Secure WordPress

Classified in : Uncategorized - Tags : none

Here is a to do list to secure your WordPress site !

WordPress is already -relatively- secure but being the most used CMS ... it is also the one hackers are going to target in prority! So it is necessary to add extra elements of security.


The first thing to do is archiving backups (on another server than the one used for the web site) to make sure to be able to recover data in case of a serious incident. Most web hosters will backup your web site (files and databases) regularly (generally at least daily), alternatively you may add a backup plugin.

General tasks

You must perform tasks that you would do for any system:

  • update elements: WordPress, plugins and the theme used (don't forget to use a child theme)
  • choose complex passwords: at least 8 caracters and mix up digits and uppercase/lowercase letters.
  • do not use an admin but create another one !

WordPress tasks

  • Delete the version number (that hackers could use to find hacks ... in case security updates were not perfomed), by adding to the fonctions.php file:

remove_action("wp_head", "wp_generator");

  • In the same line of thought, we delete the readme.html file (in the website root) that includes WordPress version number.
     WATCH OUT:  this must be done again after each WordPress update.
  • Deny access to directories and to the files wp-config.php and .htaccess, by adding the following lines to .htaccess :

(It's possible to do more by following WP Marmite instructions - in French)

<Files wp-config.php>
order allow,deny
deny from all
<Files .htaccess>
 order allow,deny
 deny from all
#hide dir
Options All -Indexes

  • Rename connection pages (wp-admin et wp-login) by using the plugin Move Login (which is included in the plugin SecuPress ... see last chapter) or WPS Hide Login.
  • Limit connection attempts by brute force by limiting the connection errors with the plugin Limit Login Attemps Reloaded (SecuPress inclus cette fonction également).
  • Block bad http queries by installing the plugin  Block Bad Queries.
  • Rename MySql tables by following  Informatique DIY instructions (with easy renaming in phpMyAdmin) and also instructions from WP Channel.
  • You may also install one of the following security plugins: Acunetix WP Security, Bulletproof security, iThemes security, Wordfence security or Sucuri security.

Test Security

To test web site security, on may:

  • test site with WordPress Security Scan.
  • install WP Scan, to run test from your computer.
  • install SecuPress plugin that will perform a security analysis and that will also add extra functions to secure the web site: probably the best security tool for WordPress !

Move to HTTPS

From a security stand point, it is not necessary to move your web site to HTTPS. It is mandatory only if you use confidential information (passwords, credit card etc): HTTPS will crypt the data typed in (as well as every thing else) thans to SSL ... so a hacker who will "listen" the network to get your informations will only see encrypted  data.

Read in another the operations to perform to move a site HTTP to HTTPS.


Happy securisation of your web  site ! ! !  wink


[ no comments ]

© Le Computing Froggy  !

Write a comment

What is the fifth letter of the word uv51hbn? :