Hardening WordPress

Last modified by Wiki Master on 2015/04/02 13:29

Change the WP database table prefix

By default, WP prefixes its database tables with "wp_". Changing the prefix to a random string is a small obscurity measure: it does not prevent <link>SQL injection attacks</link>, but it does break automated exploit scripts that hard-code the default table names (wp_users, wp_options and so on). Treat it as a supplement to keeping WP and its plugins patched, not a substitute.

If you haven’t installed WP yet

You can set the prefix to any random string (preferably more than 3-4 characters) in the installer or in wp-config.php ($table_prefix). WP accepts only letters, digits and underscores in a prefix. Add an underscore (_) after the string so your tables are easier to read, for example k7f3x_.

If you have already installed WP

You will need to edit wp-config.php and set $table_prefix to the new prefix. Export the entire database and, using a text editor, replace the prefix of every table with a random string (preferably more than 3-4 characters), again ending with an underscore (_) so the tables stay readable.

Table names appear in backticks in the CREATE TABLE `NAME`, CREATE TABLE IF NOT EXISTS `NAME`, INSERT INTO `NAME` and LOCK TABLES `NAME` lines. The prefix is also stored in row values, not only in table names: the option_name wp_user_roles in wp_options, and the meta_key values wp_capabilities, wp_user_level, wp_user-settings and wp_user-settings-time in wp_usermeta. Rename these too, or no account will have any capabilities under the new prefix and every administrator will be locked out. After the changes, drop your WP database on your web host and import your updated database.
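The steps above scripted, as an added example that is not part of the original page: a POSIX shell function that rewrites the prefix in a mysqldump export, including the prefix-dependent option and meta keys, and a second function that updates $table_prefix in wp-config.php. The sample dump in the test, the prefix k7f3x_ and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example: rewrite the WordPress table prefix in a mysqldump export
# and in wp-config.php. Usage (hypothetical file names):
#   rename_wp_prefix wp_ k7f3x_ backup.sql backup-renamed.sql
#   set_config_prefix k7f3x_ wp-config.php wp-config.new

# option_name / meta_key values that embed the prefix. If these are not
# renamed along with the tables, no account has any capability under the
# new prefix and every administrator is locked out.
PREFIXED_KEYS="user_roles capabilities user_level user-settings user-settings-time"

# WordPress itself only accepts letters, digits and underscores in a prefix.
# Validating both prefixes also keeps sed metacharacters out of the script.
valid_prefix() {
    case $1 in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

rename_wp_prefix() {
    old=$1 new=$2 src=$3 dst=$4
    valid_prefix "$old" || { echo "invalid prefix: $old" >&2; return 1; }
    valid_prefix "$new" || { echo "invalid prefix: $new" >&2; return 1; }
    # Table names are backtick-quoted in CREATE TABLE, INSERT INTO, LOCK TABLES
    # and ALTER TABLE lines, so only rename the prefix when it follows a backtick.
    # Post content that merely contains "wp_" is left alone.
    script="s/\`${old}/\`${new}/g"
    for k in $PREFIXED_KEYS; do
        # Row values are single-quoted in the dump: 'wp_user_roles' -> 'k7f3x_user_roles'
        script="$script; s/'${old}${k}'/'${new}${k}'/g"
    done
    sed -e "$script" "$src" > "$dst"
}

# Rewrite the $table_prefix = '...'; line of wp-config.php.
set_config_prefix() {
    new=$1 src=$2 dst=$3
    valid_prefix "$new" || { echo "invalid prefix: $new" >&2; return 1; }
    sed "s/^\([[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*\)'[^']*'/\1'${new}'/" "$src" > "$dst"
}

# Succeeds only when no backtick-quoted identifier with the old prefix remains.
no_old_tables_left() {
    ! grep -q "\`$1" "$2"
}
```

Run the two functions against a copy of the export and of wp-config.php, check the result with no_old_tables_left, and only then drop and re-import the database; keep the original export until you have logged in successfully under the new prefix.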


Secure Folder and File Permissions

All directories should have at most 755 permissions (owner read/write/execute, everyone else read/execute) and files at most 644 (owner read/write, everyone else read). Never use 777. This can be changed through cPanel's File Manager, under the Perms column.

An exception to this rule is the wp-config.php file, which holds the database password and the authentication keys. Its permissions should be 600 so that other users on the server cannot read it. This assumes PHP runs as the owner of the file (suPHP/suEXEC, the usual cPanel setup); if PHP runs as a separate web-server user, use 640 with that user's group as the file's group instead.
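The same policy applied from a shell, as an added example that is not part of the original page, for hosts that give you SSH rather than only cPanel. It assumes PHP runs as the file owner; the path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: enforce 755/644/600 on a WordPress tree and report deviations.
# Usage (hypothetical path): harden_wp_perms /home/user/public_html
# Assumes PHP runs as the owner of the files (suPHP/suEXEC/php-fpm pool user).

harden_wp_perms() {
    root=$1
    [ -f "$root/wp-config.php" ] || { echo "$root is not a WordPress root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +    # directories: rwxr-xr-x
    find "$root" -type f -exec chmod 644 {} +    # files: rw-r--r--
    chmod 600 "$root/wp-config.php"              # database password and keys: owner only
}

# Lists every path that deviates from the policy (a 777 uploads directory is
# the usual offender); prints nothing when the tree is clean.
audit_wp_perms() {
    root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 600
}

# Exit status 0 when audit_wp_perms finds nothing.
wp_perms_ok() {
    [ -z "$(audit_wp_perms "$1")" ]
}
```

Run audit_wp_perms first to see what a previous "chmod -R 777" left behind; after harden_wp_perms, anything the audit still lists was changed by something else and is worth investigating.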

Activate a Child Theme

Make customizations in a child theme rather than by editing the parent theme's files, so the parent theme can still be updated without losing the changes or skipping the update.

Secure wp-config.php

For added security, add the following line to wp-config.php. It removes the theme and plugin file editors from the administrator dashboard, so an attacker who obtains an administrator login cannot use them to write PHP to the server.

define('DISALLOW_FILE_EDIT', true);

Choose new authentication keys and salts and replace the old ones in wp-config.php with the new ones you generated. Changing them invalidates every existing login cookie, which is what you want after a suspected compromise. Here is the link for generating them - https://api.wordpress.org/secret-key/1.1/salt/
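An offline alternative plus a check, as an added example that is not part of the original page: generate the eight keys locally from /dev/urandom when the API URL is not reachable from the server, and verify that a wp-config.php has DISALLOW_FILE_EDIT set and no placeholder keys left. The file names are hypothetical.

```shell
#!/bin/sh
# Added example: generate WordPress keys/salts offline and check a wp-config.php.
# Usage (hypothetical): wp_salts >> wp-config.php ; check_wp_config wp-config.php

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random printable characters from /dev/urandom; the set excludes the
# quote and backslash so the value is safe inside a PHP single-quoted string.
random_phrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_=+-' < /dev/urandom | head -c 64
}

# Print the eight define() lines in the same form as the api.wordpress.org page.
wp_salts() {
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(random_phrase)"
    done
}

# Exit 0 when the file is hardened; otherwise print each finding and exit 1.
# Checks: DISALLOW_FILE_EDIT is true, all eight keys are defined, and none is
# still the installer's "put your unique phrase here" placeholder.
check_wp_config() {
    f=$1 rc=0
    grep -q "define( *'DISALLOW_FILE_EDIT' *, *true *)" "$f" \
        || { echo "DISALLOW_FILE_EDIT is not set to true"; rc=1; }
    for k in $WP_KEYS; do
        grep -q "define( *'$k' *," "$f" || { echo "$k is not defined"; rc=1; }
    done
    if grep -q "put your unique phrase here" "$f"; then
        echo "placeholder keys are still present"; rc=1
    fi
    return $rc
}
```

Remove the old define() lines before appending the new ones; PHP raises a notice on a redefined constant and keeps the first value, so the old keys would stay in force.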


Prevent Directory Browsing

To test whether your WP directories are protected from listing, enter the following URL in your browser, replacing mydomain.com with your own website's domain - http://mydomain.com/wp-includes/

If it shows a blank page or a 403 Forbidden (or 404 Not Found) page, your WP directories are not listable. However, if you see something similar to the image below, your directories are not safe from browsing.

[Image: 2Harden-dirs.png]

To prevent access to directories, place this code inside your .htaccess file.

Options -Indexes


The .htaccess file is a hidden file, so cPanel users may have to go back to cPanel's Home Page and check "Show Hidden Files" in the "File Manager Directory Selection" dialog that appears when you click the "File Manager" icon.

[Image: 3Harden-hidden.png]


Deny Access to Files via IP

To block access to specific files or directories except from your own IP address, use one of the following two methods in .htaccess. Both use the Apache 2.2 Order/Deny/Allow directives; on Apache 2.4 they work only if mod_access_compat is loaded, otherwise use Require ip [IP] instead.


<Files filename.php>
Order Deny,Allow
Deny from All
Allow from [IP]
</Files>

- OR -


<FilesMatch "regular-expression">
Order Deny,Allow
Deny from All
Allow from [IP]
</FilesMatch>

Here are some examples (screenshots on the original page):

[Image: 4Harden-file.png]

[Image: 5Harden-filesmatch.png]
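Concrete versions of the two methods, as an added example that is not from the original page, since the screenshots are not reproduced here. It restricts wp-login.php (and xmlrpc.php, another common brute-force target) to a single address range; 203.0.113.0/24 is a documentation range standing in for your own office or VPN addresses.

```apache
# Added example, not from the original page.
# Method 1: <Files> with a literal file name, Apache 2.2 syntax
# (on Apache 2.4 this form needs mod_access_compat).
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24
</Files>

# Method 2: <FilesMatch> with a regular expression, written in the
# Apache 2.4 "Require" syntax. Use one syntax or the other in a given
# .htaccess; mixing the 2.2 and 2.4 forms in one scope is not supported.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    Require ip 203.0.113.0/24
</FilesMatch>
```

Do not apply the same rule to the whole wp-admin directory unless you exempt wp-admin/admin-ajax.php, which themes and plugins call on behalf of visitors who are not logged in. Keep a second way to reach the server (SSH or cPanel) so that a change of your own IP address does not lock you out of the dashboard.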


Protect the /wp-content Directory

The wp-content directory holds all your media files, themes, and plugins. In order to protect this directory, create a separate .htaccess file inside /wp-content and insert the following code. It denies direct requests for everything under wp-content, including theme and plugin PHP files and any PHP an attacker manages to upload into wp-content/uploads, and re-allows only the static file types listed. Note that <Files> matches a literal file name, so the regular expression has to go in <FilesMatch>:

Order Deny,Allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
</FilesMatch>

Extend the list with every other static type your site serves (for example ico, svg, woff, woff2, ttf, pdf, mp4), or those files will return 403, and test the site afterwards: a few plugins expect their PHP files to be requested directly and will break. On Apache 2.4 these directives need mod_access_compat.


Do Not Use Admin User

Using a user named "admin" should be avoided at all times, since it is the first username every brute-force tool tries. If it is already in use, create a new administrator with a username other than "admin" or "administrator", log in as that user, and delete the old one, attributing its posts to the new account when WP asks.


Restrict Admin Access to ONLY Required Users

WP provides several roles with different permissions. Do not give administrator credentials to users who will only write or edit articles. Here is a rundown of WP's user roles:

  • Administrator - can change anything in the administration area, including installing plugins and themes and managing users
  • Editor - can write, edit, and publish posts and pages, including other users' posts
  • Author - can write, edit, and publish their own posts
  • Contributor - can write and edit their own posts but not publish them
  • Subscriber - can only manage their own profile

Good Maintenance Practices

  • Keep your WP core files, themes, and plugins updated
  • Minimize the number of plugins and themes you use
  • Deactivate and remove unused plugins and themes (an inactive plugin's files can still be requested directly and are still exploitable)
  • Choose passwords that are difficult to guess
  • Do regular database and file backups, and keep them off the web server

Install a Security Plugin

There are many plugins that offer to protect your WP site. A security plugin is itself extra code running with the site's privileges, so choose one that is actively maintained and keep it updated like any other plugin.


References and Further Readings

Created by Wiki Master on 2015/04/02 13:29