There are some basic steps you can take to limit your exposure to malicious activity directed at your WordPress install. My intention with this article is not to make your website bullet-proof (if such a thing exists) but to cover the most common exploits and weaknesses. File and directory permissions have been discussed elsewhere, but here is a reminder of the basic rule of thumb: set files to 644 and directories to 755. If you have to use looser settings (a world-writable /wp-content/uploads/, for example, because PHP runs as a shared web-server user rather than as you) you don’t have a good host.
Failure to do the following doesn’t mean your blog will be hacked; it just means it’s more likely. So here we go:
..Cover your privates (or: “Nice knickers there!”)…
- Delete the unnecessary files /wp-admin/install.php and /wp-admin/upgrade.php ((Once the installation or upgrade is finished these files are not needed. A later core upgrade will put them back, so delete them again afterwards))
- Delete the default post and comment ((They advertise “New blog! Come SPAM me!”))
- Make it harder to reveal your SQL login info and stop visitors browsing where they shouldn’t: in your root directory (where wp-config.php resides) make sure there is a .htaccess file containing the following ((Turns off ftp-style directory listings; only recognizes index.php and index.html as legitimate index files; doesn’t allow ANY remote access to wp-config.php. The Files block is what scopes the deny to that one file; an Order/Deny pair outside it would lock out the entire site. The deny matters most if the PHP handler ever breaks, because Apache would then serve wp-config.php as plain text, database password included. Two caveats: the Order/Deny syntax is Apache 2.2, and on Apache 2.4 you put Require all denied inside the Files block instead; and if your host’s AllowOverride doesn’t permit Options in .htaccess, the first line produces a 500 error, so drop it and rely on the index.html files described below)):
Options -Indexes
DirectoryIndex index.php index.html
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
- Change permissions on wp-config.php to 600 (equivalent to rw-------) if possible ((One of the few exceptions to the standard 644 rule. This only works when PHP runs as the file’s owner, as under suPHP or FastCGI; if PHP runs as the shared web-server user, 600 stops WordPress reading its own config, and 640 with the file group-owned by that user is the closest you can get))
- Prevent browsing of directories not covered by WordPress: drop an empty (0-byte) file named index.html into /wp-content/plugins/ and /wp-content/uploads/ (for example) ((The reason we use .html instead of .php is that if PHP breaks on the server we’re still covered at the HTTP level; it also doesn’t depend on the Options line in .htaccess being honoured))
- For spam prevention, activate Akismet ((Akismet is great at weeding out spam comments)) (it comes with WordPress) and install and activate Bad Behavior ((Bad Behavior stops a lot of spam and malicious activity before it ever hits your site)). These two plugins are the minimum in spam prevention in my opinion, but feel free to experiment on your own.
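The steps above as one script, added here as an example and not code from the original post: it removes the leftover installer scripts, drops the index.html placeholders, appends the .htaccess listing controls and the wp-config.php deny block, applies the 755/644 rule of thumb and the wp-config.php exception, and then audits the result so you can see what is still wrong. It assumes a Linux host with bash, find and coreutils, and that PHP runs as the file owner (pass 640 as the second argument if it runs as the shared web-server user). The function names harden_wp, audit_wp and ensure_htaccess are my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the post. Applies the hardening steps above
# to a WordPress document root and audits the result.
# Assumption: PHP runs as the file owner (suPHP/FastCGI). If it runs as the
# shared web-server user, call harden_wp DOCROOT 640 and give that user's
# group ownership of wp-config.php instead of using 600.
set -u

# Append the listing controls and the deny block for wp-config.php to the
# root .htaccess, each only once. Order/Deny is Apache 2.2 syntax; on 2.4
# the two lines inside <Files> become: Require all denied
ensure_htaccess() {
    local ht="$1/.htaccess"
    grep -q '^Options -Indexes' "$ht" 2>/dev/null || printf 'Options -Indexes\n' >> "$ht"
    grep -q '^DirectoryIndex ' "$ht" 2>/dev/null || printf 'DirectoryIndex index.php index.html\n' >> "$ht"
    if ! grep -q '<Files wp-config.php>' "$ht" 2>/dev/null; then
        printf '<Files wp-config.php>\nOrder Deny,Allow\nDeny from all\n</Files>\n' >> "$ht"
    fi
}

# harden_wp DOCROOT [WP_CONFIG_MODE]
harden_wp() {
    local root="$1" cfgmode="${2:-600}" d
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Installer/upgrader scripts are dead weight once setup is done; a core
    # upgrade restores them, so run this again after upgrading.
    rm -f "$root/wp-admin/install.php" "$root/wp-admin/upgrade.php"

    # An empty index.html stops listings at the HTTP level even when PHP is
    # broken or the Options line in .htaccess is not honoured.
    for d in wp-content/plugins wp-content/themes wp-content/uploads; do
        if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ]; then
            : > "$root/$d/index.html"
        fi
    done

    ensure_htaccess "$root"

    # Rule of thumb: 755 on directories, 644 on files, done last so the
    # files created above get the same treatment; then the one exception.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod "$cfgmode" "$root/wp-config.php"
    fi
    return 0
}

# audit_wp DOCROOT [WP_CONFIG_MODE]: prints one line per problem and
# returns the number of problems (0 means every check passed).
audit_wp() {
    local root="$1" cfgmode="${2:-600}" n=0 d f bad
    for f in wp-admin/install.php wp-admin/upgrade.php; do
        if [ -e "$root/$f" ]; then echo "leftover installer script: $f"; n=$((n + 1)); fi
    done
    for d in wp-content/plugins wp-content/themes wp-content/uploads; do
        if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ]; then
            echo "no index.html in $d"; n=$((n + 1))
        fi
    done
    if ! grep -q '<Files wp-config.php>' "$root/.htaccess" 2>/dev/null; then
        echo ".htaccess has no deny block for wp-config.php"; n=$((n + 1))
    fi
    # find prints the path only if the mode matches exactly.
    if [ -z "$(find "$root/wp-config.php" -prune -perm "$cfgmode" 2>/dev/null)" ]; then
        echo "wp-config.php is not mode $cfgmode"; n=$((n + 1))
    fi
    bad=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    if [ "$bad" -gt 0 ]; then echo "$bad directories are not 755"; n=$((n + bad)); fi
    bad=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
    if [ "$bad" -gt 0 ]; then echo "$bad files are not 644"; n=$((n + bad)); fi
    return $(( n > 255 ? 255 : n ))
}

# Usage: bash harden_wp.sh /var/www/html [640]
if [ $# -ge 1 ]; then
    harden_wp "$1" "${2:-600}" && audit_wp "$1" "${2:-600}"
fi
```

Run audit_wp on its own first to see what a host has left open; after harden_wp it should come back silent with status 0. The chmod pass runs last on purpose, so the placeholder files and the edited .htaccess end up at 644 whatever your umask is.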
Another security consideration is your choice of host; I recommend a professional one.
As always: Feedback welcome!

Sam,
Love the new look of your site!
Regards,
J. Pisano -mustech.net
Thanks Joe! I was going to post about it but caught up in tweaking, etc., etc.
Turned off no-follow too (don’t know why I didn’t do that earlier).
Thanks for this, I have just completed all the steps you listed except for step 3.
Could you tell me exactly where I should insert the following in the .htaccess file?
Options -Indexes
DirectoryIndex index.php index.html
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
Hi Martin:
Here’s a copy of my current .htaccess file sans gzip and a php5 AddHandler:
Options -Indexes
Options +FollowSymLinks
DirectoryIndex index.php index.html
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
Thanks Sam, I have added it to my .htaccess.
Thanks for the great “tutorial” 🙂
With that htaccess file above, can I just add the bottom part starting at and be a bit more safe?
Nice tutorial for anyone who is new to WordPress.
Thanks, I usually use mod_security to gain maximum security for any site, but .htaccess and other tools are always welcome. Nice mini tutorial with easy, doable steps. Cheers mate.
Are there any tools that can automatically check whether the WP installation has had any extra spam files added, etc.? One of my sites has been delisted by Google because somehow 4152 spam URLs/files had been added in the wp-includes/js/tinymce/themes/advanced/images/xp/ directory.
It would be neat if there was a diff function from the known-good WP to the installed WP; also some sort of recursive keyword search on the whole installation would be good.
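The diff the comment above asks for, added here as an example and not something from the post or its comments: it hashes every core file in a pristine WordPress download of the same version and in the live install, reports files that were added, modified or removed, and separately flags any PHP file under wp-content/uploads, which should only ever hold media. It needs bash, find, awk and either sha256sum or shasum. The function names (manifest, compare_trees, php_in_uploads) and the choice to leave wp-config.php and wp-content out of the core diff are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the post or its comments: diff an installed
# WordPress core against a pristine copy of the same version, then check
# wp-content/uploads for PHP files. Needs bash, find, awk and either
# sha256sum (coreutils) or shasum (Perl). Function names are my own.
set -u

# Print only the SHA-256 hex digest of one file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# manifest DIR: one "<digest><TAB><relative path>" line per core file, sorted.
# wp-config.php and wp-content/ are site-specific (config, plugins, themes,
# uploads), so they are excluded here; uploads get their own check below.
manifest() {
    ( cd "$1" && find . -type f ! -path './wp-config.php' ! -path './wp-content/*' | sort |
      while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
      done )
}

# compare_trees PRISTINE INSTALLED: prints ADDED / MODIFIED / MISSING lines
# (relative to the pristine tree) and returns 0 only when the core matches.
compare_trees() {
    local a b out
    a=$(mktemp) && b=$(mktemp) || return 2
    manifest "$1" > "$a"
    manifest "$2" > "$b"
    out=$(awk -F'\t' '
        FILENAME == ARGV[1] { good[$2] = $1; next }   # pristine manifest
        {
            seen[$2] = 1
            if (!($2 in good))       print "ADDED    " $2
            else if (good[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in good) if (!(p in seen)) print "MISSING  " p }
    ' "$a" "$b" | sort)
    rm -f "$a" "$b"
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# php_in_uploads DOCROOT: uploads should only hold media, so any PHP there
# is a finding on its own. Prints the paths, returns 1 if any were found.
php_in_uploads() {
    local up="$1/wp-content/uploads" hits
    [ -d "$up" ] || return 0
    hits=$(find "$up" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \))
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# Usage: bash wpdiff.sh /tmp/wordpress-pristine /var/www/html
if [ $# -eq 2 ]; then
    compare_trees "$1" "$2"
    php_in_uploads "$2"
fi
```

Unpack a fresh download of the exact version you run and point the first argument at it; the case in the comment, thousands of files dropped into a wp-includes/js/ subdirectory, shows up as a list of ADDED lines. A recursive keyword search (eval, base64_decode and the like) over the whole tree is noisy because core itself uses some of those functions, so grep only the files this script reports plus anything under wp-content.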
Thanks for the tutorial.
Check out my step-by-step guide for hardening WordPress 2.9.2
http://eyalestrin.blogspot.com/2010/05/hardening-guide-for-wordpress-292.html