10 WordPress Security Tips

WordPress is more popular today than ever, and all kinds of websites are built on this CMS: blogs, corporate sites, online stores and even large portals. WordPress is convenient and easy to use, but a default installation leaves several security gaps open. This post walks through ten hardening steps that close the most common ones.

1. Protecting WordPress from XSS injections

Developers usually validate the GET and POST parameters their own code reads, but that is not always enough. A coarse first line of defence is to reject, at the web server, any query string that carries an obvious <script> tag (reflected cross-site scripting) or that tries to overwrite PHP's GLOBALS and _REQUEST arrays through the URL, an old trick from the register_globals era.

The following rules do exactly that. Paste them into the .htaccess file in the WordPress root folder:

# Refuse query strings that carry a <script> tag (case-insensitive) or that
# try to set GLOBALS / _REQUEST through the URL. With the F flag the
# substitution is ignored, so "-" is the idiomatic target.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]

Every request is checked against the three conditions; if its query string contains a script tag or tries to set GLOBALS or _REQUEST, the request is refused with a 403 Forbidden response (that is what the F flag does). Be clear about what this does not do: it looks only at the raw query string, not at POST bodies, cookies or headers, and it only recognises the literal word "script". A payload such as an <img onerror=...> tag passes straight through, while a harmless search for <description> is blocked because "description" happens to contain "script". Treat these rules as a tripwire, and keep escaping output in your templates and plugins.

2. Do not reveal why a login failed

If you enter wrong details while trying to log in to the admin panel, our polite CMS tells you exactly what went wrong: the username does not exist, or the password for that user is incorrect. That tells an attacker which usernames are valid. Do you really want them to know, or is it better to display nothing?

Open the functions.php file of your theme (wp-content/themes/your_theme_name/) and add the following (create_function(), which older guides used here, was removed in PHP 8, so a closure does the job):

add_filter( 'login_errors', function () {
	// Return an empty message for every failed login so the form no longer
	// reveals whether it was the username or the password that was wrong.
	return '';
} );

This only silences the login form. The username itself can still be discovered elsewhere, for example through author archive URLs, so combine this with tip 9 and a strong password.

3. Forcing SSL

If you want to protect the information you transfer, use HTTPS (TLS, still commonly called SSL). It gives the data confidentiality and integrity in transit, and on WordPress it is easy to turn on.

First find out whether your hosting provider offers SSL for your site. If so, open wp-config.php and add this line:

define('FORCE_SSL_ADMIN', true);

WordPress uses a large number of configuration constants, and FORCE_SSL_ADMIN is one of them: it makes the login page and the whole admin area refuse plain HTTP and redirect to HTTPS. It does not affect the public pages; to serve those over HTTPS as well, set the WordPress Address and Site Address to https:// URLs in Settings > General. One caveat: behind a load balancer or CDN that terminates TLS, PHP does not see the connection as HTTPS and the redirect loops forever unless wp-config.php first tells WordPress that the original request was secure.
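Added example, not part of the original post: a wp-config.php fragment that makes FORCE_SSL_ADMIN usable behind a TLS-terminating proxy. It goes above the line that requires wp-settings.php. The header name X-Forwarded-Proto is the conventional one, but which header your proxy actually sets, and whether it overwrites a copy supplied by the client, is an assumption you must confirm for your own hosting setup.

```php
// Added example for wp-config.php (not from the original post).
// Behind a load balancer or CDN that terminates TLS, PHP sees a plain HTTP
// connection, so is_ssl() is false and FORCE_SSL_ADMIN redirects the admin
// pages to HTTPS forever. Tell WordPress the original request was HTTPS first.
// Assumption: the proxy sets X-Forwarded-Proto and replaces any copy sent by
// the client; if it does not, a client could spoof this header.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
	&& strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) === 'https' ) {
	$_SERVER['HTTPS'] = 'on';
}

// With $_SERVER['HTTPS'] set correctly, the redirect only fires for requests
// that really arrived over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );
```

If your site is not behind a proxy at all, the if block is simply never true and the constant behaves exactly as described above.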

4. Use .htaccess to protect the wp-config file

wp-config.php contains the MySQL host, database name, user and password, plus the authentication keys and salts, so nobody but the server itself should ever be able to read it.

Add the following to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

This refuses every HTTP request for the file. Normally PHP executes wp-config.php and outputs nothing, so the rule matters mainly for the day the PHP handler is misconfigured and Apache would otherwise serve the raw source. On Apache 2.4 the same rule is written as Require all denied inside the <files> block; the order/deny form only keeps working there while the compatibility module mod_access_compat is loaded.

5. Hide the WordPress version

WordPress automatically adds its version number to the HTML source (a meta generator tag in the page head), and it is very easy for someone to use that while attacking your site: each WordPress version has its well-known bugs and loopholes. So let's hide this information.

Open the functions.php file of your theme (wp-content/themes/theme_name/) and simply add this line:

remove_action('wp_head', 'wp_generator');

The version is also printed in the RSS and Atom feeds (the the_generator filter controls that output) and appended as a ?ver= parameter to the scripts and stylesheets WordPress enqueues, and the readme.html file in the root folder states it as well, so delete that file after every upgrade. Keep in mind that hiding the version is obscurity, not protection: an attacker can still fingerprint the release from the files that ship with it, so the real fix is to keep WordPress, themes and plugins updated.

6. Ban spammers and bots

Annoying spammers and bots can give you a headache. One blunt solution is to ban them by IP address. This will not stop spam scripts that rotate through proxies, and shared or dynamic addresses may lock out innocent visitors too, so reserve it for persistent offenders.

Add the following to your .htaccess file and replace the address (203.0.113.45 below is a placeholder from the reserved documentation range; the original post used 123.456.789, which is not a valid IPv4 address). That is it: that spammer will not disturb you any more.

order allow,deny
allow from all
deny from 203.0.113.45

With Order allow,deny a matching deny line always wins, so everyone is allowed in except the listed address; add one deny line per banned IP, or a CIDR range such as 203.0.113.0/24. On Apache 2.4 the equivalent is Require not ip inside a <RequireAll> block.

7. Write a plugin to block harmful URL queries

Attackers very often probe for weaknesses with all kinds of malicious requests. WordPress is reasonably well protected against them, but a little extra filtering costs nothing.

Create a new file blockbadqueries.php, put it into the wp-content/plugins folder and activate it in the admin panel just like any other plugin. A few details matter for it to actually work: the plugin header has to sit inside a PHP comment; strpos() returns 0 (which PHP treats as false) for a match at the very start of the string, so every match must be compared with !== false; the check has to end the request with exit after sending the headers; and the check must run for anonymous visitors, who are the ones doing the probing, so it is hooked on init (when WordPress knows who the current user is) and skips only administrators. The old level_10 capability is deprecated; manage_options is the modern equivalent.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI:
Description: Protect WordPress Against Malicious URL Requests
Author URI:
Author: VellumWeb
Version: 1.0
*/

function bbq_block_bad_queries() {
	// Administrators are trusted; everyone else, logged in or not, is checked.
	if ( current_user_can( 'manage_options' ) ) {
		return;
	}
	$uri = $_SERVER['REQUEST_URI'];
	// strpos() returns 0 for a match at position 0 and 0 is falsy, so every
	// match is compared with !== false.
	if ( strlen( $uri ) > 255
		|| strpos( $uri, 'eval(' ) !== false
		|| strpos( $uri, 'CONCAT' ) !== false
		|| strpos( $uri, 'UNION+SELECT' ) !== false
		|| strpos( $uri, 'base64' ) !== false ) {
		@header( 'HTTP/1.1 414 Request-URI Too Long' );
		@header( 'Status: 414 Request-URI Too Long' );
		@header( 'Connection: Close' );
		exit;
	}
}
// Run once WordPress has determined the current user, not at plugin load time.
add_action( 'init', 'bbq_block_bad_queries' );
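Added example, written for this edit and not part of the original post or of the Block Bad Queries plugin: the query-string rules from tip 1 and the substring checks from this tip re-implemented as plain PHP functions and run from the command line against a handful of made-up requests, so you can see what each layer catches, what it blocks by mistake, and what slips past. The third function, bbq_blocks_normalised(), is a suggested tightening of the plugin's check (decode and lower-case the URI before matching) and is not code from either source; the file name and the sample URLs are constructed for this demo.

```php
<?php
// Added example: the tip 1 .htaccess conditions and the tip 7 plugin checks as
// plain functions, exercised against constructed requests.
// Run with: php check_filters.php

/**
 * Tip 1: the three RewriteCond patterns, applied to the raw (still URL-encoded)
 * query string, which is what Apache's %{QUERY_STRING} contains. Only the
 * <script> condition carries the [NC] flag, so only it is case-insensitive.
 */
function htaccess_blocks(string $query_string): bool
{
    return preg_match('/(<|%3C).*script.*(>|%3E)/i', $query_string) === 1
        || preg_match('/GLOBALS(=|\[|%[0-9A-Z]{0,2})/', $query_string) === 1
        || preg_match('/_REQUEST(=|\[|%[0-9A-Z]{0,2})/', $query_string) === 1;
}

/**
 * Tip 7: the plugin's checks as written, i.e. case-sensitive substring matches
 * on the raw REQUEST_URI plus the 255-byte length limit.
 */
function bbq_blocks(string $request_uri): bool
{
    foreach (['eval(', 'CONCAT', 'UNION+SELECT', 'base64'] as $needle) {
        if (strpos($request_uri, $needle) !== false) {
            return true;
        }
    }
    return strlen($request_uri) > 255;
}

/**
 * Suggested tightening (not the plugin's code): percent-decode and lower-case
 * the URI, and fold '+' and whitespace runs into single spaces, so that
 * "UNION%20SELECT", "union+select" and "Eval(" no longer slip past.
 */
function bbq_blocks_normalised(string $request_uri): bool
{
    $decoded = strtolower(rawurldecode($request_uri));
    $decoded = preg_replace('/[\s+]+/', ' ', $decoded);
    foreach (['eval(', 'concat', 'union select', 'base64'] as $needle) {
        if (strpos($decoded, $needle) !== false) {
            return true;
        }
    }
    return strlen($request_uri) > 255;
}

// Constructed sample requests (made up for this demo): [label, REQUEST_URI].
$samples = [
    ['reflected <script> tag',        '/?s=%3Cscript%3Ealert(1)%3C/script%3E'],
    ['onerror handler, no "script"',  '/?s=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'],
    ['harmless <description> tag',    '/?s=%3Cdescription%3E'],
    ['GLOBALS overwrite attempt',     '/?GLOBALS%5Buser_ID%5D=1'],
    ['UNION+SELECT with plus signs',  '/?id=1+UNION+SELECT+1,2,3'],
    ['UNION SELECT with %20',         '/?id=1%20UNION%20SELECT%201,2,3'],
    ['mixed-case Eval(',              '/?cmd=Eval(1)'],
    ['ordinary search',               '/?s=hello+world&paged=2'],
];

foreach ($samples as [$label, $uri]) {
    // Apache matches only the part after '?', so htaccess_blocks() gets the
    // query string alone; the plugin looks at the whole REQUEST_URI.
    $query = (string) parse_url($uri, PHP_URL_QUERY);
    printf("%-30s  htaccess: %-5s  plugin: %-5s  normalised: %s\n",
        $label,
        htaccess_blocks($query) ? 'block' : 'pass',
        bbq_blocks($uri) ? 'block' : 'pass',
        bbq_blocks_normalised($uri) ? 'block' : 'pass');
}
```

The rows worth comparing are the two UNION SELECT variants and the mixed-case eval: the plugin as published matches raw bytes, so the same payload with a different encoding or capitalisation is a different string to it, while the normalised version compares the decoded form. The <description> row shows the cost of the tip 1 regex's greedy "script" match, and the onerror row shows a payload that neither layer sees. None of this replaces proper output escaping and prepared statements in the code that handles the request.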

8. Hotlinking

Imagine that images from your website appear on a popular news site abroad: not copies, but direct links to your files, so your server pays for their traffic. Horrible :)

Hopefully you have not closed the .htaccess file yet. Now we need to put some more code into it:

RewriteEngine On
# Let through requests with no Referer (direct links, privacy-conscious
# browsers) and requests referred from your own site over http or https;
# every other request for an image gets the placeholder picture instead.
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the placeholder itself, otherwise the rule loops.
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]

You will have to change mysite\.com/ to your own domain (keep the backslash before the dot) and /images/nohotlink.jpg to the path of your placeholder image. Two caveats: the Referer header is set by the client, so a determined scraper can simply send your domain and walk straight past the check, and blank referers are allowed on purpose, otherwise visitors whose browsers or extensions strip the header would see broken images.

9. Kill the admin

Guessing admin credentials is much easier when the attacker already knows the username, and everybody knows that the default WordPress username is admin. Rename it.

Run this query against the database (adjust the wp_ prefix if your installation uses a different one):

UPDATE wp_users
   SET user_login = 'type_your_new_login',
       user_nicename = 'type_your_new_login'
 WHERE user_login = 'admin';

user_nicename is the slug used in author archive URLs (/author/admin/), so it has to be renamed as well or the old name stays visible; keep the new value lowercase and URL-safe, and check display_name, which is shown on posts. If you would rather not touch the database, create a new administrator account from the dashboard, log in as it, delete the old admin account and let WordPress attribute its posts to the new user. Either way, a strong, unique password and login rate limiting matter more than the username, which is never really a secret.

10. Protect directories on your server

Many hosting providers leave directory listing enabled, so requesting a folder that has no index file (an uploads or plugins directory, for example) shows everything in it, including plugin names and uploaded files. Undoubtedly this is not safe.

We need to edit .htaccess once more:

Options All -Indexes

Options -Indexes on its own is enough. If the host does not allow the Options directive to be overridden in .htaccess, this line produces a 500 error; in that case remove it and ask the host to disable directory listing in the server configuration.

Your WordPress website is now in much better shape, but do not forget the "sign out" button :)

  • Splashnology Editors,
  • April 11, 2011

