Securing your WordPress site

25 November 2014, in Hosting Security

WordPress is a very popular CMS (Content Management System), used by more than 20 percent of all websites on the internet. Unfortunately, that popularity also makes it a target: if you don’t protect your WordPress installation, it may fall victim to attacks. In this blog article we’ll give you the tips and tricks we recommend for securing your WordPress site.

How to secure your WordPress site

Backup your WordPress site

It’s important to keep backups of your website for several reasons. You can restore your website if a problem occurs while updating WordPress and its plugins, if you make a change that causes problems, or should your website get hacked.

Backing up your WordPress site consists of two parts: backing up the files and backing up the database. You can easily back up your files by downloading them with an FTP client (like FileZilla). Backing up your database is a little more involved: you can use phpMyAdmin if it is installed on your web server, or a WordPress plugin such as WP-DB-Backup or WP-DBManager.
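As an added example (not from the original article), the script below does both halves of the backup from the command line on a Linux host that has tar and mysqldump installed. It reads the database settings from wp-config.php, writes them to a temporary option file with mode 0600 so the password never appears on the mysqldump command line (where any local user could read it from the process list), dumps the database, and archives the install directory. The paths in the usage line are placeholders.

```python
import os
import re
import shutil
import subprocess
import tempfile
from datetime import datetime

# Matches define('DB_NAME', 'value'); with single or double quotes and optional spaces.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(text):
    """Return the DB_* constants from wp-config.php as a dict; fail loudly if one is missing."""
    cfg = dict(DEFINE_RE.findall(text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - set(cfg)
    if missing:
        raise ValueError(f"wp-config.php is missing {sorted(missing)}")
    return cfg


def split_host(db_host):
    """DB_HOST can be 'host', 'host:3306' or 'localhost:/path/to/mysqld.sock'."""
    host, _, extra = db_host.partition(":")
    if extra.isdigit():
        return host, int(extra), None
    if extra.startswith("/"):
        return host, None, extra
    return host, None, None


def defaults_file_contents(cfg):
    """MySQL option-file text; quoting the password keeps a '#' in it from starting a comment."""
    host, port, socket = split_host(cfg["DB_HOST"])
    password = cfg["DB_PASSWORD"].replace("\\", "\\\\").replace('"', '\\"')
    lines = ["[client]", f"user={cfg['DB_USER']}", f'password="{password}"', f"host={host}"]
    if port is not None:
        lines.append(f"port={port}")
    if socket is not None:
        lines.append(f"socket={socket}")
    return "\n".join(lines) + "\n"


def write_defaults_file(cfg, path):
    """Create the option file with mode 0600 so only the backup user can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(defaults_file_contents(cfg))


def mysqldump_cmd(cfg, defaults_file):
    # --defaults-extra-file must be the first argument or mysqldump ignores it.
    return ["mysqldump", f"--defaults-extra-file={defaults_file}",
            "--single-transaction", "--routines", cfg["DB_NAME"]]


def tar_cmd(wp_root, archive):
    # Archive the install directory by name, relative to its parent, so it restores cleanly.
    parent, name = os.path.split(os.path.abspath(wp_root))
    return ["tar", "-czf", archive, "-C", parent, name]


def backup(wp_root, dest_dir):
    """Dump the database and archive the files into dest_dir; returns both paths."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        cfg = parse_wp_config(fh.read())
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    sql_path = os.path.join(dest_dir, f"db-{stamp}.sql")
    tar_path = os.path.join(dest_dir, f"files-{stamp}.tar.gz")
    tmpdir = tempfile.mkdtemp()
    try:
        defaults = os.path.join(tmpdir, "backup.cnf")
        write_defaults_file(cfg, defaults)
        with open(sql_path, "w", encoding="utf-8") as out:
            subprocess.run(mysqldump_cmd(cfg, defaults), stdout=out, check=True)
    finally:
        shutil.rmtree(tmpdir)  # the credentials file never outlives the dump
    subprocess.run(tar_cmd(wp_root, tar_path), check=True)
    return sql_path, tar_path


if __name__ == "__main__":
    # Placeholder paths: adjust to your installation and your backup location.
    print(backup("/var/www/wordpress", "/var/backups/wordpress"))
```

Store the resulting files somewhere other than the web root, since a dump of wp_users and wp-config.php inside a publicly served directory is itself a leak waiting to happen.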

Use a different database table prefix

During the installation, you can tell WordPress which table prefix to use in the database. By default it’s “wp_”, but it’s wise to change this to something else. This makes SQL injection attacks that assume the default table names harder to carry out.

If you’ve already installed WordPress, it’s still possible to change the table prefix, either with a plugin or manually in the database and wp-config.php. However, this is not something we recommend, since there’s a chance it will break your site.
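For readers who want to see what the manual route actually involves, here is an added Python example (not from the article) that generates the SQL statements and the wp-config.php edit for a prefix change. The table list and config snippet it is run against are constructed; on a real site take the table list from SHOW TABLES, because plugins add tables of their own. The two UPDATE statements are the step that is easy to forget: the `<prefix>user_roles` option and the per-user `<prefix>capabilities` meta keys embed the prefix, and if they are not renamed along with the tables every administrator is locked out, which is how a prefix change "breaks your site".

```python
import re

# WordPress itself only accepts letters, digits and underscores in a prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
# The assignment line in wp-config.php, e.g.  $table_prefix = 'wp_';
CONFIG_PREFIX_RE = re.compile(r"""(\$table_prefix\s*=\s*)['"][^'"]*['"]""")


def prefix_change_sql(old, new, tables):
    """Return the SQL statements for moving `tables` from prefix `old` to `new`.

    Besides the table renames, two kinds of rows carry the prefix in their keys:
    the `<prefix>user_roles` option and user meta such as `<prefix>capabilities`
    and `<prefix>user_level`. Both must follow the rename or nobody can log in.
    """
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefixes may only contain letters, digits and underscores")
    if not new.endswith("_"):
        raise ValueError("end the new prefix with an underscore, e.g. 'site7_'")
    stmts = [
        f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
        for t in tables if t.startswith(old)
    ]
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # '_' is a wildcard in LIKE, so escape it; SUBSTRING() is 1-based, hence the +1.
    # Note: this also catches plugin meta keys that merely happen to start with the prefix.
    like_old = old.replace("_", r"\_") + "%"
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}';"
    )
    return stmts


def update_wp_config_prefix(config_text, new):
    """Return wp-config.php text with the $table_prefix assignment set to `new`."""
    if not PREFIX_RE.match(new):
        raise ValueError("invalid prefix")
    text, count = CONFIG_PREFIX_RE.subn(rf"\g<1>'{new}'", config_text)
    if count != 1:
        raise ValueError(f"expected one $table_prefix assignment, found {count}")
    return text


if __name__ == "__main__":
    # Constructed table list (WordPress core tables); a real site has more.
    demo_tables = ["wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
                   "wp_posts", "wp_terms", "wp_term_relationships", "wp_term_taxonomy",
                   "wp_usermeta", "wp_users"]
    print("\n".join(prefix_change_sql("wp_", "site7_", demo_tables)))
    print(update_wp_config_prefix("$table_prefix = 'wp_';\n", "site7_"))
```

Run the statements inside one transaction on a copy of the database first, and make the backup described above before touching the live site; the script only validates the prefix characters and produces text, it does not connect to anything.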


Keep your WordPress site up-to-date

The most important thing you can do to keep your website safe is to keep WordPress and its plugins up-to-date. Because WordPress is so popular, many attackers actively look for security issues in WordPress and its plugins that they can exploit.

Since WordPress 3.7, automatic updates are enabled by default for minor releases only, so you still have to update your plugins, and WordPress itself when a major release comes out, by hand. If you have disabled the automatic update feature, we recommend enabling it again; the chance that a minor update breaks something on your website is very small.

wp-login.php and wp-admin

Attackers try to get into the admin section of WordPress sites using brute force attacks, typically guessing passwords for the default username “admin”, so it’s best to change the admin username to something else. It’s also important to use a strong password of at least 8 characters, mixing lowercase and uppercase letters, numbers and symbols.

Attackers will keep trying, sometimes to the point where the attempts noticeably increase the load on your server. To put an end to this you can install a plugin called BruteProtect. BruteProtect logs the IP addresses that attack your site and blocks them across the entire BruteProtect network (your site included), so even distributed brute force attacks are blocked.


XMLRPC Pingback

Pingback is a feature used by blogs and is enabled by default in WordPress. It allows your website to send notifications to other blogs. You can find more information on Pingback here. This feature, however, can also be abused by attackers to launch a DDoS attack against other sites: your server is made to send the pingback requests, so your own site becomes slow and the load on your webserver rises.

To protect your site from these attacks you can use a plugin called Disable XML-RPC Pingback. You can find more information on the XMLRPC Pingback vulnerability here.
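Both of the last two sections describe attacks that show up in the web server access log long before a plugin is installed: a burst of POST requests to wp-login.php from one address (password guessing) or to xmlrpc.php (pingback abuse). The following added example (not from the article) parses Apache/nginx combined-format log lines and flags addresses that exceed a threshold inside a sliding window. The log lines, the addresses (documentation ranges) and the thresholds are all constructed; tune the limits to your own traffic before acting on them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log line: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, time (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["path"] = entry["path"].split("?", 1)[0]  # ignore the query string
    return entry


def burst(times, limit, window):
    """True when at least `limit` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= limit:
            return True
    return False


def analyse(lines, login_limit=10, xmlrpc_limit=20, window=timedelta(minutes=5)):
    """Flag IPs hammering wp-login.php (password guessing) or xmlrpc.php (pingback abuse).
    The default limits are constructed examples, not recommended values."""
    logins, xmlrpc = defaultdict(list), defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST":
            continue
        if e["path"].endswith("/wp-login.php"):
            logins[e["ip"]].append(e["time"])
        elif e["path"].endswith("/xmlrpc.php"):
            xmlrpc[e["ip"]].append(e["time"])
    return {
        "login_bruteforce": sorted(ip for ip, ts in logins.items() if burst(ts, login_limit, window)),
        "xmlrpc_flood": sorted(ip for ip, ts in xmlrpc.items() if burst(ts, xmlrpc_limit, window)),
    }


def _line(ip, second, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [25/Nov/2014:10:00:{second:02d} +0100] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one guessing host, one legitimate login,
# one pingback flood, and a few ordinary page views.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, "POST", "/wp-login.php", 200) for s in range(12)]
    + [_line("198.51.100.7", 30, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302)]
    + [_line("192.0.2.9", s, "POST", "/xmlrpc.php", 200) for s in range(25)]
    + [_line("198.51.100.7", s, "GET", "/", 200) for s in range(40, 45)]
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # {'login_bruteforce': ['203.0.113.5'], 'xmlrpc_flood': ['192.0.2.9']}
```

Point `analyse` at `open("/var/log/apache2/access.log")` (path is host-specific) to run it over a real log. Only POST requests are counted, because a normal visitor loads wp-login.php with GET once and then POSTs once; a legitimate xmlrpc.php client (a mobile app, for example) also stays far below the kind of rate a pingback flood produces.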

File permissions

It’s best to lock down your file permissions as much as possible. WordPress recommends 755 for directories and 644 for files (on Linux/Unix systems). You can set these with your FTP client (like FileZilla), usually by right-clicking the files and folders and editing the permissions. If you have SSH access to your webserver, you can change the file permissions with the following commands:

For directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
For files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
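The two find commands set the modes but do not tell you what was wrong beforehand. The added Python example below (not from the article) audits a WordPress tree against the same 755/644 expectation, singles out world-writable entries (the ones any local user, or a compromised neighbouring site on shared hosting, could modify), and then applies the same fix the find commands do. The `demo()` function builds a small constructed tree in a temporary directory so the audit can be tried without touching a real site.

```python
import os
import shutil
import stat
import tempfile

# What the article (and WordPress) recommends on Linux/Unix.
EXPECTED = {"dir": 0o755, "file": 0o644}


def audit_permissions(root, expected=EXPECTED):
    """Return [(relative_path, kind, mode)] for every directory or regular file
    under root whose mode differs from the expected one. Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected[kind]:
                findings.append((os.path.relpath(full, root), kind, mode))
    return findings


def world_writable(findings):
    """The subset to fix first: anything every local user can modify."""
    return [f for f in findings if f[2] & stat.S_IWOTH]


def fix_permissions(root, expected=EXPECTED):
    """Apply the expected modes (same result as the two find/chmod commands above)."""
    fixed = 0
    for rel, kind, _ in audit_permissions(root, expected):
        os.chmod(os.path.join(root, rel), expected[kind])
        fixed += 1
    return fixed


def demo():
    """Build a constructed WordPress-like tree with some bad modes, audit, fix, re-audit."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "wp-content", "plugins"))
        for rel in ("index.php", "wp-config.php", "wp-content/plugins/a.php"):
            with open(os.path.join(base, rel), "w") as fh:
                fh.write("<?php\n")
        os.chmod(os.path.join(base, "wp-content"), 0o777)               # world-writable directory
        os.chmod(os.path.join(base, "wp-content", "plugins"), 0o755)    # as recommended
        os.chmod(os.path.join(base, "index.php"), 0o644)                # as recommended
        os.chmod(os.path.join(base, "wp-config.php"), 0o664)            # group-writable config
        os.chmod(os.path.join(base, "wp-content/plugins/a.php"), 0o777)  # world-writable PHP
        before = audit_permissions(base)
        result = {
            "before": sorted(rel for rel, _, _ in before),
            "world_writable": sorted(rel for rel, _, _ in world_writable(before)),
            "fixed": fix_permissions(base),
            "after": audit_permissions(base),
        }
    finally:
        shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

To audit a real install, call `audit_permissions("/path/to/your/wordpress/install")` and review the list before running `fix_permissions` on it. Pass a different `expected` mapping if your hosting setup needs other modes (for example, when the web server runs as a different user than the one that uploads files).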

More security for WordPress

We recommend you start with the methods described above, but there are many more ways to improve the security of your WordPress site. If you’re interested, you might want to check out the Hardening WordPress page on the WordPress site.
