How To improve basic security on a fresh WordPress install

April 15th, 2010
HOW-TO, WordPress FAQs

WordPress developers take security very seriously, and many security experts evaluate WordPress’s code for flaws. Security updates are made frequently to keep users safe. However, there are some extra steps you can take to make a fresh installation of WordPress more secure and protect against future attacks. Remember, no system can ever be completely secure, but taking preventative measures can be helpful. Much of this guide is based on the advice from the WordPress Codex article on hardening WordPress, but it is aimed at the WordPress beginner. In future articles, I’ll cover advanced security measures, hardening existing WordPress installs, and recovering hacked WordPress sites.

This guide should be relevant for both WordPress 2.92 (the most recent stable release as of this writing) as well as WordPress 3.0.


-Preliminary steps for securing your WordPress install
-Changing defaults in WordPress to implement “security by obscurity”
-Choosing strong passwords
-Installing and configuring the Secure WordPress plugin
-Keeping WordPress updated and backed up
-And we’ll take a first look at some advanced security measures

Preliminary steps:

1. Secure your computer
As the WordPress codex says: “None of the following makes the slightest difference if there is a keylogger on your PC.” Make sure you are running anti-virus and anti-spyware software, and make sure said software is up to date. If you’re on Windows and don’t have any antivirus installed, I recommend AVG Free and Windows Defender.

2. Make sure you’re installing the latest stable version from

3. If you already have another installation or WordPress or other database software on your server, and your host allows it, create completely new database and a brand new database user that only has access to the new database. This is to insulate your other sites in case someone compromises this installation of WordPress.


We’ll follow the basic steps of the famed 10 minute install, but we’ll make a few changes to the default settings along the way.

1. First we’ll change the default table prefix (You won’t be able to change this if you’re installing using Fantastico):

If you’re installing manually you’ll see a screen that look like this:

Change the “Table Prefix” field to something else. Be sure to leave the underscore (_). You should have something that looks like this:

2. Next we’ll change administrator’s username. The default is “admin.” Change this to something secret. You’ll have the option later to set a “nickname” – that’s what your readers will see.

Be sure to use a strong password. Notice how WordPress helps let you know whether your password is weak or strong.

Some tips for creating a strong password:

You shouldn’t use any part of your name, username, or the site name in the password.
It should be at least 8 characters long
It should include numbers and symbols in addition to letters
You child’s first name and date of birth may be easy to remember, but is easy for anyone who knows anything about you to guess.
Here’s a strong password generator to help you out.

If you’re using Fantastico you’ll change the administrator username when you setup the new installation. Fantastico doesn’t help you create strong passwords, so you’ll be on your own. Follow the advice above and you should be ok.

3. Finish installing WordPress and login.

4. Next we’ll want to stop WordPress from displaying its verstion number anywhere on the site. I use the plugin Secure WordPress. It also provides some other security features we’ll look at in a moment.

On the dashboard, mouse over Plugins and click the arrow

Click Add New

In the search field, type “Secure WordPress” and click “Search Plugins”

Find Secure WordPress. To make sure you have the write plugin, verify that it is the one by Frank Bültge.”

Click “Install Now” and then click “OK.” On the next screen click “Activate Plugin.”

5. On the next screen, click “Settings” under “Secure WordPress”


You can leave all these settings alone, but if you’re not planning on using Windows Live Writer you should check “Remove Windows Live Writer link in wp_head of the frontend” and then click “Save Changes.”

Congratulations! You’re now ahead of the curve in terms of WordPress security.

Keep WordPress up-to-date, keep plugins up-to-date

The most important thing you can do now is keep WordPress up-to-date. When new versions of WordPress area available you’ll see a notice on the dashboard when you login:

Click the “Please update now” link to see your update choices. The easiest way is to just click “Upgrade Automatically.” If for whatever reason you can’t upgrade automatically, you can download the newest version and follow the included upgrade instructions.

