How to harden your WordPress installation


This article details how to harden your WordPress installation. If your WordPress site has been hacked, please view the following article first:

There are a few common steps you can take to harden your WordPress installation right away. The chart below lists some basic precautions:

Stuff to look out for Details
Secure connections
Keeping software up to date
  • Keep your plugins, themes, and WordPress version up to date
Removing old software
  • Delete unused plugins and themes
  • Deleting any other unused apps under your user.
Checking logs and files
  • Checking your access and error logs for unusual behavior
  • Checking permissions on folders and files
Keep backups

This article describes each of the above in further detail.

Use strong passwords

One of the most important steps you can take is to always use strong passwords for all of your user logins. These include:

  • Website user. This is the user you use to log into your server via FTP, SFTP, or SSH.
  • MySQL user. This is the user that has access to your database.
  • WordPress user. This is the username you use to log into your WordPress site.

For more information about creating secure passwords, view the following article:

Use different usernames

A secure password is a good start. It's also a good idea to use different usernames for your logins. For example, your SFTP username should be different from your MySQL database username which should be different from your WordPress username.

Additionally, it's also a good idea to only host your WordPress site under a specific/unique username. In your panel, you can assign a single username to as many domains as you like. View the following article for details:

However, if that user is compromised, all sites under that user are then vulnerable. So, it's recommended to create a new SFTP user and assign that user only to your specific WordPress site.

If you then create a new site, create a new user. This will ensure all data is separated on the web server.

Add a named WordPress admin user

Make sure your admin user is not named admin.

If your admin user is named ‘admin’, create a new user with some other name and give it admin privileges. After you have confirmed that this account works, log in as this account and return to the left-hand users tab and delete the account user named ‘admin’.

This is very important as ‘admin’ is the most commonly attacked username. View the following article for further information:

Use the HTTPS protocol for your site

When you originally create a website, connections to the site are done using the HTTP protocol which is unencrypted. This means that if you're logging into your WordPress site using HTTP://, your password is sent in plain text. This is also the case if you're logging into your database via phpMyAdmin.

To prevent your password from being transmitted in the clear, it's recommended you add an SSL certificate to your site. This adds an SSL certificate that enables you to connect using HTTPS (note the s at the end). When you connect using HTTPS, your connection is encrypted and safe from anyone snooping on your network.

View the following article for details on how to use an SSL certificate with WordPress.

Use SFTP or SSH to connect to your server

You must connect to your web server from time to time to make adjustments to your site or troubleshoot an issue. There are a few ways to connect.

Unencrypted options (Not Recommended)

  • FTP - You can use any FTP client to connect to your server over port #21. This is unencrypted so all information is sent in plain text for anyone to see.

Encrypted options (Recommended)

  • SFTP - Most clients that support FTP also support SFTP over port #22. This is a secure way to connect to your server and is always recommended.
  • SSH - This is a way to connect to your server using a terminal program such as PuTTY for Windows.
  • File Manager - This client is available from within the DreamHost panel.

Whenever possible, always use an encrypted connection such as SFTP or SSH to connect to your server.

Keep software up to date

It's very important to continually update your software. Updates to software is often done to resolve security issues. The more up-to-date your software is, the less vulnerable it is. This means keeping your WordPress version, plugins, and themes up to date.

Updating your WordPress version

Updating plugins

One of the quickest ways to destroy your credibility as a WordPress blog is to have tons of spam in the comment areas. The easy way to solve this is with an anti-spam plugin such as the following:

View the following guide from WordPress for further information:

Updating themes

Removing old software

Even if a plugin or theme is inactive, it could still pose a security risk. If you're not using a theme or plugin, make sure to delete it from your web server. Plugins and themes are located in the following directory. Make sure to change username to your Shell user.


Inside of that /wp-content folder, navigate into the /plugins or /themes directory and delete any that you do not use.

The same goes for extra installs of WordPress. For example, it's possible that a test site was created under Or maybe you had an old site but no longer use it. In any case, if you have another WordPress install that you're not using, delete it.

Finally, if you have any other applications such as Joomla, Drupal, or Moodle installed under your user that you're not using, make sure to remove those as well.

The bottom line is that if you're not using the software installed under your user, it's best to remove it. Only keep what you need.

Checking logs and files

If you suspect any unusual behavior, it's a good idea to check your access.log and error.log files. View the following article for details:

Make sure to also check your folder permissions:

Keep ongoing backups

With any website, it's always important to continually back up your data. This means backing up both your website files as well as any databases. View the following article for details:

A more advanced option is to use a version control system such as Subversion or git. However, for the majority of users, a normal backup is enough.

Protect your site with an .htaccess file

You can use an .htaccess file to further protect your site. For example, the wp-config.php should never be publicly accessible. To protect this file, add the following to an .htaccess file in your site's directory where all other WordPress files are located:

<Files wp-config.php>
order allow,deny
deny from all

There are several other things you can do with an .htaccess file to protect your site. View the following article for details:

See also

Did this article answer your questions?

Article last updated PST.

Still not finding what you're looking for?