Five important tips to secure your WordPress blog

Security should be one of the utmost concerns for anyone running a web application that is always available on the web. Whether or not your blog holds personal data is immaterial: a compromised site can be used as a jumping-off point for many other kinds of malicious behaviour. Very few hackers will overlook a free lunch, no matter how insignificant you may feel your blog is. An easy target is an easy target, and although your site may be obscure, obscurity, like anything else on the web, is no protection against intrusion. Proactive security is the only thing that will keep your content safe. This becomes especially important if you use WordPress for commercial purposes, as a hacked site that generates a lot of spam or other hostile activity is going to be delisted from the major search engines and possibly added to spam blacklists. Here are a few tips for getting started and some plugins that can help ease the burden a little.

1. Keep your version of WordPress current. Whenever you see the notification that a new version of WordPress is available, it is in your best interest to download and install it. Keeping your software current is a minimum requirement for security. Unlike most other things in life, software does not age gracefully, and you can save yourself a lot of hassle by staying current with releases. WordPress Instant Upgrade can help with that if you have not made large numbers of modifications to the original files. You can find out which version of WordPress you are currently running by looking near the bottom of your admin page: the bottommost line should say something like Version 2.x.x. If it says something like Version 1.x, you need to take action immediately.

2. Make backups, whether manually with an FTP client and the output of phpMyAdmin for the database tables, or with an automated solution like the WP-DB-Backup plugin. Try to do them weekly, and keep a copy on your own computer if possible. The WP-DB-Backup plugin can do both of those as well as deliver the backups to an email address. Offsite is always best, but a copy on your home or work computer is better than no backup at all. You could always create a Gmail address specifically for this plugin; given the large quotas Gmail provides, capacity should not be a problem.

3. Work with robots.txt and .htaccess to limit access. Familiarity with the Robots Exclusion Standard is a worthy investment in any case, as it allows you to specify which areas of your web server robots are allowed to index. It is never a bad idea to include a directive like the one below:

Disallow: /wp-*

in your robots.txt to keep search engines from indexing WordPress files as part of their normal crawling; an index of those files serves no real purpose and is a potential security hole as well.

.htaccess (note the leading period, which makes it a hidden file in a Linux/Unix environment) is a more direct tool: robots.txt is only as effective as the robot's respect for the Robots Exclusion Standard, which the larger search engines honour but not every crawler does, whereas .htaccess uses methods built in to the Apache web server to control access to content in web directories. The most effective use of .htaccess for WordPress (credit for this particular tip is due to Wincent) is to place a FilesMatch statement in the .htaccess file at the highest level where your WordPress files are located, which renders wp-config.php, the file that contains your username and password for the database, unreadable over the web. This should normally be the case anyway, but it is an additional layer of security between you and your would-be attackers.
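The following script is an added example, not part of the original post and not Wincent's or WordPress's own code. It applies the two tip-3 protections to a WordPress root directory: the `Disallow: /wp-*` line in robots.txt and a FilesMatch block in .htaccess that denies HTTP requests for wp-config.php. The directory path, the rule text and the check function are assumptions; the FilesMatch block carries both the Apache 2.2 (`Order`/`Deny`) and Apache 2.4 (`Require all denied`) forms so it works on either. Both functions are idempotent, so the script can be re-run after every upgrade without duplicating rules. One caveat on the robots.txt rule: in the original Robots Exclusion Standard a Disallow value is a path prefix, so `/wp-` alone already covers wp-admin, wp-content and wp-includes; the trailing `*` is a wildcard extension that the larger search engines understand and the rest ignore harmlessly.

```shell
#!/bin/sh
# Added example (not from the original post): apply the tip-3 robots.txt and
# .htaccess protections to a WordPress root. Paths and rule text are assumptions.

# Ensure robots.txt tells crawlers to skip everything under /wp-.
# Creates the file with a catch-all User-agent block if it does not exist;
# otherwise appends the Disallow line only when no /wp- rule is present yet.
add_robots_rule() {
    f="$1/robots.txt"
    if [ ! -f "$f" ]; then
        printf 'User-agent: *\n' > "$f"
    fi
    if ! grep -q '^Disallow: /wp-' "$f"; then
        printf 'Disallow: /wp-*\n' >> "$f"
    fi
}

# Ensure .htaccess in the WordPress root denies web access to wp-config.php.
# Idempotent: the block is appended only if no FilesMatch for wp-config exists.
add_htaccess_rule() {
    f="$1/.htaccess"
    if ! grep -qF 'FilesMatch "^wp-config' "$f" 2>/dev/null; then
        cat >> "$f" <<'EOF'
# Deny direct requests for wp-config.php (it holds the database credentials)
<FilesMatch "^wp-config\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    fi
}

# Returns 0 when both rules are present, 1 when either is missing.
check_wp_root() {
    grep -q '^Disallow: /wp-' "$1/robots.txt" 2>/dev/null || return 1
    grep -qF 'FilesMatch "^wp-config' "$1/.htaccess" 2>/dev/null || return 1
}

harden_wp_root() {
    add_robots_rule "$1"
    add_htaccess_rule "$1"
}

# Usage: sh harden.sh /var/www/wordpress   (the path is an assumption)
if [ $# -eq 1 ]; then
    harden_wp_root "$1"
    check_wp_root "$1" && echo "robots.txt and .htaccess rules are in place"
fi
```

After running it, request wp-config.php through a browser: the server should answer 403 rather than an empty page, which is what a correctly parsed PHP file returns when the block is missing.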

4. Login Lockdown is a plugin developed to limit the effectiveness of brute-force password attacks on the WordPress login script. It tracks IP addresses and disallows further attempts from an address after a set number of failed logins. The lock remains in place for the amount of time you have specified. This is by no means a bulletproof solution, but it will discourage those trying to bludgeon their way in by making them wait long periods between attempts.
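To make the lockout rule concrete, here is an added example that is not the Login Lockdown plugin's code: it evaluates the same "N failures from one address within a window" rule over a constructed login record so the logic can be run offline and the effect of the threshold and window sizes can be seen. The record format (epoch seconds, client IP, `fail` or `ok`), the sample addresses and the thresholds are all assumptions.

```shell
#!/bin/sh
# Added example (not the Login Lockdown plugin's code): the per-IP failed-login
# lockout rule, evaluated over a constructed record. Format and values are assumptions.

# Constructed sample record, one login attempt per line: "<epoch> <client IP> <fail|ok>".
# 203.0.113.5 fails five times in 40 s; 198.51.100.7 fails once, then succeeds;
# 192.0.2.9 fails twice in quick succession.
SAMPLE_LOG='1700000000 203.0.113.5 fail
1700000010 203.0.113.5 fail
1700000020 203.0.113.5 fail
1700000030 203.0.113.5 fail
1700000040 203.0.113.5 fail
1700000050 198.51.100.7 fail
1700000060 198.51.100.7 ok
1700000070 192.0.2.9 fail
1700000071 192.0.2.9 fail'

# locked_ips MAX_FAILS WINDOW_SECONDS NOW   (reads the record on stdin)
# Prints, sorted, every IP with at least MAX_FAILS failures in the WINDOW_SECONDS
# before NOW: the addresses a lock of that length would currently be refusing.
locked_ips() {
    awk -v max="$1" -v win="$2" -v now="$3" '
        $3 == "fail" && $1 > now - win { fails[$2]++ }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# is_locked IP MAX_FAILS WINDOW_SECONDS NOW   (reads the record on stdin)
# Exit 0 when the address should be refused, 1 when its attempt may proceed.
is_locked() {
    ip="$1"; shift
    locked_ips "$@" | grep -qxF "$ip"
}

# Usage: sh lockout.sh --demo  lists what a 5-failure, 5-minute rule locks out
# at 1700000100, just after the last sample line.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | locked_ips 5 300 1700000100
fi
```

With the sample above, a threshold of five failures in five minutes locks only 203.0.113.5, while 198.51.100.7 (one failure followed by a success) is never affected; lowering the threshold to two also catches 192.0.2.9, and shrinking the window to 50 seconds releases 203.0.113.5 again because its failures have aged out. That trade-off is the one the plugin's settings expose: a short lock with a low threshold slows an attacker the least, a long lock with a low threshold is easiest to trip by mistake.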

5. Change your password frequently. This is more common sense than anything else, but you should rotate your passwords periodically and use strong passwords to begin with. Don't use any part of your domain name in the password, and don't forget to reset the admin password that WordPress created when it was first installed.

About shk

shk is a DevOps engineer with more than 12 years of experience in different organizations. He is enthusiastic about learning new technologies and shares his knowledge through his blogs.


  1. Hi!
    very nice

  2. I found your site on the net and read some of your posts. Keep up the good work. Look forward to reading more from you in the future. If interested in link exchange please contact me.

  3. I found your blog recently and have been visiting it. I think your way of thinking is good. Keep up the good work. If interested in link exchange please contact me.

  4. warm-hearted answers i like it

  5. Sometimes it happens that people need to know more about this post, and in such a situation it is good to have the help of a good term paper writing service and buy an essay there only.



