Steps to make your WordPress site more secure

Here’s a bunch of pointers that I gathered from various sources and use myself for each WordPress site I create.  It’s assumed you have a decent understanding of web servers, FTP clients, and IP addresses.

Ya never know when you might write a post that pisses off some random hacker in Czechoslovakia who decides to delete all your work or just post naked pictures of himself to scare your visitors.  Better safe than sorry, right? 😉

  1. Add Secret Keys to your wp-config.php file
    • These keys are what WordPress uses to sign login cookies. With the placeholder values that ship in wp-config-sample.php, cookies are far easier to forge, so every install needs its own random ones.
    • Go to this site – http://api.wordpress.org/secret-key/1.1/
    • FTP to the root of your WordPress installation (i.e. www.yourdomain.com/)
    • Copy and paste the 4 rows into your wp-config.php file (anywhere above the “That’s all, stop editing!” line is fine). Newer WordPress releases use a longer list of keys and salts; the generator at https://api.wordpress.org/secret-key/1.1/salt/ produces all of them, so paste whatever it gives you.
    • Upload the updated file back to your web server
    • Changing the keys invalidates every existing login cookie, so you (and anyone else who was logged in) will have to log in again
  2. Delete the Admin account
    • “admin” is the first username every password-guessing script tries, so an account with that name hands an attacker half of the credentials for free
    • Backup your database (always a good idea when making drastic changes like this)
    • Create a new user with Admin privileges (pick a username that isn’t an obvious variant of “admin”)
    • Log in to the new user account
    • Delete the “Admin” account (I would recommend checking the “Attribute all posts and links to…” radio button, otherwise its posts are deleted along with it)
  3. Protect your “plugins” directory
    • FTP to your WordPress installation root/wp-content/plugins folder
    • Upload an empty file called index.html (you can create it in Notepad)
    • On servers with directory indexing turned on, this stops people from browsing a listing of wp-content/plugins, which would tell them exactly which plugins (and versions) you run and therefore which plugin exploits to try
    • It only hides the listing: a plugin’s files can still be requested directly if the path is known, so keep your plugins updated as well. If your host allows it, an .htaccess line of “Options -Indexes” turns listings off for every directory at once.
  4. Secure your “wp-admin” directory
    • FTP to your WordPress installation root/wp-admin folder
    • Upload an .htaccess file (if you can’t create the file on your Windows PC, you can upload another empty file, like bla.txt, and rename it on your web server)
    • Make the contents look something like this –>
    • Of course the xx.xxx.xxx.xx IP address must be replaced with your actual IP.  If you aren’t sure what it is you can go to www.whatismyip.com
    • Two things to check first: if your ISP gives you a dynamic IP you will lock yourself out when it changes (the fix is to edit or delete the .htaccess over FTP), and anything on the public site that calls wp-admin/admin-ajax.php (many plugins and themes do) will break for visitors unless that one file is exempted from the restriction
    • Note that wp-login.php lives in the site root, not in wp-admin, so the login form itself still accepts password guesses from anywhere; the restriction stops a successful guess from getting anywhere useful
  5. Hide your version of WordPress
    • In the WP admin panel, go to Appearance > Editor (if you can, do this in a child theme; edits to a parent theme’s files are lost when the theme updates)
    • Open the header.php file
    • Browse for something like this and delete it:   <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    • Save your changes
    • If the tag isn’t in header.php, the theme is generating it through the wp_head() call that every theme makes in its <head>; in that case it has to be removed with a filter in functions.php rather than by editing the template
    • This removes the most obvious hint of your exact WP version, so a would-be hacker can’t pick attacks for it at a glance. Bear in mind the version is also leaked by the RSS feed, by the readme.html file in the site root, and by the ?ver= query string on WordPress’s own scripts and styles, so treat this as reducing noise rather than as a real defense; keeping WordPress updated is what actually closes version-specific holes.
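For step 4, the original post shows the .htaccess only as a screenshot. Here is an added example of what such a file can contain, written for this page rather than copied from the post. It assumes Apache with .htaccess overrides enabled for the wp-admin directory; 203.0.113.10 is a placeholder address from the RFC 5737 documentation range and must be replaced with your own IP.

```apacheconf
# Added example (not the screenshot from the original post): an .htaccess for
# wp-admin/ that only lets one IP address in.
# Assumes Apache with AllowOverride enabled for this directory.
# 203.0.113.10 is a placeholder from the RFC 5737 documentation range;
# replace it with your own address (see www.whatismyip.com).
# Several addresses or ranges can be listed, e.g.
#   Require ip 203.0.113.10 198.51.100.0/24

# Apache 2.4 and later
<RequireAny>
    Require ip 203.0.113.10
</RequireAny>

# admin-ajax.php is called by the public front end (themes, plugins, comment
# forms), so it must stay reachable from everywhere. A <Files> section is
# merged after the directory-level rule above and replaces its Require.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Apache 2.2 equivalent (use INSTEAD of the two sections above; a 2.2 server
# does not understand "Require ip" and will answer every request with 500):
#
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10
#
# <Files "admin-ajax.php">
#     Order Allow,Deny
#     Allow from all
# </Files>
```

After uploading it, check three things from a browser: wp-admin/ from your own IP still loads, wp-admin/ from another address (a phone on mobile data works) gets a 403, and the public site’s AJAX features (comment forms, search boxes, theme widgets) still work for that other address.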

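For step 5, here is an added example of hiding the version from functions.php instead of editing header.php. It is written for this page, not taken from the original post, and assumes a standard WordPress install; it goes in your (child) theme’s functions.php or in a small plugin. The function name example_strip_core_version is my own choice. It goes further than the post’s step in that it also covers the feeds and the ?ver= query string on core scripts and styles.

```php
<?php
// Added example (not from the original post): hide the WordPress version
// without editing header.php. Drop this into a child theme's functions.php
// or a small plugin. Assumes a standard WordPress install.

// 1. Remove the <meta name="generator"> tag from <head>. Most themes emit it
//    through wp_head() rather than as a literal tag in header.php, which is
//    why searching header.php often finds nothing.
remove_action('wp_head', 'wp_generator');

// 2. The RSS/Atom feeds carry their own <generator> element with the version;
//    the_generator filter lets us blank it.
add_filter('the_generator', '__return_empty_string');

// 3. WordPress appends ?ver=<core version> to its own script and style URLs.
//    Strip the query string only when it equals the core version, so plugin
//    and theme assets keep their own cache-busting ver= parameters.
function example_strip_core_version($src) {
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version', 15);
add_filter('style_loader_src', 'example_strip_core_version', 15);
```

This still leaves readme.html in the site root, which states the version in plain text; delete that file after each update or block it in .htaccess. Even with all of the above, a determined attacker can fingerprint the version from file hashes of public assets, so this is about not advertising the version, not about making it secret.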