1. 7 Ways to Secure Your
WordPress Website –
without any Plugins
Tan Kian Ann
WordPress Wednesdays – 24 April 2013

2. Please don’t copy, lah.
Will put up the slides for you to refer to,
share on WPUG Facebook.

3. #1. Set a Strong Password

4. Question:
What is the most common
password used today?

5. Set your password to “incorrect”.
So when you key in wrongly, the
computer will tell you
“Your password is incorrect.”

6. Set a Strong Password
• password
• 123456
• 12345678
• abc123
• qwerty
• monkey
• letmein
• dragon
• 111111
• baseball
• iloveyou
• trustno1
• 1234567
• sunshine
• master
• 123123
• welcome
• shadow
• ashley
• football
• jesus
• michael
• ninja
• mustang
• Password1
Source: http://gizmodo.com/
25 most common passwords (2012)

7. Set a Strong Password
• Mix uppercase, lowercase, numbers, symbols.
• Balance “secure” and “easy to remember”.
• E.g. Queenstown street 45, blk 700 #17-44 –
Qb700#17_44
• E.g. Imagination is more important than
knowledge (Albert Einstein), born 1897 –
iimitk*AE*1897

8. Set a Strong Password
• Or use a password manager
– KeePass
– 1Password
– Roboform
– LastPass
– … many more

9. #2. Don’t use “Admin” as username

10. Don’t use “Admin” as username

11. Don’t use “Admin” as username
If you already have “admin” as username:
1. Log in as “admin”.
2. Create a new administrator account using a
different username.
3. Log out of “admin”.
4. Log in using the new account you created.
5. Delete the “admin” account. You can attribute
the existing posts to the new account.

12. Don’t use “Admin” as username
Preferably:
1. Don’t use a dictionary word.
2. Don’t use popular names.
3. Don’t use your name.

13. #3. Use a Different Table Prefix

14. Use a Different Table Prefix

15. Use a Different Table Prefix
If you already have “wp_” as the database
prefix:
1. I know, no plugins but…
http://wordpress.org/extend/plugins/change
-table-prefix/
2. Or if you want to do it yourself…
http://www.wpbeginner.com/wp-
tutorials/how-to-change-the-wordpress-
database-prefix-to-improve-security/

16. #4. Set Proper File Permissions

17. Set Proper File Permissions
• Best practice:
– All files – 644 or 640
– All directories – 755 or 750
– wp-config.php – 400
• Usually can be set using an FTP program, or
web hosting control panel.

18. #5. Hide WordPress Info

19. Hide WordPress Info
• Remove these files:
– license.txt
– readme.html

20. Hide WordPress Info

21. Hide WordPress Info
• Hide generator statement
• Inside wp-
content/themes/<yourtheme>/functions.php,
add this line:
remove_action('wp_head', 'wp_generator');

22. #6. Update your secret keys

23. Update your secret keys
Inside wp-config.php – these secret keys adds an
extra layer of security.

24. Update your secret keys
• Introduced recently
– WordPress 2.6 (Jul 08): AUTH_KEY, SECURE_AUTH_KEY,
LOGGED_IN_KEY
– WordPress 2.7 (Dec 08): NONCE_KEY
– WordPress 3.0 (Jun 10): AUTH_SALT, SECURE_AUTH_SALT,
LOGGED_IN_SALT, NONCE_SALT
• Before WordPress 2.6 – non-existent.
(Remember, wp-config is not touched when you
update WordPress)
• Generate these at:
https://api.wordpress.org/secret-key/1.1/salt/

25. #7. Keep all files up to date

26. Keep all files up to date

27. Keep all files up to date
• 3 things to keep updated:
– WordPress core
– Plugins
– Themes
• Done quickly thru the WordPress backend!
• Remove unused files – themes, plugins etc.
• Remember to do a backup before performing
doing an update!

28. Conclusion: 7 Ways
1. Set a Strong Password
2. Don’t use “Admin” as username
3. Use a Different Table Prefix
4. Set Proper File Permissions
5. Hide WordPress Info
6. Update your secret keys
7. Keep all files up to date

29. Good to know, better to have it
implemented!

30. Reference
http://codex.wordpress.org/Hardening_WordPress

31. Thank You!
Tan Kian Ann
+65 96195806
tankianann@gmail.com
http://www.facebook.com/tankianann