WordPress Security: Protecting your Website from Attacks

With a wide selection of themes and plugins, combined with its easy-to-use and powerful features, WordPress is an excellent tool to build your business website from the ground up.

With more than half of most business and personal websites running on WordPress, WordPress has become a victim of its own success, with many hacking attempts targeted solely at WordPress sites.

Therefore, to keep your business website safe from harm, you need to start taking security measures.

Making your WordPress website safe and secure is a rather massive undertaking, but I’ve divided it up into several smaller steps which should help smoothen the entire process.

Part 1: Securing Your Server

Securing your WordPress website isn’t just a matter of installing the right plugins or choosing a complex password, but there are a few things that need to be done on the server as well.

Sadly enough, most WordPress users tend to forget (or simply do not know) that hacking can easily be caused by an insecurely configured hosting environment.

The following methods in this section may look intimidating if you’re not a programmer, but you can just copy and paste the lines of code, and you’ll make your server much more secured.

File Permissions

While most WordPress site operators don’t pay much attention to file permissions, if configured correctly, they do tend to improve the overall security of your WordPress website significantly.

Like Linux, every file and directory in WordPress have their own permissions. These permissions decide what a website can do with them, inform the same to the web server.

To be able to set up your file permissions correctly, first, you’ll need some basic understanding of how file permissions on Linux work.

File permissions in Linux are divided into 3 actions and 3 groups. The can be shown in Symbolic notation or Octal notation.

The symbolic notation makes use of letters, while the octal notation indicates rights via numbers.

When setting file permissions, these are the following actions you can set:

  • Read (indicated by “r” or octal notation “4”)
  • Write (indicated by “w” or octal notation “2”)
  • Execute (indicated by “x” or octal notation “1”)
  • No rights to any action (indicated by “-” or “0”)

A file could have “rwx” rights, indicating the specific group can read, write and execute the file. In the octal notation, these specific rights would be indicated by

“7”, being 1+2+4 (or: execute + write + read).

Permission groups consist of the following types:

  • Owner rights
  • Group member rights
  • User rights

Every file falls under one of the 3 groups, each of these groups will have rights assigned to them. Every group will separately need to have declared if they can read, write and/ or execute.

Because of this, you’ll see three numbers in the octal notation, or 3 sets of letters in the symbolic notation.


Symbolic notation:

rwx rwx rwx : this indicates that every group has read, write and execute permissions.

Octal notation:

777: this indicates the same permissions as the symbolic notation above. Every group gets assigned one number indicating its permissions.

7 = 4+2+1 (read/write/execute)

6 = 4+2 (read/write)

5 = 4+1 (read/execute)

4 = 4 (read)

3 = 2+1 (write/execute)

2 = 2 (write) 1 = 1 (execute)

Let’s look at an example to help you understand: Let’s say we have an index.php on our web server.

Ideally, in WordPress, we’d have read and write permissions for the owner, while everybody else would only have read permissions.

The file permissions for our index.php file would then have to look like this:

Index.php rw-r–r– or 644 in the octal notation

The first 3 letters (rw-) indicate that the file owner has permission to read and write the file, while the group members (second set of 3 letters) and the users (last set of 3 letters) only have permission to read the file.

The octal notation tells us exactly the same, as the first number indicates the rights of the owner:

4 (read) + 2 (write)= 6

The other 2 groups have reading rights, so they both get assigned the number 4.

To ensure your WordPress install is set up securely, This is how you should set your permissions:

– folders: 755 or rwxr-xr-x

– files: 644 or rw-r–r—

– wp-config.php-file: 600 or rw——-

PHP settings

WordPress is written using PHP code.

This means some settings in PHP should be taken into account when looking into your entire WordPress security configuration.

In PHP there are several settings that, if configured in a certain way, pose serious security issues. To consult your PHP configuration, you’ll need to check the php.ini file of your web server.

there is a subfolder “php” or “php5” present in the “etc”-folder.

In some cases (for example when you’re using a shared hosting account), it is possible that the PHP settings will be incorporated in some sort of control panel.

In case you have no direct access to your php.ini file you should try to check with your hosting providers support desk to verify how to implement the configuration suggested in this article.


The allow_url_fopen setting should be set to “off”.

However, there are some content management systems and plugins that require this setting to be set to “on”, which is a pretty bad idea.

