Keep your WordPress wp-admin safe. The best WordPress security tricks, tips and plug-ins that all WordPress users should know.
Updated Nov 30, 2011: WordPress is becoming more than a great blog platform; in my opinion it is becoming the best CMS out there. It's open source and there are thousands of themes, plugins and modifications.
The only downside is that, since it is so popular, it is also a popular target for hackers, spammers and bots trying to gain access to your wp-admin or post spam on your site. I wrote this article on what are, in my opinion, the best tools, tips and plugins to keep your WordPress site/blog safe from hackers and keep them out of your wp-admin. Before you start with my tips I suggest taking a backup of your WordPress site; if you are careful and know what you are doing, chances are you will not have any issues, but it is always a good idea. The best plugin for this, I would say, is the BackUpWordPress plugin, located here on the WordPress site.
This guide is for users who at least know how to edit files and access FTP, but to make it easy I have included .zip files of the modified code so you can just drag and drop. Enjoy!
New to WordPress? Don't have time to make all these manual changes? See my automated method of protecting your WordPress install [here].
Tip #1 – Keep your WordPress up to date! -or- Remove the version number
WordPress is constantly being updated, and in most cases the updates are security fixes. Bots and hackers search for outdated versions of WordPress since they are easier to hack. So keep your WordPress up to date!
If you can't find the time to do this, there is a trick for removing the WordPress version from your site. First log in to your file manager/FTP and open your current theme folder (/wp-content/themes/yourtheme), then find the file named 'functions.php', save it to your computer, edit it, and copy and paste this code at the top:
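The snippet the post refers to is not present in this copy of the page. What follows is an added example, not the author's code, showing the standard WordPress way to do what the tip describes: unhook the generator tag from the page head and blank it in feeds. It goes one step beyond the tip by also stripping the ?ver= query string that WordPress appends to enqueued scripts and styles, which leaks the same version number; the function name wpsec_strip_asset_version is my own choice. Hiding the version only removes the cheapest fingerprint; it is not a substitute for updating.

```php
<?php
// Added example for the active theme's functions.php (not the original post's snippet).
// Place it directly after the opening <?php tag of that file.

// WordPress prints <meta name="generator" content="WordPress x.y.z"> in <head>
// through the wp_generator callback hooked on wp_head; unhooking it drops the tag.
remove_action( 'wp_head', 'wp_generator' );

// RSS/Atom feeds carry the version through the the_generator filter;
// returning an empty string hides it there as well.
add_filter( 'the_generator', '__return_empty_string' );

// Enqueued assets are emitted as style.css?ver=x.y.z, which also reveals the version.
// Removing the query argument hides it, at the cost of cache busting on asset updates.
// Function name is this example's own; not a WordPress API.
function wpsec_strip_asset_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src',  'wpsec_strip_asset_version' );
add_filter( 'script_loader_src', 'wpsec_strip_asset_version' );
```

After uploading the edited functions.php, view the source of your home page and your feed URL to confirm no "WordPress x.y.z" string remains.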
Tip #2 – Remove ‘admin’ username
90% of attackers rely on the fact that you used the default 'admin' username for your admin account. From now on, when you install WordPress, instead of keeping the default login name 'admin', change it to something more discreet, even your own name. This way attackers will have to figure out not only your password but also your username. If you are already using 'admin' as your login, go to 'Users' in your dashboard, create a new user and assign them the administrator role. Once complete, delete your old 'admin' user, but make sure you attribute all posts/topics to your new user or they will be erased!
Advanced method: if you know phpMyAdmin there is a better way. Log in to phpMyAdmin, locate your WP database, click the SQL tab, then run the query (change 'New Username' to your desired name):
UPDATE wp_users SET user_login = 'New Username' WHERE user_login = 'admin';
Tip #3 – Make sure you have a strong password
Make sure your password is strong. This is an obvious one, but so many people do not have strong passwords. Your password should contain letters and numbers, upper case and lower case, as well as special characters. A tip for making this simple is what I call "geek type". For example, "temppassword" can be made much stronger by changing it to "Tempp@$$w0rd": replace a's with @'s, o's with zeros and s's with $'s. I just find this a lot easier than remembering random special characters; I make a word out of them. To test the strength of your password check out this link here; it should be rated as strong at a minimum.
Tip #4 – Add index.php files to your directories (help protect your 'uploads' folder)
I have an 'index.php' file in each of my admin directories, such as the 'wp-content', 'uploads', 'themes' and 'plugins' folders. The reason for this is again to make it more difficult for potential hackers to find out what plugins/themes and what WordPress version you are running; it also makes it difficult to browse any files. This is super simple to do: just create a new text document and copy and paste in this line of code:
<?php // Nothing to see here. ?>
Then save the file as 'index.php' and upload it to the folders I mentioned above. If you are feeling lazy, click here to download the .php file I made; just unzip the file and upload it!
Tip #5 – Check your chmod & file permissions
First, if you are asking yourself "ch what?", check this link explaining file permissions and chmod settings. When first setting up plugins or editing files you might have to change the permissions to 777 (read, write and execute for everyone); make sure you change them back to 644 (read only) or whatever they were, or you are just leaving your site open to anyone and everyone. Whenever possible try not to leave or set any folders to 777. Lots of people will just chmod everything, including files, to 777 when trying to solve an issue; this is the wrong way. You should go file by file and permission by permission, working your way up to 777; most of the time chmod 755 (read and execute) will suffice and this is OK. If the worst-case scenario does come up and the only option is setting the permissions to 777, make sure you have an index.php file (as above in tip #4) in the folder where you made these changes; that will stop people browsing and viewing/downloading all the files in that directory and potentially finding a way to hack into your site.
Summary of WP CHMOD/File Permissions:
- All directories should be 755 or 750.
- All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it.
- No directories should ever be given 777, not even upload directories! Since the PHP process runs as the owner of the files, it gets the owner's permissions and can write to even a 755 directory.
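The following is an added example, not part of the original post, that turns the permission summary above and the index.php guard files from tip #4 into a read-only audit you can run on the server (php wp-perm-audit.php /path/to/wordpress). It assumes the standard WordPress layout under the given root and changes nothing; it only lists what deviates, so you can chmod deliberately, file by file, as the tip recommends. The script name and the message wording are my own.

```php
<?php
// Added example (not from the original post): read-only audit of a WordPress tree.
// Usage: php wp-perm-audit.php /path/to/wordpress
// Exit status 0 when everything matches the summary, 1 when findings were printed.

$root = rtrim($argv[1] ?? '.', '/');
if (!is_dir($root)) {
    fwrite(STDERR, "usage: php wp-perm-audit.php /path/to/wordpress\n");
    exit(2);
}

// Directories that should carry a guard index.php (tip #4), relative to the root.
$guarded = ['wp-content', 'wp-content/uploads', 'wp-content/themes', 'wp-content/plugins'];

$findings = [];
foreach ($guarded as $dir) {
    if (is_dir("$root/$dir") && !is_file("$root/$dir/index.php")) {
        $findings[] = "missing guard file: $dir/index.php";
    }
}

// Walk every directory and file below the root (dot entries skipped).
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
);
foreach ($it as $path => $info) {
    $mode = fileperms($path) & 0777;          // keep only the rwx bits
    $rel  = substr($path, strlen($root) + 1); // path relative to the root

    if ($info->isDir()) {
        // Directories: 755 or 750. World-writable (the 777 case) is reported first.
        if ($mode & 0002) {
            $findings[] = sprintf("world-writable directory: %s (%o)", $rel, $mode);
        } elseif (!in_array($mode, [0755, 0750], true)) {
            $findings[] = sprintf("unexpected directory mode: %s (%o)", $rel, $mode);
        }
        continue;
    }

    // wp-config.php is the one exception: 600 only.
    if ($rel === 'wp-config.php') {
        if ($mode !== 0600) {
            $findings[] = sprintf("wp-config.php should be 600, is %o", $mode);
        }
    } elseif ($mode & 0002) {
        $findings[] = sprintf("world-writable file: %s (%o)", $rel, $mode);
    } elseif (!in_array($mode, [0644, 0640], true)) {
        $findings[] = sprintf("unexpected file mode: %s (%o)", $rel, $mode);
    }
}

if (!$findings) {
    echo "OK: permissions match the summary and guard files are present\n";
    exit(0);
}
foreach ($findings as $f) {
    echo $f, "\n";
}
exit(1);
```

Run it again after each chmod you make; when it prints OK you have matched the summary without having blanket-chmod'ed anything.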
Tip #6 – Create a wp-admin .htaccess file
This is probably the best and most important method, in my opinion. Since we are trying to keep hackers/bots out of the wp-admin area, why not just refuse access to anyone but yourself? Yes, we can do that, and it's quite easy! Again, open a text editor, create a new file and insert these lines (the original wrapped the Order/Deny/Allow lines in a <LIMIT GET> block, which would have left POST and other methods unrestricted; the block is dropped here so the rule covers every method):
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 203.0.113.20
What this does is deny access to the wp-admin folder; when someone tries to access it (www.yourdomain.com/wp-admin) they will get a 404 error screen unless their IP is on an 'Allow from' line. Now you need to find out what your IP address is (use this link to help), then copy and paste your IP in place of the fake IPs I have put in the file. If you access your WordPress site from multiple computers you can add more than one IP, one per line as above; if you only access from one computer, erase the second line. Once you have done this, save the file as '.htaccess' and upload it to your 'wp-admin' folder. You're done. Again, if you are feeling lazy, click here to download the .htaccess file I made; just unzip the file and upload it! If you can't see the .htaccess file, click here.
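Here is an added example of the wp-admin/.htaccess, written by me rather than taken from the post, that adds two things a practitioner will want. First, it carries both the Apache 2.2 syntax (Order/Deny/Allow) and the Apache 2.4 syntax (Require), selected by <IfModule>, since 2.4 rejects the 2.2 directives unless mod_access_compat is loaded. Second, it leaves wp-admin/admin-ajax.php reachable, because themes and plugins call that file from every visitor's browser and an IP whitelist on the whole folder silently breaks them. The addresses are placeholders from the documentation range; blocked clients receive an Apache 403 Forbidden response.

```apache
# Added example (not the author's file): wp-admin/.htaccess
# Replace the two documentation-range addresses with your own IPs.

# Apache 2.4: only the listed clients are authorized, everyone else gets 403.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10 203.0.113.20
</IfModule>

# Apache 2.2 equivalent. No <Limit> wrapper, so every HTTP method is covered.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.20
</IfModule>

# admin-ajax.php is fetched by the public front end (themes, plugins, some
# comment forms); a more specific <Files> section re-opens just that one file.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Satisfy Any
    </IfModule>
</Files>
```

Two practical notes: the file only takes effect if the server's AllowOverride setting permits these directives in .htaccess, and if your connection has a dynamic IP you will lock yourself out when it changes, so keep FTP access handy to edit the list.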
Tip #7 – Protect files with .htaccess – Protect your wp-config.php file
You can protect files and directories with the .htaccess file in your site root, and the most important one is the wp-config file. Your wp-config file is the "brain" of your WordPress installation; if someone gained access to it they could take down your entire site. To protect your wp-config.php file the best route is again an .htaccess edit. Simply add the following to your root .htaccess file:
# SECURE WP-CONFIG.PHP
<Files wp-config.php>
    Order Deny,Allow
    Deny from all
</Files>
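As an added example (mine, not the post's download), the same wp-config.php rule written so it works on Apache 2.2 and 2.4, plus one directive that goes beyond the tip: Options -Indexes, which stops Apache from listing any directory that lacks an index file, so the index.php guards from tip #4 are backed up server-wide.

```apache
# Added example (not the author's file): root .htaccess fragment for WordPress.

# Nobody should be able to fetch wp-config.php over HTTP; when PHP is running it
# is executed, not served, but a misconfiguration or a backup copy would expose it.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

# Disable automatic directory listings everywhere under this root.
Options -Indexes
```

If the host does not allow Options in .htaccess (AllowOverride without Options), Apache returns a 500 error for the whole site; remove that line and rely on the index.php guards instead.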
Tip #8 – Install the Invisible Defender Plugin (Best Anti-Spam Plug-in Period)
This is an awesome plugin. It protects your registration, login and comment forms against spambots. Not only does it protect your login from hackers/bots, it is also the best spam protection I have ever used for WordPress. This is the only spam protection I use on my sites and it works flawlessly; I have never had a spam message posted by a bot (knock on wood). What it does is add two hidden fields that spam bots or scripts will fill in; when they do, the submission is flagged as spam and they can't post. A normal visitor would not see these fields, therefore would not fill them in, and the message is allowed through. It does the same for the wp-login and wp-admin sections of the site. It also shows you how many attempts it has blocked. Download it here. Install it like you would any other plugin.
Tip #9 – Install the Stealth Login Plugin
If you have already completed the steps above this is not necessary, since we have already implemented a method to keep users out of your wp-admin section (the .htaccess fix). If you want to be extra safe, why not? What this plugin does is change the URL of the login page. So instead of www.yourdomain.com/wp-admin you can have www.yourdomain.com/getinthere or something discreet that people will not guess, or you can even use www.yourdomain.com/login to keep it simple for clients or yourself. Again, 90% of the time attackers are targeting your /wp-admin login page, but it will not be found since you have changed it. Click here to go to the WordPress site to download the plugin.
Tip #10 – Test the security of your WordPress with WP Security Scan
There is a great tool that (once you have completed the steps above) will test your installation of WordPress to make sure it is secure. It scans your WordPress installation for security vulnerabilities and suggests corrective actions. Click here to go to the WordPress site to download the plugin. Again, just install it as you normally would, then open the "Security" button from your dashboard.
Automated Alternative Method:
Best WordPress Security Plugins
Quick and Effective Route That Anyone Can Do
Secure WordPress Plugin & BulletProof Security
I always think doing manual edits as in my tips above is by far the best way to protect your WordPress installation. Of course, doing all the tips I have provided is a great idea (I do them), but it might also be a bit excessive. Chances are hackers are going to target sites that are out of date or fully open (777 permissions), so even if you just keep your site updated and don't have any files set to 777 you should be OK, as hackers won't bother spending time getting around your site UNLESS they really want to.
Another method is to use a plugin to make some security changes to your WordPress site. This is an automated system, so it might not always work 100%; also keep in mind that hackers have access to this plugin too, so they know all the edits it makes. But again, as I said above, if you take any steps at all to secure your site it makes the job more difficult for potential intruders, causing them in most cases to move on to the next (easier) site.
Secure WordPress Plugin:
This plugin will beef up the security of your WordPress installation by removing error information on login pages, adding index.html to plugin directories, hiding the WordPress version and much more.
BulletProof Security Plugin:
This is a great plugin; it automatically does lots of the steps I suggested doing manually above. The BulletProof Security WordPress security plugin is designed to be a fast, simple, one-click security plugin to add .htaccess website security protection to your WordPress website.
That's it; relax, your WordPress site is now secure. Remember to take backups!
If you have done the steps above we have now gone four layers deep protecting your wp-admin from bots, hackers or other attackers who might try to gain access. We have not just relied on plugins, but also applied some very good manual security methods. Now you can relax knowing your site is up to par on security and you can enjoy blogging away. Please note that you should still take backups of your site on a regular basis. The best plugin for this, I would say, is the BackUpWordPress plugin, located here on the WordPress site.
If you have something to add, need help, or have comments, please reply below.
To say thanks please Re-Tweet & Share this post and/or leave a comment below!