How to Secure Your WordPress Installation

Updated: October 8, 2015


As your site gets more popular, it becomes an attractive target for hackers, bots, and spammers looking for a way to compromise your installation. When starting out, security might not be at the top of your mind. You’re more concerned about how the site looks and whether it is loading quickly or not. But I can assure you, all it takes is one bad incident for you to learn the importance of good security. It might not take the form of a catastrophic crash but could instead manifest itself as sporadic disruptions of service, with your database being unavailable for long periods of time. Fortunately, there are a few quick ways to secure your WordPress installation and cut down on malicious attacks dramatically.



Here are a few easy tips to go about it:



Disable Directory Browsing


WordPress is such a popular platform that its directory structure is well known. Everyone is aware that important folders like wp-content, wp-includes, etc. reside in the root directory and that sensitive files lie within. A feature known as “directory browsing” allows users to access your files and folders using the browser, much like you do on your PC at home. Needless to say, this is a security risk, as you don’t want others to know the internals of how you have configured your site, what plug-ins you’ve installed, and what themes you’re using.


To fix this, you need to be able to edit your .htaccess file. It’s usually found in the root directory of your web host and can be used to control access to various parts of your website and rewrite URLs. It’s very important to remember to take a backup of this file before making any changes to it since messing up can render your site inaccessible. By default, WordPress has just a few .htaccess instructions that we can build upon. For example, in order to disable directory browsing, simply add these two lines of code below the existing ones:


# Don't allow others to browse your directories
Options -Indexes


Lines starting with a “#” are comments and they allow us to keep track of the changes we make. The simple one-line command accomplishes what we want.


Protecting wp-config.php


Your wp-config.php file contains very sensitive information that no one should be allowed to touch. It has your database username and password so that WordPress itself can access it. If it gets into the wrong hands, you’re screwed since anyone can then locate your backend and do whatever they want to your blog. Protecting wp-config.php should be one of your first priorities when hardening WordPress. To do this, open up your .htaccess file once again and add the following lines to the bottom:


# Protect wp-config
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Even if you don’t understand the language, it’s pretty easy to see that this piece of code denies access to wp-config.php from all sources. It only needs to be accessed internally by your WordPress installation and perhaps by FTP on your end. No one else should be able to touch it. Your final .htaccess file with the above two changes should look like this:


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Don't allow others to browse your directories
Options -Indexes

# Protect wp-config
<Files wp-config.php>
order allow,deny
deny from all
</Files>
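
To check an edited file against the two rules above, here is a small Python audit, added as an example and not part of the original article. It reads a single .htaccess as text (the function name and sample strings are constructed for illustration) and flags the failure that matters most here: a deny-all that sits outside a <Files> block and so locks out the whole site.

```python
import re

def audit_htaccess(text):
    """Return findings for the two rules above; an empty list means both pass."""
    findings, indexes_off, config_denied = [], False, False
    section = None  # argument of the enclosing <Files>/<FilesMatch> block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Files(?:Match)?\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            section = opened.group(1)
        elif re.match(r"</Files(?:Match)?>", line, re.I):
            section = None
        elif re.match(r"Options\b", line, re.I):
            opts = [o.lower() for o in line.split()[1:]]
            signed = [o[0] in "+-" for o in opts]
            if any(signed) and not all(signed):  # Apache 2.4 rejects this mix
                findings.append("Options mixes signed and unsigned values")
            for o in opts:
                if o in ("-indexes", "none"):
                    indexes_off = True
                elif o in ("indexes", "+indexes", "all"):
                    indexes_off = False
        elif re.match(r"(deny\s+from\s+all|require\s+all\s+denied)$", line, re.I):
            if section is None:  # rule applies to every file, not just wp-config
                findings.append("deny-all outside <Files>: blocks the whole site")
            elif "wp-config" in section.lower():
                config_denied = True
    if not indexes_off:
        findings.append("directory listing not disabled")
    if not config_denied:
        findings.append("wp-config.php has no deny-all <Files> block")
    return findings

# Constructed sample: container tags lost, Options forms mixed.
BROKEN = "Options All -Indexes\norder allow,deny\ndeny from all\n"
# Constructed sample: both rules in their intended form.
HARDENED = ("Options -Indexes\n<Files wp-config.php>\n"
            "order allow,deny\ndeny from all\n</Files>\n")

if __name__ == "__main__":
    for name, sample in (("BROKEN", BROKEN), ("HARDENED", HARDENED)):
        print(name, audit_htaccess(sample) or "OK")
```

The audit only sees the file it is given; settings inherited from the server configuration or a parent directory are outside its view.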


Renaming your Login and Admin Pages


I found that one of the biggest impacts on site performance comes from bots targeting your login and admin pages seeking to crack the username/password combination. Even if they don’t succeed, you’re still being hit with potentially thousands of requests to these pages.


A simple way to fix this and prevent your resources from being used up is to rename them to something else. I personally find that using a plug-in to get this job done is better than modifying .htaccess files. One of my favorites is Better WP Security – a free plug-in that does a lot more than just renaming these two critical points of entry. Using it, you can make several more changes to harden your WordPress installation and keep it secure from hackers and bots.


Security should constantly be at the back of your mind. Regularly updating WordPress (or allowing it to update itself) and keeping in touch with the latest vulnerabilities on the web is important if you want to keep your site safe.

