March 16, 2014 / IST / How-to Guides, Web Development.

WordPress is most famous and user friendly CMS on this planet. It is a open source CMS written in PHP and MySql as database. WordPress installation and hosting is very easy. But sometimes easiness or comfortableness can convey you to insecure path. So you should secure your wordpress CMS via plugins or .htaccess configuration. However, wordpress is also improving performance and security.

Let’s start with plug-ins:

Plugins are extra hand of WordPress. It adds a new functionality to WordPress. There are many security plugins. Some of them is very popular:

SLNameDownloads (from by user)
1Better WP Security1,698,527
2Wordfence Security1,441,205
3BulletProof Security1,060,447
4AskApache Password Protect106,370

1) Better WP Security

Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.

2) Wordfence Security

It is a free enterprise class security plugin that includes a firewall, anti-virus scanning, cellphone sign-in (two factor authentication), malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.

3) BulletProof Security

The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website. It protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing additional website security protection.

4) AskApache Password Protect

This is totally and completely unlike any other security plugin for WordPress. They operate at the application-level by controlling or using PHP to stop attacks, this plugin works at the network-level BEFORE PHP, which is why this plugin is so darn effective. This plugin is specifically designed to stop automated attackers attempts to exploit vulnerabilities on your blog that result in a hacked site.

Install Login LockDown. It records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

Scan wordpress installtion with WP Security Scan. It checks your install for vulnerabilities and suggests possible methods for fixing anything it may find.

 WP-Security Scan

Configuring the .htaccess file

.htacess is a configuration file that allows you to override your server’s global settings for the directory that it’s in, by limitting file access.

Here’s a piece of code generated by WordPress and you’ll find it in almost every .htaccess file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Protect wp-config.php

wp-config.php is the file in your root directory that stores information about your site as well as database details, this file in particular we would not want to fall into the wrong hands.
In your .htaccess add the following to prevent any access to the wp-config.php file:

order allow,deny
deny from all

Prevent Directory Browsing

You know how you can change a few characters in a URL and continue browsing the website. With this code you’ll prevent any directory browsing:

# directory browsing
Options All -Indexes

Disable any Hotlinking

Sometimes other (non-ethical) site curators will try to use your images and videos and put a strain on your serves, which uses your disk space and bandwidth. While this is not in the domain of WordPress security, it will certainly help your website’s overall health. Adding this to your .htaccess will prevent hotlinking from happening:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Protect /wp-content Directory

WordPress holds all your media files in here and they’re an asset you want search engines to crawl. But, “/wp-content” is a place where your themes and plugins reside, too. You don’t want to allow access to those sensitive .php files.

In order to work you need to create a separate .htaccess file (just use your FTP client and create a file with no name and give it an “.htaccess” extension) and put it in your /wp-content directory. This code will allow access to images, CSS, java-script and XML files, but deny it for any other type.

order deny,allow
deny from all
allow from all

Protect the .htaccess Itself

We’ve done a lot to protect WordPress, but the .htaccess file itself is still open to attacks. The following code snippet will stop anyone from accessing (reading or writing) any file that starts with “hta“.

order allow,deny
deny from all
satisfy all

Admin access from your IP only

You can limit who can access your admin folder by IP address, to do this you would need to create a new .htaccess file in your text editor and upload to your wp-admin folder.

The following snippet denies access to the admin folder for everyone, with the exception of your IP address, but please note if you have a dynamic IP, you might have to regularly alter this file otherwise you will be denied access yourself!

order deny,allow
allow from (replace with your IP address)
deny from all

Banning bad users

If you have the same IP address trying to access your content or trying to brute force your admin pages, you can ban this person using .htaccess with this simple snippet:

order allow,deny
deny from
allow from all

This person will now not be able to access your site. You can add more by replicating the deny line, for example:

order allow,deny
deny from
deny from
allow from all