How to Secure Your WordPress Site

So how do you stop your WordPress site from being. Follow our guide on how to secure your WordPress site.

Force SSL Usage

To protect against data being intercepted, use SSL connections to access the admin area of the blog. Forcing WordPress to use SSL is possible, but not all hosting services allow you to use SSL. Once you’ve checked that your Web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation) and paste the following:

define('FORCE_SSL_ADMIN', true);

Use .htaccess to protect the wp-config File

The wp-config.php is one of the most important files on your blog. This file contains all of the information required to access your precious database: username, password, server name and so on. Protecting the wp-config.php file is critical.

The .htaccess file is located at the root of your WordPress installation. Open it up and paste the following code. ALWAYS CREATE A BACKUP OF THIS FILE BEFORE EDITING:

<files wp-config.php>
order allow,deny
deny from all
</files>


How the code works

.htaccess files are powerful and are one of the best tools to prevent unwanted access to your files. In this code, we have simply created a rule that prevents any web access to the wp-config.php file, thus ensuring that no evil bots can access it. This only stops the file from being served over HTTP; WordPress itself still reads it from disk as normal, so the site keeps working.

Protect Your WordPress Blog from Script Injections

Masterman Enterprises always protects GET and POST requests, but sometimes this is not enough. You should also protect your blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.

The code below blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file. ALWAYS CREATE A BACKUP OF THIS FILE BEFORE EDITING.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

What the code above does is check whether the request’s query string contains a <script> tag and whether it tries to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser. Note that only the query string is tested, not the path or the POST body.
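To see exactly which requests the three RewriteCond lines accept and reject before putting them live, here is an added Python simulator (not code from the original post) that applies the same patterns to a few constructed sample URLs. It assumes the escaped form of the patterns shown above and mirrors Apache’s behaviour of testing the raw, still-percent-encoded query string; the last sample shows the rule’s main side effect, a false positive on harmless markup.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the .htaccess snippet above, with the
# backslash escapes the snippet needs. Apache evaluates them with PCRE; the
# same patterns are valid for Python's re module.
SCRIPT_TAG = re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)  # [NC]
GLOBALS_OVERRIDE = re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")          # case-sensitive
REQUEST_OVERRIDE = re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")         # case-sensitive


def is_blocked(url: str) -> bool:
    """True if the rule would answer this request with 403 (RewriteRule [F])."""
    # %{QUERY_STRING} is the raw, still-percent-encoded query, which is why the
    # first pattern has to spell out both "<" and "%3C". The path is never tested.
    query = urlsplit(url).query
    return any(p.search(query) for p in (SCRIPT_TAG, GLOBALS_OVERRIDE, REQUEST_OVERRIDE))


def classify(urls):
    """Map each URL to "403" or "allowed", as the rule would decide it."""
    return {u: ("403" if is_blocked(u) else "allowed") for u in urls}


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    "/?p=123",                                       # ordinary post request
    "/?s=javascript+tutorial",                       # "script" alone is not enough
    "/index.php?name=%3Cscript%3E1%3C/script%3E",    # percent-encoded tag: caught
    "/?q=<SCRIPT>x</SCRIPT>",                        # [NC] makes this case-insensitive
    "/?GLOBALS[user]=admin",                         # the \[ branch
    "/?_REQUEST=1",                                  # the = branch
    "/?comment=<b>postscript</b>",                   # false positive: harmless markup
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {url}")
```

Run it whenever you edit the patterns; any legitimate URL of your own site that comes back as "403" is a visitor you would be locking out.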

Hide login page error feedback

Remove your error feedback to stop anyone from testing potential logins.

See, normally when you try to log in and mess something up, WordPress shows a sentence or two explaining that either your username or your password is incorrect. While this is helpful for you and your site’s members, it’s also helpful for anyone trying to do bad things to your site.

Luckily it’s just a simple addition to your theme’s functions.php file to get rid of this info. ALWAYS CREATE A BACKUP OF THIS FILE BEFORE EDITING:

// Return nothing in place of the login error text. A closure is used here because
// create_function() was removed in PHP 8.
add_filter('login_errors', function ($error) { return null; });

Prevent Directory Browsing

By default a lot of hosts allow directory listing. To see if yours does, type the address of a directory on your site into the browser’s address bar; if listing is enabled, you’ll see all of the files in that directory. This is definitely a security risk, because a hacker could see the last time that files were modified and access them.

Just add the following to the Apache configuration or your .htaccess file. ALWAYS CREATE A BACKUP OF THIS FILE BEFORE EDITING.

Options -Indexes

Secure WordPress Database

  1. Create a database user with limited access. Create a user that can access this database only, and grant it only the SQL commands it needs on this database (select, insert, delete, update, create, drop and alter).
  2. Pick a strong database password. It can be as random as possible because you don’t have to remember it.

Hide WordPress Version in the Header Tag

Even if you have deleted the WordPress version meta data from your theme, you may still get a WordPress version line in the page returned by the blog software. The culprit is that, since version 2.5, WordPress has generated this line itself.
