How to protect and secure WordPress

Securing a WordPress blog is pretty simple. If you google the words “How to protect wordpress”, you will find a lot of sites talk about the basic techniques, such as

  1. Make sure that your WordPress software and other plugins are always up to date
  2. Enable Akismet to protect your site from spam comment
  3. Don’t share your WordPress account with others people

While these advices are absolutely correct, but to me (and most other experienced users), these are common sense only. As an advanced user, I am interested in learning more innovative or advanced techniques, rather than some junk collected from WordPress for Dummies.

In the following paragraphs, I am going to show you some advanced techniques that 90% of the WordPress sites have not implemented. They are nothing fancy, just require you to do tweak using terminal. Notice that doing something through terminal (a.k.a. command line) is considered an difficult task to 90% of the people in the world.

Anyway, the techniques I introduce below are targeted to solve the most basic and fundamental security problem that WordPress do not address, because these problems go beyond its capability.

Securing WordPress: Step 1 – Secure your server, at least secure how you login to WordPress Dashboard

WordPress provides an extremely easy way to access the WordPress Dashboard:

It is very handy because you can log in to your website anywhere, as long as you have access to a browser with internet connection. However, it also opens a door to everybody as long as they have your login and password. How? When you login to WordPress, you are sending your login and password to the WordPress server in clear, unencrypted format. Everything are visible to everybody. If someone is interested to steal your information, it is possible.

There are two ways to solve this problem –

1.) Building a secure HTTP server, i.e.,

Notice that it is https, not just http.

Depending on what web server you use to run WordPress. In my case, I use Apache and it is very simple to run a secure Apache server. All I need is to generate a website certificate, apply it to my domain and my secure web server is ready.

There is only one problem – All browsers will complain about your certificate because it is generated by myself, not the other authorities such as Verisign. However, I can ask my browser to ignore that.

If it sounds difficult to you, you can ignore that. The second suggestion below will help solving this problem.

Securing WordPress: Step 2 – Limit the access to WordPress Dashboard

Okay, now you’ve already secure the communication channel between your computer and the WordPress server, and no one can see the login and password in your transaction. Is it enough? Nope. I can still brute-force attack your website by trying all different combination. So, we need to limit the access by IP addresses. Depending on how you access your WordPress blog, if you always access it from certain location, such as home, office or other locations, and if these IP addresses do not change often, this may work for you.

Simply go to the wordpress directory, e.g.,


Make sure that .htaccess exists.

Add the following to the end of the file:

order deny,allow
deny from all
allow from XXX.XXX.XXX.XXX
allow from localhost

Replace XXX.XXX.XXX.XXX by your IP addresses. Here are some examples:

allow from  #Allow from this address
allow from 192.168.1        #Allow from 192.168.1.*
allow from 192.168          #Allow from 192.168.*.*

That’s it! If you want to go further, you can check the IP address inside wp-login.php as well, i.e.,


if ($IP != '') exit();

However, I don’t recommend this way because your codes will get overwritten after upgrading the WordPress.

That’s it. Enjoy building a secure WordPress site.


Our sponsors:

Comments on running webservers at home – Part 1

I like to experiment all kind of computer technologies especially server applications. I am not one of those who is satisfied with just making a website and putting it in somewhere. I like the full control of the server because I like to try different combination of applications for performance tuning. For example, I doubt regular web hosting company allows you to host the entire system on a ram disk with a reasonable price tag. That’s why I choose to host a server at home. That’s a lot cheaper, plus I have the full control. However, running server application may generate lots of upstream traffic. That’s why most internet server providers (such as Charter) do not allow their customers to run any server related applications using their internet connection service. They do it by blocking most service related common ports, e.g., 80 (HTTP), 21 (FTP), 22 (SSH) etc. So there is really nothing you can do other than hosting your applications on different ports.

Two years ago, I started hosting all of my websites using my own computers. I found a number of benefits.

Benefits of hosting websites at home

1. It saves me tons of money.

I was paying $72/year per domain for web hosting. Since I have more than ten domains, the total running costs per year is pretty high. This amount is really nothing comparing to the cost of the electricity.

Monthly cost for web hosting:

$72 per domain/yr * 10 domains / 12 months
= $60 per domain / month

My monthly electricity cost at home, which includes everything such as running 10 non-gaming computers, washer, dryer, lighting etc:

$80 / month

I haven’t tried measuring the exact energy but you can imagine the electricity used by computers should be under $10 / month.

2. It is fun (and environmental friendly too).

I have few stone-age computers including a Pentium II laptop, a Mac G3 (speed wise similar to Pentium II), a Pentium M Celeron laptop etc. I integrated them to a web server farm (web clusters). Since running a web server does not require a lot of CPU power, they are doing okay for hosting low-traffic websites. Also, it is cool to show off my friends the global data center that I build for my websites.

3. Your data is secured!

Have you ever heard of any bank host their web sites on web hosting? No matter what type of encryption you use for your web applications, you still need to process the raw, original, and unencrypted data on the server side at one point. Processing confidential information on a shared server is like talking your secrets in a study room in a public library. You think you are in an isolated environment, but you can be surveillanced, it’s very simple and easy.

Here is an example:
Supposes I have a web application which accepts the confidential information from my users, and all traffics are encrypted. After the confidential information is decrypted on the server-side, my web application processes the raw information and do further things.

Let’s say the server environment is Apache + PHP + MySQL, the most popular combination of web application environment. Since they are all open-source, it is very easy to modify the source codes and log every single thing into a file, including the raw, original, unencrypted data processed by my web application.

You may think this may require lots of work and it will never happen on you. What if your competitor wants your confidential information? It doesn’t cost much to hire someone to do it.

Sounds scary?

More scary things come along. Shared web hosting (hosting multiple domains on one single server) always come with lots of trouble that many people are ignored. In theory, every website on a shared hosting lives in a virtual, independent environment, think about it as a virtual machine like VMWare or Hyper-V. Practically, it is not easy to set up such environment (e.g., FreeBSD Jail) and many web hosting companies choose to go with a less difficult path, because customers will not realize it anyway. Now here is the interesting part, supposes my domain and your domain are hosted on the same server. I can access the resource at the operating system level first (which will required some hacking), then access your file after that. Now I have access your source code and I can do whatever I want.

The most secure place in the world is the place that can be accessed by you, and no body else, i.e., your home, or any place you have full control

Our sponsors: