Continuing from my previous blog at the end of Cyber Security Month, here are some more advanced tips on how to keep your WordPress Site safe. 

1. Use fail2ban

A number of security plugins, such as iThemes Security, allow you to block login attempts once someone has entered the wrong password too many times. This is known as blocking brute-force login attempts. Most plugins do this by locking the account or by banning the IP address.

If you don’t want to use a plugin, and you have access to SSH on your server, you can connect Fail2Ban to your WordPress blog. This ensures that the block is done at a server level. I’ve found a great blog post here which you can read.


2. Rename your login link

One of the best ways to stop people who haven’t been given login details from logging in is to stop them from knowing how to log in in the first place.

It’s worth noting this tip won’t work for everyone, especially if you’re running an e-commerce site, or a site which requires your users to log in. So skip this step if this applies to you.

Because WordPress is such a popular and well-known platform, everyone knows wp-login.php or wp-admin is the URL you need to go to in order to log in.
WordPress is prone to “brute force” attacks that use online databases of saved passwords, or passwords attackers have found in other companies’ leaks.

However, if you’ve edited your login link, they’re not going to be able to log in using the default links, making their life much harder.

There are a number of security plugins or even a standalone plugin which will allow you to do this.


3. Auto log out idle users

If your website has admins who are likely to log in outside of your office, such as in a coffee shop or another public place, having an idle countdown to log users out is advised.
Something sensible, like 5 minutes of account inactivity before the account is automatically signed out, is a great way to minimise the chance of someone using your session if you accidentally left yourself logged in and have left the area.

You could try checking this plugin out here.

4. Monitor Core WordPress files

In part one of this blog, we talked about using a security plugin to monitor the core WordPress files.

A more advanced method of doing this would be to use the built-in WP-CLI command: wp core verify-checksums

You could set up a crontab to automatically run this command every so often. But on its own this doesn’t notify you when something changes.

Danny van Kooten released a handy bash script which automatically pushes a notification to your phone via PushBullet. Click here to take a look.
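A cron-friendly wrapper around the command above, as an added example (this is not Danny van Kooten's script and it does not send PushBullet notifications): it runs wp core verify-checksums and, on failure, appends a timestamped alert with the WP-CLI output to a log file that your own notifier can watch. The WP_BIN and ALERT_LOG variables, the log path and the script path are assumptions.

```shell
#!/bin/sh
# Added example. Run it from the crontab of the user that owns the site, e.g.
#   */30 * * * * /usr/local/bin/verify-core.sh /var/www/html
# (both paths above are assumptions, adjust them to your server)

WP_BIN="${WP_BIN:-wp}"                                   # WP-CLI binary
ALERT_LOG="${ALERT_LOG:-/var/log/wp-core-verify.log}"    # assumed log location

# verify_core <wordpress-dir>
# Returns 0 when the core files match the official checksums, 1 otherwise.
verify_core() {
    site_dir="$1"
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ ! -d "$site_dir" ]; then
        echo "$now ERROR $site_dir: not a directory" >> "$ALERT_LOG"
        return 1
    fi
    # Capture stdout and stderr so the list of mismatching files is kept.
    if output=$("$WP_BIN" core verify-checksums --path="$site_dir" 2>&1); then
        return 0
    fi
    {
        echo "$now ALERT $site_dir: core checksum verification failed"
        echo "$output" | sed 's/^/    /'
    } >> "$ALERT_LOG"
    return 1
}

# When called with a directory argument, verify it and exit with the result.
if [ "$#" -gt 0 ]; then
    verify_core "$1"
fi
```

Because the script exits non-zero on failure, cron's own MAILTO handling or a log-watching tool can be used for the notification step.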


5. Don’t use default `wp_` table prefix

If you’ve installed WordPress yourself, then you are familiar with the `wp_` table prefix that is used by default within the database. It is recommended that this is changed to something unique. This is normally done when first setting up the website. However, iThemes Security and WP-DBManager allow you to do this with one click. This is to prevent automatic SQL injection attacks!

Obviously, it goes without saying that you should back up your site, including your database, before doing this!

6. Monitor your log files

Logs are your friend, not only your webserver logs from NGINX or Apache, but your system logs too. They will provide you with critical information including
Monitoring the logs can tell you what’s been happening by the other accounts who have access.

This can tell you if someone has changed/installed/removed something they shouldn’t have.

If you’re using Linux, then there are a number of files you can find inside /var/log/, including /var/log/auth.log (or /var/log/secure if using CentOS/RedHat), /var/log/messages and /var/log/faillog, to name a few.

If you’re managing your own server, you should really know about these and be checking these on a regular basis.
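As an added example (not from the original post) of what checking the web server log can look like, the function below counts failed POSTs to wp-login.php per client IP, the same brute-force pattern discussed in tips 1 and 2. It assumes the NGINX/Apache "combined" log format; the sample lines are constructed, and the function names are hypothetical.

```shell
# Constructed sample lines in "combined" access-log format.
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [01/Nov/2018:10:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2018:10:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2018:10:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2018:10:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2018:10:15:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2018:10:15:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2018:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2018:10:16:05 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
EOF
}

# login_offenders <threshold>
# Reads an access log on stdin and prints "count ip" for every client with at
# least <threshold> failed login POSTs, highest count first.
login_offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        # Fields: $1 client IP, $6 quoted method, $7 request path, $9 status.
        # WordPress re-renders the login form with 200 after a failed login
        # and answers with a 302 redirect after a successful one.
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= t) print hits[ip], ip
        }
    ' | sort -rn
}

# With the sample data, only one address reaches three failed attempts.
sample_access_log | login_offenders 3
```

On a real server, feed it your own log instead of the sample, for example `login_offenders 10 < /var/log/nginx/access.log` (the path is an assumption and depends on your configuration).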

7. Protect the wp-config.php file

Your wp-config.php file is the core of your site’s security. It contains the crucial database password information.

If you’re using Apache, you can do this by ensuring that you’ve added a .htaccess file with the following information:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

If you’re using NGINX, you can add this to your server block:

location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }

8. Don’t allow file editing from the WordPress dashboard

This prevents your admins and editors from being able to edit any files that are within your WordPress installation. This also prevents any intruder from being able to access these too.

This one is really easy to add, just add this to the very bottom of your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

9. Set permissions correctly

Wrong permissions can give other users of the server/members of the public access to your files. This is especially important if you’re using shared hosting.

Setting the correct permissions is one of the most critical steps in securing your website. The permissions should be:
755 for folders
644 for files

Your files & folders should be owned by the correct username too; on most people’s setups this is the user your webserver is running under (often www-data).

Three simple commands can fix this for you (replace /dir/ with your WordPress folder’s directory):

chown -R www-data:www-data /dir/
find /dir/ -type f -exec chmod 644 {} \;
find /dir/ -type d -exec chmod 755 {} \;


10. Remove the WordPress version number

There are a few ways to remove the version number, which you will see below, but over the years this has changed due to the changing nature of WordPress.

Unfortunately, my favourite way, which was just 41 characters of code and simply removed the action, is no longer the best way, as it doesn’t affect RSS feeds or the query arguments of scripts and stylesheets.

Just in case you’re interested, it used to be this:

remove_action('wp_head', 'wp_generator');

But now, the correct way is the following:

// remove version from head
remove_action('wp_head', 'wp_generator');
// remove version from rss
add_filter('the_generator', '__return_empty_string');
// remove version from scripts and styles
function creativefolks_remove_version_scripts_styles($src) {
    // strip the ver= query argument when it is present
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'creativefolks_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'creativefolks_remove_version_scripts_styles', 9999);

There’s no editing needed, just drop this into the bottom of your functions.php file.

If you would like to chat web stuff with a member of the CREATIVEFOLKS team then please get in touch.

Produced by Cameron Stephen

Cameron Stephen is a full-stack web developer who specialises in LAMP/LEMP development, confidently working with PHP, HTML5 and CSS within a Linux environment. He prefers to work using the Symfony MVC framework with Doctrine as an ORM; Git as his version control system of choice and Composer as the dependency manager - but is also fully capable in WordPress-based web development, developing bespoke websites that are fully responsive, are well optimised and bug-free.