Vol 20 No.65 Issue 241

June 2015


Securing Wordpress

When performing a self-installation of Wordpress, there are a number of easy steps that can be taken to protect against an attack. While these steps will not guarantee security, they will make it harder to gain access. Many of the cases our Abuse Department deals with on a daily basis are the result of a bot attack. If a bot cannot read a certain file or directory, it is more likely to move on to the next victim. Each step included below can be performed on any of the pair Networks Shared or Dedicated Hosting servers.

Keep Wordpress Up to Date

The first step to securing Wordpress is always to keep the software up to date. This includes all themes and plugins installed, whether active or inactive. If an addon has not released a new version within 6 months, it is likely no longer maintained, should be assumed unsafe, and should be uninstalled. If your Wordpress was installed using pairSIM, you will be notified when new updates are available upon logging in to the Account Control Center.

Limit Access

The wp-config.php file holds the Wordpress database login and password. Read access should only be granted to the account owner. We recommend setting this file to 600 permissions once the initial installation has completed. This can be done through the Account Control Center, SSH or FTP. If your account is from before June 2011, you will need to enable suEXEC first. You may also add the following lines to the .htaccess file so the web server refuses to serve the file at all.


<Files wp-config.php>
order allow,deny
deny from all
</Files>

This code should be added to the top of the file before the line # BEGIN Wordpress.

The following directories should have file permissions no more permissive than 755:

wp-admin
wp-includes
wp-content
wp-content/themes
wp-content/plugins

Assigning server-side password protection through .htaccess to the wp-admin section of the Wordpress installation provides a second layer of protection against intrusion.

To stop malicious scripts from directly requesting the include-only files inside important Wordpress directories, the following code may be added to the .htaccess file:


# Block the include-only files.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

This code should be added to the top of the file before the line # BEGIN Wordpress.
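Both snippets in this section are meant to go above the line # BEGIN WordPress, and there is a practical reason: Wordpress rewrites everything between # BEGIN WordPress and # END WordPress whenever permalinks are saved, so rules placed inside that block are silently lost. The script below is an added example (not from pair or the Wordpress project) that prepends a rules file above that marker and refuses to add it twice; the sentinel comments # BEGIN pair-hardening and # END pair-hardening are this script's own convention.

```shell
#!/bin/sh
# Added example (not pair's or WordPress's own tooling): place hardening
# rules at the top of a WordPress .htaccess, above "# BEGIN WordPress",
# idempotently.  The sentinel lines below are an assumption of this script.

SENTINEL_BEGIN='# BEGIN pair-hardening'
SENTINEL_END='# END pair-hardening'

# htaccess_prepend RULES_FILE HTACCESS: insert RULES_FILE, wrapped in the
# sentinels, at the top of HTACCESS unless the sentinel is already present.
htaccess_prepend() {
    rules=$1
    target=$2
    [ -f "$target" ] || : > "$target"
    if grep -qxF "$SENTINEL_BEGIN" "$target"; then
        return 0                      # already applied; nothing to do
    fi
    tmp=$(mktemp)
    {
        printf '%s\n' "$SENTINEL_BEGIN"
        cat "$rules"
        printf '%s\n\n' "$SENTINEL_END"
        cat "$target"
    } > "$tmp"
    cat "$tmp" > "$target"            # overwrite in place, keeping mode bits
    rm -f "$tmp"
}

# htaccess_check HTACCESS: succeed only if the hardening block appears
# exactly once and sits above "# BEGIN WordPress" when that marker exists.
htaccess_check() {
    target=$1
    n=$(grep -cxF "$SENTINEL_BEGIN" "$target" || true)
    [ "$n" -eq 1 ] || return 1
    ours=$(grep -nxF "$SENTINEL_BEGIN" "$target" | cut -d: -f1)
    wp=$(grep -in '^# BEGIN WordPress' "$target" | head -n1 | cut -d: -f1)
    [ -z "$wp" ] || [ "$ours" -lt "$wp" ]
}
```

Put the rules from this newsletter into a file of their own, run `htaccess_prepend rules.txt /path/to/site/.htaccess`, and use `htaccess_check` afterwards (or from a cron job) to confirm the block is still in place and still above the Wordpress-managed section.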

Passwords

Always follow strong password guidelines when configuring administrative users in Wordpress. This includes a password which is at least 8 characters long, contains both upper and lower case letters, at least one number, and one special character. Never use dictionary words, names, or special dates in your password.

Monitor files for changes

There are a number of excellent plugins available that will monitor Wordpress Core Files for potential changes. We personally recommend Wordfence:

http://www.wordfence.com/

While we are not affiliated with Wordfence, our Abuse Team has worked with many Wordfence data reports, and they are extremely reliable.
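The core of what such a plugin does is record a known-good fingerprint of every core file and raise an alert when a file changes, disappears, or appears unexpectedly. As an added example (not Wordfence's code, and not part of the original newsletter), the script below does the same with sha256 hashes from a shell; it assumes sha256sum or shasum, diff and awk are available, skips wp-content/uploads on the assumption that media changes are routine, and assumes file paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not Wordfence's code): a minimal core-file change monitor
# built from sha256 hashes, the idea the plugins described above automate.
# Assumes sha256sum (coreutils) or shasum, plus diff and awk, and that
# paths contain no whitespace.  wp-content/uploads is skipped on the
# assumption that media changes are routine and would drown out the signal.

_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# wp_baseline DIR OUTFILE: write "hash  ./relative/path" for every file.
wp_baseline() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -path ./wp-content/uploads -prune -o -type f -print \
        | sort | while IFS= read -r f; do _sha256 "$f"; done ) > "$out"
}

# wp_verify DIR BASELINE: re-hash DIR and report MODIFIED / MISSING / NEW
# paths relative to BASELINE; return 1 if anything differs.
wp_verify() {
    dir=$1
    base=$2
    cur=$(mktemp)
    wp_baseline "$dir" "$cur"
    # diff marks baseline-only lines with "<" and current-only lines with ">";
    # a path seen on both sides changed hash, a path on one side only is
    # missing (baseline side) or new (current side).  $3 is the path field.
    report=$(diff "$base" "$cur" | awk '
        /^</ { old[$3] = 1 }
        /^>/ { new[$3] = 1 }
        END {
            for (p in old) {
                if (p in new) print "MODIFIED " p
                else          print "MISSING  " p
            }
            for (p in new) if (!(p in old)) print "NEW      " p
        }')
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Take the baseline right after a clean install or update (`wp_baseline /path/to/site baseline.txt`), keep baseline.txt outside the web root so a compromised site cannot rewrite it, and run `wp_verify` from cron; a non-zero exit with a NEW .php file under wp-includes or wp-content is exactly the signal that deserves a look.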

Copyright 2015 pair Networks, Inc. All rights reserved.
pair Networks, Inc. 2403 Sidney Street, Suite 210, Pittsburgh, PA 15203