15 Tips To Secure Your WordPress Blog

With this post I would like to discuss about the word press security that every webmaster should know. Now a day’s lot of hackers getting in to the word press, it is so important to keep your blog hack proof. Let’s check out some points to secure your word press blog with best security tools and applications and basic coding. Make sure your entire things backed-up well including your database before doing anything to your word press blog.


Update to latest version of word press

Make sure your blog running on the latest version of word press, if not do wordpress update. You can update wordpress from your dashboard itself.

Use a powerful password 

You can create a powerful password once you install and activate wp-security scan plugin.

Check for plug-in new releases

If your word press dashboard showing there is some plug-in update available please go for update. It is very important considering security part of your blog.

Change the authentication 

Go to the word press root directory ,open wp-config file and point to following lines

define(‘AUTH_KEY’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);

define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);

define(‘NONCE_KEY’, ‘put your unique phrase here’)

Change ‘put your unique phrase here’ with a new one you generated using word press tool at https://api.wordpress.org/secret-key/1.1/

Setting up this secret key is highly recommended to increase the security of your blog . the secret key is used as a seed to create and generate unique random number when calculating hash value for  word press to encrypt password.especially in cookie authentication. it reduces that possibility of cracking the password of your blog .

 WP security scan

There is one security plugin it will come handy while considering your protection. Yes some of you may know “wp-security scan” plugin, this one trusted by most of the bloggers. It is the standard plugin for word press. Once you activated that plugin go to the navigation you will get a security tab. if click on that security you get a page same as below. It Scans your Word Press installation for security vulnerabilities and suggests corrective actions. Like -passwords -file permissions -database security -version hiding -Word Press admin protection/security -removes WP Generator META tag from core code

After initial scan if it shows a message like “your table prefix should not be wp_click here to change it”.

It is very important for you to change this prefix. Due to security point your table prefix should not be wp_; this is the standard when you install all word press blogs. If you keep the standard setting your blog will be at high risk. Hackers will be able to hack your word press blog.

So let’s click on “click here and just rename it on wp-security scan. Make sure you backed up your word press database before you go for any changes. If you changed the prefix just check these changes by going to your Database on my php admin .Make sure your user have rights other wise you can not be able to log into the dashboard. If you not able to login please go to wp-config file open it and change the prefix to default wp- .

If any things gone wrong don’t worry, got to your database and drop all the table prefix over there. Go to your backed up sql file and open it in a text editor change all the wp- to “your word-“save it and import to database, now go to wp-config file on your computer open it and change the prefix wp- to “your word-“save everything and go back to wp-security scan and activate the plugin .now you can see the prefix has been changed successfully.

Change the Admin user 

Most of you may know that default word press use username “admin” for log in to WordPress of the bloggers not change this username this will help hackers, they are half towards your blog hacking. They got your username only password needed for them. If you change the user name it is very difficult for the hackers. Let’s check out how you can change the user name .go to the user page on your dash board create another admin user and give a different name for it after that delete the default “admin” user.

Next you have to change the display name that viewable publicly put any thing different than your loin username.

You can change Admin user by another method also if you are using php admin you can edit it directly, below is the SQL command to do it .

UPDATE 'wp_users' SET 'user_login' = 'NEWUSERNAME'

WHERE 'wp_users'.'ID' =1 LIMIT 1 ;

Hide word press version

This also important if some one knows about the version and they will try building to break in to your blog. If you hidden the version you will be safe from these hijackers. Wp-security scan will automatically hide the word press version of your blog. Normally you can see it on the header and footer of your blog.

Hide your word press Database error

Wp-security scan will do this for you ,in newer wordpress versions it is off by default.

Hide WordPress plugins

This important because of the same reason, why we hidden the word press version. We can do it by creating an .htacess file and putting it in root directory of word press installation. People will be able to see if your plugins folder if not secured. If .htacess not worked you can do it by creating a blank “Intex.html “ file in to this directory.

Create an .htacess file

If you not created an .htacess file in your root installation of word press it will give hackers a final chance to try to break in to your blog. You can create an .htacess file by putting following commands in a text editor and save it as .htacess and put it in wp-admin folder. You can check the status by checking on security scan area of wp-security scan.

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /Index.php  {L}


#prevents directory listing


# END WordPress

( The last two lines  on .htacesss will protect public browsing of all directories .Once you put this commands no one can see your Wp-admin log in page instead it will show a 404 -error page.You can even customize this also.I will put those in another post )

Copy this in to a text editor and save it as .htacess file in the wp-admin folder.

The last  line on .HTACESS  will help you to secure your plug-in directory from hackers.

Use SSL login 

If you have a purchased SSL certificate for you domain you can enable SSL connection to login to your blog. You can do this by adding the code  “define('FORCE_SSL_ADMIN', true); “  in to your wp-config.php check the word press help at http://codex.wordpress.org/Administration_Over_SSL.

Block Bad queries – plugin

Many word press blog has been attacked by hackers using some malicious code .this plugin will come handy when some one sending long request strings greater than 255.this plugin can block all type of injection type attacks.

Put restriction in Long in Attempts

You can put some log in restriction to save your blog from some kind of brute force attack from hackers. You can use login lock down plugin to do this job for you .You can restrict the login retries, login time restriction, lockout length etc to keep your blog secure.

Deny comment spammers

Spammer’s cam post comment on your blog with out accessing or opening  your blog .if hey have access to  wp-post-comments.php folder of your blog they can post comments with out sending any information. You can block this by adding following code in to your .htaccess file .Replace yourblog.com with your address.

RewriteEngine On


RewriteCond %{REQUEST_URI} .wp-comments-post\.php*

RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]

RewriteCond %{HTTP_USER_AGENT} ^$

RewriteRule (.*) ^http://%{REMOTE_ADDR}/$


Add one more authentication 

You can do this by putting an .htaccess authentication for your blog.

Go to http://tools.dynamicdrive.com/password/ put the user name and password and location which is accessible by anybody .after clicking submit you will get a code ,copy the code into your .htaccess file, and upload this in to the directory you wish to protect .

now take the second code that you get from that tool copy it and save it as .htpasswd and upload it to the location (AuthUserFile  provided in .htaccess code) .htpasswd should be put in a non public folder, such as directly above your public HTML folder, to prevent visitors from viewing this file in the browser.

Make sure you backed up your Word Press Database and Wp-content folder before you apply above tips .If any thing goes wrong you can easily recover with backup.

If you like my article, Subscribe to uniquetipsonline.com feed via RSSEmail, Twitter and Tips Online for latest updates.


Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.