Improving WordPress Security

It is well known that WordPress (WP) is the most popular Content Management System (CMS) on the World Wide Web. Developed in PHP and backed by MySQL databases, WordPress is used by an astonishing 8.5% of all websites. Web-delivered malware and website cracking are becoming increasingly common. With such a large percentage of web content using WordPress as its CMS, any security vulnerability in WordPress’ code or framework could affect millions of websites. In this article, I’ll explain how you can best protect your WordPress-developed website from malware and cracking.

Audit Overall Work Station Security

First of all, make sure that any and all PCs and web servers you use are kept properly secure. Run the most recent release of your favorite web browser, and make sure it’s set to patch automatically. Do the same with your antivirus software and operating systems. Make sure that every authentication vector you use has a secure password, changed every so often. Scan your PCs and servers for malware frequently. Use proper firewalls: at the OS level, at the router level and, if at all possible, at the ISP level. Any security hole outside of WordPress, in the software and hardware you use with it, can affect the CMS itself. It’d be sad to create a really secure password for your WordPress admin account, only to find out a keylogger defeated all of your effort.

Keep WordPress Updated

The next step is to make sure you always have the most recent version of WordPress installed. Updating WordPress is relatively quick and easy, and can be done through the WordPress panel in your web browser. If the most recent version of WordPress is incompatible with the versions of PHP and MySQL installed on your web server or web host, I strongly recommend you go to the effort of upgrading those so that your version of WordPress can stay up to date. Obsolete versions of WordPress no longer get security patches, much the same way that older OSes see their support expire.

Report Bugs and Vulnerabilities

If you ever discover security vulnerabilities on your own, do the community a favor by sending a detailed e-mail to If the vulnerability is in a plug-in instead, e-mail You would want other web developers to report loopholes that may affect your website, so treat others as you would like to be treated! Just avoid writing about those newly discovered vulnerabilities on the web or on social networking sites, so that information doesn’t fall into the wrong hands.

Check For Exploits

Every so often, run a scan using your Acunetix Web Vulnerability Scanner, or from your Acunetix Online Vulnerability Scanner account to check for indications of vulnerabilities or malicious activity. Acunetix scans do not directly repair any issues, but they will provide you with easy solutions to fix those web security/configuration issues.

Disable Custom HTML When Possible

WordPress can use custom HTML for various functions. If that isn’t absolutely necessary for the form and function of your website, you may want to disable unfiltered HTML by adding the following line to your wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );

Don’t Look Brand New

Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them you have a new WordPress site, and brand new sites are often easier to hack.

It’s easier to hack a WordPress site when you know which version is installed, so be sure to hide the version everywhere except the admin area. Be sure to remove information about your theme too.
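As an added illustration (not code from this article or from any plugin it names), a must-use plugin that removes the places where WordPress core prints its own version on the public side. The file path under wp-content/mu-plugins/ and the function name are assumptions; remove_query_arg() and the hooks used are core WordPress APIs.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example, not part of the article)
 * Save as wp-content/mu-plugins/hide-wp-version.php (assumed path; files in
 * mu-plugins/ load automatically, so the change survives theme switches).
 */

// Drop the <meta name="generator" content="WordPress X.Y"> tag from <head>
// and blank the generator string that RSS/Atom feeds and RSD output print.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Strip the ?ver=X.Y.Z query string WordPress appends to enqueued script and
 * style URLs; core's own assets default to the core version, which leaks it
 * even with the meta tag gone. Assumed function name.
 */
function hwv_strip_version_query( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hwv_strip_version_query', PHP_INT_MAX );
add_filter( 'script_loader_src', 'hwv_strip_version_query', PHP_INT_MAX );
```

The readme.html file in the web root still states the version, so delete or block it as well, and since stripping ver= removes core's cache busting, purge caches after each update. Hiding the version only slows reconnaissance; keeping WordPress updated is what actually removes the vulnerability.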

Also, remove all instances of “Powered by WordPress” footers, as crackers use the phrase to find sites to crack into via search engines. That footer also indicates new WordPress sites, or sites developed by newbies, whether or not that actually applies to you.

Change a couple of the default file and directory names. Go to Settings > Miscellaneous in your admin console and change the names of the "wp-content/" directory and "wp-comments-post.php". Make sure to change the template URL within the template and the reference to "wp-comments-post.php" accordingly, to keep your site functioning.

Hide Indexes

Be sure to disable public access to directory indexes whenever possible. If people can list the files in your site’s "wp-content/plugins/" directory without being authenticated, it’s a lot easier to crack into your site through plug-in vulnerabilities. If your web server is Apache or another server that uses .htaccess files, it’s simple to do. Find the .htaccess configuration file in your site’s main directory, the directory that contains "index.php", and insert the line "Options -Indexes" anywhere in the file.

Alternatively, if you can’t alter a .htaccess file, upload an "index.html" file into your main directory. You could give that page a similar look to your site’s PHP pages and insert a hyperlink to your "index.php" file if you’d like. But obviously, on a site that uses WordPress as its CMS, visitors won’t see your "index.html" file unless they type its exact path into their browser’s address bar, so you could also make "index.html" a 0-byte placeholder.

In case your web server ever has problems executing PHP files, it’s crucial to block directories that should only be accessed by your server. If PHP source code is ever displayed in a visitor’s web browser rather than the page it’s supposed to render, they may find database credentials or in-depth information about the PHP/MySQL programming of your site. Your site’s "wp-includes/" directory is the most important one to block. Find the .htaccess file there and insert:

# mod_rewrite ignores RewriteRule lines in a .htaccess file unless the engine is switched on
RewriteEngine On
RewriteRule ^(wp-includes)/.*$ ./ [NC,R=301,L]

If there are or will be subdirectories of “wp-includes/”, insert the following code for each one in the same .htaccess configuration file:

RewriteRule ^(wp-includes|subdirectory-name-here)/.*$ ./ [NC,R=301,L]

Back It Up!

Ensure that you back up your WordPress site often. There are various plugins that let you do this easily and automatically, so if something ever happens you will be able to restore your site with little effort.

Install Other Useful Security Plug-Ins

There are a number of WordPress plug-ins that I recommend you install and use. When used properly, they can harden your WordPress site very effectively.

To prevent man-in-the-middle attacks from capturing your login credentials, be sure to encrypt your login packets with Login Encryption. That plugin uses both the DEA and RSA algorithms for enhanced security.

Installing Plug-ins from the Admin Panel

Configure the Limit Login Attempts plugin to prevent brute-force attacks. With the plugin, you can set a maximum number of login attempts, and also set the duration of the lockouts between them.

The User Locker plugin works in a similar way. With it, you can set a maximum number of invalid authentication attempts before the account is locked.
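To show what the lockout logic behind Limit Login Attempts and User Locker amounts to, here is a minimal version added as an example; it is not the code of either plugin. It assumes a must-use plugin file under wp-content/mu-plugins/ and the helper name mll_client_key(); the hooks, the transients API and MINUTE_IN_SECONDS are core WordPress.

```php
<?php
/**
 * Plugin Name: Minimal Login Lockout (added example; not Limit Login Attempts
 * or User Locker). Save as wp-content/mu-plugins/login-lockout.php (assumed path).
 * Counts failed logins per client address and refuses authentication once the
 * limit is reached, using core's transients API.
 */
define( 'MLL_MAX_FAILURES', 5 );                  // failures allowed ...
define( 'MLL_WINDOW', 15 * MINUTE_IN_SECONDS );   // ... within this window
define( 'MLL_LOCKOUT', 30 * MINUTE_IN_SECONDS );  // how long a lockout lasts

// Transient key for the requesting client (assumed helper name). Uses
// REMOTE_ADDR only: X-Forwarded-For is attacker-controlled unless a trusted
// proxy sets it.
function mll_client_key( $suffix ) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'mll_' . $suffix . '_' . md5( $ip );
}

// Core fires wp_login_failed for every rejected login attempt.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( mll_client_key( 'lock' ) ) ) {
        return; // already locked out; don't keep extending the lockout
    }
    $failures = (int) get_transient( mll_client_key( 'fail' ) ) + 1;
    set_transient( mll_client_key( 'fail' ), $failures, MLL_WINDOW );
    if ( $failures >= MLL_MAX_FAILURES ) {
        set_transient( mll_client_key( 'lock' ), time(), MLL_LOCKOUT );
        delete_transient( mll_client_key( 'fail' ) );
        // Log the address and username for later analysis; never log passwords.
        error_log( sprintf( 'Login lockout for %s after %d failures (user "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $failures, $username ) );
    }
} );

// Refuse authentication while locked. Priority 30 runs after core's own
// username/password check (priority 20), so a correct password can't bypass it.
add_filter( 'authenticate', function ( $user ) {
    if ( get_transient( mll_client_key( 'lock' ) ) ) {
        return new WP_Error( 'mll_locked', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30 );

// A successful login clears this client's failure counter.
add_action( 'wp_login', function () {
    delete_transient( mll_client_key( 'fail' ) );
} );
```

Behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, so one attacker would lock out every visitor; in that setup take the client address from the proxy's header only after checking the request really came from the proxy. Address-based lockouts slow down, rather than stop, attempts spread across many addresses, so strong passwords still matter.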

There’s also an excellent plug-in for securing your entire admin panel. Try Admin SSL Secure Plugin to encrypt your panel with SSL.

Another excellent plug-in for securing your site’s login is Chap Secure Login. With that plugin, all of your login credentials except usernames are protected with the CHAP protocol and the SHA-256 algorithm.

As mentioned before, it’s an excellent idea to change as many WordPress defaults as possible. With Stealth Login, you can create custom URLs for logging in and out of your site.

WordPress sites are frequently targeted by spambots. I have to spend a lot of time going through comments on my site, and the majority of my pending comments have to be marked as spam. Imagine what those spambots can do to your site, beyond giving you a lot of tedious extra work! For that reason, I recommend installing Bad Behavior on your site. Because it logs your site’s HTTP requests, you can better troubleshoot spambot issues, and the plugin will also restrict access to your site when a bot hits it.

Alongside Bad Behavior, you can also use User Spam Remover. It removes unused user accounts from your site. You can set an age threshold for those removals, and you can also configure a whitelist.

When you choose and install plug-ins on your site, also be sure to only install plugins offered through your admin panel or under the plug-in directory at Outside plug-ins may be secure, but it’s best to mitigate the risk. Officially released plug-ins are audited for security and scanned for malware.

Keeping your WordPress site hardened for security is an ongoing responsibility, just like all other areas of IT and development security. You can’t just configure a number of settings or programs and then forget about it. Your WordPress site should be on a schedule for malware and vulnerability scanning, and logs should be kept and analyzed.

By keeping your WordPress site secure, you’re doing your part to prevent malicious activity that could harm not only websites, but also web servers and users’ PCs, tablets and smartphones. As WordPress is such a common CMS on the web, knowledge about the design and configuration of the console is readily available, and certain hacks could work on perhaps millions of websites. Fortunately, knowledge about WordPress security is abundant, for much the same reasons. In the ongoing maintenance of your website and web server, always be security minded. You can then have proper control over your web content, and do your part to make the Internet a better place.

Kim Crawley is a security researcher for InfoSec Institute. InfoSec Institute is an IT security training company that provides popular web app pen testing classes.
