Skip to end of metadata
Go to start of metadata

Wordpress is the world's most popular CMS, which unfortunately also means it's the world's most-attacked CMS.  If you're running Wordpress for your site, you should be familiar with common techniques and best practices for securing the platform.

The Basics

Secure the Server

It should go without saying that Wordpress is only as secure as the server it runs on.  Make sure you secure your operating system: choose good passwords, limit access to SSH keys, update the OS regularly, and watch your logs.  You can find more in Hosterlabs' Linux Guides.

Strong Passwords

You don't want to put steel bars on your front door while leaving a window open.  All the security wizardry in the world is useless if you pick "12345" as your admin password.  Use strong passwords that have a mix of uppercase/lowercase/numbers/special characters and are 12 or more characters long.

Backup Your Site

Although not technically "securing Wordpress," you should always have backups of your site so that if there is a problem, you can easily revert to a known-good state.  Do not rely on the possibility of cleaning a compromised site.  Best practice is to wipe and restore, and to do that, you must have regular and current backups.


Select Good Plugins

Out-of-the-box Wordpress is well-tested, but of course the power of Wordpress is the ability to extend its capabilities with plugins.  When evaluating a plugin's functionality, also consider its security.  Some things to look for:

  1. A large install base.  More eyeballs and deployments means more scrutiny and testing.
  2. Solid reviews.
  3. Actively supported.  Many plugins are developed and abandoned.  If there's been no update for months/years, see if a more actively-developed plugin would meet your needs.

When in doubt, search for the plugin's name or ask for opinions on web-oriented forums.

Remove Unused Plugins

Even if you're not using a plugin, any security problems will lay there dormant, waiting for future exploits to be discovered.  Remove any plugins you're not using.

Keep Things Updated

The Wordpress base software, themes, and plugins are often updated to fix security issues.  One version 2.1 is out and the issues in 2.0 are known, hackers will search for sites still running the old version.  Make sure to keep your site up-to-date.

Limiting Access

Changing the Default Admin Account

There's no reason your Wordpress 'admin' account must be called 'admin'.  It's safer if it isn't.  To change, following these steps:

  1. Login as 'admin'
  2. Add a new user and set the role to 'Administrator'
  3. Logout and then login as this new user
  4. Delete the 'admin' user

Now hackers cannot login as 'admin' but must also know the name of your Administrator-privileged account.

Limiting Access to wp-admin by IP

There is no reason that 4 billion+ IP addresses need access to your wp-admin area.  You can limit it to specific whitelisted IPs.  Here's how to accomplish this with nginx:

1. Under the 'server' block for your server, add this line:

location = /wp-admin/ {
include snippets/whitelist.conf;
# depending on your config, you may need these lines
# as well, which you can probably copy from other
# location directives:
include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php7.3-fpm.sock;

2. Now create a file called /etc/nginx/snippets/whitelist.conf and populate it as follows.  Here I will use '' as an example IP to whitelist:

allow;  # my home IP
deny all;

3. Restart nginx:

systemctl restart nginx

Now only clients originating from IP will be allowed to access wp-admin.  If you are the only person modifying the site (e.g., if you're using Wordpress as a CMS and not allowing comments), you may wish to add a similar location block for /wp-login.php.

Note: If you whitelist your home IP and your ISP uses DHCP that periodically changes the IP, you may need to periodically change this configuration.  However, you shouldn't lock yourself out, because the changes are made at the SSH level.

Use Two-Factor Authentication

Two-factor authentication prevents someone from logging into your site even if they know your password.  They would additionally need your 2FA application.

Here is how to add 2FA to Wordpress using Google Authenticator:

  1. Download the Google Authenticator app for either iOS or Android from the platform's app store.
  2. Add a 2FA plugin to Wordpress, such as miniOrange's Google Authenticator plugin
  3. Open "miniOrange 2-Factor" from the menu and setup authentication for your account.
  4. Open the Google Authenticator app, tap the plus symbol to add an account, and scan the QR code that miniOrange presents.
  5. Verify the code on the miniOrange plugin page.

Now when you login, you'll be required to enter your password and the Google Authenticator Code.

More on Security

If your site is high-profile, you may wish to install a more advanced active security system.  Some examples of software to consider:

- A core file integrify scanner that checks Wordpress's software to make sure it has not been modified.  Sucuri's Wordpress Plugin is an excellent tool for this purpose.  

- A Web Application Firewall that can perform real-time blocking of brute force (password guessing) attacks, limit access based on country, and report on malware issues.  Wordfence is an excellent product and is available in both a free version and a more expansive paid-for version.  The power of Wordfence is that they see millions of sites and once an attack or vulnerability is detected in their network, they can notify all users of the issue, so you benefit from their global analysis.


Sucuri publishes an excellent guide on Wordpress security.

  • No labels
Write a comment…