WordPress Security: Back to Basics


With more than 73 million websites worldwide, WordPress is by far the most popular blogging and content management system there is. That alone is enough to make it a huge target for hackers. But when you consider that about half of those sites are self-hosted, it makes WordPress sites a hacker’s paradise.

While some designers don’t think twice about the security of their WordPress sites and others rely on a variety of plugins to keep hackers away, there are a number of basic steps any WordPress site should employ for better security. Here are 10 of them.

Keep the Core Current

WordPress is known for the superb job it does spotting and patching vulnerabilities. Since it’s estimated that as much as 70% of malware attacks are possible because of outdated software, using WordPress’ one-click update feature is a no-brainer.

Plugins and Themes Need to be Updated too

Even if your core is up to date, you’re still very vulnerable if plugins and themes are outdated. Most of these can be updated with just one click as well.

Trash Plugins and Themes you’re not using

Most designers don’t give a second thought to plugins or themes after they disable them. Trouble is, hackers just might. Just because a theme or plugin is inactive doesn’t make it less of an opening as a point of attack. Case in point is an August 2011 attack targeting the Timthumb script that’s a part of various plugins and premium themes. Even though many sites disabled plugins and themes using it, hackers still just had to scan those sites to locate the script and use it as their entry point.

Name your Default Admin User

If you don’t change the default “admin” username, you’re a hacker’s best friend and have essentially given him 50% of the information he needs to gain access to your site. Replacing it is as simple as creating a new username, giving it administrator status, logging out and then logging back in using that new name. Then you can just delete the “admin” username.

Use a Secure Password and Keep it Safe

Remarkably, on the top of most lists of stolen passwords is “password.” Even more random word-based passwords, however, aren’t safe from hacker tools such as dictionary attacks. Security experts say the safest passwords are at least 8 characters long and include a combination of numbers, keyboard symbols and uppercase and lowercase letters. Complete words shouldn’t be used, and never use your username or company name. Don’t share passwords and don’t keep them on your computer (LastPass and KeePass are two popular tools for managing passwords).

Use a Different Table Prefix

While it’s not necessarily a step for beginners, changing the default “wp_” prefix for WordPress tables can go a long way toward keeping a site secure, since scripted attacks presume the “wp_” prefix is used. Changing the prefix for a fresh install of WordPress is as simple as editing the wp-config.php file before installing and changing the value in the line “$table_prefix = 'wp_';” to something other than “wp_”.

For existing sites, you’ll need to open the database with phpMyAdmin. Select a table and then select “Operations” at the top right of the ensuing window. Go to the “Rename table to” field and change the “wp_” prefix there. You’ll need to change each table this way, being sure to use the same prefix in each one. After that’s finished, edit wp-config.php as described.
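The same rename done as SQL for an existing site, added here as an example and not part of the original post. It uses a constructed prefix “k7x_” and assumes a default single-site install (plugin tables must be added to the list). It also fixes the two places where WordPress stores the prefix as data, the wp_user_roles option and the per-user wp_capabilities / wp_user_level meta keys, which renaming the tables alone leaves behind and which otherwise locks every user out of the admin.

```sql
-- Added example (not from the original post): move an existing site from the
-- default "wp_" prefix to the constructed prefix "k7x_". Run in phpMyAdmin's
-- SQL tab or the mysql client against the WordPress database, after a backup.
-- Assumes the core single-site tables only; add any plugin tables to the list.
RENAME TABLE
  wp_commentmeta        TO k7x_commentmeta,
  wp_comments           TO k7x_comments,
  wp_links              TO k7x_links,
  wp_options            TO k7x_options,
  wp_postmeta           TO k7x_postmeta,
  wp_posts              TO k7x_posts,
  wp_term_relationships TO k7x_term_relationships,
  wp_term_taxonomy      TO k7x_term_taxonomy,
  wp_terms              TO k7x_terms,
  wp_usermeta           TO k7x_usermeta,
  wp_users              TO k7x_users;

-- WordPress also stores the prefix as data. The role definitions live in the
-- option named "<prefix>user_roles" ...
UPDATE k7x_options
   SET option_name = 'k7x_user_roles'
 WHERE option_name = 'wp_user_roles';

-- ... and each user's capabilities and level are meta keys that start with the
-- prefix ("wp_capabilities", "wp_user_level", ...). Strip the old 3-character
-- prefix and prepend the new one. The backslash stops "_" acting as a wildcard.
UPDATE k7x_usermeta
   SET meta_key = CONCAT('k7x_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Check: both queries should return no rows before you edit
-- $table_prefix in wp-config.php. Any hit is a plugin value to rename by hand.
SELECT option_name FROM k7x_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM k7x_usermeta WHERE meta_key    LIKE 'wp\_%';
```

Only after both check queries come back empty should $table_prefix in wp-config.php be changed to 'k7x_'; until then the site still reads the old tables.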

Delete Version Information

By adding a simple line of code to the functions.php file, you can keep the WordPress version from being included in the source code of pages. That version string helps hackers identify sites running vulnerable versions of WordPress. Just open the site’s functions.php file and add “remove_action('wp_head', 'wp_generator');”.

Trust Your Plugins

Plugins that are poorly coded can leave the doors to a website wide open for attack. Instead of just grabbing the first plugin that does the job, do a little research and read the reviews. And remember, don’t just disable, but discard the plugins you no longer use.

Use a Trusted Host

Good security begins with a secure host, so make sure yours is proactive about security concerns and has a record of successfully addressing them. Again, do your research. Ask a potential host what security measures they use and make sure they have a history of keeping their servers updated.

Don’t Forget your Computer’s Security

Security really begins at home, so be sure your computer’s software and OS are current, installing all security patches and updates when issued. Be sure firewalls are used and working, and invest in a good anti-virus program.

This guest post is written by Eric Nacul, a tech enthusiast who enjoys writing freeware reviews at BestFreeOnline.



  • July 26, 2012

    Bastian Bleker

    If you change the Table Prefix you need to change a few other database values before your site works again:

    In wp_options change the value to newPrefix_user_roles

    and in wp_usermeta you have to replace the prefix in every

  • July 26, 2012

    Franco Averta

    You are right @Bastian, thanks for clarifying this
