How I secure my WordPress blogs

Yes, this blog is run on Blogger, but I have several WordPress blogs. I got so sick of my WordPress blogs getting hacked that I finally started to password protect my wp-admin directory with an .htaccess password. That worked perfectly for a while, until I discovered that I could not use friendly URLs with that setup. I reluctantly took the .htaccess password off of the wp-admin directory and used the following techniques to secure my WP install.

  • Change the Database Prefix
    Don't use the default database prefix ($table_prefix) in the wp-config.php file. Set it to something other than "wp_". This is easiest at install time; changing it on an existing site means renaming every table and also the wp_-prefixed keys in the options and usermeta tables (for example wp_user_roles and wp_capabilities), or the site will lose its roles. It is a minor, defense-in-depth measure: it only trips up automated SQL injection payloads that hardcode the default table names, and does nothing against an injection flaw itself.
  • Protect Your wp-config.php File

    Add the following to the .htaccess file in the WordPress root directory (the same one that holds WordPress's rewrite rules). It stops the file from being served as plain text if the PHP handler is ever removed or misconfigured; PHP itself still reads it, so keep the filesystem permissions on wp-config.php tight as well.

    <Files wp-config.php>
    # Apache 2.2 syntax; on 2.4 it needs mod_access_compat loaded
    order allow,deny
    deny from all
    # Apache 2.4 without mod_access_compat: use "Require all denied" instead of the two lines above
    </Files>

  • Protect Your .htaccess File

    Add the following to the same .htaccess file. Stock Apache configurations already refuse to serve any file whose name starts with .ht, so this is belt and braces for hosts whose main config does not.

    <Files .htaccess>
    # Apache 2.2 syntax; on 2.4 it needs mod_access_compat loaded
    order allow,deny
    deny from all
    # Apache 2.4 without mod_access_compat: use "Require all denied" instead of the two lines above
    # <FilesMatch "^\.ht"> would also cover .htpasswd and friends
    </Files>

  • Hide the WordPress version

    Add the following to the functions.php file of the theme you're using (or to a small must-use plugin, so it survives a theme switch). The hook name must be wp_head; the often-copied "wp_header" is not a WordPress action, so a call naming it silently does nothing.

    remove_action('wp_head', 'wp_generator');

    Additionally, the following filter removes the version from the RSS and Atom feeds' generator tags (and from the <meta name="generator"> tag as well, since wp_generator() runs through the same filter):

    function wpt_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wpt_remove_version');

    Either way, this only hides the advertised version. The real version is still trivially obtained from readme.html in the site root and from the ?ver= query strings WordPress appends to its own scripts and stylesheets, so treat this as noise reduction, not protection; keeping WordPress updated is what actually matters.

  • Install a plugin that limits the number of login attempts
    There are several, but you can download one here.
  • Don’t use “admin” as your username
    Attack scripts try "admin" first. WordPress does not let you rename a user from the dashboard: create a new account with the Administrator role, log in as that account, and delete the old admin user, choosing to attribute its posts to the new one. Note that the replacement username is not secret: it is exposed by author archives (?author=1) and in post author links, so this defeats lazy scripts rather than a targeted attacker.
  • Use a strong password
    Treat 8 characters as a bare minimum and use 10 or more; beyond that, what matters most is that the password is random, not reused on any other site, and stored in a password manager rather than memorable.

  • Protect the wp-admin folder by IP

    You can restrict who can access the wp-admin folder by client IP address. Add a separate .htaccess file inside the wp-admin folder containing the following, with your own address(es) in place of the example ones. Two caveats: wp-login.php lives outside wp-admin, so this does not stop password guessing against the login form itself (it stops a guessed password from being used); and admin-ajax.php lives inside wp-admin and is called by many themes and plugins on behalf of ordinary visitors, so features relying on it break for non-whitelisted addresses unless you allow that one file explicitly. The AuthUserFile/AuthName/AuthType lines that often accompany this snippet are not needed: without a Require valid-user directive they do nothing, and this is IP filtering, not HTTP authentication. Keep in mind that if you're traveling you'll have to remove or edit the .htaccess file in the wp-admin folder to administer your blog.

    # Apache 2.2 syntax; on 2.4 it needs mod_access_compat loaded
    # Do not wrap this in <Limit GET>: that applies the deny only to GET (and HEAD)
    # and leaves POST, PUT and every other method open to the whole internet.
    order deny,allow
    deny from all
    # whitelist IP address (a partial address allows the whole range)
    allow from 72.165.46.
    # whitelist another IP address
    allow from 25.27.2.
    # Apache 2.4 without mod_access_compat, instead of the lines above:
    # Require ip 72.165.46 25.27.2
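
The login-attempt limiter that the list above recommends installing as a plugin can also be written as a small must-use plugin. The following is an added example, not code from the original post or from any particular plugin. It assumes the lockout policy in the two constants (five failures inside fifteen minutes lock the address out for fifteen minutes) and keeps its counters in WordPress transients; the LAL_ names are made up for this example. Drop it into wp-content/mu-plugins/ and it is active immediately.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example)
Description: Locks an IP address out of the login flow after repeated failures.
*/

// Assumed policy, not from the original post: five failures inside a
// fifteen-minute window lock the client out for fifteen minutes.
define( 'LAL_MAX_ATTEMPTS', 5 );
define( 'LAL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN it is the proxy's
// address, so every visitor would share one counter; in that setup take the
// client address from the header your proxy sets, and trust that header only
// when the request really comes from the proxy (X-Forwarded-For is otherwise
// attacker-controlled and would let the attacker pick a fresh counter per request).
function lal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names end up in wp_options and are capped in length, so key on a hash.
function lal_counter_key( $ip ) {
    return 'lal_failures_' . md5( $ip );
}

// wp_login_failed fires for wrong passwords and unknown usernames alike, so the
// counter also slows down username enumeration through the login form.
function lal_record_failure( $username, $error = null ) {
    $key   = lal_counter_key( lal_client_ip() );
    $count = (int) get_transient( $key );
    // Re-setting the expiry on each failure keeps the lockout alive while the
    // attacker keeps hammering; it only expires after LAL_WINDOW_SECONDS of quiet.
    set_transient( $key, $count + 1, LAL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'lal_record_failure', 10, 2 );

// Runs at priority 30, after WordPress's own username/password check (priority 20),
// so a locked-out client is refused even when it finally guesses the right password.
function lal_refuse_when_locked( $user, $username, $password ) {
    if ( empty( $username ) && empty( $password ) ) {
        return $user; // the filter also runs on ordinary page loads with empty arguments
    }
    $count = (int) get_transient( lal_counter_key( lal_client_ip() ) );
    if ( $count >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_failed_logins',
            sprintf(
                'Too many failed login attempts from your address. Try again in %d minutes.',
                LAL_WINDOW_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_refuse_when_locked', 30, 3 );

// A successful login clears the counter for that address.
function lal_clear_counter( $user_login, $user ) {
    delete_transient( lal_counter_key( lal_client_ip() ) );
}
add_action( 'wp_login', 'lal_clear_counter', 10, 2 );
```

Because the check sits on the authenticate filter rather than on the wp-login.php form, it also covers logins attempted through xmlrpc.php, which goes through the same wp_authenticate() path. The limit is per source address, so it raises the cost of a single-host brute force but not of a distributed one spread over many addresses; for that, the IP whitelist on wp-admin above and a strong, unique password are what actually hold.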
