Radu Cotescu's professional blog

g33k w17h pa45510n

Securing WordPress From the Ground Up

My move to HostGator was partly due to the fact that on my old host this blog got hacked. And judging by the impact, I suspect this was a server-side security breach because my DB was intact. Since then I’ve spent some time to secure my WP instance as much as I could given the available tools on a shared hosting account.

While this guide provides you a lot of information, it’s not diving into more detailed explanations. To sum it all up and to add some geeky stuff too, I recommend considering the following advice.

Choose a secure host

Assure that your hosting provider is secure: its servers are protected by unauthorized access, they do provide back-ups and they offer you a decent line of support services.

Choosing passwords

Use strong passwords: this is the most common overlooked aspect when it comes to security. Avoid your birth date, phone number, girlfriend’s / boyfriend’s name (unless it’s a very weird and uncommon name :D), etc. Avoid using every combination that could be guessed by people you know (it’s not paranoid, it has to protect your online space and therefore nobody but you should have access).

Use up-to-date software

Keep your WordPress engine and its plug-ins always up-to-date. This is pretty basic and helps you avoid security bugs that might exist in older versions.

Secure your file transfers

Avoid FTP as much as you can: it’s not secure. Sure: it’s fast, it’s convenient and you might have a built-in client on your OS. But this doesn’t make it secure at all. Ask your host to provide you SSH access (this will be chrooted into your home folder) to be able to use SFTP.

File permissions

Once you have set up your WordPress blog take care of file permissions (yes, it’s basic stuff, but again people overlook it). All your folders must have 755 permissions and all your files should have 644. Take special consideration for the wp-config.php file which is recommended to have 750 (on my server it has 600) and all the .htaccess files which should be writeable by the user under which your web server runs if you want WordPress and other plug-ins to able to modify them for you (permalinks, caching plugins, etc.).

Secure wp-admin

Protect your wp-admin folder using at least an .htaccess file for authentication (Basic HTTP Authentication). Another option is to use the AskApache Password Protection plugin, but it doesn’t work on all hosts and several people have reported problems using it. To secure this folder with .htaccess you can use your hosting’s web administration panel (e.g. cPanel, Plesk, etc.) or you can directly upload the file having the following contents:

ErrorDocument 401 default
AuthType Basic
AuthName "Use your imagination here"
AuthUserFile "/path/that/is/upper/than/public_html/passwd"
require valid-user

If you used the web administration panel to do this, edit the generated .htaccess file in your wp-admin folder to include the first line from above, otherwise you will be locked-out of your Dashboard. If you haven’t used the web administration panel you must upload the passwd file which contains the user and the password you want for accessing any content from wp-admin. You can generate this file using this online script. The logic of keeping the passwords file outside of the directory used to serve content is to protect it from the outside world.

Useful security plug-ins

Personally I use four plug-ins which help me keep this blog clean of unwanted access:

  • Login LockDown - this plug-in protects your blog from brute-force attacks on your login form. It can be set to block IPs from which several unsuccessful logins are performed. You can set the number of failed logins after which the IP should be blocked, the maximum number of minutes to allow unsuccessful login tries from the same IP and the number of minutes that the IPs should be blocked if breaching the first two rules.

  • Secure WordPress - this plug-in hides certain information that your blog reveals and that might be used by hackers. Take care regarding the option labelled index.php because on some servers it might cause some problems where the server automatically requests itself for that file.

  • WordPress Exploit Scanner - useful to search for potential security breaches in your WordPress’ files, plug-ins and themes.

  • WordPress File Monitor - one of my favourites. This one checks if any changes have happened to your files while you were gone. It might cause some false alarms when you update¬† plug-ins of other files but if a hacker managed to alter your scripts you will find out soon enough (through email or notices on your Dashboard) and you can track which files he’s been playing with, making your recovery fast and clean.

Another plug-in which can be used to track requests made to your server (although its main purpose is to show you statistics about your visitors) is StatPress. Using the database entries it creates, you can efficiently look through the records using the basic form it provides under its Search option or, if you know SQL, you can build custom queries to run against your DB to find out more.


If you think you have discovered some traces of an attack on your blog (fishy or bot-net requests) and you can clearly identify some specific data about the requests made (user-agent, IP, requests for certain files which shouldn’t be accessed directly), you can add these rules to the .htaccess file at the root of your blog:

# Hunting spammers
    RewriteEngine   on
#   RewriteCond     %{HTTP_REFERER}    ^$
#   RewriteCond     %{HTTP_USER_AGENT} ^$
#   RewriteCond     %{REQUEST_URI}     ^/denied/path/(.*)
    RewriteRule     ^(.*)$     http://%{REMOTE_ADDR}/      [L,E=nolog:1]

Uncomment which rules you want to be used and edit them so that they catch what you need (a certain referrer, user-agent or a certain request). The result is that the “spammer” is given his own dog food in return without filling your server log with crap. It’s good to put this section at the beginning of your file so that if a spammer tries to do something bad, it will be redirected to his own IP without the server trying to parse the rest of the rules. Take care not to block access to your blog.


No matter how hard you try to keep your WordPress clean, there always is a slight chance that somebody some way will hack it. Although what I’ve tried to resume and present here are definitely show stoppers for your average hacker / script kiddie, it’s not as safe as not powering on any machine (from clients to servers). You will always be exposed to risk. The secret is to prevent any known chance of access without your consent.

Stay clean! :)

.com, How To

« Hosted by HostGator Automated cPanel backup »