You’ll also want to keep you plugins updated. You should frequently click on the Plugins link on the dashboard and check for notification that look like this:

Again, upgrading automatically is the easiest method. If you can’t upgrade automatically, follow each plugin’s upgrade instructions.

Backup often

Finally, you’ll want to backup your WordPress database frequently in case anything should ever happen to your WordPress install. WordPress Database Backup makes this a snap. We’ll cover database backups in a future article.

Advanced security

If you want to get your hands dirty with advanced security measures, you can lockdown your WP-Admin folder. We’ll look into the specifics of doing this in the future, but if you want to get started now check out the AskApache Password Protect plugin.

And for bonus paranoid points, you can use Open Source Tripwire to monitor your WordPress files for unexpected changes. In the comments, David pointed out that Open Source Tripwire is no longer maintained, and suggested some alternatives. But here’s a plugin specifically designed for monitoring your WordPress files. Works right out of the box!




  1. Goon (1 comments.) says:

    I find that two best things to do is to rename admin user of course as you mentioned, and remove any “powered by” be it wordpress or theme name. Most script kiddies just google “powered by wordpress” and then brute force admin user or try some kind of injection. Usually those two things take care of the 80% of all shenanigans.

    • Janine (3 comments.) says:

      Right on Goon. Those are the first two things I do as well out of about 10. I have a checklist for every new WordPress site I create.

  2. Paul says:

    One question about changing table prefix.

    Can this be done with a WP site that’s already installed and run ?
    And if so, what’s the consequence of changing table prefix ?

    Thanks for the article.

    • Mike (3 comments.) says:

      You can rename the prefixes on your tables.

      Don’t forget to change the use of the prefix in the usermeta records for capabilities meta_key entries. There are a few other places too. I think the prefix is also used in the postmeta table aswell for attachments and a couple places in options table field called ‘option_name’.

      Easiest way to replace in fields supposedly is:
      but I’ve never used it.

      But that doesn’t necessarily correct the string length in serialised data so try to keep the new prefix the same length (3 chars).

      Hope this helps.

    • Klint Finley says:

      You can also use the Secure WordPress plugin mentioned above to rename the tables. It’s very easy, but BACKUP BACKUP BACKUP before you try it.

    • Paul says:

      Thanks for the info on Search and Replace plugin.
      I bookmarked that, might come in handy.

      Thanks for pointing out the ability of Secure WordPress Plugin.

      Thanks for the great post.

      Security is the most important thing that people overlooked when
      managing websites, most of the time, they wait until it’s too late.( I’m one of them actually – but I do backup that’s ready to be re-installed at anytime.)

  3. kevin love (9 comments.) says:

    Password security should go without saying, but people still need to be reminded. Just look at clickbank. You have to use uppercase, lowercase, numbers, and symbols. My password is the longest most confusing thing ever haha…

  4. Sergej Müller (1 comments.) says:

    Use the WordPress antivirus plugin for more advanced wp security

    • Yael K. Miller (2 comments.) says:

      @Sergej What exactly does your AntiVirus plugin do? Yes, I’ve read all the info at its Codex URL and the one on your site.

      • Sergej Müller (2 comments.) says:

        The plugin scan manually or/and automatically the database, theme templates and permalink structure for suspicious (php) code.

  5. Chris Stumph (1 comments.) says:

    Good tips, I’ve been using that plugin myself, it’s pretty convenient. I also like the “User Locker” plugin which locks down the admin account after a specified number of failed login attempts.
    Backups are probably the single most important step, and seem the most often overlooked. A good backup system can save your site from anything.

    Did not know about the open source tripwire. Looks like a fun new toy :)

  6. Andrew@BloggingGuide (63 comments.) says:

    Security of your wordpress should be the top priority because hackers are always roaming around looking for someone to victimize. Without security, your posts and everything in your blog is exposed thus when attacked will be useless.

  7. Kishore Mylavarapu (13 comments.) says:

    Specifying some .hatcess hacks will be also good.And using Askimit is a great way to reduce the comment spam.And WordPress Security Scan a beautiful plugin to checkout the file permissions.

