Basic WordPress Security

I run several WordPress sites which have not been updated for ages. None have been hacked.

I feel the need for a new blog post…. 

WordPress Security

I do this for all my sites and the only time I have been hacked was when I installed an image uploader plugin which had a vulnerability.


Pick your plugins wisely. Many plugins, and also some themes, can carry vulnerabilities. Often the problems are caused by a small part of the plugin or theme. While the core plugin may be fixed / patched, plugins which use the core files are often left out of date and vulnerable.

TimThumb is a good example of this. The actual TimThumb plugin (a php image resizer) is safe now, but older plugins and themes which used the original TimThumb code are still open to hackers.

Avoid plugins which have not been updated for a long time, especially those which allow users to uploaded or edit content. Image uploaders are common problem.

Whitelist Your IP

Add a .htaccess file to your wp-admin directory with the following (IP addresses are made up, you should change these to your own):

<Files ~ “\.(php)$”>
order deny,allow
deny from all
# whitelist Range of IP addresses – office and home
allow from
allow from

You can also add IP ranges – I do not have a static IP at home, but by adding ranges for my ISP I can still access even when my IP changes.

Leave a Reply

Your email address will not be published. Required fields are marked *