Securing WordPress – A basic guide

If you have a self-hosted WordPress site you’ve probably read a few things about how insecure the platform can be. However, if you follow a few standard procedures when you install WordPress you can limit the vulnerabilities that someone may be able to exploit. I’ll cover some of these below – some are very simple, others take a little bit more time.

Update or Remove Plugins

If you’ve got plugins you no longer use, deactivate and delete them. Leaving a plugin installed even if it is not in use can open you up to vulnerabilities.

If you’ve got plugins that are out of date, update them. More often than not, updates include patches for security issues. Later on in this post I have a screenshot of WPScan that will show you some things to look out for in your plugin directories.

CHMOD and/or move your wp-config.php file

By default, when you install WordPress it uses a file called wp-config.php to configure the link between WordPress and a database. This file is normally stored in the root directory of the WordPress install, meaning it’s publicly accessible by going to its URL. Most web servers will return a blank page for PHP files, but some misconfigured servers will spit this file out in plain text.

There are two ways to resolve this issue. The first is to leave the file where it is but change the permissions on it, which is very easy if you have a file manager: find wp-config.php, right click, go to file permissions, change them, then click change permissions. If you’ve got world ticked here, that’s a big issue that you should fix right now – although if you tested whether this file was accessible using the URL example above with one of your own sites, it means that world permissions were already set.

The second and more solid way of dealing with this issue is to move wp-config.php to a directory that is not publicly accessible, if your web host allows it, then link back to it from the original config file. That way you are basically using a dummy config file that links back to the actual file, which sits in a directory that is not accessible from the web. There is more detail on this here should you wish to do this. Please be sure to change permissions on this file as well.
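The move-and-link-back procedure described above, as an added shell example (not code from the original post). The function name and both directory arguments are hypothetical, and it assumes PHP runs as the file's owner or group, since it strips the world permission bits from both files.

```shell
#!/bin/sh
# Added example, not from the original post.
# relocate_wp_config WEBROOT PRIVATE_DIR
#   WEBROOT     - hypothetical path of the WordPress install
#   PRIVATE_DIR - existing directory the web server does not serve
relocate_wp_config() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "both directories must exist" >&2; return 1; }
    webroot=$(cd "$1" && pwd -P) || return 1
    private=$(cd "$2" && pwd -P) || return 1
    src="$webroot/wp-config.php"
    dst="$private/wp-config.php"

    if [ ! -f "$src" ]; then echo "no wp-config.php in $webroot" >&2; return 1; fi
    # A destination inside the web root would still be reachable by URL.
    case "$private/" in
        "$webroot/"*) echo "destination is inside the web root" >&2; return 1 ;;
    esac
    # The path is embedded in a single-quoted PHP string below.
    case "$dst" in
        *"'"*|*"\\"*) echo "unsupported character in path" >&2; return 1 ;;
    esac
    if [ -e "$dst" ]; then echo "$dst already exists" >&2; return 1; fi

    mv "$src" "$dst" || return 1
    # Dummy config left in the web root: it only links back to the real file.
    printf "<?php\nrequire_once '%s';\n" "$dst" > "$src" || return 1
    # Clear every "world" permission bit on both files.
    chmod o-rwx "$src" "$dst"
}
```

Call it as `relocate_wp_config /path/to/webroot /path/to/private` and load the site afterwards to confirm PHP can still read the relocated file.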

Delete readme.html

WordPress also adds a file called readme.html to its root directory when it is installed or updated. Although not as harmful as having a publicly accessible config file, this file shows the exact version of WordPress you are running, which could be used by someone to figure out what vulnerability they may use to attack your site. You can simply delete this file without causing any issues to your site.

Update WordPress itself

WordPress releases updates frequently that contain security updates. For some reason a lot of people don’t install these, as they think it may break themes or some other content on their site. Although this is true in some circumstances, it is an incredibly poor practice security-wise – you should ALWAYS update your installation to the latest version as it becomes available.

Update your theme or remove old themes

If theme updates are available the same thing generally applies – most of the time they contain security updates and should be updated. If you’ve got old themes you no longer need – delete them as they can still expose you to attacks even if they are not active.

Use Complex Passwords and Change the Username from Admin

By default WordPress normally installs with an admin user – it’s best to change this to something else and set a complex password. Why? In the next section I mention WPScan – this tool has the ability to brute force attack WordPress installations, and all you need is a dictionary file and the username – so changing it from the default of “admin” can make this task just a little harder for people to do than usual.

Test your installations

There are some online tools that will test your URLs and also some offline ones. I have been using this website as an online tool to check security: on this site all you need to do is enter your URL and click to check it.

Beyond the online tool I have used WPScan. WPScan allows you to get a lot of information about an installation, such as plugins and the vulnerabilities that are in them. It will also warn you of any files that exist that may contain a version number (e.g. readme.html, as mentioned above). Below is a screenshot of this site showing some of the current issues here (which are being fixed as we speak).

[Screenshot: WPScan results for this site]

As you can see from the above screenshot this tool has been able to very quickly identify to me some issues with the site such as directory listing being enabled on a lot of directories, an out of date theme and a publicly accessible readme file.

Please be aware as well that in the above example I’ve only done a basic task using WPScan – it actually has some more severe scans that may expose a lot more.
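The items covered in this post (a public readme.html, world permissions on wp-config.php, directories that can be listed, installed themes) can also be checked from the server side. The following is an added example, not WPScan and not code from this post; the function name and output labels are made up for it, and the missing-index check is only a heuristic, because whether a listing is actually served depends on the web server's configuration.

```shell
#!/bin/sh
# Added example: read-only local audit of a WordPress directory.
# audit_wp WEBROOT -> one finding per line on stdout (labels are made up).
audit_wp() {
    root=$1

    # readme.html in the root discloses the exact WordPress version.
    if [ -f "$root/readme.html" ]; then
        echo "VERSION-DISCLOSURE $root/readme.html"
    fi

    # wp-config.php with any "world" permission bit set: characters 8-10
    # of the mode string printed by ls -l are the world (other) bits.
    if [ -f "$root/wp-config.php" ]; then
        world=$(ls -l "$root/wp-config.php" | cut -c8-10)
        if [ "$world" != "---" ]; then
            echo "WORLD-PERMS $world $root/wp-config.php"
        fi
    fi

    # Heuristic for directory listing: a content directory with no index
    # file is listed whenever the server has automatic indexing enabled.
    for d in wp-content wp-content/plugins wp-content/themes wp-content/uploads; do
        [ -d "$root/$d" ] || continue
        if [ ! -e "$root/$d/index.php" ] && [ ! -e "$root/$d/index.html" ]; then
            echo "NO-INDEX-FILE $root/$d"
        fi
    done

    # Every installed theme with the Version: header from its style.css,
    # so unused or outdated themes can be reviewed and removed.
    for css in "$root"/wp-content/themes/*/style.css; do
        [ -f "$css" ] || continue
        ver=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$css" | head -n 1)
        echo "THEME $(basename "$(dirname "$css")") ${ver:-unknown}"
    done
    return 0
}
```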

If you would like me to test your own site, contact me with a request and I’ll show you what I can find. This is only a brief article outlining some simple procedures you should follow – if you want to learn more there are thousands of resources about WordPress security online.