First: WordPress Security

One of the reasons I have shied away from WordPress is the fact it is “open source” and widely used. In my opinion (based on 24+ years in the web making business), open source is the first issue because the WordPress code is open and available to the public — including open to those with less than reputable motives. For some reason, there are people who want to break the code and attack websites for no other reason than “they can.” Others will (do) attack websites to steal information, infect visitors or even redirect readers to other websites for nefarious reasons.

To me, another security risk factor is that WordPress is — by far — the most used blogging/web-publishing platform on the internet today. The fact that so many websites use the open source coding is a huge motivator to those who seek to do harm. By cracking one program, a “hacker” can affect millions of unprotected websites around the world, which is/was kind of a deal breaker for me.

When I decided that I was going to use WordPress for my websites, I also decided that I would do everything I could to make it as secure as possible. I know I’ll never underestimate the brilliance of the dedicated coder — but I can do what I can to keep my site safe from the hack-bots and creepy crawlers of the world-wide-web.

I am hosting my own WordPress files, code, and database. For MOST users who use a service like, GoDaddy, or other hosted services, the security is built in at the host level and most of my concerns are addressed. Folks who use hosting services should look into methods of backing up all files including photos and other media and even the database, which I will get into later. For me, I’ll be keeping a local (on my own computer) version of all files, folders, and database at all times. This way, if my hosting service should wake up dead one morning (which has happened to me twice), I can easily deploy everything on a new server in a few hours.

After I installed WordPress and the associated database, I immediately changed all my passwords to ones that are difficult to figure out, using a combination of capital letters, numbers and special characters. I allowed my browser to remember these passwords on my computer since it too is password protected.

After I configured my email to work properly, I tested the site by logging onto it online (no errors) and posted my first test post (no errors). I went back into the WordPress settings and checked “auto update.” This is very important!

Up To Date WordPress & Plugins

The most common hacks or injections on WordPress happen because of outdated software, themes or plugins. Your trusted software developers are constantly updating the software to keep it safe and counteract the efforts of would-be hackers. You should always keep everything up to date and current. The latest version of WordPress is always available on the main website at and your plugin developers should have the same. WordPress is set to auto update by default. You can check the status by logging onto your dashboard and clicking the update tab on the left ({yoursite}/wp-admin/update-core.php).

Strong Password

The next most common way hackers find their way into your website is by figuring out your password. They have little programs that run through thousands of possibilities to attempt to gain access to your beloved files. A strong password in an important aspect of securing your application from would-be wrongdoers. A strong password is not only necessary to protect your blog content, but it also prevents hackers from installing malicious code and scripts that can potentially compromise the entire server.

Things to avoid when choosing a password.
   Any permutation of your own real name, username, company name, or name of your website.
    A word from a dictionary, in any language.
    A short password.
    Any numeric-only or alphabetic-only password (a mixture of both is best). 

As I said, I prefer passwords that are difficult to figure out, using a combination of capital letters, numbers and special characters.

File and Folder Permissions

IF there is no need to install any plugins, no need to use the theme editor, nor install any WordPress updates, the ONLY folder that required write permissions is the /wp-content/uploads/ folder (for images/media). Everything else should have read access only.

If you want/need to allow plugin install/updates, you need to allow write permissions to the /wp-content/plugins/ folder.

If you want/need to allow the use of the theme editor — including theme updates — then you also have to allow write permissions on the /wp-content/themes/ folder. Note: If you only edit/add themes and plugins rarely, it is good practice to remove the write edit permissions once you are finished making your changes.

All said; if you want to allow that “auto-update” feature of WordPress to keep everything up to date at all times, you will need to give read/write permissions on the root folder. This is the least secure option but also the most common way to install it — mostly for convenience. Alternatively, you can edit the permissions for all of the above back to write only (except the uploads folder) if you wish to achieve the highest level of security possible.

All said: The above applies to outside attacks – if your password is compromised, then none of the efforts above will make any difference at all.

Note: I will be working on a schema using Adobe Dreamweaver to modify my installation and only upload the modified files, eliminating the need to continually modify folder permission on the live server. More to come on that — link when it’s complete.

Hide the wp-config.php file

This is a hacker magnet, a file that holds a lot of very sensitive information about the installation of WordPress on your server. Up to and including your database password (YIPES). I found a great article about how to move this to another location for safe keeping… “Harden WordPress Security By Moving wp-config.php to a Non-public Folder” By Jack Busch

Disable File Editing

Speaking of the wp-config.php file, you are able to use this file (now in a top secret location) to prevent people from editing the pages in your folder/website. See, the WordPress dashboard allows administrators to edit PHP files directly from the dashboard and this is often a tool an attacker will use should they gain access to your login (not possible because you have an incredibly strong password). This gets a little tricky but all you have to do is edit the wp-config.php by adding this line and is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:

define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site but might stop some attacks.

Delete the default “admin” account

When your WordPress website is created, by default, the first account created is the admin account (which has FULL access to all settings).

On a brand new install, you can simply create a new Administrative account and delete the one created by default.

On an existing WordPress installation, you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = ‘newuser’ WHERE user_login = ‘admin’;,  — or by using a MySQL frontend like phpMyAdmin.

Change the table_prefix

Since every installation of WordPress is exactly the same, intruders know what the table names are in your database. They all have a prefix of “wp_” by default. By changing the prefix of the tables, you are making it much more difficult for attackers to exploit some SQL injection attacks. It is best to do this during the initial installation.

Backup everything regularly!

Backup your entire website, including the folder structure using your favorite FTP program. You also want to keep a complete backup of your database. In high-value situations, especially with many contributors, you’re going to want to backup very often, once or more per day. For the casual blogger, once a month should be fine but the more often the better.

Keep your backups organized. For example, if you are backing up every day, create a folder with the structure…


This way you will always know what the latest backup is and make it easier to clean up the folder periodically.

That said, if you are administering a large WordPress website, you should look into automating the backup process for both the FTP and database elements of your site.

Be wary of Phishing expeditions…

Since everyone knows you’re using WordPress, and most installations are exactly the same, it’s very easy for a bad actor to compose an email that looks like it legitimately came from your own website. Be wary of urgent messages, especially with links from “your server.” When in doubt, don’t click on anything on the email, go directly to your dashboard and check everything out on your own. It may be confusing because there’s nothing wrong, but of course there’s not, the email likely came from another country, completely unrelated to your installation of WordPress.


The time to think about security at the beginning, but also in the middle and end. Setting a great security foundation from which to build your creative outlet will pay off in the long run. Protect yourself, your server, and even your readers and subscribers by instituting a tangible website protection policy from the moment it is deployed.