**UPDATE** – View my WordPress Security Guide instead of the link below – it has more in-depth information to secure your WordPress blog than the post below – and it’s free!
Last month I wrote the Ultimate Guide to Securing WordPress for NetTuts+. It is in all probability one of the longest articles that I’ve ever written (8,000 words). Through about 75 hours of research I wrote an exhaustive guide that is a must-read for every WordPress owner.
What you will learn:
- How to scan and look for exploits in your WordPress site
- How to monitor your WP site for theme file changes
- How to limit access to your WP site
- How to use Secure FTP
- What to look for in a good web host
- How to make your usernames and passwords more secure
- How to lockdown comments and lockout bots
- How to find and monitor errors
- How to use a more secure connection
- What you should change in your wp-config file
I wrote this guide for several reasons. In the last few months I’ve had a few clients that had their WordPress sites broken into, and I had to fix them and teach them how to implement some WordPress security. A few forums I frequent had some posts where people panicked about cross-site scripting (XSS) attacks and WordPress “viruses”. When I started to do some research I found bits and pieces of information all over online, but nothing “all in one place” – and that’s the way this guide was born!
Check out The Ultimate Guide to Securing WordPress, you’ll be glad you did!
If you’re not a NetTuts member, you might instead be interested in my WordPress Security Guide.






Getting your site hacked is no fun – and a huge waste of time. I had mine hacked last year (I didn’t have a good password and someone figured it out). I had someone run a script that added malicious code to all my index.html pages. And since they were classic car and vintage VW sites we had hundreds of index pages for all the photo galleries of each car! Let’s just say the web hosting company was useless in fixing it – I had to manually re-upload all the files one by one. Not fun.
Bottom line, use secure passwords! 🙂
Thanks for putting together a comprehensive guide JT – wish I had that last year. 🙂
.-= John @ Sunset Classics´s last blog ..Unique 1971 VW Beetle Half Original Half Restored =-.
Hi, and thanks for this guide! Indeed security is becoming a huge problem, especially for WP. I had problems with spam comments and this eventually can damage your rankings… not to mention bigger problems like password security etc etc… again, thanks!
.-= estrazioni superenalotto´s last blog ..Estrazioni Superenalotto: 200 milioni di Jackpot…? =-.
I had a large number of blogs hacked into last year. My mistake was not updating the source code – I was still using some old version like 2.1. There was an insertion attack available that eventually affected several blogs and I spent a lot of time repairing damages.
.-= Driver Genius´s last blog ..Driver Genius – Professional Driver Management =-.
Man, what a great post. It is such a shame when trying to harness the power of WordPress there are people out there that have nothing better to do than destroy what others build. It’s great you are giving people using WordPress valuable information to help them secure their websites.
Thanks for the great information on WordPress.
.-= David @ Predator Costume´s last blog ..Privacy Policy =-.
My brother just had one of his sites hacked into. The entire site was changed to another language! I realize now that I need to take more actions to secure my sites too. Thanks for the security guide. I’m sure I’ll make good use of it!
.-= Jackie@Halloween Costume Ideas´s last blog ..Party Ideas For Adults and Kids =-.
Thank you so much for the “Ultimate Guide to Securing WordPress.” I have worked so hard on my WordPress blogs and would be devastated if something happened to my blogs like John@Sunset Classics and Driver Genius had happen to theirs.
.-= Sheilah@MedievalKnightCostume.com´s last blog ..Costume Shield, Armor & Accessories, Kids & Adults =-.
This is the nightmare for every blogger. Last month I had one of my sites hacked. Now I will never ignore the updates which one gets all the time whether it is for the WordPress or plugins.
Thanks for giving us more info on blog security.
Thanks for putting so much effort into the production of your comprehensive WordPress security guide. Security is a big worry for us all, and I guess more so for newbies to WordPress and blogging in general. Making sure you are running the latest versions of WP and whatever plugins you are running seems vital. Thanks again for the essential tips.
.-= Gordon´s last blog ..Halloween Themes For Couples & Groups =-.
Thanks for this detailed guide on WordPress security. I’ve started implementing some of them on my site. It’s such a pain when your site is hacked into. All you have to deal with is just like a nightmare.
If someone hacks into your site you can spend months trying to repair the damage. For the sake of an hour you may as well follow the advice above and secure your site up as much as possible. Believe me, it’s worth it.
.-= wilkesy @ Halloween Costumes´s last blog ..Fancy dress shop =-.