How to Secure Your WordPress Website – The Basics

In my book review of WordPress 3 for Business Bloggers I told you that I missed one piece of content: options to secure your WordPress website. I also said I would give you some tips on how to secure your WordPress website.

WordPress is a very popular Content Management System and as such is always under attack by hackers and crackers.

Most hack attempts do not target security holes in the WordPress core but rather security weaknesses in plugins or themes.

Basics on how to Secure Your WordPress Website

WordPress security starts with the installation of your website and these steps can help:

  • choose a good web host
  • create a cryptic database name and database username for your MySQL database
  • create a highly secure password
  • don’t use the standard wp_ prefix for your tables
  • don’t use the standard Admin username but create a more difficult username and matching secure password

After installation use the permalinks option to create a .htaccess file in the root of your website.

Once the installation is done you can remove the following files:

  • wp-config-sample.php
  • readme.html (contains information on what version of WordPress you are running)
  • wp-admin/install.php
  • wp-admin/install-helper.php

Secure your files by changing the permissions on:

.htaccess to 404 (or 604)

wp-header.php to 400 (or 600)

If possible, move your wp-config.php file one folder up and set its permissions to 400, or to 600 if your hosting company won’t allow 400.
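The checklist above can be verified with a small audit script. This is an added example, not part of the original post: the function names (`file_mode`, `check_mode`, `wp_audit`) and the output labels are made up for illustration, and it only covers the leftover files, the .htaccess and wp-config.php permissions, and the wp_ table prefix.

```shell
#!/bin/sh
# Added example: audits a WordPress directory against the post's checklist.
# Prints one line per finding; return status is the number of findings.

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report a file whose mode is not in the allowed list; missing files pass.
check_mode() {
    path=$1; shift
    [ -f "$path" ] || return 0
    mode=$(file_mode "$path")
    for ok in "$@"; do
        [ "$mode" = "$ok" ] && return 0
    done
    echo "MODE $path is $mode, expected one of: $*"
    return 1
}

wp_audit() {
    root=$1
    findings=0

    # Installation leftovers the post says to remove.
    for f in wp-config-sample.php readme.html \
             wp-admin/install.php wp-admin/install-helper.php; do
        if [ -e "$root/$f" ]; then
            echo "LEFTOVER $f is still present"
            findings=$((findings + 1))
        fi
    done

    # wp-config.php may have been moved one folder above the web root.
    config=$root/wp-config.php
    [ -f "$config" ] || config=$root/../wp-config.php

    # Permission targets as listed in the post.
    check_mode "$root/.htaccess" 404 604 || findings=$((findings + 1))
    check_mode "$config" 400 600 || findings=$((findings + 1))

    # Default wp_ table prefix left in place.
    if [ -f "$config" ] && grep -Eq \
        '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$config"; then
        echo "PREFIX $config still uses the default wp_ table prefix"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Source the file and call `wp_audit /path/to/site`; a return status of 0 means every check passed.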

Secure Your WordPress Website Plugin Options

There are four plugins I always install on my WordPress websites:

WordPress Firewall 2 monitors web requests to your website and blocks obvious attacks.

File Monitor Plus sends you an email if a file has changed on your website and tells you which file(s) changed.

WP Security Scan will let you know if you already are under attack and will give you extra tips and aids to block some standard attacks.

Login Lockdown looks at login attempts that fail from a certain IP address and shuts down login functionality for that address for a certain amount of time, preventing further brute force attacks.

All of the above measures have helped me to secure my WordPress websites from attacks on several occasions.

WordPress 3 Cookbook

I also got a chance to read WordPress 3 Cookbook, a fun concept that gives you “recipes” that you can use on your own WordPress website.

Here is a short overview of the chapters in this fine book:

Chapter 1: The WordPress Cook’s Tools
Chapter 2: Installing and Customizing Themes
Chapter 3: Working with Plugins and Widgets
Chapter 4: Customizing Content Display
Chapter 5: Building Interactivity and Community
Chapter 6: Implementing Online Sales and Advertising
Chapter 7: Making an SEO Friendly Site
Chapter 8: Enhancing Usability and Accessibility
Chapter 9: Managing Maintenance and Improving Security

And yes this one has a chapter on security :-) but the rest of the book is also a very good read and gives you over 100 short practical articles that you can use.

I really enjoyed reading and implementing several of the recipes on my own WordPress websites, and I really suggest you take a look at the WordPress 3 Cookbook as it has some nice pearls in it. That said, you need to be aware that you should have a code editor and an FTP program. I recommend PSPad and FileZilla.

Start Your Own WordPress Website

To get started you need: 3. Configure your WordPress settings and plugins and start writing...


  1. You can’t even run a spellcheck on your content and you expect people to take you seriously?

    Oh, and you should run down to the office supply store and buy a box of commas, then learn how to use them. Wait – commas are free!

    I guess you just need to learn how to use them!

    • @Bill, thank you for pointing out some of my errors and yes I do need to improve on my English writing (I am Dutch). I recently came in contact with a good editorial reviewer, who I plan to hire to clean up the site and reduce the errors. I know those errors come from my lack of English Grammar and punctuation knowledge.
      Hopefully the content provided on this site will make up for these errors.

      P.s. text is cleaned up now :-)

      • Irritated with petty people says

        Bill: Perhaps you should refine your own sentence structure and semantics before you waste time posting criticism. Perhaps also you might learn that spell check is spelled properly by writing it in two words. Perhaps you need to wash your windows in your glass house.

        Thank you Herbert-Jan for your post.

      • @Irri: In Bill’s defense, there were some pretty horrible errors in this post before, so his comments were valid, the post was edited afterwards.
