Ekto gammit

6 Simple Steps to Hardening WordPress

There are some basic steps you can take to limit your exposure to malicious activity directed at your WordPress install. My intention with this article is not to make your website bullet-proof (if such a thing exists) but to cover the most common exploits and weaknesses. File and directory permissions have been discussed elsewhere, but here is a reminder of the basic rule of thumb: set files to 644 and directories to 755. If you have to use less secure settings (on /wp-content/uploads/, for example) you don’t have a good host.

Failing to do the following doesn’t mean your blog will be hacked; it just means it’s more likely. So here we go:
Cover your privates (or: “Nice knickers there!”)

  1. Delete the unnecessary files /wp-admin/install.php and /wp-admin/upgrade.php ((Once you are finished with the installation or upgrade these files are no longer needed; your next install/upgrade will put them back))
  2. Delete default post and comment ((advertises “New Blog! Come SPAM me!”))
  3. Make it harder to reveal your SQL login info and help prevent users browsing where they shouldn’t: In your root directory (where wp-config.php resides) make sure there is a .htaccess file containing the following ((Turns off ftp-style browsing; only recognizes index.php and index.html as legitimate index files; doesn’t allow ANY remote access to wp-config.php)):
    Options -Indexes
    DirectoryIndex index.php index.html
    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>
    The Order/Deny lines must stay inside the <Files wp-config.php> block: written on their own they deny access to the entire site, not just to the config file (see the trackback below from someone whose monitoring caught exactly that). On Apache 2.4 the equivalent inside the same <Files> block is Require all denied.
  4. Change the permissions on wp-config.php to 600 (equivalent to rw-------) if possible ((One of the few exceptions to the standard 644 rule))
  5. Prevent browsing of directories not covered by WordPress: Drop an empty (0-byte) file named index.html in /wp-content/plugins/ or /wp-content/uploads/ (for example) ((The reason we use .html instead of .php is in case PHP breaks on the server we’re still covered at the HTTP level))
  6. For SPAM prevention, activate Akismet ((Akismet is great at weeding out spam comments)) (comes with WordPress) and install/activate Bad Behavior ((Bad Behavior stops a lot of spam/malicious activity before it ever hits your site)). These two plugins are the minimum in spam prevention in my opinion, but feel free to experiment on your own.
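Here is the filesystem side of the six steps as one script, added as an example and not code from the original post. Step 2 (the default post and comment) and step 6 (Akismet, Bad Behavior) are done in wp-admin and are not scripted. It assumes a POSIX shell with find and chmod, an Apache host that honours .htaccess (AllowOverride must include Options and the access directives), and that the .htaccess rules can simply be appended; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the filesystem side
# of the six hardening steps to one WordPress document root. Assumes a POSIX
# shell, find/chmod, and an Apache host that honours .htaccess.
set -eu

# Return 0 if $1 exists with exactly the octal mode $2 (e.g. 600).
mode_is() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Step 3: append the .htaccess rules unless they are already present. The Deny
# rules are scoped to wp-config.php with <Files>; written bare they would deny
# the whole site. The IfModule pair covers Apache 2.4 (Require) and 2.2 (Order).
protect_config_htaccess() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q '<Files wp-config.php>' "$ht"; then
        return 0
    fi
    cat >>"$ht" <<'EOF'
# hardening: no directory listings, only real index files
Options -Indexes
DirectoryIndex index.php index.html
# hardening: never serve wp-config.php, whatever PHP does
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# Apply the scriptable steps to the WordPress docroot in $1.
harden_wordpress() {
    root=$1
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php under $root" >&2; return 1; }

    # Step 1: installer and upgrader are dead weight once they have run.
    rm -f "$root/wp-admin/install.php" "$root/wp-admin/upgrade.php"

    # Step 5: an empty index.html keeps listings off even if PHP is broken.
    for d in wp-content/plugins wp-content/uploads wp-content/themes; do
        if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ]; then
            : >"$root/$d/index.html"
        fi
    done

    # Step 3: .htaccess rules for the docroot.
    protect_config_htaccess "$root"

    # Rule of thumb from the article: files 644, directories 755. Doing this
    # after the steps above also normalises the files just created.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Step 4: the DB credentials are readable by the owner only.
    chmod 600 "$root/wp-config.php"
}

# Return 0 when every scripted step is in place, 1 otherwise.
wp_is_hardened() {
    root=$1
    [ ! -e "$root/wp-admin/install.php" ] &&
        [ ! -e "$root/wp-admin/upgrade.php" ] &&
        mode_is "$root/wp-config.php" 600 &&
        grep -q '<Files wp-config.php>' "$root/.htaccess" 2>/dev/null &&
        [ -e "$root/wp-content/plugins/index.html" ]
}

# Usage: sh harden-wp.sh /var/www/html   (no argument: only define functions)
if [ -n "${1:-}" ]; then
    harden_wordpress "$1"
    wp_is_hardened "$1" && echo "hardened: $1"
fi
```

Run it as the user that owns the WordPress files, and check the site still loads afterwards: if the host's AllowOverride does not permit Options, Apache answers every request with a 500 until the Options line is removed.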

Another security consideration is your choice of host. I recommend a professional:

As always: Feedback welcome!

Posted in Computers, Things, WordPress
12 comments on “6 Simple Steps to Hardening WordPress”
  1. J. Pisano says:

    Love the new look of your site!

    J. Pisano -mustech.net

  2. Sam says:

    Thanks Joe! I was going to post about it but caught up in tweaking, etc., etc.

    Turned off no-follow too (don’t know why I didn’t do that earlier).

  3. Martin says:

    Thanks for this, I have just completed all the steps you listed except for step 3.

    Could you tell me exactly where I should insert the following in the htaccess file?

    Options -Indexes
    DirectoryIndex index.php index.html
    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>

  4. Sam says:

    Hi Martin:

    Here’s a copy of my current .htaccess file sans gzip and a php5 AddHandler:

    Options -Indexes
    Options +FollowSymLinks
    DirectoryIndex index.php index.html
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>

  5. Martin says:

    Thanks Sam, I have added it to my htaccess.

  6. senlin says:

    Thanks for the great “tutorial” 🙂

  7. Website Reviews says:

    With that htaccess file above, can I just add the bottom part starting at and be a bit more safe?

  8. Tommy says:

    Nice tutorial for anyone who is new to WordPress.

  9. Jerry Eflow says:

    Thanks, I usually use mod_security to gain maximum security for any site... but .htaccess and other tools are always welcome... nice mini tutorial, with easy doable steps... cheers mate.

  10. Geoff says:

    Are there any tools that can automatically check to see if the WP installation has had any extra spam files added etc.? One of my sites has been delisted at Google because somehow 4152 spam URLs/files had been added in the wp-includes/js/tinymce/themes/advanced/images/xp/ directory.

    It would be neat if there were a diff function from the known good WP to the installed WP; also some sort of recursive keyword search on the whole installation would be good.
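Geoff's two wishes, a diff of the live install against a known-good tree and a recursive keyword search, can be scripted without any plugin. The following is an added example (not from the original post and not a WordPress tool): take a manifest of a known-good tree (a fresh core download or your last clean backup), compare the live install against it, and list files matching a spam pattern. It assumes sha256sum or shasum, POSIX find and awk, paths without tab characters, and that wp-config.php should be skipped because it is site-specific by design; the function names and the sample keyword list are my own.

```shell
#!/bin/sh
# Added example, not from the original post or any WordPress tool. Builds a
# SHA-256 manifest of a known-good WordPress tree, diffs a live install against
# it (added / modified / removed files) and greps for spam keywords.
set -eu

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "<sha256><TAB><relative path>" for every regular file under $1, sorted
# by path. wp-config.php is skipped: it legitimately differs per site.
wp_manifest() {
    (cd "$1" && find . -type f ! -name wp-config.php | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s\t%s\n' "$(sha256_of "$f")" "$f"
        done)
}

# Compare the live tree $1 against the manifest file $2. Prints one line per
# difference and returns 1 if any were found, 0 if the tree is identical.
wp_verify() {
    [ -f "$2" ] || { echo "no manifest at $2" >&2; return 2; }
    report=$(wp_manifest "$1" | awk -v base="$2" '
        BEGIN {
            FS = "\t"
            while ((getline line < base) > 0) { split(line, a, "\t"); want[a[2]] = a[1] }
        }
        {
            got[$2] = 1
            if (!($2 in want))       print "added    " $2
            else if (want[$2] != $1) print "modified " $2
        }
        END { for (p in want) if (!(p in got)) print "removed  " p }')
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# List files under $1 that match the extended regex $2. Returns 1 on any hit.
wp_keyword_scan() {
    hits=$(find "$1" -type f -exec grep -lE "$2" {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample pattern; extend it with whatever the spam on your site used.
SPAM_RE='viagra|cialis|casino|payday loan'

# Usage: sh wp-verify.sh baseline /path/to/clean/wordpress > wp.manifest
#        sh wp-verify.sh verify   /var/www/html wp.manifest
case "${1:-}" in
    baseline) wp_manifest "$2" ;;
    verify)   rc=0
              wp_verify "$2" "$3" || rc=1
              wp_keyword_scan "$2" "$SPAM_RE" || rc=1
              exit "$rc" ;;
esac
```

Files under wp-content/uploads, themes and plugins will show up as "added" when the baseline is a bare core download, which is the point: anything the manifest does not know about needs a look. In Geoff's case the 4152 files would all appear under wp-includes/js/tinymce/themes/advanced/images/xp/ as added, with the keyword scan flagging the ones that carry spam text.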

  11. Equal says:

    Thanks for the tutorial.

  12. Eyal Estrin says:

    Check out my step-by-step guide for hardening WordPress 2.9.2

3 Pings/Trackbacks for "6 Simple Steps to Hardening WordPress"
  1. […] 6 simple steps to hardening WordPress […]

  2. Piet Bos dot ME » links for 2008-10-03 says:

    […] Sam Devol:6 simple steps to hardening WordPress (tags: WordPress security) […]

  3. Migration complete | Matt40k says:

    […] next problem which actually caused me downtime was the fact I was hardening my WordPress install and ended up denying access for everyone, which caused my HTTP monitoring to […]
