All for Joomla All for Webmasters

Advanced WordPress Security Tips

In general WordPress is pretty secure as long as you apply common sense and follow standard security practices. The tips mentioned in this article are for added security (you don’t need to apply them all).

However, if you are in the mood for some advanced tweaking then the following security tips should come in handy ?


Most of these techniques require you to understand what you are doing.

It is strongly recommended that you first test these techniques on a test or development site before applying them to your live site. Doing some of the tips suggested here can break your site if not performed correctly.

We take no responsibility for any mishaps as a result of your efforts in applying the techniques discussed in this article.

Also note that these techniques assume that your WordPress installation is running Apache and you have mod_alias and mod_rewrite installed.

1. Disable HTTP Trace Method

There is a security attack technique called Cross Site Tracing (XST) which can be used together with another attack mechanism called Cross Site Scripting (XSS) which exploits systems which have HTTP TRACE functionality. HTTP TRACE is a default functional feature on most webservers and is used for things like debugging. Hackers who use XST will usually steal cookie and other sensitive server information via header requests.

You can disable the trace functionality either via your Apache configuration file or by putting the following in your .htaccess file:

RewriteEngine On
RewriteRule .* - [F]

2. Remove header outputs from your WordPress installation

WordPress can often add quite a lot of output in your header pertaining to various services. The following code shows how you can remove a lot of this output.

Warning: This can break some functionality if you are not careful. Eg, if you’re using RSS feeds then you may want to comment that line out.

Add the following code to your theme’s functions.php file:

remove_action('wp_head', 'index_rel_link');
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'parent_post_rel_link', 10, 0);
remove_action('wp_head', 'start_post_rel_link', 10, 0);
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);
remove_action('wp_head', 'noindex', 1);

3. Deny comment posting via proxy server

You can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of in your .htaccess file:

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

4. Change your default WordPress DB prefix

You may already be aware that WP uses a default prefix value of “wp_” for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.

In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.

Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.

A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:

1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies – one for editing and the other as an original just in case.
3) Using a good code editor, replace all instances of “wp_” with your own prefix.
4) From your WP admin panel, deactivate all plugins
5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
6) Edit your wp-config.php file with the new DB prefix value.
7) Re-activate your WP plugins
8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.


Sometimes plugins add their own prefix after the wordpress prefix where both are identical.

example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.

Be sure when replacing the “wp_” instances in step 2 above that you only replace the first “wp_” prefix and not the one following it.
For instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called “trx_”.

The new name would look like:


Note that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.

5. Deny Potentially Dangerous Query Strings

You can put the following code in your .htacces file to help prevent XSS attacks.

BEWARE: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.

<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ../   [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https:   [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|'|"|;|?|*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]

6. Apply PHP hardening to your system

You can install and enable Suhosin which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.

Suhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)

submit to reddit