Wednesday, December 21, 2011

Quick Guide to a Secure WordPress Setup

WordPress is, by far, the most popular blogging and content management system in the world. There are nearly 70 million active WordPress installs, which also means there are 70 million websites that attackers and malware distributors already know how to probe. Securing WordPress is critical to the success of any WordPress-powered website, and even the least technical blogger can take a few steps to harden an install. Don’t let your hosting company fool you: WordPress sites are exposed to several kinds of attack no matter how secure the hosting environment is. The common one is “script injection”, where a security flaw in WordPress itself, your theme or a plugin lets an attacker modify your site files, inserting download links, redirects or other malicious content. These attacks are hard to reverse and have some nasty side effects, like getting your site blocked by Google or causing unwanted downtime.


Here are 8 simple steps to a secure WordPress install that will help avoid these hassles and give your WordPress site an edge over the other 70 million.

1. Create a separate database with a separate username.

Most large hosts offer a one-click install of WordPress. It sounds convenient, but it usually isn’t the secure option: these installs bundle themes and plugins you don’t need, which aren’t necessarily kept updated or tested for security, and they typically create a default “admin” user, which breaks the first rule of WordPress security.

Using your hosting control panel, create a new database that will be used exclusively for WordPress. When creating the database username and password, use a different username than the one you plan to log in to WordPress with, and either auto-generate the password or choose something long and complex. Give that database user rights on this one database only: a database user with privileges on every database (or the MySQL root account) turns a single SQL injection bug in a plugin into access to everything else on that server. Your database is the vault of information for your website – if an attacker gets in, it’s game over.


2. Choose a unique table prefix and username

As you go through the WordPress install, you are asked for your database credentials (created in Step 1) and a table prefix. Choose something other than the default wp_ (letters, numbers and underscores only). This defeats the automated attack scripts and SQL injection payloads that hardcode the default table names such as wp_users; it does not stop an attacker who already has an SQL foothold, because the real table names can be listed from the database itself, so treat it as a cheap extra hurdle rather than a defence on its own. Additionally, do not use the default “admin” username. Choose something else, preferably something unrelated to your website name that would be hard to guess. Use a long, unique password: the old rule of 8 or more characters with at least one number and one special character ($#%^ etc.) is the floor, not the target, and a 16-character or longer passphrase that you do not reuse anywhere else is better.
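To make Steps 1 and 2 concrete, here is an added example (not code from the original article) in Python that generates a random database password, checks the table prefix and WordPress login name against the rules above, and prints the MySQL statements and the wp-config.php lines that result. The database name, database user, login name and prefix are made up for the demonstration. If your hosting control panel creates the database user for you, the point carries over unchanged: one user, one database, and no global privileges. The GRANT list includes CREATE, DROP, ALTER and INDEX because core and plugin upgrades create and alter tables; it deliberately omits GRANT ALL and anything on *.*.

```python
"""Credentials, least-privilege grants and wp-config.php values for a new
WordPress database. Added example; every name below is a made-up sample."""
import re
import secrets
import string

# Quote characters and backslashes are left out of the alphabet so the
# generated value can be pasted into SQL and PHP without escaping.
SYMBOLS = "!@#%^*-_=+"


def generate_password(length=24):
    """Random password containing at least one letter, digit and symbol."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw


def valid_table_prefix(prefix):
    """WordPress accepts only letters, digits and underscores; reject wp_."""
    return bool(re.fullmatch(r"[A-Za-z0-9_]+", prefix)) and prefix.lower() != "wp_"


def valid_wp_username(wp_user, db_user, site_name):
    """Reject guessable logins and reuse of the database username."""
    guessable = {"admin", "administrator", "root", "user", site_name.lower()}
    return wp_user.lower() not in guessable and wp_user.lower() != db_user.lower()


def db_setup_sql(db_name, db_user, password, host="localhost"):
    """SQL to run as the MySQL root/hosting account. Privileges are granted
    on the one database only, never on *.*; CREATE, DROP, ALTER and INDEX are
    needed because core and plugin upgrades create and alter tables."""
    return "\n".join([
        f"CREATE DATABASE `{db_name}`;",
        f"CREATE USER '{db_user}'@'{host}' IDENTIFIED BY '{password}';",
        f"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX "
        f"ON `{db_name}`.* TO '{db_user}'@'{host}';",
        "FLUSH PRIVILEGES;",
    ])


def wp_config_lines(db_name, db_user, password, prefix, host="localhost"):
    """The values the WordPress installer writes into wp-config.php."""
    return (
        f"define('DB_NAME', '{db_name}');\n"
        f"define('DB_USER', '{db_user}');\n"
        f"define('DB_PASSWORD', '{password}');\n"
        f"define('DB_HOST', '{host}');\n"
        f"$table_prefix = '{prefix}';\n"
    )


if __name__ == "__main__":
    # Sample values (constructed): database, database user, WP login, prefix.
    db_name, db_user, wp_user, prefix = "blogdb", "blogdb_rw", "editor_jane", "k7q_"
    if not valid_table_prefix(prefix):
        raise SystemExit("pick a prefix other than wp_ (letters, digits, _)")
    if not valid_wp_username(wp_user, db_user, "myblog"):
        raise SystemExit("pick a less guessable WordPress login")
    pw = generate_password()
    print(db_setup_sql(db_name, db_user, pw))
    print()
    print(wp_config_lines(db_name, db_user, pw, prefix))
```

Run the printed SQL once through the hosting account that is allowed to create users, then paste the wp-config.php lines (or type the same values into the installer). The database password never needs to be typed by a human, so there is no reason to make it short.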


3. Cleanup your installation

Access your WordPress install through your hosting file manager or an FTP program (use SFTP if your host offers it, since plain FTP sends your password in the clear). Delete the readme.html file located in the main (root) folder, which announces your exact WordPress version to anyone who requests it, and the install.php file located in the wp-admin folder. Both files ship with every core release, so expect them to reappear after an update and delete them again.


4. Install a reputable theme.

Make sure the theme you install comes from a reputable source. If you decide to go with a free theme, use the Theme directory inside WordPress to find one, or check out the free theme page on These themes have been reviewed by the WordPress theme team and are less likely to contain malicious code (the review lowers the risk; it does not guarantee the theme is free of bugs). They are also more likely to be updated by the author as security flaws are discovered or WordPress changes. Whatever you do, never install a theme downloaded from BitTorrent or another file-sharing site, whether on a public site or a client site. These “nulled” (pirated) themes almost always carry hidden download links, tracking scripts, backdoors or other bad modifications.


5. Install reputable and actively updated plugins.

The next thing you will probably want to do is extend your WordPress install with plugins. Choose plugins that are known to be compatible, reputable and actively developed. How can you tell? When browsing on the Plugin install page, click “View Details” to see how many votes went into the plugin’s rating, when it was last updated, and whether it is marked compatible with your version of WordPress; a plugin with no update in a year or two and unanswered support threads is a liability. offers a list of Recently Updated plugins, as well as recommended plugins based on their own reviews and those of the community. Above all, only install plugins you need, and delete (not just deactivate) any you have installed but don’t intend to use: a deactivated plugin’s files are still on the server and can still be requested directly.


6. Optimize your WordPress settings

For most sites, the following settings are appropriate and best for optimal security.

General Settings:

Change the default role to Subscriber.

You may also want to uncheck Anyone can Register. It is better to encourage logins from social networks instead.

Discussion Settings:

Always force visitors to fill out their name and email, and hold comments for moderation. If you want to allow all comments for SEO reasons, it is better to use an alternative comment system such as Disqus or LiveFyre that handles authentication and spam protection for you and does not give visitors a direct input to your WordPress database.

See this article on the WordPress codex for more on how to spam-proof your WordPress comments.


7. Secure WordPress with security extensions

If you haven’t already, now is the time to install a set of must-have security extensions that will protect your site and help you maintain its security.

Bulletproof Security

This plugin is the best known of the WordPress security plugins. It generates WordPress-compatible Apache .htaccess files for your web root and wp-admin folder that keep attackers and malware scripts from requesting files directly, which matters most for your cache and uploads folders, because those are writable by WordPress and exposed to the public. Note that .htaccess rules only take effect on Apache (or a server that honours them); on nginx they are silently ignored. Once installed, select “BulletProof Mode” under each section of the Security Modes tab and click Activate. When complete, check your Status, which should show an all-green list.


Secure WordPress

Secure WordPress takes care of the remaining manual security tweaks that you would otherwise have to do yourself, such as closing small information leaks. If you had to skip the initial part of this process for any reason, Secure WordPress will also help you deal with a bad username or database prefix. Once installed, check off all the available options and click Save.

8. Update!

The key to maintaining your website’s security is to stay on top of updates. Visit your Dashboard menu and click “Updates” to see what is available, and apply core, theme and plugin updates promptly; check on a regular schedule rather than waiting for a breach. Next, install Ultimate Security Checker. Use this plugin to monitor your site’s security and periodically check for issues introduced by changes to your install, such as updates, new plugins or inserted content. Once installed, you will see a link in your admin toolbar to check your website. In most circumstances your score should be a B or above. Some items will be scored lower for reasons beyond your control; for example, if WordPress has been updated more recently than the plugin, your Code Check will always show a B. The database check also flags items that are not actually threats, such as posts that include an embedded video or other intentionally inserted “iframe” tags. Click the View Report link and review each item to decide whether a threat actually exists.
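As an added example (not code from the article or from any of the plugins it names), the following Python script does a small version of what a security checker plugin does: it audits a WordPress directory for the leftover files from Step 3, the default prefix and guessable database user from Step 2, and the missing uploads protection from Step 7, then applies the file-level fixes. It runs against a constructed sample tree in a temporary directory; point it at a real install to use it for real. The .htaccess rule is the Apache 2.2 form of the PHP-execution block that .htaccess-based security plugins write into wp-content/uploads; on Apache 2.4 the Order/Deny lines become "Require all denied", and on nginx the file is ignored.

```python
"""Audit a WordPress tree for the items in steps 2, 3 and 7 and apply the
file-level fixes. Added example; paths and sample contents are made up."""
import os
import re
import tempfile

# Blocks execution of PHP files dropped into wp-content/uploads (Apache 2.2
# syntax; Apache 2.4 replaces the Order/Deny lines with "Require all denied").
UPLOADS_HTACCESS = """<FilesMatch "\\.(php|phtml|php[3-7])$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
"""

LEFTOVER_FILES = ("readme.html", "wp-admin/install.php")
RE_PREFIX = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
RE_DB_USER = re.compile(r"""define\(\s*['"]DB_USER['"]\s*,\s*['"]([^'"]*)['"]""")
RE_BLOCKED = re.compile(r"Deny from all|Require all denied")


def path_in(root, rel):
    return os.path.join(root, *rel.split("/"))


def read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def audit(root):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for rel in LEFTOVER_FILES:
        if os.path.exists(path_in(root, rel)):
            findings.append(f"{rel} is still present")
    cfg_path = path_in(root, "wp-config.php")
    if not os.path.exists(cfg_path):
        findings.append("wp-config.php not found")
    else:
        cfg = read(cfg_path)
        m = RE_PREFIX.search(cfg)
        if not m or m.group(1).lower() == "wp_":
            findings.append("table prefix is the default wp_")
        m = RE_DB_USER.search(cfg)
        if m and m.group(1).lower() in ("root", "admin", "wordpress", "wp"):
            findings.append(f"database user '{m.group(1)}' is guessable")
    ht = path_in(root, "wp-content/uploads/.htaccess")
    if not (os.path.exists(ht) and RE_BLOCKED.search(read(ht))):
        findings.append("wp-content/uploads does not block PHP execution")
    return findings


def fix_files(root):
    """Delete the leftover files and protect uploads. The prefix and the
    database user are left alone: changing them means renaming tables and
    re-granting privileges in MySQL, not editing wp-config.php by itself."""
    removed = []
    for rel in LEFTOVER_FILES:
        p = path_in(root, rel)
        if os.path.exists(p):
            os.remove(p)
            removed.append(rel)
    write(path_in(root, "wp-content/uploads/.htaccess"), UPLOADS_HTACCESS)
    return removed


def build_sample_site(root, prefix, db_user):
    """Constructed stand-in for a fresh one-click install; not a real site."""
    write(path_in(root, "readme.html"), "<h1>WordPress</h1>\n")
    write(path_in(root, "wp-admin/install.php"), "<?php\n")
    write(path_in(root, "wp-content/uploads/2011/12/photo.jpg"), "")
    write(path_in(root, "wp-config.php"),
          "<?php\ndefine('DB_NAME', 'site');\n"
          f"define('DB_USER', '{db_user}');\n$table_prefix = '{prefix}';\n")


def demo(prefix="wp_", db_user="root"):
    """Audit a sample tree, fix it, audit again; returns the three results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, prefix, db_user)
        before = audit(root)
        removed = fix_files(root)
        after = audit(root)
    return before, removed, after


if __name__ == "__main__":
    for label, result in zip(("before", "removed", "after"), demo()):
        print(f"{label}: {result}")
```

The two findings that survive fix_files (default prefix, guessable database user) are exactly the ones that cannot be repaired from the file system, which is why Steps 1 and 2 are worth doing at install time rather than later.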



As you can see, securing WordPress is uncomplicated and well worth the effort. How well this setup holds up depends on your continued attention, so keep WordPress up to date and do your plugin research. If you are fairly familiar with WordPress, you may also consider plugins like WP Plugin Security Check and WP-Malwatch, but both require a basic understanding of what you are looking at, should anything be detected, to tell a real finding from a false positive.

Hopefully this guide will help save you the headache of dealing with an attack on your own site or worse, your client’s website. Have other WordPress security tips that have worked for you? Feel free to share them with a comment!

This is a guest article by Vail Joy who is a long-time writer, designer and copy editor with 15 years of experience in corporate business writing, music journalism and internet media design. When she is not hard at work designing something, she loves writing for, the free website builder.

Original lock image from BigStockPhoto


  1. We will take these important security measures in our installation.
    Thank you for this guide.

    Http:// is an online tool that allows a user to install a wordpress website online in less than 3 minutes.

    Thank you

  2. I have two small questions, do you do 7 and 8 before or after you upload the theme?

    1. Create a separate database with a separate username.
    Because I am going through Go Daddy, I assume I have to call them to set this up, sounds right?

    2) Instead of "admin", pick a different word

    3) Delete those two files (once I upload the theme)

    4) Use a good theme
    5) Use good plugins

    6) "Use Subscriber role" and use Disqus for comments

    7) Install Bullet proof and Secure wordpress BEFORE I install the theme?

    8) Install Ultimate security checker BEFORE I download the theme?

    Thanks I am going to buy Arizone but I want to do it correctly this time.

  3. Why are you worried about the theme? All these steps can be performed irrespective of whatever theme you are using. You can do them either before or after installing a theme. Doesn't matter.

  4. Thanks for this security guide! With WordPress, security is always an issue.

  5. Thanks for setting this up. Just wanted to check: if I've already set up the database as wp_ (didn't know =S), how do I retrospectively change the name?

