
Note: Some of these security options require FTP access.

1.) User 1 – When you install WordPress, your first Administrator account is user ID 1.
When you first log in to your new WordPress install, immediately create a second Administrator account; this will become your main admin.
Then log out of your site and log back in with your new second Administrator account. Go to Users and delete user 1 (reassign its posts to the new account when WordPress asks).
This removes the risk of an attacker obtaining the user name of user 1, which is easy to discover on a default install.

2.) Remove installer – Log in to your FTP. First make sure you have removed the “wp-config-sample.php” file and the “Read Me” file (readme.html), then
go to the wp-admin folder and delete the two files “install.php” and “install-helper.php”.
This removes the ability to restart the install process.

3.) htaccess file – Add the following code snippets to your .htaccess file above “# BEGIN WordPress”. The Order/Deny/Allow lines are Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat loaded (most shared hosts have it), otherwise use the 2.4 “Require all denied” form instead.

## This denies all web access to your wp-config file, error_logs, php.ini, and htaccess/htpasswd files and folders.
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

## This closes the xmlrpc issue which a hacker can use.
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>

## PREVENT HOTLINKING – Hotlinking is other sites embedding your images by linking straight to the image URL, using your bandwidth.
SetEnvIfNoCase Referer "^http://YOUR-Domain.com/" good
SetEnvIfNoCase Referer "^$" good
<FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv)$">
Order Deny,Allow
Deny from all
Allow from env=good
## Use only one ErrorDocument 403 line: when two are given the last one wins.
## A full URL makes Apache redirect to that image; a local path is served directly,
## but the local image must itself be reachable (it matches this same rule, so
## requests for it with a foreign referer would also be refused).
# ErrorDocument 403 http://www.google.com/intl/en_ALL/images/logo.gif
ErrorDocument 403 /images/you_bad_hotlinker.gif
</FilesMatch>

## The Header directive needs mod_headers; the IfModule wrapper avoids a 500 error where it is not loaded.
<IfModule mod_headers.c>
## cache images and flash content for one month (2592000 seconds = 30 days)
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>

## cache text, css, and javascript files for one week (604800 seconds)
<FilesMatch "\.(js|css|pdf|txt)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>

## cache html and htm files for twelve hours (43200 seconds)
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=43200"
</FilesMatch>
</IfModule>
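To see exactly which file names the first FilesMatch rule above covers before deploying it, here is an added example that is not part of the original post: it runs the same regular expression (with the dot in php.ini escaped so it matches a literal dot) through grep -E over a set of constructed file names. Apache uses PCRE, but this pattern uses only syntax that POSIX ERE interprets identically, so the verdicts match what Apache would do.

```shell
#!/bin/sh
# Added example (not from the original post): apply the FilesMatch pattern from
# the htaccess snippet above to constructed file names, so you can see which
# requests Apache would deny before deploying the rule.

# The pattern as it appears in the FilesMatch directive.
DENY_PATTERN='^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$'

# is_denied NAME -> exit status 0 if the rule denies NAME, 1 if it would be served.
is_denied() {
    printf '%s\n' "$1" | grep -Eq "$DENY_PATTERN"
}

# list_denied NAME... -> print only the names the rule denies, one per line.
list_denied() {
    for name in "$@"; do
        if is_denied "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample names, including two near-misses worth knowing about.
for name in .htaccess .HTPASSWD wp-config.php error_log php.ini index.php style.css \
            old-wp-config.php wp-config.php.bak; do
    if is_denied "$name"; then
        echo "denied  $name"
    else
        echo "served  $name"
    fi
done
```

Two results deserve attention: old-wp-config.php is denied because the pattern is anchored only at the end of the name, but wp-config.php.bak is served, because the rule requires the name to end in wp-config.php. Stray editor or backup copies of wp-config.php should therefore be deleted from the web root rather than assumed to be blocked.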

4.) wp-config file – First, if your FTP access reaches above the public folder (the web root), move wp-config.php up one level into that parent folder; WordPress looks there automatically when the file is not in the web root.
If you do not have that access, the .htaccess rule in section 3 already protects it. Then add the following lines to your wp-config.php, above the “That's all, stop editing!” comment.
You can copy and paste these as they are:

/** The PHP memory limit WordPress may use for the site */
define( 'WP_MEMORY_LIMIT', '64M' );
/** Stop the plugin and theme editor in admin */
define( 'DISALLOW_FILE_EDIT', true );
/** Keep no more than 5 revisions of any page or post */
define( 'WP_POST_REVISIONS', 5 );

Then generate new SALT keys and paste them over the existing key block as shown in the image below.
New SALT keys are available here – https://api.wordpress.org/secret-key/1.1/salt/
(Image)

5.) Lock folders – All your folder permissions should be set as securely as possible.
All directories should be 755 or 750.
All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
No directory should ever be given 777, not even upload directories.
Where the PHP process runs as the owner of the files, it has the owner's permissions and can already write to a 755 directory, so 777 gains nothing and only opens the directory to every other user on the server.
(image)
How the digits map to the permission string (these rows illustrate the notation, not recommended settings):

Mode  Str         Perms explanation
0477  -r--rwxrwx  owner has read only (4), group and others have rwx (7)
0677  -rw-rwxrwx  owner has rw only (6), group and others have rwx (7)
0444  -r--r--r--  all have read only (4)
0666  -rw-rw-rw-  all have rw only (6)
0400  -r--------  owner has read only (4), group and others have no permission (0)
0600  -rw-------  owner has rw only (6), group and others have no permission (0)
0470  -r--rwx---  owner has read only (4), group has rwx (7), others have no permission (0)
0407  -r-----rwx  owner has read only (4), group has no permission (0), others have rwx (7)
0670  -rw-rwx---  owner has rw only (6), group has rwx (7), others have no permission (0)
0607  -rw----rwx  owner has rw only (6), group has no permission (0), others have rwx (7)
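The checks in steps 2, 4 and 5 are worth scripting so they can be repeated after every update. The following is an added example, not part of the original post: a POSIX shell audit that reports installer and sample files still present, directories that are not 755/750, files that are not 644/640 and a wp-config.php that is not 440/400, plus a function that applies the stricter of the recommended modes. The WP_ROOT default and the 755/644/400 choices in harden_wp_tree are assumptions; use the 750/640 variants if your hosting setup needs them. It assumes a find that supports -maxdepth (GNU and BSD find both do).

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# steps 2, 4 and 5 above, and optionally apply the recommended modes.

# audit_wp_tree ROOT -> prints one finding per line; no output means clean.
audit_wp_tree() {
    root=$1

    # Step 2: installer and sample files that should be deleted after install.
    for f in wp-config-sample.php readme.html wp-admin/install.php wp-admin/install-helper.php; do
        if [ -e "$root/$f" ]; then
            echo "REMOVE   $root/$f"
        fi
    done

    # Step 5: directories must be 755 or 750 (this is what catches a 777 uploads folder).
    find "$root" -type d ! -perm 755 ! -perm 750 | sed 's/^/DIRMODE  /'

    # Step 5: regular files must be 644 or 640; wp-config.php has its own rule below.
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 | sed 's/^/FILEMODE /'

    # Step 5 exception: wp-config.php must be 440 or 400. Step 4 may have moved it
    # one level above the web root, so both locations are checked.
    find "$root" "$root/.." -maxdepth 1 -type f -name wp-config.php ! -perm 440 ! -perm 400 \
        | sed 's/^/CONFIG   /'
}

# audit_count ROOT -> number of findings as a plain integer (0 = clean).
audit_count() {
    n=$(audit_wp_tree "$1" | wc -l)
    echo $((n))
}

# harden_wp_tree ROOT -> apply the strict variants: 755 dirs, 644 files, 400 wp-config.php.
# It deletes nothing; removing the step 2 files is left to the operator on purpose.
harden_wp_tree() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" "$root/.." -maxdepth 1 -type f -name wp-config.php -exec chmod 400 {} +
}

# Audit a real install if WP_ROOT points at one (assumption: adjust the path to your site).
WP_ROOT=${WP_ROOT:-/var/www/html}
if [ -d "$WP_ROOT" ]; then
    audit_wp_tree "$WP_ROOT"
    echo "findings: $(audit_count "$WP_ROOT")"
fi
```

Run the audit first and read the findings before calling harden_wp_tree: on hosts where PHP runs as a different user from the FTP owner, the 750/640 variants with a shared group may be what you need, and the audit accepts both.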

If for any Reason you cannot find your .htaccess file – http://www.wpbeginner.com/beginners-guide/why-you-cant-find-htaccess-file-on-your-wordpress-site/


What would you do if your WordPress website was broken? An update issue, a broken plugin, a 501 error or worse, you've been hacked. How long would it take your business to recover? A few hours, a few days, a week? Don't let it be your business. Our WordPress Support Service provides you with peace of mind.
