Securing your wordpress installation

Securing your wordpress installation:

We all know how easy it is to setup a WordPress site, well unfortunately if you don’t take safety measures it will be easy to hack it too, so here are a few steps to help you secure your site.

First, let’s make sure to have a backup of your data base and files before making any changes, backing up if always a good practice.

I recommend that after making any changes to your site you should to test everything to ensure nothing broke before moving on to the next step.

Things to do to your wordpress installation:

  • Install and use some security plugins, like Better WP Security Plugin or Wordfence Security plugin.
  • Do not use the default database table prefix of “wp_”, change it to something random. This is harder to do when you have a site running but not impossible.
  • Edit your wp-config.php file and change the wordpress keys. Tip is to use the WordPress Key Generator.
  • Do not use the default login name og “admin”, change it to something random.
  • Use secure passwords. Combine upper/lowe case, numbers and special characters
  • Always update your WordPress installation as soon as possible, the same goes for plugins and themes.
  • And keep the amount of plugins to a minimum. If it’s not in use, remove it.

If using Apache, which is the most common web server:

  • use .htaccess to ass an IP restriction to your wp-admin directory
  • or add a password to access the wp-admin directory

If you’re using nginx then here are some recommendations:

I haven’t tested this yet so make sure you backup, then backup once again, test, and then test once again before going live.

Add this to your nginx config file but make sure to go through it before, as some things may need to be changed to work with your site settings:


if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;

location ~ /(.|wp-config.php|readme.html) {

return 444;

location ~ ^/(\d+)/$ {
return 301 /?p=$1;

location = /wp-login.php {
auth_basic “Restricted”;
auth_basic_user_file /etc/nginx/htpasswd;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+.php)(/.+)$;


Hopefully these few tips will help your site become more secure. I know there are many more tips that will help secure your site out there so don’t think this is it, do some more research as hackers don’t rest.