Step-by-step Guide to Securing WordPress from Malware and Hacking

Step-by-step Guide to Securing WordPress from Malware and Hacking

Lucid Agency develops countless websites utilizing the WordPress Content Management System (CMS) each year. WordPress is definitely a great CMS. It’s fast to install, easy to customize, is infinitely scalable for numerous applications, has thousands of plugins for almost anything you can imagine and it has a simple user interface which our clients love. However, like most great things, it too has some short-comings. One of these is security. Because there are millions of installations and WordPress is the most widely used content management system on the internet, powering over 75 million websites (roughly 25% of the websites online) and as such, it is often a target for hacking and malicious malware distribution.

Of course, nothing is ever totally secure, as the CIA found out when its website was hacked. But if you take the proper precautions, WordPress can be made much more secure, to a level where an intrusion is very unlikely, and any malicious incident will be highly isolated, with much easier remediation.

Lucid Agency has put together an internal list that we use as a basic guideline for a “more secure WordPress” installation. We have decided to share this list, so that others don’t have to spend as much time researching and evaluating as many different security tactics as we have. Please feel free to share this list, and if you have questions, you can ask them in the comments below or contact us.

Please note: this list is not intended to be fully comprehensive, and there are other security procedures that we implement as well, however this is a great starting place and will help make any WordPress installation more secure. With that said, enjoy:

  1. Apply the official WordPress hardening approach
    1. Don’t have a user named “admin” in the system. All admin users should have a custom user name.
    2. Make sure permissions are set to 644 for all files and 755 for all directories.
    3. Only use SFTP (not standard FTP) so that all files uploads are encrypted.
    4. Use strong passwords with a mix of numbers, letters and symbols. WordPress will measure the strength of your password, so make sure you see the “green” and have a strong password.
    5. All websites on a single or shared hosting environment should be on a unique user account (prevents cross-contamination if one site gets infected with something nasty).
    6. Move wp-config.php up one level on your hosting environment (WordPress will look for it in either location, but it must either be in root WordPress install location or up one level from the root WordPress install). It is more secure to have it up one level from WordPress.
    7. Secure wp-config.php by copying the code below into the VERY TOP of the .htaccess file:
      <files wp-config.php>
      order allow,deny
      deny from all
    8. Secure wp-includes. Copy the code below into your htaccess file.
      # Block the include-only files.
      RewriteEngine On
      RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      # BEGIN WordPress
  2. Install security “secret key” to wp-config.php file
    • Go to  to have a set of randomly generated secret key generated. Copy the 4 secret keys to your wp-config.php file underneath the “define(‘DB_HOST’…” line and then save and re-upload the file. You can add/change these keys at any time, the only thing that will happen is all current WordPress cookies will be invalidated and your users will have to log in again.
  3. Install a WordPress firewall and security plugin

WANT EVEN HIGHER SECURITY? Here are a couple additional tactics you can utilize:

  1. .htaccess lockdown
    • You can lock down your wp-admin directory by placing some code in your .htaccess file. You will specify a list of IP addresses that will have access to this area. If a user from an IP address that is not on this list tries to access this area, they will be denied access. Simple copy the code below into your .htaccess file and replace the with your allowed IP addresses. Two Notes: sometimes ISP’s use dynamic IP addresses that change from time to time, so you could easily lock yourself out. If this happens, simply go back into the .htaccess file and edit the IP addresses to include your new one. You can include a full list of IP addresses to grant access to.
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      #IP address to Whitelist
      allow from
  2. Change the WordPress table prefix
    • The WordPress table prefix is wp_ by default. You can change this before you install WordPress for extra security, by changing the $table_prefix value in your wp-config.php file.
  3. Prevent directories from being available for browsing
    • By default most directories are available for browsing in most browsers. You want to lock this down, and it’s simple. Just add this to the wp-config file:
    • Options All -Indexes
  4. Restrict file access to the wp-content directory
    • This is the directory that houses most of your themes, plugins and other content files. WordPress doesnt access these files via http, so you can restrict this directory so that it only allows access to the usable file types including jpg, gif, png, js and css. To do this, add this to your .htaccess file:
    • Order Allow,Deny
      Deny from all
      <files  ?.(jpg|gif|png|js|css)$? ~>
      	Allow from all
  5. Hide the WordPress version ID in your header
    • If you tried to simply delete the version number in your header file, you may find that WordPress has added it automatically to certain places. That’s a pain. So what you’ll need to do is add the following line to your functions.php file in the theme directory. (If your theme doesn’t have this file, just create a new php file of this name and add the code below).
    • <?php remove_action('wp_head', 'wp_generator'); ?>
Scott Kaufmann
[email protected]

Scott is Partner at Lucid Agency and a lover of all things technology, marketing, investing and entrepreneurship. Scott volunteers on the board of the Denver-based Nonprofit Celebrate EDU and as a mentor for SeedSpot (a Phoenix-based social startup incubator).

No Comments

Sorry, the comment form is closed at this time.