Some Advice On Securing Your WordPress Site


If you’re hosted on, there’s not a great deal you can do to harden your site. However, if you have your own server space somewhere and it uses WordPress as a content management system / blog software, there are a few simple steps you can take to make your particular part of the internet a little less inviting to hackers.

Over at Sucuri, Tony Perez talks about some of the bigger issues you need to worry about. While he goes into great detail, what it boils down to is not installing untrusted plug-ins, making sure you connect over secure protocols (such as SSH and SFTP) and employing a “least privilege” methodology when granting access to users.

One of the easiest and best tips is simply to disable theme and plugin editing from within WordPress, so that if someone does get your password, they cannot use the dashboard editor to drop arbitrary PHP into your site. This is done by opening the “wp-config.php” file in your installation’s root path and adding the following lines:

#Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);

The post goes into more specifics and does an excellent job of explaining not only what you can do, but why you should do it.

WordPress Security – Cutting Through The BS [Sucuri Blog]


  • One security tip that I rarely see mentioned is to police the stuff you leave lying in your root directory (“temporarily” or otherwise). A backup of your WordPress database, for example, contains all the info a hacker needs to break into your system.
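The two checks above (the wp-config.php change from the post and the commenter's point about backups left in the web root) can be scripted as a quick audit. This is an added example, not code from the original article or from Sucuri; the sample install root it builds under mktemp is constructed for the demonstration and the function names are my own.

```bash
#!/usr/bin/env bash
# Audit a WordPress install root for (1) the dashboard theme/plugin editor still being
# enabled, i.e. no define('DISALLOW_FILE_EDIT', true) in wp-config.php, and (2) database
# dumps, archives or wp-config.php copies left in the web root. Returns the finding count.
audit_wp_root() {
  local root="$1" cfg="$1/wp-config.php" findings=0 f
  if [ ! -f "$cfg" ]; then
    echo "FINDING: no wp-config.php in $root"
    return 1
  fi
  # Accept define('DISALLOW_FILE_EDIT', true); with either quote style and optional spaces.
  if ! grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)" "$cfg"; then
    echo "FINDING: DISALLOW_FILE_EDIT not set to true in wp-config.php (file editor still enabled)"
    findings=$((findings + 1))
  fi
  # Files that typically hold a full database dump or a copy of wp-config.php (DB credentials).
  for f in "$root"/*.sql "$root"/*.sql.gz "$root"/*.zip "$root"/*.tar.gz \
           "$root"/*.bak "$root"/*.old "$root"/wp-config.php.*; do
    [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
    echo "FINDING: sensitive file in web root: ${f#"$root"/}"
    findings=$((findings + 1))
  done
  return "$findings"
}
# Constructed sample install root (not a real site): editor left enabled and a stray
# database dump sitting next to wp-config.php.
make_sample_root() {
  local root
  root="$(mktemp -d)"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('DB_PASSWORD', 'example-password');
/* That's all, stop editing! Happy blogging. */
EOF
  printf 'CREATE TABLE wp_users (ID bigint);\n' > "$root/backup.sql"
  echo "$root"
}
# Apply the two fixes: append the define from the post and remove the dump.
harden_sample_root() {
  printf "\n# Disable Plugin / Theme Editor\ndefine('DISALLOW_FILE_EDIT', true);\n" >> "$1/wp-config.php"
  rm -f "$1/backup.sql"
}

sample="$(make_sample_root)"
audit_wp_root "$sample" || echo "$? finding(s) before hardening"
harden_sample_root "$sample"
audit_wp_root "$sample" && echo "clean after hardening"
rm -rf "$sample"
```

Run it against a real install root instead of the sample (`audit_wp_root /var/www/html`) and treat any non-zero return as something to fix before moving on.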
