How to Secure Your WordPress Blog
Posted by Nile | Posted in Tutorials | Posted on 11-16-2009 | 1 Comment
Tags: security
Securing, or as some have dubbed it 'hardening', your WordPress installation is important. Why? It helps keep attackers out, and if you have guest writers, it makes sure they cannot take over your blog and lock you out. It also helps with spammers. If you are reading this article while doing a first-time installation (of a self-hosted blog, meaning you have an account with a web host and your own domain), make sure that your web host is up to date on things like PHP, MySQL and Apache. If your web host uses cPanel, make sure that is up to date too. Most web hosts will update if you ask. Keeping up to date also extends to WordPress itself: if you are not running the current version of WordPress, and the current version of every plugin on your site, you are risking your site's security. According to Matt Mullenweg at WordCamp Chicago 2009, keeping your WordPress up to date is the first and most important thing to do (paraphrasing).
Here are some steps toward a more secure WordPress.
1. Make a strong password. Do not use an easy or common password; a mix of numbers and letters (both capital and lowercase) works well. It is best to write these down in a dedicated 'book' of login information. Even if it is convenient to pick something you will remember, there will be times when you are not feeling well and cannot recall your password.
2. Use user privilege levels to limit what your guest writers can do. Even if you think they are nice and trustworthy, the strangest things can happen, such as a falling-out, and if you have not set the user level, you risk the integrity of the blog.
3. Use Akismet to help filter out spam. Also, in your WordPress settings you can set IPs to deny, words to block, and so on, to filter out spammers.
4. Use your .htaccess file to restrict access to certain areas like wp-admin, wp-content and wp-includes, and to single files like wp-config.php.
To do this, you can write a new .htaccess file. Automatic installers like Fantastico Deluxe will often generate an .htaccess file for you. If you are using permalinks, you will have to keep that information in your .htaccess file; if you go to Manage > Files > .htaccess in your WordPress admin, you can get the code that retains your permalink structure. Here is a simple one that you can put together. It protects your .htaccess file, your wp-config.php file and your directories, and includes a small snippet to protect you from spammers. Just copy and paste the lines into your .htaccess file.
Step 1. Protect your .htaccess file itself
# Limit the deny to the named file with a <Files> block (the wrapper is
# restored here; without it "deny from all" would block the whole site).
# On Apache 2.4 the equivalent is "Require all denied".
<Files .htaccess>
order allow,deny
deny from all
</Files>
Step 2. Protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Step 3. Disable directory browsing
# Use the relative form only: "Options All -Indexes" mixes absolute and
# relative options, which Apache rejects as a syntax error.
Options -Indexes
Step 4. Protect from spammers
# Send a comment POST back to its own IP when the Referer is not this site
# (replace yourdomain.com with your domain) or the User-Agent header is empty.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
Once you have done this, as with anything you implement, test your website to make sure these rules are working properly.
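One way to run those tests from the command line, as an added example that is not part of the original post: the script below fetches each protected path with curl and reports whether the .htaccess rules above answer as intended. It assumes curl is installed, that SITE is set to your own blog's base URL (a placeholder, not a value from this page), and that wp-includes has no index file so a listing request is what gets refused.

```shell
#!/bin/sh
# Added example (not from the original post). Run as:
#   SITE=https://yourblog.example sh check.sh
# SITE is a placeholder for your own blog's base URL, without a trailing slash.
CURL="${CURL:-curl}"   # assumed: curl on PATH; overridable for offline testing

# status_of PATH [extra curl options]: prints only the HTTP status code
status_of() {
  path="$1"; shift
  "$CURL" -s -m 15 -o /dev/null -w '%{http_code}' "$@" "$SITE$path"
}

# expect LABEL WANT GOT: reports one check, returns 0 when GOT equals WANT
expect() {
  if [ "$3" = "$2" ]; then echo "PASS: $1 ($3)"; return 0; fi
  echo "FAIL: $1 (expected $2, got $3)"; return 1
}

# expect_not LABEL UNWANTED GOT: returns 0 when GOT differs from UNWANTED
expect_not() {
  if [ "$3" != "$2" ]; then echo "PASS: $1 ($3)"; return 0; fi
  echo "FAIL: $1 (got $3)"; return 1
}

# run_checks: exercises each step; returns the number of failed checks
run_checks() {
  fails=0
  # Steps 1 and 2: the protected files must be forbidden, not served
  expect ".htaccess blocked" 403 "$(status_of /.htaccess)" || fails=$((fails + 1))
  expect "wp-config.php blocked" 403 "$(status_of /wp-config.php)" || fails=$((fails + 1))
  # Step 3: a directory with no index file (assumed for wp-includes) must not list itself
  expect "directory listing denied" 403 "$(status_of /wp-includes/)" || fails=$((fails + 1))
  # Step 4: a comment POST with no Referer (curl sends none by default) is
  # redirected away, while the same POST with this site as Referer must not be
  expect "referer-less comment POST redirected" 301 \
    "$(status_of /wp-comments-post.php -d '')" || fails=$((fails + 1))
  expect_not "same-site comment POST not redirected" 301 \
    "$(status_of /wp-comments-post.php -d '' -e "$SITE/")" || fails=$((fails + 1))
  return "$fails"
}

if [ -n "$SITE" ]; then run_checks; fi
```

The exit status is the number of failed checks, so a zero means every rule behaved as the steps above describe.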
Do you have any extra suggestions that should be added?