Hacker, Researcher and Author.

How To Secure Your WordPress Blogs?

Hackers are people like you and us; the only difference is that they use their skills for negative and destructive purposes. They use their skills to break a website, and they normally destroy everything on it, so if you are the admin of a website you should care about its security.
As you know, WordPress is the most common and popular platform for blogging, but WordPress security is always a hot topic and needs more and more attention, because vulnerabilities are discovered every day. Below are some tips to make your blog secure:

Secure WP-Admin By IP

Suppose someone obtains the credentials (username and password) to enter the WP-Admin section of your website. You can restrict this area to your own IP address. This prevents brute-force attacks, and because of the IP restriction only you are able to control your website.

# Place in the .htaccess file inside the wp-admin directory
Order deny,allow
Deny from all
# Replace with your own IP address
Allow from 123.456.789.0

You can allow and deny several IP addresses like this:
order deny,allow
deny from all
# allow my home IP address
allow from XX.XX.XXX.XXX
# allow my work IP address
allow from XX.XX.XXX.XXX

Protect WP-Config.php File

The wp-config.php file is very important on the WordPress platform and needs extra care, because an attacker usually gets the information they need about your website's database from it. Even if you use a strong database username and password, an attacker can read them from wp-config.php if that file is poorly protected, because it contains the security settings and other information about your website.

The .htaccess file is located at the root of your WordPress installation. Open it and paste the following code.

<Files wp-config.php>
order allow,deny
deny from all
</Files>
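
As an added example (not code from the original post): a deny rule written outside a <Files> block applies to every file in the directory, so in the root .htaccess it blocks the whole site. This Python check reports, for the text of a root .htaccess, which deny-all lines are unscoped and whether one is scoped to wp-config.php; the function names and sample inputs are constructed for illustration.

```python
import fnmatch
import re

OPEN = re.compile(r'^<(Files|FilesMatch)\s+(.+?)\s*>$', re.I)
CLOSE = re.compile(r'^</(Files|FilesMatch)\s*>$', re.I)
# "Require all denied" is the Apache 2.4 spelling of the same rule
DENY_ALL = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.I)
TARGET = 'wp-config.php'


def covers_target(kind, arg):
    """True if a <Files>/<FilesMatch> argument matches wp-config.php."""
    is_regex = kind.lower() == 'filesmatch'
    if arg.startswith('~'):                  # <Files ~ "regex"> form
        is_regex, arg = True, arg[1:].strip()
    arg = arg.strip('"\'')
    if is_regex:
        return re.search(arg, TARGET) is not None
    return fnmatch.fnmatchcase(TARGET, arg)  # plain name or ?/* wildcard


def audit_htaccess(text):
    """Return (line numbers of unscoped deny-all rules, scoped to wp-config.php?)."""
    scope, unscoped, scoped = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):  # blank line or comment
            continue
        opened = OPEN.match(line)
        if opened:
            scope.append(covers_target(opened.group(1), opened.group(2)))
        elif CLOSE.match(line):
            if scope:
                scope.pop()
        elif DENY_ALL.match(line):
            if not scope:
                unscoped.append(lineno)       # hits every file in the directory
            elif scope[-1]:
                scoped = True
    return unscoped, scoped


# Constructed sample inputs: an unscoped rule and a scoped one
AS_POSTED = "order allow,deny\ndeny from all\n"
SCOPED = "<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n"

if __name__ == '__main__':
    print(audit_htaccess(AS_POSTED))  # ([2], False)
    print(audit_htaccess(SCOPED))     # ([], True)
```

An unscoped deny-all is expected in the wp-admin .htaccess shown earlier, where the Allow lines follow it, so run this check against the root file only.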

Hide WordPress Version Number

You should hide your WordPress version, because an attacker can search the different exploit databases by version number to find an available exploit, which could cause great harm to your blog, so be careful about it.

The generator meta tag in the page header (header.php) displays your current version of WordPress.

Copy and paste the following code into the functions.php file of your theme and you are done.

remove_action('wp_head', 'wp_generator');

Remove Error Message From Login Screen 

A clever move is to remove the login error message, so that an attacker is not able to see whether the username or the password was incorrect. Update your functions.php with this code.

// create_function() was removed in PHP 8.0, so use an anonymous function
add_filter('login_errors', function ($a) { return null; });

Some Other Security Tips

Use your mind, because it is an essential part of keeping yourself secure in the jungle of the web.

  • Create strong passwords that cannot easily be guessed or cracked.
  • Secure your own side (your computer) against malware.
  • Make regular backups of your blog.
  • Update your WordPress to the latest version.
  • Use SSH instead of FTP.
  • Avoid using your account in public places.
  • Be aware of the different attacks so you can secure yourself.

About The Author

This post is written by Irfan Shaeel, an ethical hacker and penetration tester. Irfan blogs at Ehacking.net.


  1. Very Nice Article Rafay
    we should use wp-security plugin which tells the file to needed chmod

  2. @Shahroz Awan
    Yes I would certainly recommend wp-security plugin, but the only problem is that it has some issues with thumbnails.

  3. So it is dangerous using this plugin for my blog?

  4. Thanks for all those useful securing tips. Is it possible that any malicious code can enter from comments and spoil the website? Usually comments are stored in the database, and if unknowingly any comment is accepted it might damage the database? Can we save comments into a file instead of the database?
    Thanks for the help in advance.

  5. @Shahroz Awan
    It's not dangerous at all, I have heard that it has some issues with thumbnails.

    @Buzz Paras
    It could be dangerous if the database fails to authenticate the malicious code. The attack you are talking about is called an input validation attack. Google it to know more about it.

  6. - The .htaccess code given above will block ALL access to your site. No one will be able to visit your site at all. The code needs to be modified to target access to wp-config.php only.

    - Removing the generator meta tag is quite pointless because WP appends the WP version number to javascript and CSS file links. So you can find out the version number from those.


© 2016 All Rights Reserved by RHA Info Sec.