We have been addressing securing a WordPress installation from many angles. Our goal is to cut off as many possibilities as possible for hackers to gain access to your sites files.

Conceal WordPress Version

Hackers will try to glean any information that is displayed anywhere on your site to discover some weakness. That includes the version of your WordPress itself. Believe it or not, this can give the hacker plenty of information about how to go about hitting your site. So you had best conceal it. You can use a plugin to achieve the complete removal or you could do it by hand in the functions.php of your theme:

functioncomplete_version_removal() {



add_filter('the_generator', 'complete_version_removal');

Enforce SSL Login

Prevent the dreaded man-in-the-middle attacks by enforcing SSL communication either for logins only or for the entire admin area as well. To accomplish this you will have to have a dedicated IP for your domain and an SSL certificate set up on it. If you create a self-signed certificate your visitors will receive a warning from their browsers that the certificate was not issued by a recognized authority and that it may not represent a trustworthy connection. You must judge whether this will offend your visitors or if you will have to cave in and buy an SSL certificate.

Once the dedicated IP is assigned, the DNS propagation has run its course, and you have SSL installed, place this in your wp-config.php file:

define('FORCE_SSL_LOGIN', true);

define('FORCE_SSL_ADMIN', true);

Control Bots and Crawlers On Directories

Google and other bots crawl your entire site unless you tell it to avoid certain areas. If Google indexes all of your directories then it reveals these to hackers all over the world through Google's search engine. So you could put in directions in a robot.txt file to tell the bots what to avoid indexing. The biggest drawback with this is that a hacker can also read the robot.txt and learn which directories are most important to you and, therefore, most product for hacking. If you have a standard WordPress installation, then this is nothing to worry about. Hackers will know by default which directories are most important to attack. You must employ all the other methods we have already given in all parts of this series.

In the root of your site, you should put a robot.txt file there, if one does not already exist. Inside you should add:

User-agnet: *

Disallow: /feed/

Disallow: /trackback/

Disallow: /wp-admin/

Disallow: /wp-content/

Disallow: /wp-includes/

Disallow: /xmlrpc.php

Disallow: /wp-

More .htaccess Seecurity

There are a few more steps to securing your site through the .htaccess file in your root. This is the same file we modified to secure wp-config.php. Now we will protect .htaccess itself, which is typically done by Apache's config by default. We want to make sure it is enforced, so we add it here. Also we will turn off the server's signature and place a limitation of 20M on the size of files that can be uploaded.

<files .htaccess>

order allow,deny

deny from all


ServerSignature Off

LimitRequestBody 20480000

Eliminate Unnecessary Files

Prune your WordPress installation by hand, deleting all unnecessary files. These permit fingerprinting and sometimes reveal version info. It is best to eradicate them completely. Almost everything comes with a readme.txt or readme.html. WordPress does and all plugins and themes do as well. Just go through and delete these. It will plug up a security hole.

The Final Word

With this step we have gotten all of the basic and intermediate methods for securing a WordPress site completed. Our next entry in this series is an advanced article. Now you can consider your WordPress ready for e-commerce. However, if you want to make sure that hackers are stopped from more advanced hacking techniques, then continue to the next article installation in this series. Finish the job off and rest at night.