How to harden your WordPress installation


This article details how to harden your WordPress installation. If your WordPress site has been hacked, please view the following article first:

There are a few common steps you can take to harden your WordPress installation right away. The chart below lists some basic precautions:

Stuff to look out for:
  Secure connections
  Keeping software up to date
  Removing old software
    • Delete unused plugins and themes
    • Delete any other unused apps under your user
  Checking logs and files
  Keep backups
    • Continually back up your site

This article describes some of the above in further detail.

Add a named WordPress admin user

Make sure your admin user is not named admin.

If your admin user is named ‘admin’, create a new user with some other name and give it admin privileges. After you have confirmed that this account works, log in as that account, open the Users tab in the left-hand menu, and delete the user named ‘admin’.

This is very important as ‘admin’ is the most commonly attacked username. View the following article for further information:

Use the HTTPS protocol for your site

To prevent your password from being transmitted in the clear, you must add an SSL certificate to your site. This enables you to connect using an encrypted and secure connection. View the following article for details on how to use an SSL certificate with WordPress.

Removing old software

Even if a plugin or theme is inactive, it could still pose a security risk. If you're not using a theme or plugin, make sure to delete it from your web server. Plugins and themes are located in the following directory. Make sure to change the username to your Shell user.


Inside that /wp-content folder, navigate into the /plugins or /themes directory and delete any that you do not use.

The same goes for extra installs of WordPress. For example, it's possible that a test site was created under Or maybe you had an old site but no longer use it. In any case, if you have another WordPress install that you're not using, delete it.

Finally, if you have any other applications such as Joomla, Drupal, or Moodle installed under your user that you're not using, make sure to remove those as well.

The bottom line is that if you're not using the software installed under your user, it's best to remove it. Only keep what you need.

Protect your site with an .htaccess file

You can use an .htaccess file to further protect your site. For example, the wp-config.php file (which holds your database credentials) should never be publicly accessible. To protect this file, add the following to an .htaccess file in your site's directory where all other WordPress files are located:

<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
order allow,deny
deny from all
</Files>

There are several other things you can do with an .htaccess file to protect your site. View the following article for details:
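The following shell script is an added example, not part of the original article, that audits a web root for two of the points above: it checks that .htaccess actually blocks wp-config.php, lists installed plugins and themes for review, and counts how many WordPress installs exist under a user directory (every extra copy is one more thing to patch or delete). All paths and the sample tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the original article: checks a WordPress web
# root against the hardening points above. All paths are constructed samples.

# Succeeds if the web root's .htaccess blocks wp-config.php (2.2 or 2.4 syntax).
wpconfig_protected() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    grep -qi '<Files[[:space:]]*"*wp-config\.php' "$ht" || return 1
    grep -qiE 'deny from all|Require all denied' "$ht"
}

# Prints one installed plugin or theme per line so unused ones can be reviewed.
list_extensions() {
    for kind in plugins themes; do
        for d in "$1/wp-content/$kind"/*/; do
            [ -d "$d" ] && printf '%s: %s\n' "$kind" "$(basename "$d")"
        done
    done
    return 0
}

# Counts WordPress installs under a directory; every install has a wp-config.php.
count_installs() {
    find "$1" -type f -name wp-config.php | wc -l | tr -d ' '
}

# Builds a constructed sample tree: one protected site and one forgotten test site.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/example.com/wp-content/plugins/my-plugin" \
             "$root/example.com/wp-content/plugins/old-plugin" \
             "$root/example.com/wp-content/themes/my-theme" \
             "$root/test.example.com"
    touch "$root/example.com/wp-config.php" "$root/test.example.com/wp-config.php"
    printf '<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n' \
        > "$root/example.com/.htaccess"
    echo "$root"
}

ROOT=$(make_sample_root)
wpconfig_protected "$ROOT/example.com" && echo "example.com: wp-config.php protected"
wpconfig_protected "$ROOT/test.example.com" || echo "test.example.com: wp-config.php NOT protected"
list_extensions "$ROOT/example.com"
echo "WordPress installs found: $(count_installs "$ROOT")"   # prints 2
rm -rf "$ROOT"
```

Run it against a real home directory by replacing the sample root with that path; the directory listing is only a starting point, since only you know which plugins and themes are still in use.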

See also
