WordPress Hardening 101



WordPress Security
With the recent public exploit of W3 Total Cache and the release of WordPress 3.5, it’s high time to tighten up security across the board on your WordPress blog. Here are a few things you can do to clean things up.

File Permissions

Perhaps one of the most important things you can do is clean up your file permissions. A lot of modification, use, and upgrading can cause your permissions to go askew. Here are two simple commands you can issue from the linux prompt which quickly and easily fix up file permissions recursively:

find /var/www/wordpress-root-directory/ -type d -exec chmod 755 {} ;

This changes all of your directories to 755, which is what WordPress recommends. Next:

find /var/www/wordpress-root-directory/ -type f -exec chmod 644 {} ;

This changes all of your files to 644, which is also what WordPress recommends. Lastly:

chmod 440 wp-config.php

Issue this command on wp-config.php to ensure that it’s only readable and writable by you and the web server.


Make sure to update ALL of the items that can be updated. This includes the WordPress core, all plugins, and all themes (even the ones you’re not using). This helps to ensure that all known security patches have been applied. Even unused theme files can supply the needed security holes that hackers take advantage of.

Remove Unnecessary Items

If you have unneeded themes or plugins, remove them. It’s just extra overhead, and provides more gateways for exploitation. Also, any scripts, files, or other things that aren’t needed for WordPress should be removed unless they’re needed for some other necessary function.

Change Passwords

Go ahead and change ALL of your passwords – FTP, WordPress, cPanel, etc. Any account related to your WordPress install can provide an attacker with a gateway to your site. Use the obvious password length and character rules here – it’s incredibly easy to use a computer program to guess every word in the dictionary against your site, so use non-dictionary terms in combination with symbols and numbers.

Disallow File Editing

Add the following to your wp-config.php file to remove the file editors from the wp-admin area. These features are terrible file editors and can lead to exploitation if left active.

[code language=”php”]define( ‘DISALLOW_FILE_EDIT’, true );[/code]

In my opinion, the file editors have little practical use and should be disabled in all production environments.

Change Default Salts

Go to this link to generate custom salts for your site if you haven’t done so yet. These keys should be updated in wp-config.php.


You are creating a regular backup and storing it off-site, right? No? Well get started. Most hosts provide a convenient way of doing this. If not, try a search for “backup wordpress” and you’ll find tons of literature on the subject. Believe me, nothing sucks worse than getting hacked or having a server crash, and not having a backup. It’s catastrophic to lose all of your hard work. Here’s how to create a full backup from the bash prompt under linux.

Navigate to your document root. This is usually the directory directly below your WordPress directory. Issue the following command:

tar czf filesystem-backup.tar.gz httpdocs

Depending upon the size of your site, this could take a few moments or it could be instant. It will create a compressed archive called “filesystem-backup.tar.gz” containing all of your site’s files. Copy this archive file and store offsite. Next, you will want to backup your database. Hopefully your host has the mysqldump utility installed. Just issue the following command tailored to your environment:

mysqldump [-h dbserver] -u [dbuser] -p[dbpass] [dbname] > database-backup.sql

The “-h dbserver” part only needs to be used if you have an external database server (non-localhost). Also, remember there should not be a space between the “-p” switch and the actual password. Copy “database-backup.sql” along with the filesystem archive and you have everything needed to restore all aspects of your WordPress site!

In Summary

Most of these items need to be done at regular intervals to minimize your chance of compromise. My biggest recommendation is to keep everything updated. Any major security issues should be addressed promptly by the WordPress core team, plugin developers, or your theme’s author. This is by no means a definitive guide on WordPress security – Tweet me @CodeNinjaRich if you need guidance, advice, or consulting services. Good luck!

Leave a Reply