Essential WordPress Security Tips

As WordPress is becoming more popular so is the threat of being hacked or being contaminated by malware. Since the desktops and laptops are increasingly becoming difficult to hack, hackers now concentrate on hacking websites and use them to spread their malicious code/trojans/virus. WordPress which now hosts more than 60 million sites which is more than half of the sites in the World Wide Web is now their primary target.
Protecting your WordPress blog/site is not cheap even the Automatic’s VaultPress costs $15 per month for the basic plan. Here are some tweaks which you can easily use to protect your blog/sites.

1. Prevent Directory browsing

Most hosts, by default allow directory listing. This can actually allow hackers to find for the vulnerable file and can make unexpected access to your site. To check whether your site is affected, type your WordPress URL into the browser address bar, followed by “/wp-content/plugins/” like https://vibethemes.wpengine.com/wp-content/plugins

If you get a blank page or error 404 you are safe else, just add the following to the .htaccess file:

Options -Indexes

It’s not enough to update just the blog’s robots.txt file with Disallow: /wp*.

This would definitely prevent the wp-directory from being indexed, but will not prevent users from seeing it.

2. Change the default “Admin” name

Brute force is used by Hackers involves systematically checking all possible passwords until the correct key is found.”Admin” the default username makes it easier for them to guess the right combination.

WordPress 3.0 allows you to choose your desired username by default. This tip might be useful for older WordPress versions.

If you are still using “admin” as your username run this sql query to change it.

UPDATE wp_users SET user_login = ‘Your New Username’ WHERE user_login = ‘Admin’;

This query will update “Admin” username in your wp-users table to the new user name you have given.

3.Remove your wordpress version

WordPress automatically displays the version you are using in the head of your blog files. This is harmless if your blog is always up to date with the latest version .But if for some reason your blog isn’t up to date, WordPress still displays it, and hackers will learn this vital piece of information.

Paste the following line of code in the functions.php file of your theme. Save it, refresh your blog.

remove_action(‘wp_head’, ‘wp_generator’);

This will delete the WordPress version number in the header.

4. Give File Permissions

Though there is no need to alter the permissions after you have installed the wordpress but in case you already have altered, do keep in mind the following things
All folder permissions should be set to 755, Files : 644.
Files that you want to edit in the WordPress Theme editor should be 666. Never use 777 for WordPress permissions – This would allow all users on the server do whatever they want with your site, at max go with 757.

5. Limit wordpress admin access by IP address

Any visitor with web access can visit your WordPress login page and take a guess at your admin password. If they get it right, they’ll have full control of your site.

What you can do is Restrict the WordPress admin folder to allow access only from your computer, or a small group of computers. To limit access by IP, create an .htaccess file in your /wp-admin/ folder (not in WordPress root) containing the following code:

order deny,allow
deny from all
# allow  IP address
allow from XX.XX.XXX.XXX
# allow  IP address
allow from XX.XX.XXX.XXX

Just google “what’s my IP” and you can find your IP address. Once you’ve done this, visitors without the allowed IP address will see a 404 message if they try to access your admin area or login.

Checkout this place for more tips and plugins on

WordPress security.