Here's the philosophy of everything on this page:

Checklist - How to secure your WordPress site like a pro

This page ...

is an attempt to give a 1,2,3 checklist of all the things
i do to protect the sites i build and admin.
(This page is only a reminder list — for full how-tos, follow the links.)

  • Don't worry about learning how to do all these things at once! Start with first 5 things. When you understand those (and do them!), try out the next steps.

"waaaaaaaaahhhhh"
"it's too hard"... "it takes too much time"... "it's too complicated" ...

aaawwwwwww, poor babies. Here's some reality:
Websites are hard. Websites take a lot of time. Websites are complicated.

Some thoughts to begin

I am very sorry to tell you that there isn't any magic wand to protect a website, any more than there is for crossing the road, or for driving safely. It all takes knowledge, experience, and common sense.

When your website gets hacked — I have seen it too many times — 90% of the time you left the door open. No point to blame your web host, or WordPress, or PHP. If someone walks in my unlocked room, no point to blame the building owner!

OK OK! enough blather! So how do we lock the doors?

The first things to do are:
updates.    good passwords.    backup.    secure computer and connection.
but they are also unexciting and unromantic, and that's why we don't do them.
and that is the main cause of getting hacked.

Yes, these things take time and effort and knowledge.
That's why they pay us the big bucks!

You know what takes more time and effort and knowledge?
Plus doesn't feel as good?
Cleaning up and rebuilding a hacked website!

The two most most most important things to do are:

  • Always update WordPress, and any plugins
    Most updates are made to fix security problems. The bad guys are always finding new ways to attack, so the programmers are always having to write new ways to protect.
    Updating is very easy. WordPress will show you when anything needs updating, and all you have to do is click to do the update. So ...
    • Update WordPress right away whenever the dashboard shows you a notice.
    • Update any plugin right away whenever the dashboard shows you a notice.
    • Yes, you should always update. See why at CDT.org
      — Yes, even if it's a test or non-active website: Sucuri.net
  • Have good passwords, and keep them safe. Click for more
    • at least 10 characters. more is better!
    • upper- and lower-case letters, numbers, and punctuation
    • It's easy!
      1. Just float your hand over the keyboard, and flop your fingers around on the keys:
        dskf40843;ial
      2. Change any 0, O, l, I, to something else (they get confused in our minds)
        dskf49843;iag
      3. Change some of letters to uppercase:
        dsKf49843;iaG
      4. Replace some of the things with punctuation:
        d%Kf49#43;iaG
      5. Boom! a password! (DON'T use that one! The hackers have it now.)
    • Yes of course you can use some password-generation tool. I just do this.
    • Yes now you need a password-management program to keep track of these nasty things!
      See more at the Codex.
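Here is an added example (my own script for this page, not from the original checklist or from WordPress) that turns the rules above into a checker and a generator. The two sample passwords it tests are the worked steps above; the rules encoded are the ones listed: at least 10 characters, upper and lower case, a digit, some punctuation, and none of the look-alike characters 0, O, l, I.

```shell
#!/bin/sh
# Added example (not code from the original page): a generator and a checker for the
# password rules above. Rules encoded: at least 10 characters; upper- and lower-case
# letters, a digit and a punctuation mark; none of the look-alikes 0, O, l, I.
export LC_ALL=C    # so [A-Z] and [[:punct:]] mean the plain ASCII classes

# check_password PASSWORD -> status 0 if every rule holds, 1 otherwise
check_password() {
    pw=$1
    [ "${#pw}" -ge 10 ] || return 1
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac          # an upper-case letter
    case $pw in *[a-z]*) ;; *) return 1 ;; esac          # a lower-case letter
    case $pw in *[0-9]*) ;; *) return 1 ;; esac          # a digit
    case $pw in *[[:punct:]]*) ;; *) return 1 ;; esac    # some punctuation
    case $pw in *[0OlI]*) return 1 ;; esac               # no look-alike characters
    return 0
}

# gen_password [LENGTH] -> prints a random password (default 14 characters) drawn
# from /dev/urandom, retrying until check_password accepts it
gen_password() {
    len=${1:-14}
    while :; do
        # the alphabet already leaves out 0, O, l and I
        candidate=$(tr -dc 'A-HJ-NP-Za-km-z1-9!#$%&*+,./:;=?@^_' < /dev/urandom | head -c "$len")
        if check_password "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# demo: the first and the last stage of the worked example above, then a fresh one
for sample in 'dskf40843;ial' 'd%Kf49#43;iaG'; do
    if check_password "$sample"; then echo "$sample: ok"; else echo "$sample: rejected"; fi
done
echo "generated: $(gen_password)"
```

The first sample is rejected because it still contains a 0 and an l (step 2 above), the second passes. Whatever you generate, it still goes into your password manager, not into your head.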

If you don't do these things, you are leaving the doors to your site wide open.
If you don't do these things — don't even bother doing the other things!

Four other important things are:

  • Back up your website. Often.
    • How often? → How many of your posts will you lose before you start to cry?
    • Keep copies of your uploads and themes folders
    • Here's how ↓
  • Use "secret keys" in your wp-config.php file.
    You don't need to understand it — it's so easy, just do it!
    Click for more
    Go to https://api.wordpress.org/secret-key/1.1/salt/ and copy what you see into the section of your wp-config.php file that looks like this:
        /**#@+
         * Authentication Unique Keys and Salts.
         *
         * Change these to different unique phrases!
         * Generate these at https://api.wordpress.org/secret-key/1.1/salt/
         * You can change these at any point in time to invalidate all existing cookies.
         * This will force all users to have to log in again.
         *
         * @since 2.6.0
         */
        define('AUTH_KEY',         'put your unique phrase here');
        define('SECURE_AUTH_KEY',  'put your unique phrase here');
        define('LOGGED_IN_KEY',    'put your unique phrase here');
        define('NONCE_KEY',        'put your unique phrase here');
        define('AUTH_SALT',        'put your unique phrase here');
        define('SECURE_AUTH_SALT', 'put your unique phrase here');
        define('LOGGED_IN_SALT',   'put your unique phrase here');
        define('NONCE_SALT',       'put your unique phrase here');
        /**#@-*/

    (Just replace all the define(); code lines with what you copied from that URL.)

    Want more? Go to the Codex.
  • When you upload files, use only SFTP, never plain FTP.
    Click for more

    With plain FTP, your username and password go through the wires openly, and are very easy for the bad hackers to get. They can also get other information. When you use SFTP, everything is encrypted.
    To use SFTP, your host will have to provide shell (ssh) access. This may come automatically with your account, or you may have to request it. (If they will not provide shell access, there are probably other problems with them as well — find another host.)

  • Always access your website, admin, and hosting through a secure computer:
    Um — just always use a secure computer, period.
    Secure OS, scanned for viruses, updated browser. Hackers can get your passwords and other info to hack your website.
    (More about securing your computer at TibetanGeeks.)
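For the "secret keys" step above, here is an added example (my own script for this page, not from the original checklist or from WordPress) that does the copy-and-paste for you: it deletes the eight placeholder define() lines in wp-config.php and pastes in a new block of the kind https://api.wordpress.org/secret-key/1.1/salt/ prints. The new block is read from a file so the script runs offline; the values in the demo are constructed stand-ins, not real salts.

```shell
#!/bin/sh
# Added example (not code from the original page): replace the eight key/salt
# define() lines in wp-config.php with a fresh block, such as the one printed by
# https://api.wordpress.org/secret-key/1.1/salt/ . The block is read from a file
# so this runs offline; in real use, save that URL's output to the file first.
set -e

SALT_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# replace_salts WP_CONFIG SALTS_FILE
#   Drops every existing define() for the eight names and writes SALTS_FILE in
#   place of the first one. Edits WP_CONFIG in place through a temp file.
replace_salts() {
    config=$1; salts=$2
    tmp=$(mktemp) || return 1
    awk -v saltfile="$salts" '
        # any define() whose first argument is one of the eight constant names
        /^[[:space:]]*define\([[:space:]]*.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)./ {
            if (!done) {                         # first hit: paste the new block here
                while ((getline line < saltfile) > 0) print line
                close(saltfile)
                done = 1
            }
            next                                 # the old line is dropped
        }
        { print }
    ' "$config" > "$tmp" && cat "$tmp" > "$config"
    status=$?
    rm -f "$tmp"
    return $status
}

# count_salt_defines WP_CONFIG -> prints how many of the eight names are defined
count_salt_defines() {
    n=0
    for name in $SALT_NAMES; do
        grep -Eq "define\([[:space:]]*['\"]$name['\"]" "$1" && n=$((n + 1))
    done
    echo "$n"
}

# has_placeholder_salts WP_CONFIG -> status 0 if the stock placeholder text is still there
has_placeholder_salts() {
    grep -q 'put your unique phrase here' "$1"
}

# --- demo on a constructed wp-config.php (all values made up) ---
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
# stand-in for the block you would copy from the salt URL (constructed, not random)
: > "$demo/new-salts.txt"
for name in $SALT_NAMES; do
    echo "define('$name', 'CONSTRUCTED-EXAMPLE-$name-replace-with-real-output');" >> "$demo/new-salts.txt"
done
replace_salts "$demo/wp-config.php" "$demo/new-salts.txt"
echo "salt defines now: $(count_salt_defines "$demo/wp-config.php")"
has_placeholder_salts "$demo/wp-config.php" && echo "still placeholders!" || echo "placeholders gone"
rm -rf "$demo"
```

Running it again later with a new salts file is the "invalidate all existing cookies" trick from the comment block: every logged-in user gets logged out.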

If you don't do these things, you are leaving the doors to your site wide open.
Nothing on this page can protect you from yourself!

 

So you're doing the things above,
and all is happiness ...
:)
But you know that happiness is only a temporary thing ...
:/
Want to learn more and be a real professional?
:B
OK, Gaston — Let's go!


;)

Here are the things to do:
1) before you install ↓ ... 2) when you install ↓ ... 3) when you make user accounts ↓ ... 4) when you change code ↓ ... 5) with plugins ↓ ... 6) in the admin ↓ ... 7) when you back up

1) Before you install WordPress on live server

  • Sign up for CloudFlare and learn how to use it. Click for more
    • CloudFlare is a proxy/cdn which can do a lot of things to cache, speed up, and protect your website without too much learning required for you.
    • You will also want the cloudflare plugin to make best use of Cloudflare.
    • (Note: If you are the developer, and not the owner of the ongoing admin of the website, it is better to sign up with the owner's email!)
    • Here's my page on how to sign up and configure Cloudflare.

    Caveat:

    • You can see i really like using CloudFlare, but i'm now reluctant to formally recommend them since they have become partners with China. On the other hand, who isn't. What to do. [2016]
    • It has also come out that CloudFlare is misusing its proxy capabilities and is not transparent about security of its Flexible SSL. Sorry, links to come. [jun 2016]
    • i am still using it, but not so happily as before. [jun 2016]
  • Set up your website to use https. Click for more

    You can now get a free SSL certificate from Let's Encrypt [2016]
    On many hosts you can install it yourself. Any good host will install it for you.
    Do you really need https for your website? Yes. Yes you do. [2016]
    Some more info about ssl, tls, and https is here

2) Install

Here is The Word: Codex.WordPress.org/Installing_WordPress

Making the database ...

  • Be sure that the "xx collation" and "connection collation" are Unicode: Click for more

    Select "utf8mb4_unicode_ci" from the menu. [as of WP 4.2 april 2015]
    No more "utf8_general_ci".
    Read more about this utf8mb4 thing at WordPress.org
    Gory details at StackOverflow.com here and here

    Find more on Web by searching for: wordpress utf8mb4_general_ci utf8mb4_unicode_ci

Doing the WordPress install ...

Always do:

  • Make 'admin' name something different
    Not your name! Not some word that is part of the website name! Something completely different. With some random numbers in it.
    This can be done right at the install.
  • Put your wp-config.php file in a folder above the web directory.
    more at the Codex
  • Change database table prefix. Never let it be just wp_ .
    You can do this at the install.
  • Make folders non-indexable. There's never any reason someone should be able to browse any folders on your site. Click for more

    Do this in the .htaccess file, with
    Options -Indexes
    and/or add an index.html in each folder that shows nothing, or redirects.
    (I do both — belt and suspenders again.)

  • Make all theme files permissions 644 - only owner can edit. Click for more

    (This means you will not be able to edit them through the theme editor —
    but you shouldn't be doing that anyway.)

    More about permissions in WordPress at WordPress.StackExchange.com

  • Disable file editing in the wp-admin. Click for more
    How to do it? Put this in your wp-config.php file:
    define('DISALLOW_FILE_EDIT', TRUE);
    More rant? Sure! Here you go:
    There is *no* reason to be editing theme files or plugins there, and it's just asking for trouble.
    If you are a real developer, you edit and test on your local.
    If you are not a real developer, you shouldn't be messing with these files :).

After install ...

  • Take a full backup — this will be your benchmark for the site. Click for more
    • Once all your plugins are installed, some test content added, and installation is stable.
    • Through ftp (SFTP, right?!) take a backup of the entire WordPress folder (all the files)
    • Through cPanel phpmyadmin take a backup (export) of the entire WordPress database
  • Remove some unneeded WordPress files: Click for more

    they are all in the top-level folder of your site. You can delete them easily through your SFTP client.

    • Remove these three always:
      readme.html
      trackback.php
      wp-config-sample.php
    • If you are not allowing people to register on your site, remove this one:
      signup.php
      (security tip: don't allow people to register on your site)
    • If you are not using the Jetpack plugin, remove this one
      xmlrpc.php
      (security tip: don't use Jetpack.)
      (more about XML-RPC at Sucuri) [2015]

    When you do WordPress core updates (which you always do), these files will sometimes be replaced.
    So after update, remove them again.
    Also (belt and suspenders) block access to them in your .htaccess file.
    ref TBD
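Here is an added example (my own script for this page, not from the original checklist or from WordPress) that covers the file-level steps of the "Always do" list above (folders not browsable, theme files 644, editor switched off in wp-config.php) together with the "remove some unneeded files" step, including the belt-and-suspenders .htaccess block so that a core update which restores those files changes nothing. It assumes Apache 2.4 syntax (`Options -Indexes`, `Require all denied`) and wp-config.php in the site root; the demo runs on a constructed directory tree, not a real install.

```shell
#!/bin/sh
# Added example, not from the original page: file-level steps of the install checklist
# (no directory listings, theme files 644, wp-admin editor off) plus removal of the
# unneeded files and an .htaccess block that denies access to the same names.
# Assumes Apache 2.4 (Options -Indexes, Require all denied) and wp-config.php in the root.
set -e

UNNEEDED_ALWAYS='readme.html trackback.php wp-config-sample.php'

# append_once FILE LINE -> adds LINE to FILE unless an identical line is already there
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# harden_install WP_ROOT
harden_install() {
    root=$1
    append_once "$root/.htaccess" 'Options -Indexes'                   # 1. no folder browsing
    find "$root/wp-content/themes" -type f -exec chmod 644 {} +         # 2. only owner can edit
    append_once "$root/wp-config.php" "define('DISALLOW_FILE_EDIT', true);"   # 3. editor off
}

# remove_unneeded WP_ROOT [EXTRA_FILE ...]
#   Deletes the always-unneeded files plus any extras (xmlrpc.php when not using
#   Jetpack, signup.php when registration is closed) and denies web access to the
#   same names, so a core update that puts them back does not expose them.
remove_unneeded() {
    root=$1; shift
    pattern=''
    for f in $UNNEEDED_ALWAYS "$@"; do
        rm -f "$root/$f"
        esc=$(printf '%s' "$f" | sed 's/\./\\./g')      # escape dots for the regex
        pattern="${pattern:+$pattern|}$esc"
    done
    open="<FilesMatch \"^($pattern)\$\">"
    if ! grep -qxF -- "$open" "$root/.htaccess" 2>/dev/null; then
        printf '%s\n    Require all denied\n</FilesMatch>\n' "$open" >> "$root/.htaccess"
    fi
}

# check_hardened WP_ROOT -> status 0 when every step above is in place, 1 otherwise
check_hardened() {
    root=$1
    grep -qx 'Options -Indexes' "$root/.htaccess" || return 1
    grep -q 'DISALLOW_FILE_EDIT' "$root/wp-config.php" || return 1
    for f in $UNNEEDED_ALWAYS; do [ ! -e "$root/$f" ] || return 1; done
    # any theme file writable by group or others fails the check
    [ -z "$(find "$root/wp-content/themes" -type f \( -perm -020 -o -perm -002 \))" ] || return 1
}

# --- demo on a constructed site tree (no real WordPress needed) ---
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/themes/mytheme"
echo '<?php' > "$demo/wp-config.php"
echo 'body {}' > "$demo/wp-content/themes/mytheme/style.css"
chmod 666 "$demo/wp-content/themes/mytheme/style.css"      # deliberately too open
touch "$demo/readme.html" "$demo/trackback.php" "$demo/wp-config-sample.php" "$demo/xmlrpc.php"
harden_install "$demo"
remove_unneeded "$demo" xmlrpc.php                          # no Jetpack here, so xmlrpc.php goes too
check_hardened "$demo" && echo "hardened: yes" || echo "hardened: no"
cat "$demo/.htaccess"
rm -rf "$demo"
```

Run `check_hardened` again after every core update: it is the quick way to see whether the update put any of those files back or loosened a permission.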

3) User roles

  • Don't give anybody the main admin password. Never.
  • If you need someone else to do some admin work,
    make a separate account for them, with permissions for only what they need to do. ref TBD
    (My own policy is: Only one admin. Only one person flies the jet plane.)
  • Make separate user accounts for people working on the site, as editor, author, etc.
  • If you are logging in to do non-admin things, use your own non-admin account.
    Use the admin account only to do admin things.
  • When someone leaves, delete their account.
    Assign their posts/pages to another editor account. (WordPress will prompt you.)

4) Code modifications

  • Remove the word "wordpress", and the wordpress version from your website source code (meta tags) Click for more

    add to functions.php in your theme:
    // Return an empty string instead of the <meta name="generator"> tag (and the feed generator tag)
    add_filter( 'the_generator', 'no_generator' );
    function no_generator() { return ''; }

  • Remove the link to WP from the footer (if there).

Puff puff rant rant how lame this isn't security!!!!!!

ok ok, calm your tits -- nobody said these are 100% security measures. Just a couple more little things to remove low-hanging fruit, so that your site will not be as easily known as running WP.
Do you know how much of hacking is just somebody messing around?
Do you know how much of infiltrations is just drive-by, knocking on the door, seeing what's there before they get serious?
You don't?
Ha ha, joke's on you -- me neither!
But there are enough, that this kind of thing is worth doing.

5) Plugins

  • Limit all plugins to the really useful ones, and only from trusted sources.
    Do your research — the information is all there on the Web, just waiting for you.
  • Update your plugins as often as updates come out.
    This is very easy to do from the plugins admin.
  • Keep up with the status of all your plugins
    Plugins go bad just like milk and people do. Click for more
    • Update time is a good reminder to check the page for the plugin on WordPress:
      • Make sure it is still being supported by the author.
      • Check the change log: What was done in this update? Are they things that show attention to detail and security?
      • Check the support forum and see if any problems are reported. And, how quickly does the author respond? How usefully?
      • and like that.
    • Any time is a good time to review if this is still the right plugin for you.
      • Sometimes a plugin is passed on to a different author, who may develop or support in a different direction than the original reason you liked this plugin.
      • Sometimes the author gets "feature-itis" and starts tacking on junk to a perfectly good basic plugin.
      • and like that.

WordPress security plugins:

  • Akismet
    It is already there in the install; It comes with WordPress; It is free.
    Get an account and a key and enable it -- finish. No tension. more about Akismet at WordPress.org
  • Here are the plugins i use to help support my security plan: Click for more

    Stop bad actors:

    • Stop spam and malware through forms and comments: Akismet
    • Block malicious login attempts (suspenders for the belt of ip whitelisting): Limit Login Attempts

    Keep an eye on things

    But this is only an exercise in hand-waving unless somebody looks at their output - often.

    Maintenance more:

    Backup:

    Development, checking after updates, etc, on my local:

    Remember that these plugins are only part of my security posture.

  • If all this is too much for you, at least use an all-in-one security plugin.
    Click for more

    There are several of these "all-in-one" security plugins. I can't say much about them because i gave up on them. You still have to do your research, and learn some things. There is a page giving some information about 5 plugins as of march 2015: TorqueMag.io

6) Admin

  • Protect your login page: Click for more

    (Another excellent effect of the methods below is that they also block the bots banging on your login page, which slow down — or stop — your entire website. The bots are stopped by Apache, and never touch your WordPress files to run any PHP or database calls.)

    • Whitelist the ip numbers that will be accessing the admin login. Click for more
      • You do this in the .htaccess file.
      • This is the best way if you only have a few people logging in, and if their ISP ip number(s) don't change much. Even if they do, you can do like i do and just always be available to edit the .htaccess file for any new numbers.
      • I like this way the best — but it requires that the editors understand why they get locked out, and what to do: Call you! Any time.
      • This is one of the very best things i have ever done for websites. I always do it. ( Personally i only admin websites whose owners thank me for doing this — luckily i have that choice :) )
    • Use a plugin that blocks multiple attempts. Click for more
      • I use Limit Login Attempts. There are several others.
        This is a good example of Keeping Up with Plugins, and also of Exception to the Rule :) This plugin has not been updated in 2 years. By the James' Rule, i should find another one. But this is still the only simple, effective one, that doesn't do a ton of extra stuff i don't need. And it still works. I'm keeping my eye on it ... [may 2016]
  • Protect your login connection:
  • Keep it clean: Click for more
    • If a file, image, anything, isn't being used on the website, delete it.
    • If a plugin isn't being used on the website, delete it.
    • If an account isn't being used in the admin, delete it.
  • Know your website: Click for more
    • Be familiar with what folders belong with WordPress, and with your theme and plugins. If you see something that looks unfamiliar, check it out.
    • Keep an eye on the error logs, file monitor reports, website pages, while things are good, so you will be alert for something going bad.
  • Forums, comments, user registration are like drugs: Just don't do it Click for more
    • Don't have commenting or forums on your site unless you or site owner is prepared to put a *lot* of time into moderating.
    • Allowing automatic user registration is like standing on the street holding your wallet open and saying "come and get it".
  • Don't "try" things on the live site. That's what your local install is for.
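For the "whitelist the ip numbers" step under Protect your login page above, here is an added example (my own script for this page, not from the original checklist or from WordPress) that keeps the whitelist as a marked block in .htaccess and makes the "editor got locked out, add their number" call a one-liner. It assumes Apache 2.4 (`Require ip` from mod_authz_core) and the stock wp-login.php; the addresses in the demo are from the RFC 5737 documentation ranges, i.e. constructed.

```shell
#!/bin/sh
# Added example, not from the original page: keep the login-page IP whitelist as a
# marked block in .htaccess and add a number for a locked-out editor in one call.
# Assumes Apache 2.4 (mod_authz_core "Require ip"); wp-login.php is the stock login script.
set -e

BEGIN_MARK='# BEGIN login-whitelist'
END_MARK='# END login-whitelist'

# render_whitelist IP... -> prints the .htaccess block for the given addresses/CIDR ranges
render_whitelist() {
    printf '%s\n<Files wp-login.php>\n' "$BEGIN_MARK"
    for ip in "$@"; do printf '    Require ip %s\n' "$ip"; done
    printf '</Files>\n%s\n' "$END_MARK"
}

# write_whitelist HTACCESS IP... -> replaces (or appends) the marked block, keeping
# everything else in the file (Options -Indexes, rewrite rules, ...) untouched
write_whitelist() {
    file=$1; shift
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '$0==b{skip=1} !skip{print} $0==e{skip=0}' "$file" > "$tmp"
    fi
    render_whitelist "$@" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# current_whitelist HTACCESS -> prints the addresses in the block, one per line
current_whitelist() {
    [ -f "$1" ] || return 0
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" \
        '$0==b{in_block=1} in_block && /Require ip/{print $3} $0==e{in_block=0}' "$1"
}

# add_ip HTACCESS IP -> the "someone is locked out, add their number" operation
add_ip() {
    file=$1; ip=$2
    current_whitelist "$file" | grep -qxF -- "$ip" && return 0     # already allowed
    write_whitelist "$file" $(current_whitelist "$file") "$ip"
}

# --- demo on a constructed .htaccess (documentation addresses, not real ones) ---
demo=$(mktemp -d)
echo 'Options -Indexes' > "$demo/.htaccess"
write_whitelist "$demo/.htaccess" 203.0.113.10 198.51.100.0/24    # office address, home range
add_ip "$demo/.htaccess" 192.0.2.77                                # the 2 a.m. phone call
cat "$demo/.htaccess"
rm -rf "$demo"
```

Anyone outside the list gets a 403 from Apache before WordPress ever runs, which is the "never touch your wordpress files" effect described above. Keep a copy of the block in your notes, because a host that regenerates .htaccess will also remove it.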

7) Backup

Ok sooner or later, we will get hacked ↓. So? you have a backup, right? Right???

But to restore, we need to already have those database and file backups.

  • Backup your database. Click for more
    • How?
      Manually: In phpMyAdmin, choose your database, click on Export tab. Details are here: Articles.SitePoint.com/article/backup-your-wordpress-site [june 2010]
      With plugin: WordPress.org/plugins/wp-dbmanager/ WP DBManager plugin - it backs up your database. [2016]
      (These days that is my favorite one. But again, do your research and find out what is right for you.)
    • How often?
      How much of your content (articles, posts, anything that you do through WordPress) would you not mind losing? I'm guessing - none! So you may want to back up as often as you add content.
  • Backup your uploads and themes folders. Click for more
    • How?
      Manually: sftp your upload directory (images, videos, and other files), current theme directory, and plugins directory to your local machine.
      With plugin - research and find yours. I haven't found one i like these days.
    • How often?
      How much of your file uploads and theme changes would you not mind losing? I'm guessing - none! So you may want to back up as often as you upload files or make stylesheet or other theme code changes.
  • Keep your backups safe. Click for more
    • Keep copies in two or three safe places.
      (There's a saying "If you don't have at least 2 copies of data — you don't have any data.")
    • And not on your server!
      Hackers love you when they find them there.
    • In the "Cloud"?
      I dunno. Would you put all your private information on my computer? No? The "Cloud" is just somebody else's computer who you don't even know.
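Here is an added example (my own script for this page, not from the original checklist or from WordPress) for the two halves of the backup step above: the database, dumped with mysqldump using the credentials read out of wp-config.php, and the uploads/themes/plugins folders, packed with tar. It assumes mysqldump is installed on the host, that DB_HOST in wp-config.php is a plain host name, and that you copy the result off the server afterwards; the scp destination is a placeholder, and the demo runs on a constructed tree with made-up credentials and no live database.

```shell
#!/bin/sh
# Added example, not from the original page: back up the database (mysqldump, with the
# credentials read from wp-config.php) and the uploads/themes/plugins folders (tar).
# Assumes mysqldump on the host and a plain host name in DB_HOST (no port suffix).
set -e

OFFSITE_DEST='user@backup-host.example:/backups'   # PLACEHOLDER: somewhere that is not this server

# wp_config_value WP_CONFIG NAME -> prints the string defined for NAME (DB_NAME, DB_USER, ...)
# Handles the stock define('NAME', 'value'); form with single or double quotes; a value
# containing an escaped quote is not handled.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# backup_files WP_ROOT OUT_DIR -> writes OUT_DIR/files-<stamp>.tar.gz and prints its path
backup_files() {
    root=$1; out=$2
    archive="$out/files-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$out"
    # -C so the archive holds wp-content/... paths, not the host's absolute path
    tar -czf "$archive" -C "$root" wp-content/uploads wp-content/themes wp-content/plugins wp-config.php
    echo "$archive"
}

# backup_db WP_CONFIG OUT_DIR -> dumps the database named in WP_CONFIG, prints the file
backup_db() {
    cfg=$1; out=$2
    dump="$out/db-$(date +%Y%m%d-%H%M%S).sql.gz"
    mkdir -p "$out"
    # password goes through the environment, not the command line (ps would show it)
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
    mysqldump --host="$(wp_config_value "$cfg" DB_HOST)" \
              --user="$(wp_config_value "$cfg" DB_USER)" \
              --single-transaction "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$dump"
    echo "$dump"
}

# copy_offsite FILE... -> the "not on your server!" step
copy_offsite() {
    scp "$@" "$OFFSITE_DEST/"
}

# --- demo on a constructed site tree (credentials made up; no database is contacted) ---
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/uploads" "$demo/site/wp-content/themes/t" "$demo/site/wp-content/plugins"
cat > "$demo/site/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'constructed-not-a-real-password');
define('DB_HOST', 'localhost');
EOF
echo 'x' > "$demo/site/wp-content/uploads/photo.jpg"
archive=$(backup_files "$demo/site" "$demo/backups")
echo "archive: $archive"
tar -tzf "$archive"
echo "would dump database: $(wp_config_value "$demo/site/wp-config.php" DB_NAME)"
# backup_db "$demo/site/wp-config.php" "$demo/backups"     # needs a live MySQL; not run in the demo
# copy_offsite "$archive"                                   # needs the real destination
rm -rf "$demo"
```

Put the two backup calls plus `copy_offsite` in a cron job that runs as often as you add content, and keep the output directory outside the web root so the archives themselves are never downloadable.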

8) Clean up a hacked website

Omigod! you got hacked. Relaxxxx. You have a backup, right? Right??? Click for more

more more more

Thanks to a question from a long-time colleague / security expert, i was moved to spew out a bunch more of my deathless words about securing your WordPress site. I need to incorporate it above, but until i get time to do that, here it is, all naked and raw, just the way you like it: Click!


 Stuff like this just means i did get it copied into the main page.

 Hello all! 
 Please turn off all devices, locate oxygen masks, and fasten seat belts.

 I have not coded any custom security plugins.
 As we all know, there isn't any magic wand to wave to protect a website,
 anymore than there is a magic pill to take for crossing the street
 or maintaining your house or car.
 It is a matter of knowledge, experience, and common sense. The things
 that work and are comfortable for me to do, might not be right
 for someone else.

 Given that, the first things to do to protect a website are unexciting
 and unromantic, and that's why we don't do them. and 90% of the time,
 are why we get hacked:
    1. Always update - wordpress, plugins, everything on your own computer.
    2. Always have good passwords.
    3. Take backups often. If website is updated daily, backup daily.
    4. Use secure computer and secure connection.
 Boooooring!  Yup.  :)  If you don't do these things, don't even bother
 to do anything else. Just give it up.

 And there's more: 
   https://www.tibetangeeks.com/technologies/web_development/cms/wordpress/03-wordpress_security/01-one_gram_prevention_before/one_gram_prevention-wordpress_security_checklist.html

 Here's a couple more things i should add to that page:
    * yes i swear by whitelisting ip numbers for login,
         and i don't work for any org/person who doesn't want to do that.
         My side of the arrangement is that i have to be available any time
         day or night, (quickly and uncomplainingly!) to add an ip so
         someone can work.
    * Use captchas on all forms, commenting, etc.
    * Never allow unmoderated comments or forums.
    * Never send passwords in email.
    * Know your website. Know what files, plugins, etc, are supposed to
          be there. Know what is normal behavior for your site and plugins,
          normal access patterns, etc etc etc.
    * If you are not using a theme or plugin or whatever, delete it.
          Any unused files on your website? Delete them.
    * Install and updates (wordpress, plugins, new code) on local machine site
         and check before doing on live site.

  Bigger pictures:
    * Keep up with what is going on in WordPress world.
    * Keep up with the status of all your plugins - plugins go bad just
          like milk and people do.
    * Research all your plugins carefully - WordPress.org has good info on
           what to look for in a plugin.
    * Keep up with your web tech knowledge. Things are always changing.
         It's a full-time job. WordPress forums and codex, many good WP sites,
         and searching the Web itself are awesome resources.
    * If you develop code (customise themes, write functions, etc) for
          your site, think security first. If someone else is writing code
          for your site, check that they think security first. If not, out.
    * Have a procedure for your organisation for keeping all website and
           related info (passwords, services etc.) and procedures
           (what to do when site goes down, how to contact hosting support,
            where are the backups and how to restore, etc etc.)
    * Never keep sensitive information in the damn "Cloud". that pretty much
       means any information. That also means any "cloud" - email, facebook,
       google sucks uh i mean docs, all those things. Please please don't.
    * Run scans on your site periodically. Some hosts have clamscan you
          can run through the cpanel. You can run wp-scan from your own
          computer. If you are on dedicated server you can run scanners
          from there. Remember that an internal scanner (like clamscan)
          looks at different things than an external one (like wp-scan).
    * When your site gets hacked (notice there is no "if", only "when")
          put in maintenance mode/disable public access immediately.
          Contact the hosting so they can check it and find anything
          that might be threatening the whole server.
          Then don't just fix the piece that got infected. 
          Take the whole thing down and rebuild it. 
            You have backups, and you have local copy. right? 
            easy to rebuild, and a good cleanup exercise as well.

  General:
    * With all great respect to the awesome knowledge of people like 
        null (here in India), Metalab, various individuals, etc -- 
        their knowledge isn't what we need to secure our sites, any more than 
        knowing about engine cylinder size, bore and stroke, detailed 
        stopping distances is useful to us for crossing the street safely. 
        We need a different set of knowledge, and IT IS ALL THERE ON THE WEB, 
        CRYING FOR YOU TO USE IT. I am no genius. Everything i do, and 
        everything i am telling you, i learned there.
    * There is no such thing as "free". You wouldn't have a volunteer
           accountant, and you shouldn't have a volunteer webmaster.
           If your organisation has a car, you don't expect it to run forever,
            and you don't expect any idiot on the street to fix it.
           You have a good mechanic and you take it regularly.
           Get a good webmaster, put them on staff, and *pay them*.
     * "Always" and "never" really do mean "always" and "never".
          If you only look both ways before crossing the street 
          "when you have time" or when you are in the mood ... 
          you're gonna have a bad time.

 Woh. that turned out more than a couple. well there we are.

 Oh wait. You wanted plugins. ok.
 I use these plugins to help support my security plan:
    akismet (spam stopper)
    error log monitor (and look at it).
    limit login attempts (suspenders for the belt of ip whitelisting)
    server monitor (watch the patterns)
    wordpress file monitor plus (sends mail every time any file changes)
    wp updates notifier (sends mail when anything needs updating)
    easy pie maintenance mode (quickly "close" the website)
    wp dbmanager  (for automatic database backup)

  The monitoring plugins can show you what's going on, but are only
    another exercise in hand-waving unless somebody looks at their
    output - often.

   On my local machine for development and for checking updates etc:
      debug bar
      debug info
      theme check

 I am a big fan of Cloudflare (proxy/cdn), but now reluctant to
 formally recommend them since they have become partners with China.
 On the other hand, who isn't. What to do.

 That's my strategy. There is no one size fits all. This way works for me
 as someone who lives in text files, who is 24/7 involved with Web and
 real functioning websites, and who has background in web servers
 and programming. If this mix-and-match strategy doesn't work for you,
 research the monolithic WordPress security plugins and use one. You
 will learn from that too  :)

 If these things are too much for you, hire an admin for your website
 (preferably Tibetan. Yes they exist. If you can't find one, train one.).
 Give them their own space and a good computer and good connection.
 Pay them well, leave them alone and let them work.

 If "it's too hard", "it takes too much time", "it's too complicated",
 i have some news for you, from over 20 years of web-making:
    websites are hard. websites take a lot of time. websites are complicated.

 Communication is the most massively powerful and wonderful thing we have
 as human beings, and for Tibetan cause and for dharma, and the Web is
 the most massively powerful thing we have today for communication.
 The more powerful something is, the harder, more time-consuming,
 and more complicated it is. No duh.

 thank you.

Know more

It is a matter of knowledge, experience, and common sense. The things that work and are comfortable for me to do, might not be right for someone else. Keep trying, keep learning, and find out what works for you. Gaston didn't perfect his moves by sitting in his chair!


Here are all the links given throughout this page, plus more, in a nice long organised list.
(Note: Links on this page may be outdated. What does "outdated" mean? In the world of Web building - more than 6 months old. Maybe less! Click for more )

But realise this is true of every resource. You always need to verify for yourself.
Sometimes i have included an old link because it is basic, good information that is explained well. But sometimes it's because i haven't checked in a while! So ... you always need to verify for yourself.

The best info about protecting your WordPress:

More about protecting your WordPress

WordPress plugins

General WordPress

General Web programming security

The better you understand Web and programming in general, the better you will be at protecting (and building!) your WordPress sites.
Or another way: These are the things that the programmers of WordPress and your plugins should be doing.

james things

Here is ALL the things: entire WordPress Security directory, entire WordPress directory, and my WordPress bookmarks at Pinboard

And here's that Gaston i keep talking about! -- how you feel when you are a real security pro.


  1. Summary - protecting your WordPress site
    WPMUdev. with video [jan 2014]
  2. A WordPress site that keeps getting broken into.
    WPMUdev [apr 2016]
  3. Security an eternal struggle, a process that is kept up each and every day.
    WPWhiteSecurity [may 2016]    → Sucuri [nov 2014]

rock on!


It would be great to have Tibetan and Chinese translations of this page. Can you help? Contact us! http://tibetangeeks.com/contact/