Here’s the reason why. Allow_url_fopen provides a way to access remote files, which something like Joomla, for example, will use in their updating process.

The risk you are creating by turning this on is that hackers might use it to hack your website via URL-injection, which should be avoided at any cost.

This means that a hacker can add any kind of instruction to a specific URL, resulting in the possibility to run any script or command.

You should avoid anything requiring this setting, or enable it before running the action that requires this setting and quickly disabling it after that.

Default Files

Each server has a certain number of default files in its configuration that will be executed if present. The most common ones are:

    • htm
    • html
    • php

Of course, this list isn’t complete, as some servers will also support certain other filenames, like:

    • htm
    • html
    • htm
    • html

These filenames that will be recognized as “default pages” are declared in the config of the web server.

In most cases, this will be an Apache web server. Within its configuration, you find these pagenames declared in the DirectoryIndex setting.

It might look something like this:

    • DirectoryIndex index.html
    • htm index.php
    • html

But when no such file is present, in most cases, the server will provide the visitor with a view of the contents of the current directory.

As you might notice, all files in this specific folder are now visible to the public.

Of course, this should be avoided at any cost. You can do this by simply providing a blank index.html file in the directory. You could also do this by tweaking your .htaccess file.

Tweaking your .htaccess file

Htaccess stands for HyperText Access. This is the file that holds the configuration tweaks on a directory level.

This means that you can declare rules in this .htaccess file that will be applied to the directory that it’s being placed in, as well as on all subdirectories.

When using WordPress, you’ll probably already have a .htaccess file in the root folder of your website.

This is because WordPress uses this file to configure permalinks (if you’ve chosen another configuration then the default permalink configuration).

But by adding several rules to this file, you’ll be able to strengthen your WordPress security further.

Limiting access based on the IP address

If you happen to have the luxury of having an internet connection with a fixed IP address, you can use this to your advantage.

It allows you to configure the .htaccess file in so that you can limit the access to your WordPress backend to a fixed IP address.

For example, let’s say your IP would be In this example you’d have to add the following lines to your .htaccess file in the root directory of your WordPress installation:

Order deny, allow

Deny from all

Allow from

But note that this won’t cover the wp-admin folder, so you’ll need to put a .htaccess file in the wp-admin containing following rules:

Deny from all

Allow from

By adding these last configuration, you’ll have secured your WordPress login form.

Preventing XST

A cross-site tracing (XST) attack exploits ActiveX, Flash, and Java, enabling the execution of an HTTP trace request.

This lets a hacker to gain access to a person’s web cookies and authentication credential information.

You can easily shield your site for these kinds of attacks by adding the following lines to your .htaccess file:

RewriteEngine On


RewriteRule .* – [F]

Disable directory indexing

Disabling directory indexing is another excellent solution when there’s no default file present, and your files and directories are visible to the public.

Of course, you could solve it by simply providing a recognized default file, such as an empty index.html or index.php.

But this would require you to create a default file in every publicly visible directory.

This creates too much overhead, and you may forget to put a blank index.html file when you have a new folder.

Fortunately, there’s a far easier solution: disabling this via the .htaccess file. To do this, you’ll need to add the following line to your .htaccess file:

Options -Indexes

This way no one would be able to snoop around the directory in which you’ve added the .htaccess. And it will be applied to all of this folders subdirectories too.

Robots.txt Security

The robost.txt is a file that will indicate to search engine crawlers which files and/or directories should and shouldn’t be indexed.

By default, most servers or hosting accounts won’t provide such a file to, as they leave it up to the user to take care of the search engine optimization.

And that’s not at all a bad thing. Especially when it comes to securing your website, it’s certainly advisable to create such a file.

Using a robots.txt file, you can prevent search engines from showing others just exactly which themes or plugins you are using in the search engine results.

This way you could prevent hackers from searching for a specific theme or plugin (if an exploit or leak exists) and having them finding your site via the search results.

To create such a robots.txt, you can use a simple text editor.

In the file named as “robots.txt”, you should enter following rules in this text-file:

User-agent: * Disallow: /cgi-bin

Disallow: /wp-admin

Disallow: /wp-includes

Disallow: /wp-content/plugins

Disallow: /wp-content/cache

Disallow: /wp-content/themes

Allow: /wp-content/uploads

Once you’ve created this file (in notepad or any other text editor), you should upload it to the root of your WordPress website.

