Designers love colours, and are therefore discouraged by the monotony of the terminal window and words like "security".  But let's face it, you're probably going to need this at some point.  So, today let's look at WordPress security.

Security & WordPress

WordPress is a great platform, and they take security seriously.  The odds of a hardened WP install being hacked are low, but they are never zero. The less attention we pay to some basic security issues, the greater the risk. As your WordPress site grows, so do the chances of some hacker newbie testing their skills on a weak WP setup.  So let's make them work for it.

Before you start, don't forget to back up your site.

Easy Stuff

Let's start with the easy stuff.  Take some basic precautions when installing WordPress for the first time and feel better. And if you didn't back up your site (database and files) like I mentioned above because you skipped straight to "easy stuff", then do it now.


You know this file: wp-config.php.  Make sure you do the following:

1. Keys & Salts

First things first, change these:

define('AUTH_KEY',         ',YbH2+xwp^ag%dk+(5Qq0<|IQ2lATWvn~.%|@WcZT{C?/=-0M}drUbt0M~p}?:=Q');
define('SECURE_AUTH_KEY',  'c^g_XREIAL~rB#JBNkBAWUean>f$Yzh[.A}lSK]]T:C%9{rAc-!|H3]q-k/6{&GI');
define('LOGGED_IN_KEY',    'xG+x/`g ]|nwcT^+f@[OZ8C%U/ZeF}/|Jl2 `:/=dy^|+s^_mo%9(KFrCg:Tq`?[');
define('NONCE_KEY',        ' [@_DS<e_]FK3~tp{@O1-|b-t(Pyh<mC1~mId+*s]E!)^W+9-:Tk>cn@5eQ0p*>J');
define('AUTH_SALT',        '#&F~7V?uUcUh v5[tZK o]YF%w|-DSk*Vg-r~?CwUgl:U/`dJA~}@:UU+z>{/{a1');
define('SECURE_AUTH_SALT', '?)smZ_x^k7*OAeA4i-*1.1}j7mQC9K;yk;0z)#<E|+fzcg*!] 2h~H9W2AZU$JI<');
define('LOGGED_IN_SALT',   '(1V/9X[x|;z_#p,`kKvcp>m7> Y;,tcea*&7B`ubHi,#_4w@tP1mX9#GA?V:1FIX');
define('NONCE_SALT',       '#Mgz<<H|f:[`peGISw2C{90O*ObMg}^Kt,#{hY*)V4LCJTB1F)w<RaOi8B|8pM^-');

This is as simple as copying and pasting. Open your wp-config file right now and change the keys & salts by following this link and replacing yours with the freshly generated ones it gives you:

Change your wordpress keys and salts

2. Table Prefix

Leaving the table prefix as "wp_" is like telling burglars your house number: change it to something unique. You're looking for this line:

$table_prefix  = 'wp_';  // Change the wp_

And if you are changing this after the database has already been installed and the tables labelled wp_, don't forget to rename the existing database tables too. This is no fun, btw, but it has to be done if you are serious about security.  Here is a link to a great tutorial showing the steps:

How to Change the WordPress Database Prefix to Improve Security

3. DB Password

I hope you are using a decent password for your database connection.  If your database connection looks like this:

define('DB_PASSWORD', 'hackme');

You're asking for trouble.  Use this strong password generator and pick a decent password.  It should look at least something like this: 53FPD27&*mq1eR.  The more it looks like swearing in Asterix comics, the better.

4. FTP Password

If you also put the FTP details in your wp-config file (so you don't have to enter them each time you upgrade a plugin), then use the strong password generator mentioned above for that password too.  If you're opening a wp-config file that someone else made for the first time, you're looking for this line:

define('FTP_PASS', '5hEDS4!<1=2[07');

If possible you should also use SFTP (secure FTP).  If your host supports FTP over SSL instead, you can enable it with this setting:

define('FTP_SSL', true);

5. Close down admin editing

Theme and plugin files can be edited directly from the WP Admin panel. I believe this is rarely used, and it is advisable to lock this down for extra security.

Add this line to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);
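As an added example (not from the original post), here is a small shell script that checks a wp-config.php for the weak defaults discussed in points 1 to 5 above. The function names and the sample config it builds are my own, and it assumes a POSIX shell with grep, sed and mktemp.

```shell
#!/bin/sh
# Added example: audit a wp-config.php for the weak defaults discussed above.
# Assumes POSIX sh with grep and sed; $1 is the path to wp-config.php.

# Print one line per finding; prints nothing when every check passes.
wp_config_audit() {
    cfg="$1"
    # 1. Keys & salts still carry the installer placeholder text.
    if grep -q "put your unique phrase here" "$cfg"; then
        echo "keys-salts: placeholder values still present"
    fi
    # 2. Table prefix left at the default wp_.
    if grep -Eq "^\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg"; then
        echo "table-prefix: still the default wp_"
    fi
    # 3. DB password shorter than 12 characters (a crude strength check).
    pw=$(sed -n "s/.*define( *'DB_PASSWORD', *'\([^']*\)'.*/\1/p" "$cfg")
    if [ "${#pw}" -lt 12 ]; then
        echo "db-password: shorter than 12 characters (or not found)"
    fi
    # 4. FTP password, if it is stored here, shorter than 12 characters.
    fpw=$(sed -n "s/.*define( *'FTP_PASS', *'\([^']*\)'.*/\1/p" "$cfg")
    if grep -q "'FTP_PASS'" "$cfg" && [ "${#fpw}" -lt 12 ]; then
        echo "ftp-password: shorter than 12 characters"
    fi
    # 5. File editing from the admin panel is not disabled.
    if ! grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$cfg"; then
        echo "file-edit: DISALLOW_FILE_EDIT is not set to true"
    fi
}

# Number of findings; 0 means the config passed every check.
wp_config_audit_count() {
    wp_config_audit "$1" | wc -l | tr -d ' '
}

# Demo on a constructed config that has all of the problems above.
wp_config_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define('DB_PASSWORD', 'hackme');
define('AUTH_KEY',         'put your unique phrase here');
define('FTP_PASS', 'secret');
$table_prefix  = 'wp_';
EOF
    wp_config_audit "$f"
    rm -f "$f"
}
```

Run `wp_config_audit /path/to/wp-config.php` on your own install; an empty result means all five checks passed.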

Trickier Stuff

The above is fairly straightforward, but it's not everything.  Designers have usually had enough after fiddling with the code above, but now we need to get into the Terminal and UNIX commands to make sure our installation is water-tight (unfortunately, it will never be airtight).


The ultimate tool for tightening security is the Terminal window.  Not a designer's favourite environment.  But the commands are generally available online, so it's mostly a copy-and-paste thing.  Try not to worry.  Try to look at it as a minimal UI experience.  Imagine you are Neo in the Matrix (before all the fun starts).

File Permissions

Tightening is mainly about controlling who can read and change files, in other words File Permissions.  In Unix speak we use chmod.  I'm not going to go into details here, I'll just paste the commands to use.

Check your Basic File Permission Settings

Generally, WordPress wants two sets of permissions:  0755 for directories and 0644 for files.   These octal codes set what the owner, the group and everyone else may do with a file.  777 means everyone can read, write and execute it, while 644 lets only the owner write, with the group and everyone else limited to reading.  Roughly speaking, the higher the number, the less secure the file.  The important point is that you shouldn't have any files or directories with their doors wide open (777).

Check your current file permissions by opening Terminal and logging in to your server over SSH.  Generally it works like this:

1. Access Server


You'll need to get the login details from your provider.  Sometimes you can use an FTP program to check permissions as well, but it's not as quick.

2. List Files

Once you get into your server, find your WordPress root folder (where WordPress is installed) and run this command:

ls -la

You will see a list of files and directories, one per line, looking something like this:

-rwxrw-r--  1 root           root      236 Aug 31  2012 .htaccess

You need to make sure that no lines start with -rwxrwxrwx: that means anybody can read, write and execute that file.  You're asking for trouble.

3. Change permissions

If you see a fully open directory (like wp-content, wp-includes etc.), reset its permissions with this command (replacing DIR with the directory name):

chmod 755 DIR

And where you see files which are fully accessible, use this (where FILE is the filename):

chmod 0644 FILE

To save time, you can run this command from your WordPress root directory and it will chmod every file below it to 0644:

find . -type f -exec chmod 644 {} \;

Test your site, and if you then experience some issues, try relaxing to 775 for directories and 664 for files.  Generally you won't have problems with files, but you may have access issues with directories, because themes and plugins often need write access to them.

If all else fails you can use 777.  But it's best to limit this as much as possible, to as few places as possible.  Most likely you'll find the wp-content/uploads folder requires the most open settings.

For a good overview and explanation of these settings, see WordPress's own very good guide:

Changing file permissions for WordPress

NB: Be absolutely sure your wp-config.php file has 0644 permissions.
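As an added example, not from the original post or the WordPress guide, here is a small shell script that automates steps 2 and 3 above: it lists anything world-writable under a WordPress root, resets directories to 0755 and files to 0644 (which also brings wp-config.php to 0644), and relaxes a single directory only when testing shows it is needed. The function names and the sample tree it builds are my own; it assumes a POSIX shell with find, chmod and mktemp.

```shell
#!/bin/sh
# Added example: find world-writable files/directories in a WordPress tree
# and reset them to the 0755 / 0644 defaults. Assumes POSIX sh with find,
# chmod and mktemp; function names and the sample tree are constructed.

# List every file or directory that anyone can write to. -perm -002 tests
# the "others write" bit, which is what 777 / 666 (-rwxrwxrwx) sets.
wp_find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Count such entries; 0 means the tree is clean.
wp_count_world_writable() {
    wp_find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the WordPress defaults: 0755 for directories, 0644 for files.
# This also brings wp-config.php to 0644, as the note above requires.
wp_reset_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Relax a single directory (e.g. wp-content/uploads) to 775 only after
# testing shows that a theme or plugin really needs to write there.
wp_relax_dir() {
    chmod 775 "$1"
}

# Demo on a constructed tree with two wide-open entries.
wp_perms_demo() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    : > "$root/wp-config.php"
    : > "$root/wp-includes/load.php"
    chmod 777 "$root/wp-content/uploads"   # directory open to everyone
    chmod 666 "$root/wp-config.php"        # config writable by everyone
    echo "before: $(wp_count_world_writable "$root") world-writable"
    wp_reset_perms "$root"
    echo "after:  $(wp_count_world_writable "$root") world-writable"
    ls -la "$root"
    rm -rf "$root"
}
```

On a real install, run `wp_find_world_writable /path/to/wordpress` first so you know what will change before calling `wp_reset_perms`.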

Further Lockdown Measures

Generally this is fine security for most people.  But if you really want to, we can take things one step further.

Secure wp-includes

We can secure the wp-includes folder by changing the .htaccess file.  You will need to edit the .htaccess file and insert this code above the # BEGIN WordPress line.

nano .htaccess

Insert the text below and save.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Protect wp-config

Edit the .htaccess file again and add these lines at the top, to wrap the config file in an extra security blanket:

<files wp-config.php>
order allow,deny
deny from all
</files>

These two resources are taken from the Hardening WordPress article.

Good WordPress Security Plugins

Here are some recommended security plugins:

WordPress File Monitor Plus

Secure WordPress

Ultimate Security Checker

These plugins, and other security items mentioned in this post, were suggested by this blog.

Been hacked already and that's why you're here?

Chances are you are on this post because you've already been hacked. Possibly you have been "benignly" hacked and have not lost major data or access, but are irritated by a hacker screen. This is not uncommon. This post is not exhaustive on de-hacking your site, but for the above types of attack you will definitely go through these steps:

Make immediate repairs

Remove the inserted hacker files - probably index.php/html, some images etc.

Identify Backdoors

Find the hacker backdoor that leaves you vulnerable: See Otto on removing hacker backdoors

Change Passwords

Change your DB, FTP and WP passwords.

Security Lockdown

Follow the steps mentioned in this post and google for more if you are crazy about security.

Stay Updated

Generally, for good security, remember to regularly update your plugins and WP version.