WordPress Security Best Practices

Security through Obscurity


  • Never install WordPress using an automated script from your cPanel; it leaves an information trail and uses default settings.
  • Use a secure password that mixes capitals, numbers and punctuation, for example: mYb1Og^2gO
  • Use secret keys (hashing salts).
  • When creating your WordPress database, DO NOT USE wp_ as the table prefix.
  • If you have an SSL certificate, then use: define('FORCE_SSL_LOGIN', true); // also add SSL to admin pages: define('FORCE_SSL_ADMIN', true); (FORCE_SSL_LOGIN was deprecated in WordPress 4.0; FORCE_SSL_ADMIN covers both login and admin pages.)
  • When installing WordPress 3 or 4 you can now set the administrator account name to whatever you want.
  • Do not use “admin” as a username. If you have, create a new admin account, log out, log in with the new admin and delete the old one.
    (Make sure you reassign all content to the new admin user.)
  • File permissions should be set to 644 and folder permissions to 755.
  • If files do not work, raise them to 755, and only if that still fails to 777 (world-writable). This way you use the most secure permissions your server will allow.
  • Move your wp-config.php up one folder if your WordPress is in a sub-folder.
  • Move your wp-content directory using a define in your wp-config.php, and also define the new wp-content/plugins location; however,
    depending on how well the plugins are written they may break your site, so test using your backup on your local test bed first.
  • You do have your site backed up and stored off-site, right?
  • Weekly complete backups, plus daily backups of just the database (to save content), are a must for a large site.
  • For a less-used site I would back up just the database weekly and do a complete backup monthly.
  • remove_action('wp_head', 'wp_generator'); // removes version information (goes in your theme's functions.php).
  • Always update WordPress and plugins; the only issue may be plugins that are not being updated.
  • If the site breaks, just rename the offending plugin's folder (if WordPress cannot find it, it cannot load it).
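The permission baseline (644 for files, 755 for folders) and the backup schedule above are routine enough to script. The following is an added example, not code from the original post: a small POSIX shell helper that enforces and audits those permissions and takes database-only or complete backups, reading the database credentials out of wp-config.php so the password never appears on the command line. It assumes a Linux host with GNU find, tar, gzip and mysqldump on PATH, that DB_HOST in wp-config.php has no :port suffix, and that the backup directory is copied off-site by a separate job; all function names are this example's own.

```shell
#!/bin/sh
# Added maintenance helper (example code, not from the original post).
# Assumes: Linux, GNU find, tar, gzip, mysqldump; ROOT is the WordPress
# install directory; OUT is a backup directory synced off-site elsewhere.

# wp_list_bad_perms ROOT: print every path that is not dir=755 / file=644.
wp_list_bad_perms() {
  find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# wp_check_perms ROOT: succeed only when nothing deviates from the baseline.
wp_check_perms() {
  [ -z "$(wp_list_bad_perms "$1")" ]
}

# wp_fix_perms ROOT: apply the baseline, then list anything that did not take
# (e.g. files owned by another user). Loosening a file to 755/777 stays a
# deliberate per-file decision rather than a blanket change.
wp_fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  wp_list_bad_perms "$1"
}

# wp_config_value CONFIG NAME: print the value of define('NAME', '...') from
# wp-config.php. Values containing quotes are not handled (assumption).
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_find_config ROOT: wp-config.php may have been moved up one folder, as
# the post suggests, so look in both places.
wp_find_config() {
  if [ -f "$1/wp-config.php" ]; then
    echo "$1/wp-config.php"
  else
    echo "$1/../wp-config.php"
  fi
}

# wp_backup_db ROOT OUT: daily database-only backup. MYSQL_PWD keeps the
# password out of `ps` output; --single-transaction avoids locking InnoDB.
wp_backup_db() {
  cfg=$(wp_find_config "$1")
  name=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" \
    -u "$user" "$name" | gzip > "$2/db-$(date +%Y%m%d).sql.gz"
}

# wp_backup_full ROOT OUT: weekly complete backup (database plus all files).
wp_backup_full() {
  wp_backup_db "$1" "$2"
  tar -czf "$2/files-$(date +%Y%m%d).tar.gz" \
    -C "$(dirname "$1")" "$(basename "$1")"
}

# Suggested cron entries (large site: daily database, weekly complete):
#   0 3 * * *  . /usr/local/sbin/wp-maint.sh; wp_backup_db   /var/www/html /backups
#   0 4 * * 0  . /usr/local/sbin/wp-maint.sh; wp_backup_full /var/www/html /backups
```

Source the file from cron as in the comment, or run `wp_fix_perms /var/www/html` once by hand after an install or restore and act on whatever it prints.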


  • Lock down .htaccess: if you have been hacked, you can allow access only from listed IP addresses while you do audit testing.
  • If you have been hacked and do not have a backup… why?
  • COPY all files and folders, then DELETE all the ORIGINAL WordPress files and folders, INCLUDING plugins and themes.
  • Reinstall files and folders, checking that file and folder permissions are correct.
  • Keep the database, and after checking the original (copied) wp-config.php, upload it with new secret keys.
  • You will of course have to change all passwords and security keys. Delete users and audit how the security breach happened.
  • Install plugins: WP-Security Scan, WP-MalWatch or the more advanced WordPress Exploit Scanner. After using them, disable them.
  • The WordPress File Monitor plugin should be installed and left on all the time.
  • Install a login plugin that prevents brute-force attacks.
  • Scan the database for malicious code; examples: iframe, strrev, eval, base64.
  • Reinstall plugins from WordPress.org, never from a “developer’s” site download.
  • The number one security breach on a secure site is users/passwords.
  • Often the cause is users' own computers not having up-to-date virus protection and a firewall.
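Two of the recovery steps above, the .htaccess lockdown and the database scan for iframe, strrev, eval and base64, can be done with a short shell helper. The following is an added example, not code from the original post: it scans a mysqldump file (and, as a generalisation, PHP files under a directory) for those tokens written the way they appear in injected code, and writes a temporary .htaccess that admits only the listed addresses. It assumes a Linux host with GNU grep and Apache 2.4 (the Require syntax, with AllowOverride permitting it); the 203.0.113.0/24 and 198.51.100.0/24 addresses used in the usage comment are documentation ranges, and every function name is this example's own. Matches are a triage list, not proof of compromise: legitimate plugins also call base64_decode.

```shell
#!/bin/sh
# Added recovery helper (example code, not from the original post).
# Assumes: Linux, GNU grep (for --include), Apache 2.4 Require syntax.

# The post's examples (iframe, strrev, eval, base64) as they appear in
# injected HTML/PHP. Case-insensitive match; extend as needed.
WP_SUSPECT_RE='<iframe|strrev\(|eval\(|base64_decode\('

# wp_scan_dump DUMP: print matching dump lines with line numbers.
# Returns 0 when the dump looks clean, 1 when anything matched, 2 if the
# file cannot be read.
wp_scan_dump() {
  [ -r "$1" ] || return 2
  if grep -n -i -E "$WP_SUSPECT_RE" "$1"; then
    return 1
  fi
  return 0
}

# wp_scan_files DIR: list PHP files under DIR containing the same tokens
# (e.g. wp-content after a reinstall, to confirm nothing was left behind).
wp_scan_files() {
  grep -r -l -i -E --include='*.php' "$WP_SUSPECT_RE" "$1"
}

# wp_htaccess_lockdown OUTFILE IP...: write an .htaccess that allows only
# the given addresses or CIDR ranges (your audit machines) while you clean
# up. Remove the file, or restore the original, when the audit is done.
wp_htaccess_lockdown() {
  out="$1"
  shift
  {
    echo '# Temporary lockdown for audit; remove when finished'
    echo '<RequireAny>'
    for ip in "$@"; do
      echo "    Require ip $ip"
    done
    echo '</RequireAny>'
  } > "$out"
}

# Usage (documentation addresses, constructed for illustration):
#   wp_htaccess_lockdown /var/www/html/.htaccess 203.0.113.5 198.51.100.0/24
#   mysqldump ... > /tmp/site.sql && wp_scan_dump /tmp/site.sql
#   wp_scan_files /var/www/html/wp-content
```

Run the dump scan on a fresh export before deciding the database can be kept, and check the listed line numbers by hand: post content with a legitimate embedded iframe will also show up.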


Web Site Security

I hope this will give you an understanding of what is needed to keep your site secure. This is not a detailed “how to”; however, it will help you to review the basics with your web designer. Not all of these steps are practical for all sites, and some sites, such as ecommerce sites, should look at adding https, a honeypot or other measures.

This list is for a basic understanding of the steps involved. If you have been hacked it is our recommendation that you first contact your hosting company and secondly contact a professional to repair your site.