Hardening Your WordPress Install

Recently I installed a very useful plugin on most of my WordPress sites called Wordfence.  Wordfence offers both a free and a paid version.  The free version is quite robust, although the paid version does unlock a number of useful features.  Both the free and the paid version do a nice job at blocking the most common types of hacking attempts and, if you wish, the plugin will email you when someone tries to penetrate your site.

The Wordfence emails are interesting in that they reveal what hackers are trying to do.  In my case, I previously maintained dozens of WordPress installs on the same IP address (not a good idea, and I have fixed this).  There are numerous tools out there that anyone can use to identify all web sites – WordPress or otherwise – on any IP address, so if you own or manage multiple sites and use the same login name and password, once one site is penetrated, they could all be at risk.

In my case, most of the hackers attacking my sites are from Eastern Europe – Russia, Latvia, Belarus, Ukraine.  Some are from China and the Far East, and a few from Latin America.  The paid version of Wordfence allows you to block access to your site by country.  So, for example, I can block all but United States visitors.

The hackers use computer programs to “brute force” attack your site.  Some of the assumptions they use for the brute force attack are:

  • assume a user name of “admin” – then I suspect they attempt to log in with simple passwords.  You can help yourself a lot by (1) not using “admin” as your login name, and (2) not using a simple password like “password” or “1234” or your last name as the password.
  • they attempt to exploit certain plugins, which presumably are not entirely secure.  For example, in a recent attack, the hackers attempted to execute a command in several plugins including wp-mailinglist, 1-flash-gallery, zingiri-web-shop, wp-property.
  • they attempt to exploit certain themes, which presumably are not entirely secure.  For example, in a recent attack, the hackers attempted to execute a command in the admin directory of a theme called “OptimizePress” and one called “Clockstone.”
  • they rotate IP addresses for their attacks using a proxy.  This means that the attacks appear to be coming from unique IP addresses, although they are, in fact, coming from the same place.

Note that I do not use or have installed any of these plugins or themes.  Perhaps they are popular and frequently used and/or perhaps they contain some sloppy code.
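An added example (not from the original post and not part of Wordfence): a small Python scan of a web server access log for the patterns listed above, namely login POSTs spread across many IP addresses and requests for plugins or themes that are not installed. The log lines, the placeholder file names and the `analyze` function are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (documentation IPs, placeholder file names).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2014:06:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.7 - - [01/Jan/2014:06:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.0.2.44 - - [01/Jan/2014:06:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.80 - - [01/Jan/2014:06:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.7 - - [01/Jan/2014:06:01:09 +0000] "GET /wp-content/plugins/wp-property/placeholder.php HTTP/1.1" 404 512 "-" "-"
192.0.2.44 - - [01/Jan/2014:06:01:11 +0000] "GET /wp-content/themes/OptimizePress/admin/placeholder.php HTTP/1.1" 404 512 "-" "-"
192.0.2.10 - - [01/Jan/2014:06:02:00 +0000] "GET /wp-content/plugins/wordfence/css/main.css HTTP/1.1" 200 900 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
EXT = re.compile(r'^/wp-content/(plugins|themes)/([^/?]+)')

def analyze(log_text, installed, login_threshold=3):
    """Summarise login POSTs and probes for plugins/themes that are not installed."""
    logins = Counter()   # login POSTs per source IP
    probes = Counter()   # (kind, slug) -> hits for extensions that are not installed
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue     # skip lines that are not in the expected format
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            logins[ip] += 1
        ext = EXT.match(path)
        if ext and ext.group(2).lower() not in installed:
            probes[(ext.group(1), ext.group(2))] += 1
    total = sum(logins.values())
    busiest = max(logins.values(), default=0)
    return {
        "login_posts": total,
        "login_sources": len(logins),
        # Many attempts overall but no single IP over the limit: the rotating-proxy
        # pattern, which a per-IP lockout alone will not catch.
        "distributed": total >= login_threshold and busiest < login_threshold,
        "probes": dict(probes),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, installed={"wordfence"}))
```

Pass `installed` as the lower-case directory names of the plugins and themes actually present on the site; anything else requested under `wp-content` is a probe.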

Wordfence allows you to block or throttle login attempts and even access attempts for selected time periods, which can help.  I suspect that the automated programs used by the  hackers are designed to attempt a penetration for a certain period of time and if they do not get through, they move on to another server, looking for a more vulnerable site.   Presumably a really determined hacker could get past my defenses but if I can eliminate the other 99%, I am ahead of the game.

Aside from Wordfence, here are some other suggestions:

  • install a plugin called HC Custom WP-Admin URL.  This plugin allows you to change the standard wp-login.php and wp-admin.php file names to something else such as “banana” or “Dallas79-84”.  For example, www.your-site.com/wp-login.php will result in a 404 not found page, but www.your-site.com/banana or www.your-site.com/Dallas79-84 would serve as your login page.
  • install a plugin called Better WP Security.  This plugin includes the features of HC Custom WP-Admin URL above and adds additional security features, including an option to change the prefix of your database table from the default “wp_.” [1]  If you use this plugin you do not need HC Custom WP-Admin URL.
  • if you have FTP access to your site, move your wp-config.php file to the root directory of your site (do not leave it in the public_html location).  WP-config contains the name and passwords to the database that supports WordPress.
  • if you are comfortable tweaking code, here’s an article that contains several code based suggestions.

Finally, make sure to back up everything prior to making any significant changes.  I use BackupBuddy although there are several other solutions.  Let me also suggest that you test your backup program by running a backup and “moving” your site to a different domain so you will know how the backup process works.


  1. If you install WordPress from your cPanel host using Softaculous, you have the option of choosing a database prefix other than wp_, which you should.
