Assigning optimum (and nothing extra) folder permissions to various folders of WordPress is very important to keep your blog secure. Instead of digging your head into what should be the folder permissions for every folder (as suggested by most of the WordPress critics), I will request you to install our favourite plugin – WP Security Scan! Once installed then go to Security >> Scanner from your WordPress dashboard and you should see something like the image below:

If it’s all green then you are good to go otherwise I suggest you to follow the guidelines of the plugin and change the folder permissions.

Delete the “Admin” Username

Hackers look for blogs that use the default WordPress admin username because it’s half of the information they need to gain entry to your blog. When you use “Admin” as your username, you save the hacker a lot of time. All they’d need to do next is to figure out your password. Once that happens, they can enter your blog and do whatever they want.

The first step in making your blog secure is to create a new user profile for yourself and delete the default admin username. This makes it more difficult for someone to hack into your business blog.

To create a new username profile, open the WordPress admin navigation, go into Users and click on Add New.

Create a new user profile and change the role to administrator.

Fill in your details and make sure to give yourself the role of an administrator so you have the ability to make any necessary changes on your blog. After your new username is created, log out of your WordPress dashboard and log back in with your new user details.

Go back into Users and delete the default admin user. At this stage, WordPress gives you the option to transfer the posts authored by the admin user to your new user profile; choose that and you won’t lose any of your content or data.

Report bugs and vulnerabilities

If you ever discover security vulnerabilities on your own, do the community a favour by sending a detailed email to[email protected]. If the vulnerability is in a plug-in instead, email [email protected]. You would want other web developers to report loopholes that may affect your website, so treat others as you would like to be treated! Just avoid writing about those newly discovered vulnerabilities on the web or on social networking sites, so that information doesn’t fall into the wrong hands.


Use a Strong User Password

No matter how much awareness is raised around the danger of using a simple password, many people continue to use simple passwords that are easy for them to remember. Unfortunately, this also makes those passwords easier to crack.

It’s important that you use a strong and secure password. It should be a minimum of eight characters long with uppercase and lowercase letters, numbers and special characters.

To change your WordPress password to a stronger character string, go into Users and choose Your Profile. At the bottom of that page, fill in the New Password fields.

WordPress interface for adding a new password.

Make this a requirement for every member of your blogging team as each login password presents a potential gateway for hackers to try to enter.

Disable custom HTML when possible

WordPress can use custom HTML for various functions. If that isn’t absolutely necessary for the form and function of your website, you may want to disable unfiltered HTML by adding the following to yourwp-config.php file:


Update to the Latest WordPress Version

In response to security vulnerabilities, the WordPress software, themes and plugins are regularly updated with the latest patches and fixes.

When a WordPress update is available, you’ll see a prominent notification across the top of your dashboard.

You’ll see a yellow notification banner across the top of your WordPress dashboard when there’s a new update available for you to install.

Updating is a simple 1-click process in your dashboard so you won’t need to leave your browser or do any manual uploading via FTP.


Back Up Your Blog Database

Backing up your database is an important part of keeping your blog secure.

WordPress makes the backup process simple with both free and paid options. WP-DB-Backup, a free option, is one of the most downloaded WordPress backup plugins and is a simple solution for beginners.

To install WP-DB-Backup, go into Plugins and choose Add New. Type “WP-DB-Backup” in the search box. Click Install Now and then click OK.

It’s easy to find and install a plugin to back up your blog. Under Plugins, click Add New and search for WP-DB-Backup or another backup plugin.

From the Plugins screen, Activate the plugin.

After the plugin has been activated, you’ll have a new addition to your navigation in Tools named Backup. From Backup, you can either back up your database immediately or you can set the backup to occur on a regular schedule. The backup files can be downloaded to your hard drive or sent to your server via email.

WP-DB-Backup gives you the option to save to server, download or email.

You’ll appreciate knowing you always have an up-to-date backup of your blog in the event something does happen.

Hide indexes

Be sure to disable public access to indexes whenever possible. If people can find the files in your site’s wp-content/plugins/ directory without being authenticated, it’s a lot easier to crack into your site through plug-in vulnerbilities. If your web server runs Apache or another OS that uses .htacess files, it’s simple to do. Find the.htaccess configuration file in your site’s main directory. That’s the directory that contains index.php. Insert the text Options -Indexesanywhere in the file. Alternatively, if you can’t alter a .htaccess file, upload an index.html file into your main directory. You could make that web page have a similar look to your site’s PHP web pages and insert a hyperlink to your index.php file if you’d like. But obviously, in a site that uses WordPress as a CMS, visitors won’t see yourindex.html file unless they type a specific path to it in their web browser address bar. Alternatively, you could make your index.htmlfile a 0 byte placeholder.

In case your web server ever has problems computing PHP files, it’s crucial to block directories that are only accessed by your server. If the PHP source code is ever displayed in a visitor’s web browser rather than the web page it’s supposed to render, they may find database credentials or in depth information about the PHP/mySQL programming of your site. Your site’s wp-includes/ directory is the most important one to block. Find the .htaccess file there and insert:

RewriteRule ^(wp-includes)/.*$ ./ [NC,R=301,L]

If there are or will be subdirectories of wp-includes/, insert the following code for each one in the same .htaccess configuration file:

RewriteRule ^(wp-includes|subdirectory-name-here)/.*$ ./ [NC,R=301,L]

Limit Login Attempts With a Plugin

The Limit Login Attempts plugin is especially useful in helping to repel brute-force hacker attacks by blocking access to the login page after a series of incorrect login attempts have been made. As administrator, you decide how many login attempts to allow before the plugin launches the block.

Install this plugin by going into Plugins and choosing Add New, just as you did to find the WP-DB-Backup mentioned above.

This time, search for “Limit Login Attempts,” click Install and then OK. Activate the plugin from the Plugins screen and you will have a new Limit Login Attempts option in your Settings.

To set the number of allowable login attempts and other limits, click on Limit Login Attempts, fill in the options and click on Change Options to save your work.

Audit overall workstation security

First of all, make sure that any and all PCs and web servers you use are kept properly secure. Make sure you’re running the most recent release of your favourite web browser, and make sure that it’s set to automatically patch. Do the same with your antivirus software and operating systems. Ensure all authentication vectors you use have secure passwords, which are changed every so often. Scan your PCs and servers for malware, frequently. Make sure you use proper firewalls – at the OS level, at the router level and at the ISP level, if at all possible. Any security holes outside of WordPress, in software and hardware you use with it, can affect the CMS itself. It’d be sad to create a really secure password for your WordPress admin account, only to find out a keylogger defeated all of your effort.

Install security plug-ins

I previously mentioned the Exploit Scanner plug-in, which you should run on your site every so often to check for vulnerabilities and cracking attempts. There are a number of other WordPress plug-ins that I recommend you install and use. When used properly, they can harden your WordPress site very effectively.

With Exploit Scanner, you can also use WP Security Scan. Not only will the plug-in look for vulnerabilities, but it’ll also give you specific advice for blocking them.

To prevent man-in-the-middle cracks to find your login credentials, be sure to encrypt your login packets with Login Encryption. That plug-in uses both DEA and RSA algorithms for enhanced security.


Some of the tips in this article and the ones already suggested in Part I can help you secure your wp-admin folder for optimum security. To add that one extra layer of security to protect the wp-admin folder one can use the AskApache Password Protect plugin. Along with its other features, this plugin password protects your wp-admin directory and the login page. Therefore, when someone tries to access your wp-admin directory then he will be prompted for credentials to access the same.


[button size=”large” color=”green” title=”Server Administration Services from Stack Supports” link=””]View Server Administration Packages[/button]