Video How-to: 10 Tips To Make WordPress Hack-Proof




UPDATE: Sept 2013

This post has turned into a site, possibly the most complete WordPress security site ever produced.

Featuring hundreds of tutorials & forums, check it out: wpCop: Secure WordPress. Properly.


Securing WordPress isn’t this easy!

Yeah, sorry to break it to you but, having spent the last couple of years immersed in the subject, writing a book and producing a site about how to secure the WordPress platform, I have to say, this old guide is far from complete.

That’s not to say it’s obsolete. Quite. The theory holds true. But that’s about it.

Best advice: skim through this, sure, but to find out about the multitude of risks to WordPress, both directly and indirectly, and the layered defence it needs, and exactly what you need to do, check out my new site wpCop.

… Really. ;)

(Guvnr, by the way, and again as of Feb 2013, has been redesigned to front as the blog for wpCop, and will soon also for my site vpsBible which helps folks set up web servers.)

With wpCop launched in February 2013 this post will no longer be maintained and, finally, I’ve closed the comments. If you have any questions about securing your site or blog, else its server or wider network, including your web development environment on local devices, connectivity and the web itself – all of which affect WordPress security – then pop by the free forums at wpCop and ask away.

Enough spiel. Ciao for now.

Having your blog hacked isn’t fun, and a standard WordPress installation is not impregnable. Not only does a hacked blog mean downtime while you work with your host to track down the problem and make sure it doesn’t happen again, it can also mean time spent on the fallout, for instance getting your email working properly once more. All in all, valuable time wasted.

Prevention is better than cure. Here are 10 Tips To Make WordPress Hack-Proof.


What You Need

Before You Begin

Video: Secure, Solid, Safe .. in 10 Steps.

Watch the video for a better idea of how to do this.

Guv’s on YouTube at http://youtube.com/guvnrDOTcom.

1. Upgrade WordPress. To the latest version. Back up your files and database first, every time. If you’re using 2.7 or later, the upgrade can be done from your admin dashboard, at the click of a button, automatically. Just look for the “upgrade” notice. If you’re using an earlier version, read this.

2. Update Plugins. Make sure all are upgraded to their latest versions. If they’re not, you are notified on your plugins admin page. Outdated plugins are the commonest way into a WordPress site, so treat that notice as urgent. And delete plugins you no longer use rather than leaving them deactivated: a deactivated plugin’s files are still on the server and still reachable by URL.

WordPress security plugin wp-security-scan

3. Change the “wp_” Database Table Prefix. I used to use wp-security-scan, from Semper Fi Web Design, but I DO NOT CURRENTLY RECOMMEND IT because it throws errors with WordPress 3+. I cannot find a reliable alternative plugin, but here is a manual method that works in most cases. Be careful: a blanket find-and-replace can also hit plugin option names or serialized data that merely happen to contain “wp_”, so keep the backup from step ii until you have confirmed the site works (and don’t do this when you’ve had a beer!):-

  • i. Deactivate all WordPress plugins, as a precaution.
  • ii. Backup the database, as explained in Guvnr’s video tutorial.
  • iii. Open the downloaded *.sql file with a text editor (where * is the name of your database).
  • iv. Replace the “wp_” prefix with your new prefix in every table name, and in the keys WordPress itself stores with the prefix: the “wp_user_roles” option, and the “wp_capabilities” and “wp_user_level” user meta keys. Leave other occurrences of “wp_” alone; function names such as wp_get_sidebar inside stored data must not change.
  • v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. wp-phpmyadmin is a great plugin to use.
  • vi. Still within your WordPress database, import your newly-amended *.sql file, the one you edited by changing the prefix. wp-phpmyadmin or similar again.
  • vii. Open and edit your wp-config.php file, in the root blog folder, changing “$table_prefix = ‘wp_’;” to “$table_prefix = ’yourNewPrefix_’;”. Do steps v to vii in one go, without loading the site in between: if WordPress finds no options table under the prefix named in wp-config.php, it runs the installer and creates a fresh set of tables.
  • viii. Log back in and reactivate your plugins. If you can log in but get “You do not have sufficient permissions to access this page”, the user_roles or capabilities keys were not renamed: fix those rows and try again.

4. Delete the “Admin” User. Just to make hackers work harder, bin this: “admin” is the first username any brute-force script tries. Create a new user with administrator rights, and give the user a nickname (for public display) that is not the same as the username, so the login name isn’t printed beside every post. Then log out, log back in as the new user, and delete the original “admin” user. When WordPress asks what to do with admin’s posts, attribute them to the new user rather than deleting them.

5. Use a Stronger Password. Bit obvious, this one. Mix it up with letters, digits and special characters, upper and lower case, and above all make it long: a dozen characters is a minimum, not a target. I use RoboForm to remember (and encrypt) my passwords, and that’s free, so there’s no excuse for a short one.

6. Hide your WordPress version. From your theme’s folder, open “header.php“, search for the line…

…and delete it. It has no useful purpose. On WordPress 2.5 and later the generator tag is usually no longer a literal line in header.php but is printed by the theme’s wp_head() call, so if you can’t find it, remove the wp_generator action from wp_head in your theme’s functions.php instead. Either way this is obscurity, not protection: the version still shows elsewhere (readme.html in the blog root, for one), so the real fix is tip 1.

7. Ensure WordPress Database Errors Are Turned Off. In recent WordPress versions they are turned off by default, so upgrade. Displayed database errors give away your table prefix and server paths, which is exactly what tip 3 set out to hide, so also check that wp-config.php does not set WP_DEBUG to true on a live site.

8. Remove WP ID META Tag. Delete this tag from the WordPress core. After you activate and run wp-security-scan, this is done automatically.

9. Create an .htaccess File in “wp-admin/” Open a new text file and paste this…

… Save the file as .htaccess (no other extension) and upload it to your “wp-admin/” folder, ie, to http://myblog.com/wp-admin/. Two caveats. First, .htaccess files are read only by Apache, and only where the host’s AllowOverride setting permits them; on nginx or lighttpd they are ignored. Second, copy the plain text, not the code box’s line numbers, or Apache will answer every page under wp-admin with a 500 Internal Server Error. If that happens, delete the file by FTP or in your host’s file manager and the site comes straight back.

10. Hide Your Plugins. If you’re not sure whether they’re hidden or not, navigate to http://myblog.com/wp-content/plugins. If you see a 403 Forbidden page (or a 404, on hosts that remap it), directory listing is off and they’re hidden. Otherwise, you’ll see them listed, folder by folder, which tells an attacker exactly which plugins, and so which known holes, to try. In that case, copy the following into a new .htaccess file, adding the file to your wp-content/ folder…

Some web hosts don’t allow you to administer .htaccess files. If that’s the case, instead of using an .htaccess file to hide the list of plugins, create an index.html file. You can write something about restricted access in there, if you like. Either way, the file will prevent a plugin listing, but note the difference: the index.html only hides the list, and any plugin folder can still be reached directly by URL, so it stops browsing, not access.

Now navigate to http://myblog.com/wp-content/plugins. They should be hidden.
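
A check that tips 6, 9 and 10 took effect, added here as an example and not part of the original post: it looks for the generator meta tag and the ?ver= fingerprints on wp-includes assets in the homepage HTML, and classifies the response for /wp-content/plugins/ so you can tell a real 403 from an index.html placeholder. BASE_URL and the sample responses are constructed assumptions; run it with your blog’s address as the only argument to probe a live site, or with no argument to see it work on the samples.

```python
import re
import sys
import urllib.error
import urllib.request

# Hypothetical address; the post uses myblog.com as a placeholder too.
BASE_URL = "http://myblog.com"

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# Core scripts/styles without a version of their own are stamped with the
# WordPress version, so ?ver= on wp-includes assets leaks it as well.
ASSET_VER_RE = re.compile(r'wp-includes/[^"\'\s]+\?ver=([0-9][0-9.]*)')
INDEX_OF_RE = re.compile(r"<title>\s*Index of\s+/", re.I)


def find_generator(html: str):
    """Content of a <meta name="generator"> tag, or None (tip 6)."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def asset_versions(html: str) -> set:
    """All ?ver= values on wp-includes assets; the WordPress version is
    usually among them even after the generator tag is gone (tip 6)."""
    return set(ASSET_VER_RE.findall(html))


def classify_listing(status: int, body: str) -> str:
    """Interpret the response for /wp-content/plugins/ (tips 9 and 10)."""
    if status in (403, 404):
        return "blocked"      # Options -Indexes answers 403; some hosts remap to 404
    if status == 200 and INDEX_OF_RE.search(body):
        return "exposed"      # Apache autoindex page: plugin names are public
    if status == 200:
        return "placeholder"  # an index.html hides the list; files stay reachable by URL
    return "unexpected"


def probe(url: str):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample responses, not captured from any real site.
SAMPLE_HOME = (
    '<html><head><meta name="generator" content="WordPress 2.8.4" />'
    '<script src="http://myblog.com/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>'
    '<link rel="stylesheet" href="/wp-includes/css/buttons.css?ver=2.8.4" />'
    '</head><body></body></html>')
SAMPLE_LISTING = ('<html><head><title>Index of /wp-content/plugins</title></head>'
                  '<body><h1>Index of /wp-content/plugins</h1>'
                  '<a href="akismet/">akismet/</a></body></html>')


def audit(home_html: str, plugins_status: int, plugins_body: str) -> dict:
    """Summarise the three checks in one dict (same shape for live or sample input)."""
    return {
        "generator": find_generator(home_html),
        "asset_versions": sorted(asset_versions(home_html)),
        "plugins_dir": classify_listing(plugins_status, plugins_body),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        base = sys.argv[1].rstrip("/")
        _, home = probe(base + "/")
        status, body = probe(base + "/wp-content/plugins/")
        print(audit(home, status, body))
    else:
        print(audit(SAMPLE_HOME, 200, SAMPLE_LISTING))
```

A clean result is generator None, no 2.x or 3.x value among the asset versions, and plugins_dir “blocked”; “placeholder” means the list is hidden but nothing is actually restricted.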

After You’re Done

Just to be thorough, and because a few things have changed…

  • Backup your files again, using your ftp client.
  • Backup your database again, using wp-phpmyadmin.

That’s it. Your blog is more secure, and way less hackable. Go make content!



About the Author:

Olly Connelly (yeah, that's me) blogs at guvnr.com, polices WordPress security at wpCop.com and helps noobs build web servers at vpsBible.com, so if you've got sleeping problems you know where to come.

Discussion

  1. the_guv  February 12, 2013

    @Sudipto/Alfonzo – ta!

    @Yasir – “Is this a required thing?”

    Not required but *very important*.

    In a nutshell, using WP secret keys (salts) prevents cookie-related attacks.

    … and very easily implemented.

    @fear – tx. Yes. Watch this space. New WP security site about to launch with various security forums. Guvnr will be its blog.

  2. alfonzo  February 7, 2013

    This is the 2nd blog, of your website I really checked out.

    Although I really love this particular 1, “Video How-to: 10 Tips To Make WordPress Hack-Proof – GUVNR” the very best. Cya -Rhoda

  3. fear of flying online  February 6, 2013

    Fantastic blog you have here but I was curious if you knew of any discussion boards that cover the same topics talked about here?

    I’d really like to be a part of online community where I can get advice from other experienced people that share the same interest. If you have any suggestions, please let me know. Appreciate it!

  4. Yasir Imran  February 3, 2013

    When I opened the wp-config file, I found there are no keys defined in it. I never did it for any of my blogs. Is this a required thing? How will it protect my blog from being hacked?

  5. Sudipto  November 22, 2012

    Nice post and I really like it. At this moment I am using BPS in my WordPress, and I liked the point concerning passwords, as a strong password having numeric values, alphabetic values and symbols also makes us safe. Thanks for this post.

  6. the_guv  September 10, 2012

    M. Blimey, your comment kinda slipped thru the net, sorry for delay.

    But!

    ““Mix it up with letters, digits and special characters, upper and lower case.” is not a good way to do this. A longer password is far far better.”

    No. You need both. And if that sounds hard to remember, *just use LastPass*. And as for the length, using a decent password manager there’s no excuse not to have a 16, 20 or even 24bit (character-length) password.

    (I use 24bit on all my passwords … call me paranoid But why not?)

    … Nice cartoon though, thank you :)

  7. M  May 10, 2012

    Point 5. starts out well, more secure passwords are better, but “Mix it up with letters, digits and special characters, upper and lower case.” is not a good way to do this. A longer password is far far better.

    http://xkcd.com/936/

    Explains this much better than I can.

  8. the_guv  March 18, 2012

    @Dess. No way, buddy! Security requires a multi-faceted approach – secure local PC, secure web connection, secure web server, each with various configurations. Some plugins merely assist.

    @Sennik. Ditto above. Ie, no!

    @Pat. You can have 1 .htaccess per directory.

    @parw. Yes, buy my book, which contains hundreds of pages worth of fixes.

    … even better, wait and I’ll be launching a new edition very soon, plus a website alongside … the existing book’s already out of date – typical!

    @Prabin. Yes, and it didn’t but it does work now. (Good point … )

    UPDATE: WP SECURITY SCAN IS AGAIN WORKING FINE … it wasn’t being maintained for a long time but is again now, and provides the easiest way to change that db prefix (once the platform has already been installed)

  9. ShelleyN  March 7, 2012

    Guv, Enjoyed this post. Some of it is a bit over my head. Seems a bit technical. Never thought about hiding the WordPress Version…this is one I’ll definitely be looking in to. Thanks for sharing!

  10. Dess  February 6, 2012

    Is there no one click plugin that will secure my WP blog? I was hacked 2 times within a weeks interval. Some guy from fiverr.com helped me recover it. The second hack was probably by an Islamist fanatic because my page and all the redirect links from my domain show their message. Now if you know any 1 click secure plugin please.

  11. Sennik  November 14, 2011

    Is it possible to protect WordPress only via .htaccess file ?

  12. Pat  November 6, 2011

    I’ve got the .htaccess file with all the Begin WordPress…End WordPress stuff in it. The file is in the /public folder and when I move it to wp-admin, my site conks out; moving it back again fixes things. Not sure how I can have the file in wp-admin without the site breaking. Is it possible to have 2 copies?
    Thanks

  13. parw  September 26, 2011

    Hi,
    I have already done everything that you suggest, but yesterday my blog was hacked. I don’t know what to do. Have you something else to suggest to me?
    Thanks for the reply

  14. Georgia  September 6, 2011

    Have had 2 of my WordPress sites hacked twice. Thanks for this. Never had any problems with WP installations until recently. Glad someone like you is posting walk throughs like this. very helpful. Thank you.

  15. Prabin  September 1, 2011

    Hi, does all the above security stuff work on wordpress 3.x? Some also say that the wp security scan doesn’t work properly on wp 3.x.

    Thanks

  16. Prabin  September 1, 2011

    Hi, does all the above security stuff work on wordpress 3.x?

    Thanks

  17. BDC  August 29, 2011

    Excellent info about securing WordPress. I’ve always used offense as the best defense, which for me means advocating multiple back-ups of the Database and all files/folders.
    Thank you

  18. the_guv  August 16, 2011

    @Rick … some typo most likely.

    To regain access, just remove the htaccess file using your file manager, your SFTP client or a terminal, and your site is back. Then try again :)

    @Emily … nice to hear but, frankly, this post barely scratches the surface.

    … Indeed, it took me nearly 400 pages and literally hundreds of tutorials to set out precisely how to secure WordPress:-

    http://guv.li/wpguv

    That may sound like a sales pitch for my book. Truly, in the Wild Wild West that is the dub dub dub, it’s best advice.

  19. Emily Grace  August 16, 2011

    Very good post, man. It is very helpful to many people who are searching for securing their WordPress websites.
    I have enabled all the security features which you have mentioned. I am feeling good now.
    Thanks

  20. Rick  August 12, 2011

    Not sure if anybody else has the same problem but I put (.htaccess) in my wp-admin folder and now I can’t get into my dashboard or anywhere in the back end for that matter. It says page not found. ???

  21. the_guv  May 2, 2011

    @oneristy .. thank you.

    @Jon .. agreed .. and thank you.

    @all .. you may be interested in my new book, publishing by Packt in the second week of May:-

    WordPress 3.0 Ultimate Security

    I’ll blog about it soon but, essentially, it covers the A-Z of how to protect the platform, both directly and indirectly, so that includes local/wireless/online/WordPress-immediate/server – every known way that a WP blog can be compromised.

    Anyhow .. I’d best finish the damn thing! Just a few pages of third drafting to go plus, I guess, a dedication to the missus, bless ‘er cottons :)

    EDIT: It’s out! Be safe :) .. guv.

  22. Jon Maybrook  April 16, 2011

    Excellent info about securing WordPress. I’ve always used offense as the best defense, which for me means advocating multiple back-ups of the Database and all files/folders. Most sites get hacked because of not “locking the front and back door” and poor passwords. Nothing will stop the professional hacker, but this will keep them away from your site and force them to look for other low-hanging fruit instead! Keep up the great work!

  23. oneristy  March 21, 2011

    This is great. I’m waiting for updates.

  24. the_guv  November 7, 2010

    @Steve .. you may have found some poorly named and conflicting plugin variables, quite rare I daresay .. definitely have a backup first for such cases! this method has never let me down but one day it just might :P

  25. dt  November 4, 2010

    great advice WP security scan. waiting for the updates as well.

  26. SteveW928  October 25, 2010

    @the_guv – Hi. Just wanted to note that it might be more complicated than that for some installs. I now have my blog working fine, but when combing through the DB, I noticed wp_ instances used as both references to tables, but a few also used as variable names. Doing a universal search/replace for wp_ might break variables. Note: I didn’t follow your fix method and maybe those instances belonged to specific plugins in my install, but it seems that is what you are doing in your fix. I had to pick more carefully and make some educated guesses… but certainly not something to do after a couple beers. You might need a few after though. ;o) Thanks again for the helpful blog.

  27. HDe  October 24, 2010

    I agree with Steve – notice the same – with WP Security Scan – best advice- we will all have to wait for the new update! Thanks Guvnr – for this great Support Blog.

  28. the_guv  October 24, 2010

    @Steve .. you’re right and thank you for reminding me!! WP Security Scan is not working these days. I’ve updated the post and the workaround works fine.

  29. the_guv  October 24, 2010

    cheers Jethro, appreciated and good luck

  30. the_guv  October 24, 2010

    thank you Marc, good to hear

  31. marc  October 12, 2010

    Thanks for the tutorial, great info.

  32. Jethro Solomon  September 11, 2010

    Good article. Will implement changes immediately. I recently had to fix a hacked wordpress installation of my friends…ugh!

  33. Vincent Furlong  August 23, 2010

    I’m just wondering if I need to change the prefix for other php files. Since changing the prefix in the wp-config.php I’ve got an error on my sidebar widget: Warning: array_key_exists() [function.array-key-exists]: The second argument should be either an array or an object in public_html/my.site/wp-includes/widgets.php on line 858
    After I checked this, the functions are wp_get_sidebar etc. Not sure if I did something wrong.
    Also, when I added a .htaccess file I was no longer able to access the admin panel.

    Any help on this would be great.
    Thanks

    -Vin

  34. Sharon  August 16, 2010

    I added a .htaccess file to wp-admin as described above. When I refreshed the WP security scan page it went to an error page on my blog. I deleted the content of the file (left it blank) and that works fine, but when I try to add the script as it is above it doesn’t work.

  35. SteveW928  August 12, 2010

    Thanks so much for this article, it is full of great tips.

    However, I just wanted to warn people of my experience with WP Security Scan and the DB prefix renaming. I’m running WP 3.0.1, and things didn’t go well at that point. After running, I was unable to log into my site. I’ve been able to fix that by reading related posts and editing my SQL DB (finding things it missed), but I fear there are still lots of other things it missed lurking about as some of my plugins don’t work (I’ve been able to fix a few by combing through fields where the plugins store their settings).

    I’m trying to decide whether to go forward with it or to restore at this point… but just wanted to warn people. I should have noticed that WP Security Scan hasn’t been updated since like 2008… Doh! And, if you read the support sections there, others are having the same problem. I hope this all gets updated, because it is important and seems to be an awesome plugin otherwise (it’s just out of date).

  36. Charlie Street  July 6, 2010

    Thanks for the article. I used parts of it when writing an article of a similar nature about website hackers and hosting accounts being “hacker proof”

  37. the_guv  May 30, 2010

    @Alexandria .. thank you, lovely to hear

  38. Alexandria Michel  May 30, 2010

    If only I had a greenback for every time I came here… Incredible post.

  39. the_guv  April 29, 2010

    hey jimi, that may be just with the One Click Plugin Updater, so take a look for that.

  40. jimi  April 27, 2010

    I don’t have a plugins tab on our WordPress blog dashboard…. is there something wrong here?

  41. the_guv  April 19, 2010

    @Tony .. cheers to you

  42. tony  April 9, 2010

    Great stuff man truly appreciate it!

  43. the_guv  March 3, 2010

    @Tony .. very odd, can’t say I know the reason for that, possibly a corrupt db, else back up and clean it then try again .. have you tried using wp security scan to do the job?

    and try this:-

    • backup db (say with phpmyadmin, to a db.sql file)
    • copy that file, then edit it with some editor .. find/replace all wp_ prefixes to whatever_
    • drop all db tables .. not the db tho
    • import edited db.sql
    • change prefix in your wp-config.php
    • re-activate plugins

  44. Tony Topping  March 2, 2010

    Great stuff which I’ve applied successfully to two of my three WordPress sites, all of which were hacked over the past three weeks. But I’ve been unable to change the wp_ prefix on the last site. I had to edit the text, which was no problem. But when I installed the backup, twice, WordPress immediately defaulted to reinstall and on reinstall added a new set of wp_ tables to the new tables I had created. So somehow it’s not recognising the newly named prefixes.

  45. HDDE  February 17, 2010

    Thanks a lot for your tips. The best blog I’ve seen so far! Keep up the good work!

  46. the_guv  January 26, 2010

    @Ritu .. you’re welcome, thank you

  47. Ritu  January 25, 2010

    Thanks a lot for the valuable tips to protect the blog from injection. I had an injection 2 days ago. Now it’s cleaned and I did the same as suggested by you in the post.

  48. the_guv  January 25, 2010

    @Nilimesh .. mighty kind words, Sir .. thank you.

  49. Nilimesh  January 23, 2010

    This is the best station for such kind of articles; your site is an inspiration for me. I got so many benefits and good results after visiting here, and the grace is increasing day by day in your posts. The above information is extremely essential……

  50. the_guv  January 9, 2010

    @Edward, thank you. .. for code I use Syntax Highlighter Plus, which having explored all similar plugins I find to be the best of the bunch, for this site anyhow. Of course, I hacked the style to complement the site.

    @Danx .. thank you, Sir.

  51. danx  January 7, 2010

    I found your blog on Google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.

  52. Edward Jerome  January 2, 2010

    Hi Olly

    Unless it is a trade secret, in which case I would understand, could you possibly share with me which plugin you are using to show off your code following this step

    9. Create an .htaccess File in “wp-admin/” Open a new text file and paste this…

    on this page

    http://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/

    I really enjoyed reading your post and watching your YouTube video on the 10 tips. Thanks so much for sharing.

    Edward

  53. the_guv  September 16, 2009

    @joejonns & @Bill Bartman .. many tx

    @Bill Bennett .. sorry for delay, was on hols.

    As I understand it, wp-phpmyadmin does work with WP, up to 2.8.4, despite saying it’s compatible only up to 2.2.2.

    Seems that the developers haven’t upgraded the stylesheet yet, so it may look a bit odd, is all. When they do that, I guess they’ll update the compatibility officially.

    Alternatively, I’ve heard some good things about Adminer .. http://www.adminer.org/en/, which entails uploading a single file to your server before having a php tool very like phpmyadmin. OK, yes, I know, that’s not *quite* so handy as having a WP plugin version, as is the case with wp-phpwhatnot.

  54. Bill Bartmann  September 7, 2009

    Cool site, love the info.

  55. Bill Bennett  September 6, 2009

    I was going to work through this, but I fell at the first hurdle.

    wp-phpmyadmin is only compatible up to WordPress version 2.2.2

    I’m running 2.8.4. Is there a workaround?

  56. joejonns  September 2, 2009

    txxx – keep up the good work.

  57. the_guv  September 1, 2009

    @Debbie .. hey girl, good to hear.

    Now look everyone, don’t copy the ruddy line numbers! Top right of the code boxes there’s an option to open the plain text .. so do, then copy from there. I know, easy when you know how.

    Hey, Debbie, on your site .. beaut pic of that frog and the key. What a thing. Quite humbling.

  58. debbie T  September 1, 2009

    Hello! Thank you for this wonderful article.

    I think I might have found the answer to Brian’s problem, as I had the same issues with accessing my admin area after I created the new .htaccess file.

    Anyway, I took another look at the code in the file, and I realized I copied the text from your article, but the code had line numbers in it.

    ie: 7.# END WordPress

    I deleted all the line numbers and now it works fine! Thanks!

    Hope that helps Brian too!

  59. mugger  August 15, 2009

    I think there is still an exposure to malware, namely injection of at the bottom of root index.*, a file which even WP needs to start.

  60. FH  August 7, 2009

    Great post.. I hope my blog never gets hacked.. thanks for the info :)

  61. the_guv  July 25, 2009

    @LauraManick .. ye have little faith ;)

  62. LauraManick  July 23, 2009

    I cannot believe this will work!

  63. the_guv  July 22, 2009

    @Brian .. hmmn, could be an issue with your httpd.conf, on the server. What does that say?

  64. Brian  July 21, 2009

    After doing Step 9, my blogs got Internal Server Error 500. Deleting the .htaccess file fixed the problem. Is there something I’m missing?

    I copied that text, pasted it into Notepad++, made sure there were no extra characters at the beginning or ends of all lines, saved as a normal text file. Uploaded to the wp-admin directory, and then renamed to .htaccess

    At that point, I started getting the Internal Server Errors. When I deleted the .htaccess file from the wp-admin directory everything worked fine again.

    I had 644 permissions which is the same as the .htaccess file already in the directory above.

    Thoughts?

  65. the_guv  July 19, 2009

    @ Méldodie .. Good question. No idea ‘cos I don’t use Lighty with WP. I do use Nginx though and it’s the same deal with that .. htaccess is irrelevant, so don’t bother.

    ?? Anyone using non-Apache web servers that know of other tips ??

  66. Méldodie  July 18, 2009

    Hello,

    I join lots of thanks to all the preceding ones.

    I’ll add a question you may find interesting, because all of my blogs aren’t using Apache as a server, but Lighttpd, so the .htaccess there has no effect (unless I install empty ones, thus making the plugin wp-security-scan content to see there is one where it seeks for it, otherwise come the red warnings sent by the plugin).

    Lighttpd not using .htaccess, as far as the blogs I have under this server are concerned, I followed those of your tips that were relevant. My question would be: is there anything else that’s relevant that could be done or checked when using Lighty?

    Thanks again :D

  67. john.conner  July 16, 2009

    Mostly I have seen only articles. It’s good that you have included a video.
    I would even like to see some SEO guides.

  68. the_guv  July 15, 2009

    @Y094 hey, thank yo .. thank yo! .. geddit .. sorry, many thanks, Y094, appreciated.

  69. Y094  July 15, 2009

    Thanks :D

  70. the_guv  June 26, 2009

    @john – you’re welcome to embed the video, intro the piece and link to the bulk, else buy me a fine single malt whiskey and I’ll doubtless change my mind and you can have the lot. tx to you.

  71. johnstevens  June 22, 2009

    Hello,
    Can I put this article on my site?
    Thanks for the information

  72. the_guv  June 14, 2009

    big cheers akis – much appreciated

  73. akis  June 14, 2009

    One of the best guides to create our wordpress hack proof…Bravo!!!Thumbs up!!

  74. the_guv  May 19, 2009

    @Cris – sorry to hear that – sounds like a right nightmare you’ve had. Pleased to help and all the best with Pinche Pelicula.

  75. Cris  May 18, 2009

    I changed from Blogger to WordPress a week ago; since then I’ve had two malware attacks. One was the famous gumblar dot cn and another that I didn’t even try to figure out.

    So Google banned me from the listings and I’m setting up all security measures this time.

    Because I’m new at blogging, your tutorial (especially the video) was very useful.

    Thank you!

  76. the_guv  May 13, 2009

    @ArianaBels – pleased you like. Sure you can summarise and link to this post, and embed the video if you wish. Thank you for asking.

  77. ArianaBels  May 13, 2009

    Wow! Thank you! I always wanted to write something like that in my blog. Can I take part of your post to my site? Of course, I will add a backlink.

  78. the_guv  May 11, 2009

    @Jessicalip – hope it helps out. thanks to you.

  79. Jessicalip  May 10, 2009

    I will leave a reply as soon as I try it Thank you

  80. the_guv  May 7, 2009

    @Sara – you’re welcome. Damn, you actually spent money on an ebook! :P

  81. Sara  May 6, 2009

    Thanks for this. I just spent $22.00 last night on an eBook that was probably a waste of money since the information is easily available online and less hassle with some of these WordPress plug-ins.

  82. the_guv  April 24, 2009

    @Grigoriy – you are most splendidly welcome, and a big tx :)

  83. Grigoriy  April 23, 2009

    Dear author,
    Thank you very much for these useful tips collected in one place.

  84. the_guv  April 11, 2009

    @papa & @bob
    - hey guys, tx for that. i’ve UPDATED “10. Hide Your Plugins” to reflect some problems a few folks have had, and hope that helps.

    If you’ve still got problems, pls let me know.

    @E-TARD. You’re welcome :)

  85. E-TARD  April 11, 2009

    thanks for the tips

  86. bob  April 9, 2009

    Hi, need help. I made a .htaccess page and it is uploaded to the wp-admin area and it is not stopping my plug-ins from showing up.
    How can I fix this?
    Thanks

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # Prevents directory listing
    Options -Indexes
    # END WordPress

  87. papa  April 8, 2009

    Thanks very much for the tutorial, it’s been really informative for a newbie like myself.

    I’m having trouble with the .htaccess file though and I’m wondering if it relates to what Lonnie A was having trouble with? When I upload the .htaccess file to the correct directory and then refresh my security scan plugin I get an error page reading ‘Internal Server Error – The server encountered an internal error or misconfiguration and was unable to complete your request.’ and I can’t access my WP site at all unless I delete the file.

    Thanks for any help you can give!

  88. the_guv  March 24, 2009

    cheers Purosangue, lovely to hear. and you Koichi, top notch m8.

    Lonnie, big tx for that. you throw up some cracking ideas there…hmmn, i feel another tutorial coming on!

    **************************************

    UPDATE TO THIS POST: I’ve had a few interesting emails about this tutorial, with yet more ways to secure a wordpress blog. Right now I’m working on a few other things but, in a couple of weeks, I’ll update this post and the video to accommodate even more security tips.

    If you’ve got something to throw into the mix, let me know and it’ll help me to create the most comprehensive, cross-web server guide possible.

    the_guv

  89. purosangue  March 23, 2009

    great job with the video, thank you for taking the time and to post it for everyone!!

  90. Koichi Paxton  March 9, 2009

    This is an amazing resource for anyone who is trying to secure your wordpress. I learned many tips for making my WP better protected from hackers. I will now make sure that all of my plugins are well hidden so that they can’t access them.

  91. the_guv  March 8, 2009

    @Herrin – WP-Optimize I like too. Need to use it, hmmn, must do that! Secure WordPress I’ll take a look at. Big cheers, appreciate the comment. Mix away m8.
    @Lorrelle – wow, flattery indeed :) getting loved up by Lorelle. Hey, how cool is that, big cheers girl.
    @George – good to hear. mighty pleased.
    @Techno, PaulMyatt & http://planet.wordpress.org/, you have great taste in content, keep it up.
    //the_guv
    @Sarah – tx tx tx … sorry, I almost forgot you! tssh.

  92. Lonnie A  March 9, 2009

    Dear Mr Guvnr,

    Thank you so much for sharing your security blog video. I especially appreciated your tutorial on backing up a database using wp-phpmyadmin. The database is a very frightening place to modify if one has no knowledge of navigating phpmyadmin.

    Just to add a little bit of information regarding .htaccess on hosting web servers that enable safe mode on php. Some of us are unable to create and use .htaccess because of their server security policies.

    Therefore here’s something that I do to get around this problem. I create a cloaked web page of an affiliate site. If the so called hacker wants to spy my wp-content/plugins directory, they will be surprised to what they will find.

    I simply upload a cloaked index.html page to hide the content of these important folders. So instead of viewing the contents of the folder they might be puzzled as to what they see. A live web site… Huh…?

    I do to same for my themes folder as well. It works well for me and this is generally what I do to hide all my download products I buy and sell online too.

    Again… thanks for your tutorial, it was very well explained and hugely helpful.

  93. George Serradinho  March 8, 2009

    Thanks for the tips, the list will definitely help us users out there.

  94. Herrin  March 4, 2009

    Thank you so much for this compact and easy to implement guide to WP security.

    I use 2 plugins that help with security that you did not mention in this article.

    The first is called WP-Optimize – allows you to delete post/page revisions, optimize the database and change the username from admin to anything you like.

    The second is called Secure WordPress and it does some of the things that you mention above. Probably good for clients etc.

    Thanks again and hope this adds something useful to the mix.

    regards

    Herrin

  95. http://grautiger.wordpress.com/2009/03/10/datensicherung-fur-wp-blogs/  March 3, 2009

    [...] Once I have that *eyeroll*, THIS will probably become a topic here: securing the blog a bit against hacks: http://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/ [...]

  96. RAzik  March 3, 2009

    In tip #10, you said it will show a “404 error page”.

    But I think if you disabled directory listing it will show a “403 error page”.

  97. JC de Villa  March 3, 2009

    I read your post, and found item 9 interesting (.htaccess) and its location. You should really put it in your blog root directory (or even your site root), so that indexes won’t be visible… I suggest you look at your own directories for indexes, because some are a bit more exposed than they should be.

  98. Sarah  March 3, 2009

    Excellent tutorial. Blog security is one of the main concerns every blogger should know.

  1. Hack-Proofing Wordpress Site | Estudyante  November 24, 2011
  2. WordPress 3 Ultimate Security - Maui WP  July 2, 2011
  3. WordPress 3 Ultimate Security | Digital Splash Media  July 2, 2011
  4. “WordPress 3 Ultimate SECURITY”: My Hack-Proof Book’s OUT! - vpsBible  June 23, 2011
  5. 10 Tips de seguridad para WordPress - Alberto Rodriguez Molina  March 2, 2011
  6. I feel violated. {hackers suck} | Riding With No Hands  August 15, 2010
  7. Ma e vero che Aruba e’ un “colabrodo”? « Utilitypc  April 2, 2010
  8. Old WordPress Versions Under Attack | Son Of Byte - Web Design & Development  March 2, 2010
  9. Install/Upgrade WORDPRESS with SUBVERSION: VPS BIBLE - vpsBible  February 10, 2010
  10. UPDATE: How-to Install/Upgrade Nginx to 0.7.62 - VPS Bible - GUVNR  November 25, 2009
  11. The 5 Minute Wordpress Security Audit « Tips from Idea15 Web Design  November 23, 2009
  12. Install/Upgrade WORDPRESS with SUBVERSION - VPS Bible #15 - GUVNR  November 7, 2009
  13. tomorrowland.com » tomorrowland virus killed  October 16, 2009
  14. Sorry for the Recent Downtime  October 14, 2009
  15. NamrouD | Upgrade Your Mind ! » 30 Incredibly Useful WordPress Hacks  October 6, 2009
  16. 30 Incredibly Useful WordPress Hacks | Tutorial9  September 24, 2009
  17. Defeating the Wordpress attacks « Tips from Idea15 Web Design  September 8, 2009
  18. Old WordPress Versions (prior to 2.8.4) Under Attack :: HTML Websites, Web Design, Splash Pages, Blog Headers, Wordpress Blogs, Blog Sites  September 6, 2009
  19. 10 Tips To Make WordPress Hack-Proof. The Ultimate Guide. – GUVNR | WpMash - WordPress News  September 5, 2009
  20. Oude WordPress installaties worden aangevallen : WordPress Dimensie  September 5, 2009
  21. ALERT: Old WordPress Blogs Under Attack | Zemalf  September 5, 2009
  22. Old WordPress Versions Under Attack « Lorelle on WordPress  September 5, 2009
  23. 4 security links: Why you better secure your blog | STL Social Media Guy  August 24, 2009
  24. 10 Tips To Make WordPress Hack-Proof. The Ultimate Guide. – GUVNR  August 8, 2009
  25. Protect your wordpress blog from hackers, secure your website | Hen Design Studio  July 20, 2009
  26. 10 tips för att säkra din WordPress installation |  June 29, 2009
  27. Deep Jive Interests » Security Updates-a-Plenty  June 14, 2009
  28. Forbedre sikkerheden i WordPress - Hack-Proof « Tech.BusinessClass.dk  June 13, 2009
  29. Sicherheit von WordPress verbessern | Webseiten-Infos.de  May 23, 2009
  30. Sicurezza Wordpress: 10 passi per renderlo a prova di Hacker | MarinoMichele.it  April 30, 2009
  31. Dispelled.ca » links for 2009-03-14  March 14, 2009
  32. Risorse per migliorare la sicurezza di WordPress | Bloggare  March 9, 2009
  33. [Wordpress] 10 Steps to a Secure WordPress Installation | Technofriends  March 8, 2009
  34. Firewalling and Hack Proofing Your WordPress Blog « Lorelle on WordPress  March 8, 2009
  35. [Video] Ten Steps to Secure WordPress | PAULMYATT.COM  March 6, 2009
  36. LunarPages suspended.page  February 26, 2009