Wordpress Security - Best Practices


Jun 17, 2014
Reaction score
Hi All,

Spotted a thread from 2012, which discussed this topic. However, instead of unearthing an old thread (and info that's likely obsolete today), thought I'd commence a new one. Hopefully we can all contribute to this, and at least help to make our site(s) secure.

Briefly, I'm an affiliate in online gaming, been running WP since v2.7

As I'm sure most of you are aware, nothing is 100% secure/safe if it's online. But, one can take steps to ensure your WP site, isn't an open invitation (soft target) for hackers etc. So without further ado, I'll share tips which I use to harden my wordpress sites.

Install WP manually
  • Alternatively - cPanel Softaculous is ok BUT you must access the database user permissions after installation. Softaculous grants access to ALL User Privileges. Only the following are require to run WP: Alter, Create, Delete, Index, Lock Tables, Select, Drop, Insert, Update
Next do the following:
  • Access your WP database and look for wp_users (wp_ being the default table prefix, you may have something different). Click the Browse link. Make changes to the following:
  • user_login | (default is admin) change this to something else.
  • user_nicename | can add any name here, I usually use my site name (can be anything)
  • display_name | must reflect same name used for user_nicename
  • NB - can change email address here too (if that need arises). And also, change password.
  • If you need to change your password (you've lost access to you site for whatever reason), goto user_pass (same table as above) delete current MD5 #, and replace with your password (in drop down menu, select MD5) and save.
AFAIK cPanel Softaculous only permits 8 or so characters for in the password setup. I highly recommend using 17 (alpha/numrical/special characters). You'll have to either edit your p/w in the database (after installation) or simply click the "lost password" link, on the wp-login page.

NB - If you have a static IP (or can obtain a static IP from your ISP) I'd advise you to obtain one. With a static IP you can block access to your wp-admin folder, by adding a simple .htaccess file.

order deny,allow
deny from all
# change the following to your static IP
allow from xxx.xxx.xxx.xxx

Root htaccess file:

<Files .htaccess>
order allow,deny
deny from all
<Files wp-config.php>
order allow,deny
deny from all
<Files xmlrpc.php>
order allow,deny
deny from all
Options All -Indexes


I'm pushed for time, but I'll return to add more tips to harden your WP site :)