Damir Mujic

Safe(r) WordPress Installation – How to Avoid Being Hacked From a Web Hosting Point of View

WordPress is certainly one of the most popular Content Management Systems (CMS) and, according to estimates, the base for every sixth website. That is exactly what makes WP an exceptionally appealing target for interested parties: hackers, authors of various invasive scripts, or bored kids trying to hack a neighbor's website. Through security flaws in the application itself or in the plugins it uses, they attempt (and sometimes succeed) to place malicious content on servers. That content lets them launch DDoS attacks, send copious amounts of spam, or cause smaller problems that degrade the performance of the server hosting the compromised website or of any other server they target.

In practice, almost every security flaw stems from so-called "bad practice", either during the initial WP installation or through a lack of ongoing maintenance. We sometimes receive inquiries such as "Why doesn't it (the application) work now, when it has worked for the last XY years?", and the question contains its own answer: running the same outdated application for years (the period is arbitrary; sometimes a couple of months is enough) is the equivalent of hanging a large sign on your open front door that says "Free entry, no one is home!" Sooner or later, something bad is bound to happen. That can range from a note saying "Hey, you forgot to close the door!" (a text file with the hacker's signature left in the application folder) to the complete destruction of everything in the house (deleted documents, malicious scripts installed to launch further attacks, server stability put at risk, and so on).

In this text, we will go through some useful steps to take during a fresh WP installation on Linux servers.


1. Using Admin user

During the installation of WP, you are asked to name the admin user, who has access to every part of the application. Many scripts automatically attack the domainname/wp-admin login interface using the standard usernames admin, Admin, administrator, Administrator, root or Root, so it is smarter and advisable to use a different username for the main login.

2. Using complex passwords

The standard advice is a combination of lowercase and uppercase letters, numbers and special characters, 10 or more characters long, to make things harder for automated scripts. The five passwords most often tried in mass attacks earlier this year were admin, 123456, 111111, 666666 and 12345678. Their simplicity makes such passwords tempting, but using them leaves a vulnerability exposed that can become far more problematic than memorizing (or writing down somewhere safe) and using a password such as 4vAl0n3!2$.
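The policy above, written out as a small POSIX sh check, is an added example and not part of the article or of WordPress. It enforces exactly the stated rule (10 or more characters, lower case, upper case, digit and special character) and rejects the five mass-attack favourites named in the text; the list of rejected passwords is constructed from that sentence and nothing else.

```shell
#!/bin/sh
# Added example (not from the article, not WordPress code): password policy
# check implementing the rule from step 2 above.

# Constructed from the article: the five passwords most often tried in mass attacks.
COMMON_PASSWORDS='admin 123456 111111 666666 12345678'

# Returns 0 and prints "ok" if the password meets the policy; otherwise prints
# the reason and returns 1. Character classes are used instead of a-z ranges so
# the result does not depend on the locale's collation order.
password_ok() {
    pw=$1
    for bad in $COMMON_PASSWORDS; do
        [ "$pw" = "$bad" ] && { echo "rejected: in common-password list"; return 1; }
    done
    [ ${#pw} -ge 10 ] || { echo "rejected: shorter than 10 characters"; return 1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "rejected: no lowercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "rejected: no uppercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "rejected: no digit"; return 1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "rejected: no special character"; return 1; }
    echo "ok"
    return 0
}

# Usage: sh check-password.sh 'candidate-password'
if [ $# -ge 1 ]; then
    password_ok "$1"
fi
```

A check like this only enforces the composition rule; it says nothing about whether the password has already leaked elsewhere, so treat it as a floor, not a guarantee.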

3. Changing the WP nickname

Automated scripts frequently scan all the posts on your website for tags and author names and then try to use those names to log in to the site's administration. To avoid this, in the WP admin panel under Profile or Users, add a Nickname and, in the "Display name publicly as" field, choose a value different from the username you use to log in.

4. Backup organization

In any case, periodically back up the entire root folder of the application and the database to a safe location off the server, so that you have a fresh restore point in case of a security breach. If the backup already contains the compromised state of the application, restoring it will not remove the problem itself, but it will significantly shorten the time you would otherwise spend re-posting content from scratch.
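As an added example (not from the article and not WordPress's own tooling), the following POSIX sh script produces the restore point described above: a timestamped archive of the application root plus a compressed database dump, reading the database credentials out of wp-config.php so they are not duplicated in a cron line. It assumes WP_ROOT is the application root containing wp-config.php, BACKUP_DIR is a directory outside the web root, mysqldump is on PATH, and DB_HOST is a plain hostname; all of those are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article, not WordPress code): create a timestamped
# restore point of a WP site, files plus database, suitable for a cron job.
# Assumptions: WP_ROOT is the application root containing wp-config.php,
# BACKUP_DIR is a directory outside the web root, mysqldump is on PATH, and
# DB_HOST is a plain hostname (no host:port form).
set -u

# Read the value of define('KEY', 'value') from wp-config.php ($1 = file, $2 = key).
# Accepts single or double quotes and prints nothing if the key is absent.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole application root ($1) into $2 with timestamp $3; prints the path.
backup_files() {
    out="$2/wp-files-$3.tar.gz"
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$out"
}

# Dump the database named in wp-config.php under root $1 into $2 with timestamp $3.
# The password is passed through MYSQL_PWD so it never shows up on the process list.
backup_db() {
    cfg="$1/wp-config.php"
    out="$2/wp-db-$3.sql.gz"
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
    mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out"
    echo "$out"
}

# Keep only the newest $2 restore points of each kind in directory $1.
prune_old() {
    for kind in wp-files wp-db; do
        ls -1t "$1"/$kind-* 2>/dev/null | tail -n +$(($2 + 1)) | while read -r old; do
            rm -f "$old"
        done
    done
}

# Run as a cron job, e.g.:
#   WP_ROOT=/home/user/public_html BACKUP_DIR=/home/user/backups sh wp-backup.sh
if [ -n "${WP_ROOT:-}" ] && [ -n "${BACKUP_DIR:-}" ]; then
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    backup_files "$WP_ROOT" "$BACKUP_DIR" "$stamp"
    backup_db "$WP_ROOT" "$BACKUP_DIR" "$stamp"
    prune_old "$BACKUP_DIR" 7
fi
```

The archives still sit on the same server after the script runs; the point of the step above is a copy the attacker cannot reach, so the cron job should be followed by an scp or rsync of BACKUP_DIR to another machine, and the files-only and database-only functions can be called separately when one of the two is all you need.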

5. Changing the installation prefix in the base

During a new WP installation, the application offers the default "wp_" table prefix for the database. It is advisable to change this prefix to make things harder for any scripts that attempt to attack the database.

6. Limiting the use of various plugins, add-ons and themes

Besides weakening the security of your system, using a plethora of add-ons and themes can slow your website down. Limit plugins to the ones you really use, and delete all excess add-ons and themes to lower the risk of a breach. It is also essential to keep all of these components updated in order to maintain the level of security. If a plugin is outdated or becomes incompatible with newer versions of WP, delete it and find a replacement, as it is only a matter of time until a security flaw in it is found and abused. In case of an actual breach, maintaining a "clean" system (with all unused components deleted) makes diagnostics and troubleshooting easier and less painful.

7. Removing application version information

Removing the information about your application's version is a small yet very useful step towards making things harder for the automated scripts that attack WP. To do this, add the following to the functions.php file of the theme you are using:

// complete version removal

function complete_version_removal() {
return '';
}
add_filter('the_generator', 'complete_version_removal');

8. Not allowing new users to register

If you manage a blog or website that should have no users besides the administrator, disable registration of new users in the General settings of the administration panel ("Membership": turn off "Anyone can register"). To prevent further automated attacks, also delete the wp-register.php file, or rename it in case you need it in the future.

9. Wp-config.php file protection

In order to deny unauthorized users access to the wp-config.php file, add this code to the .htaccess file:

<Files "wp-config.php">
order allow,deny
deny from all
</Files>

That way the file is inaccessible in any way except via FTP or cPanel administration. Another way to protect the file is to move it to the parent folder (if you installed WP under /public_html/, move wp-config.php to the home folder; WP also looks for it one level above its root). Also, change the file's permissions to 0600 so that other accounts on the server can neither read nor change it.

10. Not allowing access to “include-only” files

As an additional security measure, use the .htaccess file to block browser access to the parts of the application that are only meant to be reached through the admin panel. Add these lines:

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

This way, direct requests from outside to the include-only files in these standard WP folders are refused with 403 Forbidden.

11. Allowing SSL login

If your website has an SSL certificate, adding these lines to the wp-config.php file forces login credentials and admin sessions to be sent over an encrypted connection:

//SSL for common user login
define('FORCE_SSL_LOGIN', true);

//SSL for admin login
define('FORCE_SSL_ADMIN', true);

12. Deleting readme and other unnecessary files

WP and many plugins ship readme.html files that contain version information and other data that does not need to be public, so it is a good idea to remove them from the server. It is also advisable to delete any files you are certain you did not upload yourself.
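Steps 5, 7, 9, 10, 11 and 12 all leave a trace on disk, so they can be verified after the fact. The following POSIX sh audit is an added example, not from the article and not WordPress code: pointed at the application root, it checks the table prefix, the the_generator filter in the theme, the wp-config.php permissions, the .htaccess Files block and include-only RewriteRules, the FORCE_SSL_ADMIN constant and any leftover readme.html files, printing one PASS/FAIL line per check and returning the number of failures. It assumes wp-config.php is in the root or one directory above it and that themes live under wp-content/themes; the check names and messages are the example's own.

```shell
#!/bin/sh
# Added example (not from the article, not WordPress code): a local audit of the
# file-level hardening steps 5, 7, 9, 10, 11 and 12 above. Point it at the
# application root; it prints one PASS/FAIL line per check and returns the
# number of failed checks (0 means clean).
# Assumptions: wp-config.php is in the root or one directory above it (the
# "move it to the parent folder" advice), and themes live in wp-content/themes.

# Locate wp-config.php in the root ($1) or its parent.
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then echo "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then echo "$1/../wp-config.php"
    else return 1
    fi
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Step 5: the table prefix in wp-config.php ($1) must not be the default wp_.
check_table_prefix() {
    grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1" \
        && { echo "FAIL  table prefix is the default wp_"; return 1; }
    echo "PASS  table prefix changed"; return 0
}

# Step 7: some theme under root $1 must hook the_generator to hide the version.
check_generator_filter() {
    grep -rq "add_filter(['\"]the_generator['\"]" "$1/wp-content/themes" 2>/dev/null \
        && { echo "PASS  the_generator filter found in a theme"; return 0; }
    echo "FAIL  no the_generator filter in any theme"; return 1
}

# Step 9: wp-config.php ($1) should be 0600 (0400 is stricter still).
check_config_mode() {
    mode=$(file_mode "$1")
    case $mode in
        600|400) echo "PASS  wp-config.php mode $mode"; return 0 ;;
        *) echo "FAIL  wp-config.php mode $mode (expected 600)"; return 1 ;;
    esac
}

# Steps 9 and 10: the Files block and the include-only rules in $1/.htaccess.
check_htaccess() {
    ht="$1/.htaccess"; bad=0
    [ -f "$ht" ] || { echo "FAIL  no .htaccess in the application root"; return 1; }
    grep -q '<Files "wp-config.php">' "$ht" \
        || { echo "FAIL  .htaccess lacks the wp-config.php Files block"; bad=1; }
    grep -q '^[[:space:]]*RewriteRule \^wp-admin/includes/' "$ht" \
        || { echo "FAIL  .htaccess lacks the include-only RewriteRules"; bad=1; }
    [ "$bad" -eq 0 ] && echo "PASS  .htaccess protections present"
    return "$bad"
}

# Step 11: FORCE_SSL_ADMIN must be defined as true in wp-config.php ($1).
check_ssl_admin() {
    grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$1" \
        && { echo "PASS  FORCE_SSL_ADMIN enabled"; return 0; }
    echo "FAIL  FORCE_SSL_ADMIN is not set to true"; return 1
}

# Step 12: no readme.html left behind by core or plugins under root $1.
check_readme() {
    found=$(find "$1" -iname 'readme.html' 2>/dev/null | head -n 20)
    [ -z "$found" ] && { echo "PASS  no readme.html files"; return 0; }
    echo "FAIL  readme.html files present:"; echo "$found" | sed 's/^/      /'
    return 1
}

# Run every check against root $1; the return value is the failure count.
run_audit() {
    root=$1; failures=0
    cfg=$(find_wp_config "$root") || { echo "FAIL  wp-config.php not found"; return 1; }
    check_table_prefix "$cfg"      || failures=$((failures + 1))
    check_generator_filter "$root" || failures=$((failures + 1))
    check_config_mode "$cfg"       || failures=$((failures + 1))
    check_htaccess "$root"         || failures=$((failures + 1))
    check_ssl_admin "$cfg"         || failures=$((failures + 1))
    check_readme "$root"           || failures=$((failures + 1))
    return "$failures"
}

# Usage: sh wp-audit.sh /home/user/public_html
if [ $# -ge 1 ]; then
    run_audit "$1"
    echo "failed checks: $?"
fi
```

Run it once after the initial hardening and again after every update, since a core or plugin update can bring readme.html back and a theme change can drop the the_generator filter; the checks only look at files, so the database-side steps (admin username, nickname) still have to be verified in the admin panel.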


The remaining advice covers the basics of secure WP use.

1. Keep your WP and plugins updated

Keeping WP and its plugins updated is one of the essential steps in maintaining a secure application, and in most cases the only thing you need to do is click "Update". Because WP is a free CMS, its code is available to everyone, so people with ill intentions have all the time they need to find and abuse security flaws for as long as a given version stays outdated. If a plugin is no longer developed, look for a replacement. Given that the number of WP plugins is constantly growing, you are almost certain to find one with the same (or better implemented) functionality and better security.


2. Take care of local security

Use antivirus protection on the computer from which you access the website's admin panel, and avoid using insecure computers for that purpose. Keyloggers (programs that record what is typed on a computer) are among the most frequent causes of password theft.

3. Download plugins and themes from secure locations

Browse plugins and themes via the search option in the WP admin panel or on the official websites. Most of the websites you encounter while searching for free WP add-ons via search engines are infected with some sort of malware, and it is only a matter of time and luck before you run into problems.

These steps are certainly not the only ones you can use to ensure safety. Which actions do you take to make sure your application is safe?
