Securing your WordPress site is an important step that many people don't think about until they have been hacked. This is not meant to be a complete list of steps to take, but it will help in securing your website. DISCLAIMER: This is meant to be a starting point for you, and your success with these steps depends on factors beyond my control. I take no responsibility for anything that can go wrong (and there are things that can go wrong). YMMV.

Step 1: Backup your WordPress site

There are a number of plugins available for doing this for you. One is wp-db-backup, which backs up the database (you can also follow these instructions from). Backing up is an important step because if something goes wrong, whether a bad update or a compromise, you want to be able to restore to a known good point. BackUpWordPress goes one step further and backs up both your database and your files, which is even better. Whichever tool you use, keep the backups outside the web root, ideally off the server entirely, so that whoever compromises the site cannot read or delete them too.
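As an added example (this is not code from the post or from either plugin), here is a plain-shell backup that covers both halves of what BackUpWordPress does: it archives the WordPress tree and dumps the database using the credentials read out of wp-config.php. It assumes a POSIX shell with tar, gzip and mysqldump on the PATH, and the paths in the usage comment are placeholders, not anything from the original post:

```shell
#!/bin/sh
# Added example: file + database backup for a WordPress install.
# Assumptions: POSIX shell, tar, gzip and (for the DB half) mysqldump on
# the PATH. The paths in the usage line are placeholders.
set -eu

# Pull a define('KEY', 'value') constant out of wp-config.php.
# Handles both define('DB_NAME','x') and define( 'DB_NAME', 'x' ) spacing.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Locate wp-config.php: in the WordPress root, or one level up (step 6).
find_wp_config() {
  if [ -f "$1/wp-config.php" ]; then
    printf '%s\n' "$1/wp-config.php"
  elif [ -f "$(dirname "$1")/wp-config.php" ]; then
    printf '%s\n' "$(dirname "$1")/wp-config.php"
  else
    return 1
  fi
}

# Tar the whole WordPress tree (core, themes, plugins, uploads) into $2 and
# print the archive path. The backup dir is owner-only: it holds credentials.
backup_wp_files() {
  wp_root=$1; dest=$2
  mkdir -p "$dest" && chmod 700 "$dest"
  out="$dest/wp-files-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$out" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
  printf '%s\n' "$out"
}

# Dump the database named in wp-config.php. The password is passed through
# the MYSQL_PWD environment variable instead of the command line so it does
# not show up in `ps` output for other users on a shared host.
# DB_HOST may carry a ":port" or ":socket" suffix; this example strips it
# and relies on the client default, so adjust if your host uses a custom port.
backup_wp_db() {
  wp_root=$1; dest=$2
  cfg=$(find_wp_config "$wp_root")
  db_name=$(wp_config_value "$cfg" DB_NAME)
  db_user=$(wp_config_value "$cfg" DB_USER)
  db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
  db_host=$(wp_config_value "$cfg" DB_HOST)
  mkdir -p "$dest" && chmod 700 "$dest"
  out="$dest/wp-db-$db_name-$(date +%Y%m%d-%H%M%S).sql.gz"
  MYSQL_PWD="$db_pass" mysqldump --single-transaction \
    -h "${db_host%%:*}" -u "$db_user" "$db_name" | gzip > "$out"
  printf '%s\n' "$out"
}

# Usage (placeholder paths): sh wp-backup.sh /var/www/html /var/backups/wp
if [ $# -eq 2 ]; then
  backup_wp_files "$1" "$2"
  backup_wp_db "$1" "$2"
fi
```

Run it from cron before every update (step 3) and the restore path is simply `tar -xzf` plus `gunzip -c dump.sql.gz | mysql`. Test a restore at least once; a backup that has never been restored is a hope, not a backup.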

Step 2: Change the permission of wp-config.php

I recommend that you at least change the permissions of this file to 600 using chmod. That only works when the web server (or PHP process) runs as the file's owner, which is the usual setup on shared hosts; if PHP runs as a different user, set the file's group to that user and use 640 instead, otherwise the site will not be able to read its own configuration.

Step 3: Keep your WordPress install up to date.

Very, very, very important! This is also where step 1 comes into play. I like to manually update my WordPress install, and I back up my database and WordPress files before I update.

Step 4: Keep your plugins up to date

Make sure to keep all your plugins up to date so that you have the latest security patches the plugin author may have added. Delete plugins and themes you no longer use rather than just deactivating them: a deactivated plugin's files stay on disk and can still be requested directly.

Step 5: Security plugins

I recommend three:

  • Wordfence Security
  • Timthumb Vulnerability Scanner
  • Triagis® Security Evaluation

I will tell you ahead of time, I do not use all the features of all of these plugins.

Wordfence Security will scan your site for vulnerabilities. I was very impressed by this plugin.

Timthumb Vulnerability Scanner will scan your file structure for timthumb.php (an image-resizing script that many themes bundled, old versions of which could be abused to upload and run attacker-supplied code) and, if found, will help you make sure you have a secure version.

Triagis® Security Evaluation will help you check file permissions and rename your database prefix. wp_ is the default, so automated attacks and canned SQL injection payloads assume table names like wp_users; changing the prefix does not fix an injection flaw, but it does make those ready-made attacks fail.

Step 6: Move your wp-config.php

If you're somewhat technical and can log in with FTP (or, better, SFTP), it is recommended that you move the wp-config.php file up one level in your directory structure. WordPress will automatically look one directory up for the file, as long as that parent directory is not itself a WordPress install (it must not contain a wp-settings.php). This file contains important information about your WordPress install, like the database prefix as well as the DB credentials and the security keys and salts.

Step 7: Add these lines to your .htaccess file

If you were unable to do step 6 for whatever reason (for example, that directory might also be web accessible through a different domain name), then you should be able to do step 7.

Log into your site with your favorite FTP program and add the following lines AFTER # END WordPress:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

By adding them after # END WordPress you won't have to worry about WordPress overwriting them at some point, because WordPress only rewrites the region between # BEGIN WordPress and # END WordPress. Note that order allow,deny / deny from all is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat loaded, use Require all denied inside the <files> block instead. This only helps on Apache: nginx ignores .htaccess entirely, so there you need the equivalent location block in the server config.
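The permission change from step 2 and the .htaccess block from step 7, as one added shell script (this is not from the original post). It assumes GNU stat and Apache; the deny block it writes uses the Apache 2.4 Require all denied directive with the 2.2 Order/Deny pair as a fallback, and it refuses to append the block a second time:

```shell
#!/bin/sh
# Added example (not from the original post): harden wp-config.php by
# tightening its permissions and adding an Apache deny block to .htaccess.
# Assumes a POSIX shell, GNU stat and Apache 2.2 or 2.4. Paths are placeholders.
set -eu

# Return 0 only if the file has no group/other permission bits (600, 400, 700).
wp_config_perms_ok() {
  mode=$(stat -c %a "$1")   # GNU stat; on BSD/macOS use `stat -f %Lp`
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Step 2: owner-only. The web server (PHP) must run as the owner for this to
# work; otherwise use chmod 640 and chgrp the file to the web server's group.
harden_wp_config() {
  chmod 600 "$1"
  wp_config_perms_ok "$1"
}

# Step 7: the deny block. `Require all denied` is Apache 2.4 syntax; the
# Order/Deny pair is kept for 2.2 (or 2.4 with mod_access_compat loaded).
wp_config_deny_block() {
  cat <<'EOF'
# protect wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Append the block to .htaccess once. Appending puts it after the
# "# BEGIN WordPress ... # END WordPress" region, the only part WordPress
# rewrites, so WordPress will not overwrite it later.
add_wp_config_deny() {
  htaccess=$1
  if grep -q '^# protect wp-config.php' "$htaccess" 2>/dev/null; then
    return 0   # already present; do not duplicate the block
  fi
  if [ -s "$htaccess" ]; then
    printf '\n' >> "$htaccess"   # keep the block on its own lines
  fi
  wp_config_deny_block >> "$htaccess"
}

# Usage (placeholder path): sh harden-wp-config.sh /var/www/html
if [ $# -eq 1 ]; then
  harden_wp_config "$1/wp-config.php"
  add_wp_config_deny "$1/.htaccess"
fi
```

After running it, confirm the block actually bites: requesting /wp-config.php in a browser should return 403. If it returns 500 instead, the server is Apache 2.4 without mod_access_compat and one of the directives in the file is not understood, which is exactly what the IfModule split above is meant to avoid.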


I hope these suggestions help, and if these steps are over your head, then seek some professional help in securing your site.