WordPress is one of the most popular open source Content Management Systems (CMS) available, with over 25 million users worldwide. The core codebase is extremely secure, but it is all too easy to introduce vulnerabilities into your system.
The first step is to make sure your installation is up-to-date. Check the version number of the current release at: http://wordpress.org/download/ and compare this to the version number reported in your WordPress admin panel. If you are running an older version, update it using the instructions listed at:
Next, it is also important that you keep any third-party plugins updated and make sure that they do not contain any vulnerabilities. Check the plugins pages for updates at: http://wordpress.org/extend/plugins/ and update any if necessary.
You should also read the site reviews of plugins before installing them, to make sure there are no known issues with them. It is also advisable to check for known exploits on external sites such as:
These sites also list known vulnerabilities with specific versions of WordPress.
The WordPress admin area is a particularly attractive target for hackers, as the use of weak passwords can quickly allow access to the entire site. To make things difficult for potential hackers, never use weak passwords! They should ideally be no less than 8 characters long – but preferably between 12-14 – and include upper and lowercase letters, numbers and symbols, with no identifiable dictionary words in them. And never use the default ‘admin’ user set up during installation. Remove it and replace the admin user account with a stronger, more obscure username to help prevent successful brute force login attempts.
Lastly, if possible lock down access to the admin area. You need a static IP address to do this, but this greatly increases security by restricting access to known IP addresses.
Create a .htaccess file within the wp-admin folder – NOT within the blog root, otherwise you will lock out access to the whole site – and add this code to it:
AuthName “WordPress Admin Access Control”
deny from all
# whitelist my IP address
allow from xx.xx.xx.xxx
Note: replace xx.xx.xx.xxx with your actual IP address.
You can whitelist multiple IP addresses, if necessary. Just put each on a separate line, preceded by ‘allow from’. Access to your WordPress admin area will then be locked down to connections from just these approved IP addresses.
If you don’t have a static IP address, you can still add a .htaccess file to create an additional password login in front of the main login page, to add extra layer of security to the admin login area.
These suggestions are just the tip of the iceberg when it comes to security, but should be enough to repel all but the most determined hackers. For further information, check the WordPress support forums at: