t use terminal, so i won’t miss such permissions. however, i’m not sure it’s a “best practices” per say – to not allow shell user. wondering what you think about this…should we avoid using shell? (is that the same as SSH? and how does it differ from SFTP?)


  7. After reading around here, I can’t believe that my sites are so insecure. I”ve always relied on my host (hostgator) to do back ups. I can see this is not enough. I use wordpress a lot becuase of its user friendliness, but not being techie I can just never even imagine the way people can get at your sites. I always think ‘well why would they want to’. But now I understand its not about that. People just do this stuff without having any reasons at all. I have been naieve. Thanks for the tips.

    1. One WP plugin I highly recommend is WP Security Scan. It will check your website for known security vulnerabilities and recommend corrective actions to help reduce the risks of intruders accessing your website. The plugin says it’s compatible up to WP 2.8.4, but I am using it on several sites with 2.9.2 and it works fine. You can find it here:

      Securely yours,

      Regina Smola

Comments are closed.