This is the directory that contains the following 3 folders:

  • wp-admin
  • wp-content
  • wp-includes

In most cases, this directory is called “www” or “httpdocs”.

If you’re not too sure about where to place this file, you should contact your hosting provider for directions as each server can be configured differently.

You should also take note that the implementation of a robots.txt file won’t have its desired effect right away.

This is because the crawler of the search engine will have to first revisit your website, find the robots.txt and read it to know how and what to index on your website from now on.

This whole process could take anywhere from a couple of hours to a couple of days, depending on how often search engines will crawl your website.

Installing extra security server packages

You can raise the overall security of your website by installing some security-specific software packages on your server.

Of course, contrary to most of the suggested techniques we have discussed, this would require you to have root access to the server that is hosting your website.

One excellent security package is the popular Fail2Ban package.

How Fail2Scan works is by scanning the logs on your server (the error_log files) and temporarily bans IPs addresses that have failed too many login attempts or which are searching for exploits.

a bit more secure.

Fail2Ban is a console app and therefore means you’ll need to gain root-access on your server to be able to install and run this application using SSH.

Part 2: Basic WordPress Security

Once your server has been properly configured, it’s time to move to the next step and take a look at your “main event” – Your WordPress installation.

First, we’ll be adding some plugins to our WordPress-website to improve security. Then we’ll take a look at how we can deal with security when it comes to plugins and themes.

And finally, we’ll go over the extra steps inside WordPress itself that you can do to reinforce your security.

WordPress Security Plugins

With the growing number of attacks and hacks directed towards WordPress websites, there has been an increase in the need for security solutions.

Many developers have built plugins for WordPress to address this issue. While there are actually quite some security plugins available for the WordPress platform, we’ll be looking into only 3 specific plugins:

  • WP Limit Login Attempts
  • Wordfence Security
  • iThemes Security

With just these 3 plugins, you can pretty much cover every possible security tweak you’d possibly need.

Also, by limiting to only 3 plugins for security, your website’s speed and performance will not be significantly affected.

Every single WordPress plugin requires a certain amount of processing power and ram memory to run, so the more plugins you use, the slower your website will load.

With just these three plugins you can choose which plugins you will use, depending on your requirements.

So for example, if your WordPress site doesn’t have a login page, you can choose just Wordfence Security and iThemes Security.

Warning: Before making any changes to your WordPress installation covered in the following section, you should always create a backup of your database.

This way, if any of the changes you did cause conflict, you can always roll back to the state before the changes.

Even though these plugins are safe together with most other plugins, it’s better to be safe than lose weeks or even years of hard work.

WP Limit Login Attempts

Brute force attack is a hackers’ term to describe using a trial-and-error method to gain access to restricted areas.

To stop brute-forcing attacks (where usernames and passwords will be entered randomly until a working combination is found) from happening on your WordPress site, you can install the WP Limit Login Attempts plugin.

The downside of using this specific plugin is that it only protects you against brute forcing attacks. Do note that this functionality is also included in the iThemes Security plugin.

Once activated and set up, incorrect login attempts on your login form will result in an error message for the person trying to log in.

How WP Limit Login Attempts works is that it limits the number of attempts that can be made via the login form or authentication cookies.

Once the limit of incorrect attempts is reached, the IP address will be blocked for the period of time (which can be set by you).

Wordfence Security

This is a great security plugin is Wordfence Security to protect your WordPress site from malware.

Malware stands for malicious software. Malware is software built by hackers to do harm to data, people, or in this case – your website.

When you activate Wordfrence security plugin, it scans your database and blocks any incoming malware, protecting your site from harm.

Wordfence Security uses a “freemium” model, which means some features are available for free, while others are available if you buy the full version.

iThemes Security
This is yet another great plugin that every WordPress site owner should use. According to its developers, iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site.

Based on the development team’s statistics, an average of 30,000 new websites are hacked each day as WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords, and obsolete software.

iThemes Security works to plugged common loopholes, stop automated attacks and reinforce user credentials. With additional features for advanced users, the iThemes Security plugin can help keep your website safe from hackers.

