in Security, Tips

Securing WordPress

WordPress is the most popular CMS on the web right now.  As such, WordPress installations are constantly scanned for vulnerabilities. Here are a few simple suggestions to keep the hackers out of your WordPress site.

If any of this seems daunting, SWCP’s WordPress Monitoring and Update service may be right for you. As always, call us at 505-232-7992 or email us if you have any questions.

Low-Hanging Fruit

define('DISALLOW_FILE_EDIT', true);



  • Disable PHP execution of HTTP POST to wp-content/uploads (SWCP webfarm does this server-wide)
  • Log Dashboard auths (SWCP has a plugin that can do this)
  • For normal WordPress operations, the MySQL database user only needs data read and data write privileges to the MySQL database; SELECT, INSERT, UPDATE and DELETE. Therefore any other database structure and administration privileges, such as DROP, ALTER and GRANT can be revoked.
  • Disable HTTP access to wp-includes by adding to the top of .htaccess file
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress