WordPress Security - Barbed Wire Fence

Locking Down WordPress

Posted on


Let me start here by saying that WordPress security is quite good. The constant development and open source nature of the software means that security flaws are usually found and addressed very quickly. However, there are a few actions you can take to step up the security of a WordPress site. And just like with other software, the most likely point of failure isn’t a bug or the server, but the user. The following tips will help you avoid common security mistakes, and lock down some loose hatches of a standard WordPress Installation.

Usernames and Passwords

A common way that hackers gain access to a WordPress site is by guessing your password. Well technically, they use what’s called a brute force attack to guess millions of passwords in a short amount of time.

Most people are their own worst enemy when it comes to online security. You are miles ahead of the pack if you avoid common usernames and passwords. That may seem obvious, but I’ll let my friend Dark Helmet comment:

Some usernames to avoid:

  • Admin
  • Administrator
  • User
  • Temp
  • Temporary
  • Editor
  • Author

And when it comes to passwords, the longer the better. It doesn’t necessarily have to be full of special characters and numbers either. A long sentence, even if it is a regular sentence of regular words is more secure than a short password with special characters.

2 Factor Authentication

2 Factor Authentication means that you need two things to log on. In most cases this is a password and a device, such as your smart phone. This is subtly different from 2 Step Authentication which could simply require two passwords. There are a few ways to set this up for WordPress involving different plugins and services. See below for a link to the various plugins.

They all end up with the same result though. A new field will be added to your log in screen, and you will need a secondary code to log in.

List of 2 Factor Authentication Plugins for WordPress



A strong username/password combination and 2 factor authentication will likely defeat a brute force attack, but it won’t stop them from trying, and using up resources on your server and website. Locking out users after a set number of failed log in attempts will stop the drain on resources by preventing blocked users from accessing the site.

Some installations of WordPress will have this option bundled in, but once again, there are many plugins to choose from to add this feature to your site:


Turn Off Editor

This tip and the next one have the potential to mess up your site badly. Use caution and back up the files in question before attempting these alterations to your site’s code. Maybe even get an adult to help you!

Should someone gain access to the back end of your site, they could put malicious code into your site with the theme and plug in editor. This is a bit of an odd feature for WordPress. I expect that just about anyone who knows what they are doing with that editor has the tools to do the job without it. So let’s turn it off shall we?

Open up the wp-config.php file and past this one line at the end of the file:

define( 'DISALLOW_FILE_EDIT', true );

Now, the editor is no longer accessible in the Customize menu.


The wp-config.php file holds a lot of sensitive information. By necessity, the user name and password for the database that WordPress connects to is hard coded into that file. So you do not want anyone being able to read it. You can use the .htaccess file to redirect traffic that requests that file. Put the following snippet in the .htaccess file above the # Begin WordPress comment.

<files wp-config.php>

order allow,deny

deny from all


You can also direct traffic away from the includes folder. This is where plugins and add ons are stored.

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ – [F,L]

RewriteRule !^wp-includes/ – [S=3]

RewriteRule ^wp-includes/[^/]+.php$ – [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+.php – [F,L]

RewriteRule ^wp-includes/theme-compat/ – [F,L]


General Security Practices

These tips will go a long way toward keeping your site secure, and you can take care of all of it in about half an hour. In addition, you should practice good security habits that aren’t necessarily WordPress related:

  • Be cautious when using public wifi. If you need to enter passwords, use a VPN or other proxy to protect from a Man-In-The-Middle attack.
  • Don’t plug any USB device you don’t trust into your computer.
  • Change your passwords occasionally, and don’t use the same password for multiple accounts. Consider a password manager to keep track of them.
  • Be vigilant in your inbox. Don’t click on suspicious links or attachments.
  • Make sure your home wifi is password protected and encrypted.

Further Reading

Even though this article was awesome (if I do say so!), there’s no better source than the WordPress Codex.