Part 3: Other WordPress Security Measures

These are the security tweaks you can use that can further strengthen the security of your WordPress site.

Themes Security

Themes are a great feature in WordPress. With themes, you can create the perfect website design that reflects your business. There is nearly an endless selection of themes suitable for any type of business need.

But do you know that about 25% of WordPress hacks happen through a loophole in a custom theme?

Because of this, you need to deal with themes securely. Always update your theme when an update is released.

Also, never just install any theme that you find. A free theme isn’t always free and may contain malware.

While WordPress is open source and in essence “free” to use. Most people starting out with a WordPress website will some point start looking for a nice theme for their site.

For a lot of people, this is where the problems start. Most people think they can just download a theme for free instead of shelling out over 100£ for a professionally built theme.

The shocking fact that most users fail to realize is that as many as 8 out of 10 themes contained malicious code, allowing abuse of the WordPress website on which the theme would be installed.

While some free themes may be non-malicious in nature, most free themes still have the following disadvantages:

A great number of them includes unoptimised code
Some themes are gated behind an opt-in form, which means you can’t download it without subscribing to specific mailing lists (which may send you spam emails)
Not every free theme gets updates that patches security loopholes or exploits
That’s why I would personally suggest the use of premium (paid) themes. There are quite some advantages, such as guaranteed support on these themes, quality coding, and theme updates.

When you’re buying a theme, you should always buy from credible marketplaces such as Elegant Themes, Themeforest, and WooThemes.

WordPress Setting Tweaks

Protecting your WordPress site is all about bringing down the number of options for hackers to carry out their attacks to as low as possible.

In this section, we’ll look at some of the modifications you can do to increase the overall security of your WordPress website.

– Generator Meta Tag: By default this is turned on, thus removing the

information from the header. This should be kept on.

– Remove the Windows Live Writer header: By default, this is turned on. You should leave this turned on.

– Edit URL Header: Enabling this option removes the Really Simple Discovery header information. Unless you are integrating your blog with external services over XML-RPC (such as Flickr), it’s better to turn this on.

– Comment Spam: Turn this on to decrease comment spam.

– Display Random Version: When enabled this function will display a random WordPress version number anywhere a version number is required to be displayed.

– File Editor: Enabling this option will remove the function to edit theme and plugin-files from the backend. You should ideally turn this on.

– XML-RPC: This function has 3 options. By default, it is set to off. You can choose to set it to “Only Disable Trackbacks/Pingbacks” to avoid denial of service (DDoS) attacks via the trackback/pingback feature.

– Login Error Messages: While this option is disabled by default, you should double check that it stays off.

– Force Unique Nickname: Like Login Error Messages, this should be turned off and remain off.

– Disable Extra User Archives: If you have an author on your WordPress site has 0 posts, this should be turned on.

Removing The Admin-User

that a substantial number of WordPress sites only uses the default “admin” user.

With such a generic username, hackers only need to find your password to gain access to your WordPress backend.

This is a simple tweak that is often overlooked by website owners. Simply create a new user with administrator permissions and then removing the current “admin”-user.

This way, your website won’t end up as a low hanging fruit for hackers.

Hiding login error messages

You’ve probably noticed that WordPress tends to give you an indication of what’s wrong when you enter incorrect data in the login screen.

However, smart hackers can use this info to verify if they got the username or the password wrong. And because of this, it’s safer to hide these messages altogether.

This can be done by adding one single line of code to the functions.php file of your current theme:

add_filter(‘login_errors’,create_function(‘$a’, “return null;”));

Of course, if you’re using the iThemes Security plugin to hide the login error messages, this change is no longer necessary.

Final Words

Your website is an extension of your brand and your business. It is your very own piece of virtual real estate.

And just like a real property, you need to have the proper security measures in place to deter wannabe intruders.

Fortunately, you don’t need to spend hundreds or thousands of pounds just to keep your website safe.

Whether it’s keeping yourself informed with the latest security news, or installing the latest updates for your WordPress backend, you should make a conscientious attempt to keep up before it’s too late.

To make sure you stay aware of the latest security info your website, you should check back here regularly for more guides and tips to protect your interests.

About Murray Dare

Murray Dare is a Marketing Consultant, Strategist and Director at Dare Media. Murray helps UK businesses find better ways to connect with their audiences through targeted content marketing strategies.