  8. Paul Goldman (1 comments.) says:

    This is a totally helpful site. I’m pretty new at WP and the official help and tutorial section of WP pre-supposes too much pre-existing knowledge (that I don’t have YET) I really appreciate the tip by “Goon” above about removing “Powered by WordPress”

    Also applaud Sergej Müller for pointing me to the A/V plug-in. Thanks mate!

  9. Dana (3 comments.) says:

    Thanks for this article. I have been plan to start secure my wordpress blog and this article surely will help a lot. I hope the advance part will be coming soon.

  10. Boni (1 comments.) says:

    I have never heard about “Secure WordPress” pluggin. I think I will try it to secure my website. Thanks for the good article.

  11. Evil Mammoth (2 comments.) says:

    Exploit Scanner ( has also come in handy for me.

  12. David (1 comments.) says:

    Very good article, but bad advice on Tripwire. It is not being updated anymore… A better open source HIDS would be OSSEC ( ) or samhain.

  13. Klint Finley says:

    Thanks, Sergej, for the recommendation. I hadn’t seen AntiVirus for WordPress before. I’m giving it a try.

    Some of the other plugins mentioned will be in my upcoming tutorial that will focus on existing WordPress sites instead of fresh installs.

    Thanks for all the comments everyone!

  14. Yael K. Miller (2 comments.) says:

    Question on the installation screenshots: I’ve never seen those forms before. Where are they?

    How I install WordPress: I create a MySQL database, fill out missing info in wp-config.php, FTP it to site, then go to

    • Klint Finley says:

      Good question! If you fill out the wp-config file, you won’t see those fields. Those fields are an automated way of filling out the wp-config file. I forget when they were introduced… version 2.5ish?

    • Janine (3 comments.) says:

      I have the same question..

  15. Klint Finley says:

    Oh, and here are some other good links:

    The first one emphasizes the importance of being on a secure host, which I didn’t go into in this article. I definitely recommend checking around before you sign-up with a host.

  16. Peter Bird (4 comments.) says:

    There was a comment above re htaccess hacks. I had 2 vBulletin forums hacked and since protected the admincp via .htaccess stuff (that I do not really understand as its a bit beyond me) to protect me in the future – I was good at following the instructions. Is it possible to do something like this in wordpress? I did a google search but found nothing that looked like what I followed for the vBulletin set up.

  17. Uwe (18 comments.) says:

    “password” is _NO_ password + .htaccess deny from .evil_countrys/provider + .htaccess password + latest wordpress with a renamed admin account and no open reg = I feel pretty safe right now :)

  18. Mommy D (3 comments.) says:

    Great post. Made it simple to understand for us non-computer literate types. I have been neglecting backing up my blogs but I checked out your back up suggestion and this should make it simple. I will be sure to back up more often ;)

    Mommy D

    • Janine (3 comments.) says:

      Mommy D I’m with you! Backing up is such a pain, but this post makes it much more feasible.

  19. Nurul Azis (16 comments.) says:

    Keeping a wordpress plugin up to date is good but sometimes, the compability with the wordpress version makes me wait a bit longer before updating the plugin

  20. Pat Bodes (1 comments.) says:

    A good way to stop hackers is to use the security keys in your WP config.php file. Basically, you add a really long, complicated, random string of characters in the appropriate place in your config.php file. See section 1.6 for the basic instructions on how to do this. You can get to the config.php file from your hosting account control panel file manager.


  1. […] How To improve basic security on a fresh WordPress install […]

  2. […] How To improve basic security on a fresh WordPress install […]

  3. […] my first article on WordPress security I mentioned Open Source Tripwire as an option for monitoring your WordPress install for unexpected […]

  4. […] is a great article on basic security when setting up your blog from Weblog Tools Collection that I recommend everyone […]

  5. […] How To improve basic security on a fresh WordPress install […]

Obviously Powered by WordPress. © 2003-2013

page counter