WordPress security is a *HOT* topic, and many of us, myself included, have suffered a blog being destroyed by some dumb script kiddie who managed to get his hands on a script that exploits some vulnerability.

Protecting your blog from idiots like that is a MUST, but to be quite honest absolute security simply doesn’t exist. We have to make a choice between usability and security and do our best to find that Practical WordPress Security Balance!


In this post I will discuss 5 steps you should take to strike that balance and achieve Practical WordPress Security you can live with!

And since the PRACTICAL side of the implementation plays a huge role here, many of the measures below are optional, although recommended! Sometimes, IF your blog does get hacked, it can be easier to restore from backup than to deal with the complexity of a heavily locked-down installation!

So you decide what fits your needs; I simply share what I know works!

Step 1: Backup Your Blog

Understand one thing – being hacked is not a matter of IF but unfortunately WHEN. Once your blog gains popularity the number of attacks will increase, and one of the attackers just might get lucky!

Backups are your last line of defense, but you have to be absolutely sure you have one before you need it! A backup you have never tried to restore is a hope, not a backup, so restore it once into a test directory or a spare database to prove it actually works.

  • WordPress Database Backup is a plugin I use and install for all my customers because of its simplicity and great functionality: it lets you schedule backups and have them emailed to an address of your choice, such as Gmail!

I like to keep about 2 weeks’ worth of backups just in case, but you can obviously keep fewer, although with the huge amount of space Gmail provides there is no reason to! Keep in mind that the dump contains your users’ password hashes and email addresses, so the mailbox receiving it deserves a strong password of its own.

The plugin above takes care of your database, which stores most of your information, but don’t forget to do a complete backup of the most important files within your blog structure as well. I would back up, at the very minimum, the wp-content folder, wp-config.php and the .htaccess file. Remember that wp-config.php contains your database credentials, so store the file backup somewhere at least as well protected as the blog itself.
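To show what a file-plus-database backup looks like outside a plugin, here is an added example (my own illustration, not code from the WordPress Database Backup plugin or any other project). It archives the three paths named above, builds a mysqldump command from the DB_* constants in wp-config.php (passing the password through the environment rather than the command line, where `ps` would show it), and prunes archives older than two weeks by the timestamp in their filename. The archive naming scheme and the 14-day default are choices made for this example.

```python
"""Minimal offline backup of a WordPress install: archive the files that
matter, build a mysqldump command from wp-config.php, and prune old copies.
Illustration only, not the plugin's code."""
import os
import re
import tarfile
from datetime import datetime, timedelta
from pathlib import Path

# Files and folders worth keeping, as named in the post.
BACKUP_PATHS = ["wp-content", "wp-config.php", ".htaccess"]
STAMP = "%Y%m%d-%H%M%S"                       # assumed archive naming scheme
ARCHIVE_RE = re.compile(r"^wp-files-(\d{8}-\d{6})\.tar\.gz$")
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Pull the DB_* constants out of wp-config.php, e.g. define('DB_NAME', 'x');"""
    return dict(DEFINE_RE.findall(text))


def mysqldump_command(cfg):
    """Return (argv, env) for mysqldump. The password goes into MYSQL_PWD in
    the environment rather than onto the command line."""
    argv = ["mysqldump", "--single-transaction",
            "-h", cfg.get("DB_HOST", "localhost"),
            "-u", cfg["DB_USER"], cfg["DB_NAME"]]
    env = dict(os.environ, MYSQL_PWD=cfg.get("DB_PASSWORD", ""))
    return argv, env


def backup_files(wp_root, dest_dir, now=None):
    """Write wp-files-<stamp>.tar.gz into dest_dir. Returns the archive path
    and the list of top-level paths that actually existed and were archived."""
    wp_root, dest_dir = Path(wp_root), Path(dest_dir)
    now = now or datetime.now()
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"wp-files-{now.strftime(STAMP)}.tar.gz"
    included = []
    with tarfile.open(str(archive), "w:gz") as tar:
        for name in BACKUP_PATHS:
            src = wp_root / name
            if src.exists():
                tar.add(str(src), arcname=name)
                included.append(name)
    return archive, included


def prune_old_backups(dest_dir, keep_days=14, now=None):
    """Delete archives whose filename stamp is older than keep_days. The stamp
    in the name is used rather than mtime, because mtime is trivial to alter."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=keep_days)
    removed = []
    for p in Path(dest_dir).glob("wp-files-*.tar.gz"):
        m = ARCHIVE_RE.match(p.name)
        if m and datetime.strptime(m.group(1), STAMP) < cutoff:
            p.unlink()
            removed.append(p.name)
    return sorted(removed)


if __name__ == "__main__":
    # Example run against a real install (paths are assumptions):
    #   cfg = parse_wp_config(Path("/var/www/blog/wp-config.php").read_text())
    #   argv, env = mysqldump_command(cfg)
    #   subprocess.run(argv, env=env, stdout=open("/backups/db.sql", "wb"), check=True)
    archive, included = backup_files("/var/www/blog", "/backups")
    print("archived", included, "to", archive)
    print("pruned", prune_old_backups("/backups"))
```

Run the database dump and the file archive from the same cron job, and keep the destination directory outside the web root so a compromised blog cannot serve or delete its own backups.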

Step 2: Keep Your Blog Up To Date

In fact I should probably have made this task Number 1, because most of the hacked blogs I have seen were due to the owner’s failure to upgrade in time! The reasons behind that failure can be many, but in the end they all lead to the same sad result – your blog is all screwed up by some idiot who managed to get hold of a script that does it for him!

Yep, many exploits are completely automated via scripts once a vulnerability is discovered!

Considering that you now have the option to update your core WordPress blog and plugins with a single click of a button, it should become your duty to check regularly and ensure you are running the latest version, since security issues can be introduced not just in the core but also in the plugins you have added to enhance functionality!

Also don’t forget to periodically check your theme developer’s site in case any security fixes have been released! Theme files are also PHP code and can be exploited! I personally prefer using more reputable coders/designers who write secure code from the get-go!

Step 3: Secure Your Current WordPress Blog

This applies especially to you IF you used the Fantastico installer for your WordPress blog! By default Fantastico installs WordPress with the standard, easily guessable database table prefix (wp_), which scripts attempting SQL injection commonly rely on. I have previously written about it in a WordPress Security post that has become slightly outdated; this guide replaces it, but that post still explains much of my reasoning!

Several plugins come to your rescue in securing your blog, and you can simply choose which, if any, appeal to you:

  • WP Security Scan does a great job of identifying issues and helping you remediate them, educating you in the process. Consider this plugin your new friend; it has some great features planned to assist you even more in keeping your installation secure! And if you haven’t used a secure enough admin password yet, it will let you know! I like that it gives you the ability to change the database prefix and the admin username, but please be sure to visit the plugin author’s page first, as some people report issues with those options!
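For readers who would rather change the table prefix by hand than trust a plugin option, the following added example (my own code, not WP Security Scan’s) generates the statements involved. Besides RENAME TABLE it rewrites the two places WordPress keeps the prefix inside row data, the user_roles option and the per-user capability meta keys; skip those and every user logs in without a role. The new prefix k7x2_ used in the test is an arbitrary choice. The functions only produce SQL and text, never touching the database, so take a backup and review the output before running it.

```python
"""Generate the SQL and the wp-config.php edit needed to move a WordPress
database off the default wp_ table prefix. Produces statements only; review
them, back up, then run them in your MySQL client. Illustration, not plugin code."""
import re

# What WordPress itself accepts for $table_prefix: letters, digits, underscores.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
CONFIG_RE = re.compile(r"""(\$table_prefix\s*=\s*['"])([^'"]*)(['"]\s*;)""")


def like_escape(literal):
    """Escape a literal for LIKE: '_' and '%' are wildcards there, so an
    unescaped 'wp_%' would also match a meta_key such as 'wpxcapabilities'."""
    return (literal.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))


def rename_prefix_sql(tables, old, new):
    """Statements to rename every table starting with `old` to start with
    `new`, then fix the two places WordPress stores the prefix inside rows.
    `tables` is the list you get from SHOW TABLES."""
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefix may contain only letters, digits and underscores")
    if old == new:
        return []
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in sorted(tables) if t.startswith(old)]
    # Roles live in {prefix}options.option_name = '{prefix}user_roles' and in
    # {prefix}usermeta.meta_key = '{prefix}capabilities' (and friends);
    # without these two updates every user ends up with no role at all.
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    # SUBSTRING rather than REPLACE so only the leading prefix is rewritten.
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = "
                 f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
                 f"WHERE meta_key LIKE '{like_escape(old)}%';")
    return stmts


def update_config_prefix(config_text, new):
    """Rewrite the $table_prefix = '...'; line in wp-config.php."""
    if not PREFIX_RE.match(new):
        raise ValueError("prefix may contain only letters, digits and underscores")
    text, count = CONFIG_RE.subn(lambda m: m.group(1) + new + m.group(3), config_text)
    if count != 1:
        raise ValueError("expected exactly one $table_prefix assignment")
    return text


if __name__ == "__main__":
    # Table list as SHOW TABLES would return it (constructed for the example).
    tables = ["wp_comments", "wp_options", "wp_posts", "wp_usermeta", "wp_users"]
    for stmt in rename_prefix_sql(tables, "wp_", "k7x2_"):
        print(stmt)
    print(update_config_prefix("$table_prefix = 'wp_';", "k7x2_"))
```

Change wp-config.php and run the SQL in the same maintenance window: between the two steps the blog is broken either way.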

Protecting your wp-admin directory, or at least securing the admin login, is what the next few plugins provide, and once again you can choose whether any of them are appropriate for you.

  • AskApache Password Protect plugin is a lot more than login protection. I would call it nothing less than a security suite, and version 4.7 (not yet released) promises even more protection. Just be sure to visit the plugin home page to get the latest scoop before you decide to use it!
  • Stealth Login plugin helps you hide the well-known login URL of your blog, which not only spares you the trouble of fending off brute force attacks but also lets you create an easy-to-remember login URL. Because it uses URL rewriting, be sure it will not conflict with any existing plugins you might have that do the same thing. Remember that a hidden URL is obscurity, not protection: it stops scripts that blindly hammer wp-login.php, not an attacker who has found the new address.
  • Semisecure Login Reimagined plugin goes deeper, encrypting your password with RSA in the browser before it is sent, which can be quite useful if you need to log in to your blog from public places and want to protect your password from being transmitted in clear text and caught by network sniffers. Note that it protects only the password on the login form; the authenticated session cookie still travels in the clear afterwards, so if your host offers HTTPS for wp-admin, that protects both.
  • User Locker plugin is last on the list and also one of my favorites, as it simply allows you to specify after how many invalid login attempts to lock the account. This effectively helps you fight brute force password attacks! It is a great option when combined with a secure password. But beware that it also means your own login might get locked just because someone got upset with you and typed the admin password incorrectly a few times! The best way to avoid that scenario is to change the admin username to something else and then use an alias (display name) for publishing your posts, so the login name never appears on the site!
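As an added example of the lockout logic (my own code, not User Locker’s), here is a small class that counts failed logins per username inside a sliding window and locks the account for a fixed period. It also shows the failure mode described above: once locked, the correct password is rejected too, so anyone who knows your login name can lock you out. The thresholds are assumptions for illustration, and the counters are kept in memory; a real plugin persists them in the database so they survive across requests.

```python
"""Account lockout after repeated failed logins, the behaviour the User Locker
plugin provides. In-memory illustration, not the plugin's code."""
import time


class LoginLocker:
    def __init__(self, max_failures=5, window=15 * 60, lock_for=60 * 60,
                 clock=time.time):
        self.max_failures = max_failures   # failures allowed inside `window`
        self.window = window               # seconds over which failures count
        self.lock_for = lock_for           # seconds the account stays locked
        self.clock = clock                 # injectable so tests can move time
        self.failures = {}                 # username -> [failure timestamps]
        self.locked_until = {}             # username -> unlock time

    def is_locked(self, user):
        until = self.locked_until.get(user, 0)
        if until > self.clock():
            return True
        self.locked_until.pop(user, None)  # lock expired, forget it
        return False

    def attempt(self, user, password_ok):
        """Record one login attempt; returns 'ok', 'failed' or 'locked'.
        A locked account rejects even the correct password: that is the
        feature, and also how an annoyed visitor can lock YOU out."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_for
            self.failures.pop(user, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    locker = LoginLocker(max_failures=3)
    for guess in ("letmein", "password", "admin123", "the-real-password"):
        print(guess, "->", locker.attempt("admin", guess == "the-real-password"))
```

Whatever the lock is keyed on is what the attacker can abuse: keying on the username lets a stranger lock the owner out, keying on the client IP lets a botnet with many addresses keep guessing. Combining the two, plus a login name nobody can read off the site, is the practical middle ground.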

There are many more plugins that will help you make your blog more secure, but my goal is to achieve a Practical Level Of Security!

Step 4: Monitor Your Blog Security

There are a couple of ways to exploit your blog:

  1. Modify your blog database via SQL injection or by gaining full control over it
  2. Access the file structure of your blog and do damage through the files

If you are backing up your database and protecting your administrative access properly, you should do quite well defending against number 1, as long as you also update frequently!

But the second one can still be a big problem! I have had one of my blogs hacked because someone gained access to a hosting account and was able to traverse the file structure and modify it at will. Worse yet, I have a very strong suspicion, backed by examination of my Apache access and error logs, that the attacker hacked someone else’s account on the same shared host where my site was located and gained access to my blog.

So how do you defend against that, right?!

Actually quite easily, using a plugin I will introduce next:

  • WordPress File Monitor by fellow Virginian Matt Walters does the job quite nicely! It functions like a “tripwire” intrusion detection system, monitoring your files for changes and notifying you about them in near real time (on the WordPress admin dashboard) and via email.

The plugin has several options to configure, the most important being…

  1. How you will monitor? – I recommend by file date, as it is less process-intensive on your server, although less secure: an attacker who can write to your files can also reset their timestamps, which only a hash comparison would catch.
  2. How often to scan? – I specified 1 hour simply because that is about as real time as I want to get. Most hack fixes involve cleaning the files, usually by restoring them and securing the entry point. Knowing which files were modified will make this job a lot simpler!
  3. Exclusion rules – Extremely important: exclude files that change frequently on your blog, such as cached files from the wp-super-cache plugin and anything else that stores frequently changing dynamic files in your WordPress directory structure. The author has good instructions on how to define them, and using his default guidelines I was able to get a clean report after a couple of tries.
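As an added example of how such a tripwire works (my own code, not the WordPress File Monitor plugin’s), the script below records a baseline fingerprint of every file under the blog root, skips excluded paths, and on a later scan reports what was added, removed or changed. It implements both monitoring modes from option 1: the cheap size-plus-modification-time check and a SHA-256 content hash. The default exclude patterns and the baseline file location are assumptions for the example.

```python
"""Tripwire-style change detection for a WordPress tree: take a baseline,
rescan later, report added/removed/changed files. Illustration only, not the
WordPress File Monitor plugin's code."""
import fnmatch
import hashlib
import json
import os
from pathlib import Path

# Paths that legitimately change all the time (assumed defaults for this
# example); patterns are matched against the path relative to the blog root.
DEFAULT_EXCLUDES = ["wp-content/cache/*", "wp-content/uploads/*", "*.log"]


def is_excluded(rel_path, patterns):
    return any(fnmatch.fnmatch(rel_path, p) for p in patterns)


def fingerprint(path, mode):
    """'mtime' mode: size and modification time (cheap, but forgeable with
    touch). 'hash' mode: SHA-256 of the contents (reads every byte)."""
    if mode == "mtime":
        st = path.stat()
        return f"{st.st_size}:{int(st.st_mtime)}"
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, mode="hash", excludes=DEFAULT_EXCLUDES):
    """Return {relative_path: fingerprint} for every regular file under root."""
    root = Path(root)
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if is_excluded(rel, excludes) or not path.is_file():
                continue
            snapshot[rel] = fingerprint(path, mode)
    return snapshot


def compare(baseline, current):
    """Report the differences between two snapshots, sorted for stable output."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in both if baseline[k] != current[k]),
    }


def save_baseline(snapshot, path):
    # Keep this file OUTSIDE the web root and unwritable by the web server
    # user: if the attacker can edit the baseline, the monitor is blind.
    Path(path).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # Assumed locations for a real run; rerun from cron to get the report.
    blog_root, baseline_file = "/var/www/blog", "/var/backups/blog-baseline.json"
    if not Path(baseline_file).exists():
        save_baseline(scan(blog_root, "hash"), baseline_file)
        print("baseline written")
    else:
        report = compare(load_baseline(baseline_file), scan(blog_root, "hash"))
        print(json.dumps(report, indent=1))
```

The mtime mode misses a file whose contents were swapped for something of the same size and whose timestamp was put back with touch; the hash mode catches that, at the cost of reading every file on each scan, which is the trade-off option 1 is really about.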

And once you set up the plugin, you can enjoy the peace of mind that comes with a semi-secure WordPress installation. Right?


Step 5: Test Your WordPress Blog Security

Hey, we have come this far, no reason to stop now! Let’s do the final step and test just how well we did our work!

  • WP Scanner is a plugin and a service at the same time: the plugin validates that you are scanning your own blog, and then a web interface tests your blog’s security!

Obviously this is optional, but you might be surprised at what you discover! So go ahead and do it! Now!


Still reading? Great, because right about now you should feel good about yourself: you have just accomplished a monumental task and created a WordPress installation more secure than the vast majority of blogs out there, while retaining Practical Accessibility!

And I think you deserve a bonus tip!

Bonus Tip: Maintain Your Blog

A phrase I heard somewhere, “cleanliness is next to godliness”, very much applies to your blog, as it will run a heck of a lot better if you keep it nice and clean and its database optimized.

  • WP-Optimize plugin will help you do that! It allows you to remove post revisions, comments in the spam queue and unapproved comments with a few clicks. Additionally, you can rename any username to another username too.

Now you deserve to rest!

If you do even half of the things I have specified above (and I don’t expect you to do them all), you will achieve that Practical WordPress Security level we strive for in 5 simple steps.