Today we'll take a look at some common yet overlooked steps to keep your WordPress installation secure. Keep in mind these steps will not cover every installation fully, but they will harden your WordPress installation against common vulnerabilities.


1. Add a second layer of password protection to your /wp-admin/ directory.

Adding a server-side password in Apache creates a second layer of protection for your administrator area files, login screen, and entire administrator directory. While simple, this will stop numerous attacks that attempt to post a malicious payload to WordPress files when an exploit is discovered.

2. Disable direct file editing within WordPress

By default, WordPress allows the editing of crucial PHP files directly from WordPress. For best security practices, edits and changes to crucial PHP files should never be made from WordPress. Insert the code below into your wp-config.php file to disable direct file edits from WordPress.

define('DISALLOW_FILE_EDIT', true);

3. Avoid and remove unused plugins and themes

Excess plugins and themes are one of the most overlooked issues in WordPress. Because plugins are PHP code that runs on your server, any unused plugins should be removed. Unused themes should be removed as well, as in many instances they contain a variety of PHP functions, some of which may be outdated. In June of 2014, an exploit was discovered centering around the “timthumb” plugin, utilized in numerous themes to create thumbnails. This exploit allowed arbitrary remote code execution, which led to the exploitation of numerous themes and plugins that used the TimThumb library.

4. Install a two-factor login solution

Even without file editing access (which we removed in step #2), the administrator account is still a powerful tool that, in the wrong hands, could be used to wipe your blog with a few clicks. For this, we suggest a two-factor login solution, such as Duo Security or Authy. Duo Security is easily installed with a few clicks and light configuration.

Upon login, Duo Security requires a mobile-phone ‘push’ or SMS to verify it’s actually you logging into the administration area of your blog. This is very useful should your password fall into the wrong hands due to using an infected machine or a keylogger being present on your own.

5. Create backups, and create them often

You should always have backups of your site, but many users only take a daily ‘snapshot’ as a backup, and not much else. If your installation is exploited 3 days back, you’re out of luck unless you have a backup later than that date. We suggest you keep daily, weekly, and monthly backups, and store them off-site, so if your WordPress installation is exploited, you do not need to rely on possibly rogue backup files to restore from.

6. Use a web application firewall

Web application firewalls work by filtering access to your install in real time, using patterns to detect and block possibly malicious requests to your website. The most popular WAF is ModSecurity, which works in conjunction with your web server to filter requests, and can be installed and activated within cPanel. A suggested plugin you can easily install is iThemes Security, which stops attacks and filters URLs in real time. In addition, you can put a reverse-proxy service in front of your website to protect and filter it by simply changing your DNS; two popular services are CloudFlare and Sucuri.

7. Keep directory and file permissions permissive but safe

Numerous WordPress features, including upload and auto-update capabilities, require permissive file and directory permissions, but it’s all too common to give over-permissive write access to directories that don’t require it. As a rule of thumb, folders need to be set at 755 permissions, with files given 644 access. If you have shell access, you can modify and use the following code to set your directory and file permissions.

find /home/site/public_html/blog/ -type d -exec chmod 755 {} \;
find /home/site/public_html/blog/ -type f -exec chmod 644 {} \;
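
Before running a blanket chmod, it helps to see what actually deviates from the 755/644 rule, since a 777 directory or 666 file is worth investigating rather than silently resetting. The script below is an added example, not part of the original article; the function names are hypothetical, the install path is passed as an argument, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 755 (directories) /
# 644 (files) rule, then correct only the entries that deviate.
# Assumes GNU find/stat; run it as the user that owns the files.

# Print "<D|F> <octal mode> <path>" for every directory that is not 755
# and every regular file that is not 644. Symlinks are not followed.
list_deviations() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type d ! -perm 755 -exec stat -c 'D %a %n' {} +
    find "$1" -type f ! -perm 644 -exec stat -c 'F %a %n' {} +
}

# Print only the riskiest subset: entries writable by "other"
# (for example 666 or 777), which any local account can modify.
list_world_writable() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" \( -type d -o -type f \) -perm -0002 -exec stat -c '%a %n' {} +
}

# Apply the rule only where it is violated, leaving compliant files alone.
fix_deviations() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Stand-alone use: pass the install path, e.g.
#   sh audit-perms.sh /home/site/public_html/blog/
# Report first; uncomment the last call once the report has been reviewed.
if [ "$#" -ge 1 ]; then
    echo "== entries not matching 755/644 =="
    list_deviations "$1"
    echo "== world-writable entries =="
    list_world_writable "$1"
    # fix_deviations "$1"
fi
```

Save the report before fixing anything: an unexpected world-writable directory is a useful lead if the site is later found to be compromised.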

8. Turn off Error Reporting in wp-config.php

When working on your site, PHP’s error reporting can be a brilliant tool to troubleshoot issues. In production, where it is unnecessary, the same information is more helpful to possible hackers: when an error occurs, it exposes your directory base and possibly other operating system information you do not want publicly known. Open wp-config.php and insert the following: