WordPress Security Best Practices and Plug-ins

Keeping your WordPress blog safe and secure is something that should be done right away, but it often gets delayed.

Building readership and monetizing the site are daily tasks that produce tangible results.

The importance of checking your security needs often isn't apparent until the site is compromised by a hacker or a natural disaster like user error. Here are a few of the best methods of protecting your blog from these kinds of disasters.

WordPress Code Modifications

Since WordPress is open source, the code itself can be modified by the user to create a unique and totally customized experience. In some cases, simply adding to the WordPress code can considerably improve the overall security of your blog. While this may seem like something only an advanced user or a programmer should attempt, it is actually very easy to do.

If you are worried about adverse effects on your blog, back up your blog before implementing any of these suggestions. If something does go wrong, or you simply don’t like the results, you can restore the backup and your blog can continue to run just as it always has. Even if you are fully confident in your ability to modify the WordPress code, it is a good idea to make a backup first.

Remove the WordPress Version Number

By default, the WordPress version is displayed in the head of the blog files and the RSS feed. If you are not using the latest version of WordPress, a hacker can use this information to launch an attack on your blog that exploits a known vulnerability in the version you are running. Adding a single line of code can prevent the version number from being displayed.

1. Go to your Theme folder and open the functions.php file.
2. Enter the code: remove_action('wp_head', 'wp_generator');
3. Save the functions.php file and refresh the page.

By just adding this simple line of code, your WordPress version stops being displayed where hackers can easily find it.
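To confirm the change took effect in both places the text names (the page head and the RSS feed), the following added example, which is not code from the original article or from WordPress, scans saved copies of a page and a feed for the default generator markers. The function name and the sample documents are this example's own, and the samples are constructed.

```python
import re

# Markers WordPress emits by default:
#   HTML head: <meta name="generator" content="WordPress 3.0.1" />
#   RSS feed:  <generator>http://wordpress.org/?v=3.0.1</generator>
META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)["\']',
    re.IGNORECASE)
FEED_RE = re.compile(
    r'<generator[^>]*>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>',
    re.IGNORECASE)

def find_version_leaks(html="", feed=""):
    """Return (location, version) pairs for every generator marker found."""
    leaks = []
    for m in META_RE.finditer(html):
        leaks.append(("html-head", m.group(1) or "unknown"))
    for m in FEED_RE.finditer(feed):
        leaks.append(("rss-feed", m.group(1)))
    return leaks

# Constructed samples: a page before and after the functions.php edit, plus a feed.
BEFORE_HTML = ('<head><title>Blog</title>\n'
               '<meta name="generator" content="WordPress 3.0.1" />\n</head>')
AFTER_HTML = '<head><title>Blog</title>\n</head>'
FEED_XML = ('<rss version="2.0"><channel><title>Blog</title>\n'
            '<generator>http://wordpress.org/?v=3.0.1</generator>\n'
            '</channel></rss>')

if __name__ == "__main__":
    for label, html in (("before", BEFORE_HTML), ("after", AFTER_HTML)):
        print(label, find_version_leaks(html=html, feed=FEED_XML))
```

Run it against the saved source of your own home page and feed after refreshing. WordPress writes the feed's generator line through a separate hook from wp_head, so check the feed result on its own.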

Change the Default Admin Name

If you have been using WordPress for a while, you probably still have the default username “admin.” Beginning with version 3.0, you could choose your own admin name. If you are still using “admin” to log in, it is time to change it. When hackers are trying to crack a password, it is more difficult if they also have to crack the username.

1. Log in to the phpMyAdmin panel.
2. Choose your WordPress database.
3. Click on the SQL tab.
4. In the SQL Query Box enter: UPDATE wp_users SET user_login = 'New Username' WHERE user_login = 'admin';

Now, you will be able to use your new username to log in to your admin page.

WordPress Plug-ins

There are quite a few plug-ins for WordPress that will help increase the security of your blog. The ones presented here are among the highest rated plug-ins by WordPress users. All of these are easy to install and use.

Block Bad Queries

Block Bad Queries is a plug-in that works in the background and deals with malicious queries. Malicious queries or malicious URL requests are how hackers identify vulnerabilities. These scripts send URL requests that start out with your site’s URL and change the ending. A couple simple examples:


These will not have much impact, but queries that are more than 255 characters long can use a lot of resources and slow your site down for legitimate users. If the URL string includes “eval” or “base64,” the request is looking for a way to inject script on your site that could create a backdoor, launch spam or carry out some other malicious activity. Block Bad Queries returns a 414 error to this type of activity and prevents it from occupying resources.

Block Bad Queries requires WordPress version 2.3 or higher. Block Bad Queries was last updated on March 5, 2010.
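The rules described above (request URLs over 255 characters, or containing “eval” or “base64”) can also be applied to an access log to see how often such requests reach your site. This is an added example, not the plug-in's code: the function names are its own, the log lines are constructed, and matching "eval(" after URL-decoding instead of the bare word is this example's choice to avoid flagging ordinary words such as "retrieval".

```python
import re
from urllib.parse import unquote

MAX_URI_LEN = 255                  # length threshold from the text
SUSPICIOUS = ("eval(", "base64")   # strings from the text; "eval(" is an assumption

# Request line inside a common/combined-format access log entry
REQUEST_RE = re.compile(
    r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

def classify_uri(uri):
    """Return the reasons a request URI would be rejected, empty if none."""
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("too-long")
    decoded = unquote(uri).lower()  # catch percent-encoded forms such as eval%28
    for needle in SUSPICIOUS:
        if needle in decoded:
            reasons.append("contains-" + needle.rstrip("("))
    return reasons

def scan_log(lines):
    """Return (client_ip, uri_prefix, reasons) for each flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue                # not a parseable request line
        reasons = classify_uri(m.group(1))
        if reasons:
            hits.append((line.split(" ", 1)[0], m.group(1)[:60], reasons))
    return hits

# Constructed log lines (documentation-range IPs), not real traffic
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2010:10:00:01 +0000] "GET /2010/03/hello-world/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Mar/2010:10:00:02 +0000] "GET /index.php?x=eval%28base64_decode%28abc%29%29 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Mar/2010:10:00:03 +0000] "GET /?s=' + "A" * 300 + ' HTTP/1.1" 200 5120',
    '203.0.113.8 - - [05/Mar/2010:10:00:04 +0000] "GET /docs/information-retrieval/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, uri, reasons in scan_log(SAMPLE_LOG):
        print(ip, uri, reasons)
```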


BackupWordPress

BackupWordPress is the best way to maintain and manage backups of your WordPress-powered blogs. It can be automated to run backups on a daily schedule if you desire. Scheduling the backups means there is no danger of forgetting to complete this task. It will back up the entire database, including all tables and files, or you can specify only certain tables to be backed up. The backups can be stored on the server, your hard drive or sent to your email account.

BackupWordPress requires WordPress version 3.0 or higher. BackupWordPress is updated regularly.

Stealth Login

Stealth Login provides an extra line of defense for your admin page by allowing you to customize the URL for your admin login page. Should your admin password become compromised, hackers will then need to locate the actual WordPress login page because the admin page can no longer be accessed through the default URL. It also protects the wp-login.php file by preventing it from being accessed directly.

Stealth Login requires WordPress version 2.3 or higher. Stealth Login was last updated on July 15, 2010.


Akismet

Akismet automates the task of identifying spam and backlinks in the comments and deleting them. While spam bots and automated comment posting programs are easy to spot and stop, human spammers are a bit more difficult. Akismet keeps an extensive library that is constantly being updated with the latest methods spammers are using to get comments and backlinks approved while disguised as legitimate comments.

Akismet requires WordPress 2.0 or higher. Akismet is updated regularly.

AskApache Password Protect

AskApache Password Protect is designed to fend off brute force attempts to access your admin page. Bots are programmed to make repeated attempts in rapid succession to guess the password. The AskApache Password Protect plug-in adds a second layer to the password process so these attempts never actually get rolling. It also provides protection to all of your database folders, not just the wp-admin folder.

AskApache Password Protect requires WordPress 2.6 or higher. AskApache Password Protect is updated regularly.

Theme Authenticity Checker

Theme Authenticity Checker scans all your themes for unwanted code. Some third-party sites that offer themes for download will insert dangerous JavaScript or advertising into the regular code. This added code is often encrypted. Theme Authenticity Checker will highlight any code it finds that may not be part of the theme itself. You can contact the author of the theme with the code and they will let you know if the code is supposed to be there or not. This plug-in makes cleaning up the code in themes much easier.

Theme Authenticity Checker requires WordPress 2.9 or higher. Theme Authenticity Checker was last updated on December 18, 2009.

Better WP Security


Better WP Security takes the best WordPress security features and techniques and combines them in a single plug-in, ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.