Security Harden WordPress


Harden The Security Of Your WordPress

“Security Harden WordPress is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”

Website security is often a top concern for WordPress site owners and prospects. While 26 percent of all websites on the internet are powered by WordPress, because of its popularity the CMS is often targeted by hackers. However, that doesn’t mean your site has to fall victim to malicious behavior.

While no system is 100 percent hack-proof, there are certain measures you can take to prevent a hacked WordPress site. To reduce your chances of being affected by a disastrous brute-force or DDoS attack, read below for the most important WordPress security tasks you should implement to become more proactive against potential threats.

 * WordPress security tips

  1. Keep WordPress core, themes, and plugins up to date

    The most common cause of a hacked WordPress website is an outdated component. Outdated plugins, themes, and core open the door to a compromised site. When left un-updated, these outdated files are easy to fingerprint and make your site a target for outside intruders.

    In fact, in one study 69 percent of reported WordPress security vulnerabilities belonged to outdated WordPress plugins (outdated WordPress core accounted for 30 percent and outdated WordPress themes for 1 percent; the remaining vulnerabilities came from hosting services).

    Ensuring your WordPress site is up to date is simple: when you see an orange notification in your WordPress dashboard next to plugins, themes, or a notification to upgrade WordPress, update ASAP!


    If your site is hosted with WP Engine and is capable of automatic WordPress core updates, do not activate that option, because it too is a security risk.

    Keep in mind that “Automatic WordPress Core Updates” is an extreme security risk and also slows down your WordPress blog/website.

    WordPress plug-ins often consume host service resources, slowing down your WordPress site, and can almost freeze the editor while you attempt to write a comment, a new page, or a post.

    Be very cautious with WordPress themes and plug-ins: an installed theme or plug-in is an open door for hacker exploits and a potential vulnerability whether it is activated or not.

    Having an ATOM and/or RSS feed activated also attracts hackers and spammers (a spammer is a person who posts junk comments, posts, and/or pages wherever WordPress owners give them access to do so). Spammers use feeds with automated content-spamming programs, so leave feeds off unless you are a PHP programmer modifying the WordPress code in config.php, index.php, and/or functions.php.

    Sending and receiving email through WordPress is a malware vector, so do not do that either.

    * With all the above regarding themes, plug-ins, ATOM/RSS feeds, and emailing: do any of it at your own risk.

    * Note that some plugins are needed by themes or serve as security programs and WordPress enhancers, so just be careful and learn as much as possible about the points mentioned above.

  2. How to configure automatic updates

    Automatic updates can be configured as follows, though this guide advises against it, because allowing automatic updates is described above as the prime entry point for hackers to exploit your WordPress site/blog. To auto-upgrade WordPress core, insert this line into your wp-config.php file:

    define( 'WP_AUTO_UPDATE_CORE', true );

    For plugins, use:

    add_filter( 'auto_update_plugin', '__return_true' );

    For themes, use:

    add_filter( 'auto_update_theme', '__return_true' );

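    The three switches above are all-or-nothing. If you do decide to allow some unattended updating, a narrower policy is possible with the same hooks. The following must-use plugin is an example added to this guide (it is not the page's own code and not a WP Engine feature); it keeps core on minor/security releases only and lets plugins and themes auto-update only when their slug is on an allow-list. The two slug lists are hypothetical placeholders, the `sh_` prefix is this example's own, and it assumes PHP 5.6+ and WordPress 3.7+.

```php
<?php
/**
 * Plugin Name: Scoped Auto-Updates (added example, not this guide's own code)
 *
 * Save as wp-content/mu-plugins/scoped-auto-updates.php. Instead of the
 * all-or-nothing switches above, it restricts unattended updates to:
 *   - core: minor (security/maintenance) releases only, never major ones
 *   - plugins/themes: only slugs on an explicit allow-list
 * The two slug lists are hypothetical placeholders for this example.
 */

// Hypothetical allow-lists: only these plugin/theme slugs may update unattended.
const SH_AUTO_UPDATE_PLUGINS = array( 'example-security-plugin' );
const SH_AUTO_UPDATE_THEMES  = array( 'example-theme' );

/**
 * True only when the update item's slug is on the given allow-list.
 * $item is the object WordPress hands to the auto_update_* filters;
 * its ->slug identifies the plugin or theme being offered.
 */
function sh_item_is_allowlisted( $item, array $allowlist ) {
    $slug = ( is_object( $item ) && isset( $item->slug ) ) ? (string) $item->slug : '';
    return $slug !== '' && in_array( $slug, $allowlist, true );
}

// Core: keep security/minor releases automatic, block major version jumps.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins and themes: the filters pass ($update, $item); we ignore WordPress's
// default verdict and answer from the allow-list only.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return sh_item_is_allowlisted( $item, SH_AUTO_UPDATE_PLUGINS );
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
    return sh_item_is_allowlisted( $item, SH_AUTO_UPDATE_THEMES );
}, 10, 2 );
```

    Because the file lives in mu-plugins it cannot be deactivated from the dashboard, and everything not on the list still shows up as a normal manual update, so you keep the review step the text recommends.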
  3. Only install trusted WordPress plugins and themes


    The “Popular” and “Featured” sections of the plugin directory are a good place to start when looking for trusted, secure plugins, though even these can turn out to be a vulnerability on their own or when left un-updated.

    To judge whether a theme or plugin can be trusted, first read its ratings, but remember that these only help *if* the vulnerability has been reported or complained about by enough end-users to draw the plugin author's attention to fix the exploit.

    Hackers routinely visit the programmers' plugin pages, where they look for a.) people complaining, and b.) plugins whose programmer does not update them within a day or more; those are the sites hackers visit most.

    * Within a day you will have break-ins across the Internet globally. *

    This is why plugins are dangerous and why auto-update leaves the WordPress site/blog wide open during updates: a bad idea and an open door for hackers!

    There you can also find clues to whether there have been security breaches or issues in the past, such as buggy updates, to avoid taking chances with.

    You’ll also want to check when a plugin/theme was last updated, and whether the theme(s) or plugin(s) are marked as compatible with your version of WordPress.

    If a plugin or theme hasn’t received an update in some time (say years), then it is exploitable and an open door for hackers to break in and destroy all your hard work in minutes.

    In addition, analyzing a plugin or theme’s popularity is another way to better ensure you aren’t installing malicious code into your WordPress site.

    A widely popular plugin/theme isn’t necessarily less likely to be targeted by hackers trying to exploit it and break into your WP site/blog, but it is more likely to be updated with security patches regularly.

  4. Remove Unused Plugins and Themes


    WordPress sites/blogs always require some housekeeping, especially if the site is not secured properly.

    As you start to accumulate themes and plugins, go through them and dispose of the ones you no longer use, because unused themes and plugins increase security risks.

    Research every one before applying changes to your WP site/blog; this may take up to a week of research if you have time constraints due to working hours and your play-time.

  5. Install a WordPress security plugin

    Installing a WordPress security plugin is a no-brainer when it comes to enhancing the security of your site if you choose “YOAST” and/or “JETPACK”, but remember that you are taking a security risk by doing this.

    The YOAST and “JETPACK” plugins are updated quickly to avoid hackers exploiting WP sites/blogs through them.

    To be proactive against security threats, install such a plugin to minimize security vulnerabilities.


    The WordPress program and its menus offer daily site backups and restore options, so your WP site/blog content is safe.

    If backups are something you’d rather not have to worry about, the WordPress program will conduct automatic backups (if you tick the correct boxes in the maintenance menu) at the backup interval you set: daily, weekly, or monthly.

    This is the lowest-risk automation that you can use.

    One precaution: maintaining WordPress backups may use up all your limited drive space, unless you have unlimited disk space on your server account.

  • Enforce Strong Passwords and Usernames

    Create a complex password with uppercase and lowercase letters, and also include numbers and shift-key special characters such as those listed here:

    The easy passwords most people choose, such as birth dates (alphabetic or numeric), family names or your own name, a pet’s name, a Social Security number in full or in part, or people, places, and things closely associated with you, are easily guessed by hackers; anything that remotely relates to you is easy to crack.

    You must also force the users on your site (that you administer) to follow the strong-password rules above.

    Learning PHP and enforcing this in code is the best option; using a WordPress plugin to enforce strong passwords is the less secure alternative.
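    Enforcing the policy in code means hooking the places where WordPress accepts a new password and adding an error when it is too weak. The snippet below is an example added to this guide, not code from the page; the `sh_` prefix, the 14-character minimum and the list of personal identifiers it rejects are this example's own choices, and it assumes it is loaded from a theme's functions.php or an mu-plugin.

```php
<?php
/**
 * Password policy enforced in code (added example, not code from this guide).
 * Put it in your theme's functions.php or an mu-plugin. The "sh_" prefix, the
 * 14-character minimum and the identifier list are this example's own choices.
 */

/**
 * Return the rules a candidate password breaks (an empty array means it passes):
 * minimum length, upper and lower case, a digit, a special character, and no
 * personal identifier (username, display name, ...) embedded in it.
 */
function sh_password_problems( $password, array $identifiers = array(), $min_length = 14 ) {
    $problems = array();
    if ( strlen( $password ) < $min_length ) {
        $problems[] = "is shorter than {$min_length} characters";
    }
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password ) ) {
        $problems[] = 'needs both uppercase and lowercase letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'needs at least one digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'needs at least one special character';
    }
    foreach ( $identifiers as $id ) {
        $id = trim( (string) $id );
        if ( strlen( $id ) >= 3 && stripos( $password, $id ) !== false ) {
            $problems[] = 'contains the personal identifier "' . $id . '"';
        }
    }
    return $problems;
}

/** Collect the identifiers a password must not contain from a user object. */
function sh_identifiers_from( $user ) {
    $ids = array();
    foreach ( array( 'user_login', 'display_name', 'first_name', 'last_name', 'nickname' ) as $field ) {
        if ( ! empty( $user->$field ) ) {
            $ids[] = $user->$field;
        }
    }
    if ( ! empty( $user->user_email ) ) {
        $ids[] = strstr( $user->user_email, '@', true ); // local part of the address
    }
    return $ids;
}

/** Add one WP_Error entry per violation; any error makes WordPress reject the form. */
function sh_reject_weak_password( WP_Error $errors, $user ) {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( $password === '' ) {
        return; // no password change in this submission
    }
    foreach ( sh_password_problems( $password, sh_identifiers_from( $user ) ) as $problem ) {
        $errors->add( 'sh_weak_password', '<strong>Error</strong>: The password ' . esc_html( $problem ) . '.' );
    }
}

// Profile edits and user creation in wp-admin: ($errors, $update, $user).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    sh_reject_weak_password( $errors, $user );
}, 10, 3 );

// "Lost password" reset form: ($errors, $user).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    sh_reject_weak_password( $errors, $user );
}, 10, 2 );
```

    The check runs server-side on every route that sets a password, so it applies to every user you administer, not just those who happen to look at the strength meter.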

  • Use two-factor authentication (2FA)

    In the WordPress menu system you will find an option to enable a “2FA plugin”.

    This adds an extra layer of security to your login credentials. 2FA works by requiring a “second factor of authentication”: a code is sent to your phone to verify that the account being logged into is yours.

    Services such as Google’s and other online services offer this and it is the safer choice; or use a plugin at your own risk.

    Doing this hardens the WordPress platform against a hacker-intruder who attempts to log into your account and exploit your information from a different device.

    Here are some WordPress plugins you can use for 2FA:

    Google Authenticator
    Duo Two-Factor Authentication
    Two Factor Authentication
    Rublon 2FA

    As a WP Engine customer, you can implement Two-Factor authentication through the User Portal.

    Change or omit the “admin” username


    Now that you have your own WordPress blog-site, you need to change the automated default settings on it.

    Replacing the “admin” user-name with whatever name you want, one that looks like a regular user-name, improves site security greatly.

    WP Engine does not allow the use of the “admin” username and will automatically remove it for you, replacing it with an automated “wpengine account” name.

    This automated “wpengine account” name is the best option; otherwise use a name generator found on websites on the Internet or a stand-alone program, and “at all costs avoid WordPress plugins”.

    Limit Login Attempts


    By default WordPress does not limit how many times a user can guess a password in order to log in to a WordPress blog-site, and there is no menu setting for it.

    This presents a problem because determined hackers won’t give up.

    For example, a hacker could use a script to enter different password combinations (a brute-force attack) until they’ve cracked the password.

    To resolve this, follow these instructions to find the most recently updated plugin:

    Go to your search engine. Below the search box, at center-right, click “Tools” (a rectangular text icon). On the next line, toward center-left, click “Any time” and at the bottom of that drop-down choose “Past year”. In the next space beside the “Past year” option click “Sort by relevance”; the drop-down shows one option, “Sort by date”, so click it. Then type in the search box: “wordpress”+”login”+”limit”. This brings up results sorted by date, most recent first.

    NOW: you will see search results listing limited-login WordPress plugins.

    Choose a plugin at your own risk:
    • Login Lockdown
    • Limit Login Attempts
    • Jetpack Protect

    You can also white-list certain IP addresses (Jetpack Protect is great for this) for users who often forget or misplace their passwords.
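    If you would rather not install a plugin for this, the same limit can be implemented in a few lines against WordPress's own login hooks. The code below is an example added to this guide (not from the page or any of the plugins listed): it counts failed logins per client address in a transient and refuses further attempts for a while once the limit is hit. The `sh_` prefix, the limit of 5 and the 15-minute window are this example's choices, and it assumes `REMOTE_ADDR` is the real client address; behind a proxy or CDN, use the header your host documents instead.

```php
<?php
/**
 * Simple per-IP login throttle (added example, not code from this guide).
 * Failed logins are counted in a transient; once the limit is reached the
 * authenticate filter returns an error for the rest of the window. The
 * "sh_" prefix, the limit and the window length are this example's choices.
 * Behind a proxy/CDN, replace REMOTE_ADDR with the header your host documents.
 */

const SH_LOGIN_MAX_FAILS   = 5;        // failures allowed per window
const SH_LOGIN_WINDOW_SECS = 15 * 60;  // window length and lockout duration

/** Client address used as the throttle key (assumed to be the real client). */
function sh_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for one address; hashed to keep the option name short. */
function sh_fail_key( $ip ) {
    return 'sh_login_fails_' . md5( $ip );
}

// Record one failed attempt; the transient expires after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sh_fail_key( sh_client_ip() );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, SH_LOGIN_WINDOW_SECS );
    error_log( sprintf( 'login failed for "%s" from %s (%d/%d)',
        $username, sh_client_ip(), $fails, SH_LOGIN_MAX_FAILS ) );
} );

// Once locked out, answer with an error regardless of the credentials.
// Priority 30 runs after WordPress's own password checks (priority 20),
// so the lockout verdict is the one the login form sees.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $fails = (int) get_transient( sh_fail_key( sh_client_ip() ) );
    if ( $fails >= SH_LOGIN_MAX_FAILS ) {
        return new WP_Error( 'sh_too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SH_LOGIN_WINDOW_SECS / 60 ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so one typo does not linger.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( sh_fail_key( sh_client_ip() ) );
}, 10, 2 );
```

    Attempts made while locked out still fire `wp_login_failed`, so they refresh the window; the `error_log` line also gives you the failed-attempt record the monitoring section below asks for.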

  • Monitor Incoming Attacks

    Keep a log of incoming security attacks so you can review failed attempts. Here are a couple of tools that can help you with malware monitoring:

    • Sucuri Security
    • WP Security Audit Log

    These tools log malware scans, giving you tighter security and an easier diagnosis of any issues that might arise.

  • Use SSL for data security

    Enabling SSL is crucial to securing a WordPress blog-site.

    SSL (Secure Sockets Layer) encrypts all browser traffic sent to and from your site.

    That way the private data visitors share with your site stays private.

    Using SSL ensures hackers cannot read or intercept the browser data shared with your site.

    The secure tunnel SSL creates scrambles (encrypts) the data, which is especially important for sensitive information like credit card numbers, user-names, passwords, and private conversations.

    An SSL-certified site’s address starts with https://www.domain-DOT-com in the URL bar, while a non-SSL site begins with http://www.domain-DOT-com, for example.

    Hide WordPress Version From Hackers


    If you defer WordPress updates, you should consider hiding your WordPress version, because it leaves footprints that tell a hacker useful information about your site.

    There are three areas where your WordPress version number will be hidden:

    Try this: you can filter out the WordPress version number with the following code in functions.php:

    function wp_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wp_remove_version' );
    remove_action( 'wp_head', 'wp_generator' );

    The above code removes the version from the head area and the RSS feed. Why you would want to hide it from the dashboard as well is less clear, but the code further below may help with that.

    To add: open functions.php from your theme and add the following line:

    remove_action( 'wp_head', 'wp_generator' );

    To add: alternatively, add the code below to your functions.php:

    function disable_version() {
        return '';
    }
    add_filter( 'the_generator', 'disable_version' );
    remove_action( 'wp_head', 'wp_generator' );

    To add: this code hides all update notifications, such as plugin and WordPress upgrade notices, from the admin area:

    function my_custom_admin_footer() {
        echo '<style type="text/css">
        #wp-admin-bar-wp-logo, #wp-admin-bar-updates, #wp-admin-bar-comments, #wp-admin-bar-new-content,
        #dashboard_right_now .b-tags,
        #dashboard_right_now .tags, #wpfooter,
        #dashboard_right_now .b-comments,
        #dashboard_right_now .comments, #dashboard_right_now .b-posts,
        #dashboard_right_now .posts, #dashboard_right_now .table_discussion, #screen-meta-links, .plugin-version-author-uri, .plugin-update-tr, .update-plugins, .update-nag, #wp-version-message, #dashboard_right_now .main p {
            display: none;
        }
        </style>';
    }
    add_action( 'admin_footer', 'my_custom_admin_footer' );

    In addition, you should also make sure your readme.html file is removed from your install, as this exposes your version number.

    At WP Engine we prevent access to this file on our platform to make fingerprinting WordPress versions more difficult.

  • Relocate or rename the login page

    Hardening a WordPress install with bulletproof information must be researched via your favorite search engine:
    A.) Relocating your login page is resourceful. Not only does it hide the fact that you’re on WordPress, but it limits brute-force attacks on your login page.

    Many plugins out there make all this easy, but in the end they make your WP blog-site more vulnerable to hacker exploits.

  • Secure the wp-config file

    The wp-config file contains your website’s base configuration details, like database connection information. To protect your wp-config.php file from intrusion, add the following code to your .htaccess file to deny access to anyone browsing to it:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    For more information on moving the wp-config file, see the WordPress codex.

  • Use A Secure Hosting Environment

    Security measures built on plugins/themes are always security risks in themselves.

    If you do not invest in a secure hosting provider, these efforts are all for nothing.

    The first step is to secure a hardened WordPress install.

    Make sure your plugins are always updated.

    Also, if you are not using a specific plugin, delete it from the system.

WordPress Firewall Challenge:::
There are many plugins and services that can act as a firewall for your website in order to harden WordPress. Some of them work by modifying your .htaccess file and restricting some access at the Apache level, before it is processed by WordPress; good examples are iThemes Security and All In One WP Security. Some firewall plugins act at the WordPress level, like Wordfence, and try to filter attacks as WordPress is loading, but before it is fully processed. Besides plugins, you can also install a WAF (web application firewall) on your web server to filter content before it is processed by WordPress. The most popular open source WAF is ModSecurity.


A firewall:::
Must be added between your hosting company and the Internet (security in the middle), by modifying your DNS records to pass-through the firewall. That causes all traffic to be filtered by the firewall before reaching your site. A few companies offer such service, like CloudFlare, Sucuri and Incapsula.

Plugins that need write access:::
If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit, or check with someone you trust. Possible places to check are the Support Forums and IRC Channel.

Code execution plugins:::
As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins which allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack. A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.


Security Themes:::
Keep in mind some general ideas while considering security for each aspect of your system:

Limiting access:::
– Making smart choices that reduce possible entry points available to a malicious person.

– Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.

Preparation and knowledge:::
– Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

Trusted Sources:::
– Do not get themes from untrusted sources. Restrict yourself to the repository or well known companies. Trying to get themes (or plugins) from the outside may lead to issues.

Vulnerabilities on Your Computer:::
– Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer. Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like no-script (or disabling javascript/flash/java) in your browser.

Vulnerabilities in WordPress:::
– Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.
Updating WordPress

Main article: Updating WordPress:::
– The latest version of WordPress is always available from the main WordPress website. Official releases are not available from other sites; never download or install WordPress from any website other than the official one. Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date. If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.

Reporting Security Issues:::
– If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues. If you think you have found a bug, report it. See Submitting Bugs for how to do this. You might have uncovered a vulnerability, or a bug that could lead to one.

Web Server Vulnerabilities:::
– The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you. If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.

Network Vulnerabilities:::
– The network on both ends — the WordPress server side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network. Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

– Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords. WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Things to avoid when choosing a password:::
– Any permutation of your own real name, username, company name, or name of your website.
– A word from a dictionary, in any language.
– A short password.
– Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server. In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.

– When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them. Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.


[#2]: Optimize WordPress Performance with the wp-config.php File: “Hardcode your Blog Address and Site Address”

[#3]: 10 Steps To Secure Your WordPress Site – A Blog Post By Our Linux L3 Support Admin, Praveen

[#3]: All CloudLinux innovations, such as CageFS, aim to improve security and stability on servers. So where other operating systems will allow entire servers full of customers to go down, CloudLinux stays stable by isolating the impact to the offending tenant.

[#4]: Block URLs with robots.txt – Learn about robots.txt files

[#5]: Robots meta tag and X-Robots-Tag HTTP header specifications
and Block URLs with robots.txt – Test your robots.txt with the robots.txt Tester

[#6]: OAuth 1.0 for Google Accounts is going away
Some applications and websites use OAuth 1.0 for authentication when you’re signing in, and to access data that you’ve given them permission to access. OAuth 1.0 has been superseded by OAuth 2.0. Starting April 20, 2015, OAuth 1.0 will no longer work for Google Accounts. If you’ve seen a warning that’s brought you to this page, it means that you’re using an application or website with OAuth 1.0 and may be affected by this change. For more information, we recommend you visit that application’s help center, or contact its support team. If you’re a developer of an application that uses OAuth 1.0, please migrate to OAuth 2.0 by the shutdown date. Learn how to migrate to OAuth 2.0, and about the OAuth 1.0 end of life schedule.

To add: OAuth 1.0 is flawed and has become a major back door for hackers, so fix it: plugin authors, move your plugins to OAuth 2.0 or face the consequences.
[#7]: File Permissions:::
– Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment. It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files.

Here is one possible permission scheme:::
– All files should be owned by your user account and should be writable by you. Any file that needs write access from WordPress should be writable by the web server; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the web server process.

– The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
– The WordPress administration area: all files should be writable only by your user account.
– The bulk of WordPress application logic: all files should be writable only by your user account.
– User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:
– Theme files: if you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
– Plugin files: all files should be writable only by your user account.
– Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Changing File Permissions:::
If you have shell access to your server, you can change file permissions recursively with the following commands:
Directories: find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
Files:       find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
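Where shell access is missing but PHP CLI is available, the same scheme can be applied and then audited from a script. The one below is an example added to this guide (not code from the page): it walks the install, applies 755 to directories and 644 to files, and then lists anything still world-writable, which is the condition the scheme is meant to rule out. It assumes it is run as the file owner from the command line with the install path as its argument; the `sh_` prefix is this example's own.

```php
<?php
/**
 * Apply the 755/644 scheme from the text and report anything still
 * world-writable. Added example (not code from this guide); run from a shell
 * as `php wp-perms.php /path/to/your/wordpress/install`. It skips symlinks
 * and leaves ownership alone; if your host needs the web server to write to
 * uploads, re-add group write on that directory afterwards rather than 777.
 */

/** Iterator over everything below $root, directories before their contents. */
function sh_walk( $root ) {
    return new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
}

/** Paths under $root whose mode still grants write access to "other". */
function sh_world_writable( $root ) {
    $found = array();
    foreach ( sh_walk( $root ) as $path => $info ) {
        if ( ! $info->isLink() && ( $info->getPerms() & 0002 ) ) {
            $found[] = $path;
        }
    }
    return $found;
}

/** chmod directories to $dir_mode and files to $file_mode; returns counts. */
function sh_apply_scheme( $root, $dir_mode = 0755, $file_mode = 0644 ) {
    $counts  = array( 'dirs' => 0, 'files' => 0, 'failed' => 0 );
    $targets = array( $root => true ); // include the root directory itself
    foreach ( sh_walk( $root ) as $path => $info ) {
        if ( ! $info->isLink() ) {
            $targets[ $path ] = $info->isDir();
        }
    }
    foreach ( $targets as $path => $is_dir ) {
        if ( @chmod( $path, $is_dir ? $dir_mode : $file_mode ) ) {
            $counts[ $is_dir ? 'dirs' : 'files' ]++;
        } else {
            $counts['failed']++; // not owned by us, or a read-only mount
        }
    }
    return $counts;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    $root = rtrim( $argv[1], '/' );
    print_r( sh_apply_scheme( $root ) );
    foreach ( sh_world_writable( $root ) as $path ) {
        echo "still world-writable: {$path}\n";
    }
}
```

The `failed` count is worth watching: a non-zero value usually means some files are owned by the web server user rather than your account, which is exactly the situation the scheme above says to avoid.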
[# 8]: Securing wp-includes:::
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

If we open the wp-config.php file and look at the contents, you’ll see that it contains some sensitive information.

First, it contains all of the information that you entered during setup that gives access to your database.

WP database settings

It holds the database name, the user name, the password—everything that you need to be able to access that database. So as you can imagine, it’s very important to protect this file, because if somebody is able to read the contents of this file, they’re able to get into your database and do whatever they want.

Further down, there’s also a series of secret keys.

Secret WordPress keys

These keys work in various ways to help secure your website.

Below that, there’s the table prefix, which is another piece of very important information relevant to security.

WordPress table prefix

So there are a few steps that we’re going to go through to secure this file.

The first thing we’re going to do is generate a new set of secret keys. You can do that by going to the secret key generator website that WordPress provides. All you need to do is go to this URL and just hit refresh, and there will be a brand new set of keys generated for you. You can copy these and then paste them straight into your wp-config file, replacing the old keys.
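Since these are only random strings, they can equally be generated offline. The script below is an example added to this guide (not code from the page or from WordPress): it produces a fresh `define()` block for all eight keys and salts from PHP's CSPRNG, ready to paste over the old lines. It assumes PHP 7+ for `random_int`; the `sh_` prefix and the 64-character length are this example's choices. Note that replacing the keys invalidates every existing login cookie, so all users (including you) are logged out.

```php
<?php
/**
 * Generate a fresh set of the eight wp-config.php keys and salts locally,
 * as an offline alternative to the WordPress secret-key service mentioned
 * above. Added example, not code from this guide. Run: php gen-salts.php
 * and paste the output over the old define() lines in wp-config.php.
 */

const SH_SALT_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

/**
 * One secret of $length characters drawn from the CSPRNG (random_int, PHP 7+).
 * The alphabet deliberately omits ' and \ so the value is safe inside a
 * single-quoted PHP string literal.
 */
function sh_random_secret( $length = 64 ) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{}<>?.,:;|~';
    $max = strlen( $alphabet ) - 1;
    $out = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, $max ) ];
    }
    return $out;
}

/** The complete define() block, one line per key, ready to paste. */
function sh_salt_block() {
    $lines = array();
    foreach ( SH_SALT_NAMES as $name ) {
        $lines[] = sprintf( "define( '%s', '%s' );", $name, sh_random_secret() );
    }
    return implode( "\n", $lines ) . "\n";
}

echo sh_salt_block();
```

Generating locally keeps the new keys off the network entirely, which matters if you do not trust the path between your browser and the generator site.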

The next thing that we’re going to do is move the wp-config file. By default, it sits inside the root folder of your website. So that will be inside your public HTML folder, if your site is on your main domain, or inside whichever subdirectory you’re building your site in. But WordPress actually allows you to take that wp-config file and move it up one level, so it’s outside your public folder.

If you’re working offline, you can simply drag and drop this file, but in your online setup, you can use the move tool in your file manager. So just select your wp-config file, hit the move tool, and then change the directory that you want to have the file put into.

If this doesn’t work the first time, you may have to talk to your host and make sure that your server is set up in a way that is going to allow this.

Now we can add just one more security measure to help protect our wp-config file, and that is to add an htaccess file in the same directory to block anybody from accessing wp-config.php.

So in the same directory as your wp-config file, create an htaccess file. You can’t create a file with no extension, so here’s a workaround.

If you’re on a Mac, start by creating a plain text file called htaccess.txt. Then rename it, trimming the file extension off the end and adding a dot in front of it, so that the name is .htaccess.

Now we just confirm, but it’s still not fully applied yet, so what we also need to do is right-click on the file in Finder, choose Get Info, and then trim the .txt extension off the end in the Name & Extension field.

<files wp-config.php>
order allow,deny
deny from all
</files>