11th March, 2015 | Tutorials |

WordPress Plugin, Themes, and Core Security

Using Wordpress? Get our lightening fast Wordpress Optimised Hosting.

Get Wordpress Hosting

##General Plugin Security

Wordpress is easy to extend by adding plugins, and often these can be added to the site with a single click. There are a wide range of plugins available, and there are alternatives to the ones suggested in this tutorial that you may find work just as well, however the ones listed here are the ones we recommend.

Before looking at specific plugins it is important to discuss plugin safety in general. Plugins are one of the most common ways that a hacker can find a weak point in your site. One mistake that a lot of Wordpress users make is to try out several plugins, but then not uninstall or disable plugins that they are not happy with. In addition to possibly leading to conflicts or site slowdown, this can be a security risk. Even popular plugins can be vulnerable to exploits.

###Keep your themes and plugins updated

This is the number one cause of malware and hacking on Wordpress sites. In order to update your plugins you must go to ‘Plugins' and you will see a list of every plugin you have installed. Plugins that have an update available will be highlighted in red like this:

Simply click ‘update now' and the plugin will be updated to the latest version. Occasionally Wordpress or a Wordpress theme will need to be updated, when this happens the notification is usually the first thing you will see when logging into your admin area and will look like this:

As mentioned, it is a good idea to backup your site before updating Wordpress (or sometimes even before updated a theme or plugin). Just in case something unexpected happens, then you can restore a previous version while working on a fix.

###Only use reputable plugins from When browsing for a new plugin it is important to look at the available information that offers.

This plugin has been downloaded 14 million times and has a good rating. It was updated 7 days ago and so is clearly still being developed and worked on, so we can be sure that the developer will fix it if there are any problems or bugs. It is also tried and tested with the newest version of Wordpress.

You should avoid plugins that are labelled as untested with your version of Wordpress (they may be updated soon) and any that have not be updated in a long time. These plugins pose a security risk - they may be using outdated and vulnerable code. You should also consider reading reviews or looking at a plugins support forum before installing.

If you want to use a plugin found elsewhere on the web it is usually a good idea to first look for it in the repository. If it is in the repository it is likely safe and vetted, but if it is not there, or there is not a free version in the repository then it could be problematic and it would be best to avoid it.

###Delete unused plugins

Don't just disable old plugins or plugins that you tried out but didn't want to keep, make sure to completely remove them instead. Even if it's not active it might still be vulnerable due to containing exploitable code - code that hackers or malware can use. To delete a plugin first you need to deactivate it, then you will get a new option for deleting:

In addition to deleting old or unused plugins, you should also delete one-use plugins, plugins that served their purpose but that you do not need to use again or which do not need to remain running (for example the table prefix renamer from the first part of this tutorial). If you need them again in the future you can reinstall them then.

###Monitoring your website security with Wordfence

Wordfence is a great plugin, and one of the ones we recommend using in all Wordpress installations. To get started first go to ‘Plugins' then ‘Add New' in your admin area. Then search for ‘Wordfence'

After clicking ‘Install Now' and ‘Activate Plugin' you will be prompted to enter your email. You should do this so that you will receive email alerts if problems are found. This is very useful, even if you don't log in to your site very often you will not miss out on security issues. You can also take the tour if you like.

####Wordfence Scans

One of Wordfence's most useful abilities is that it can monitor your other plugins for errors or possible malicious code. It does this by comparing the code found in your installed plugins with the code found in the version on If there are any changes, it will email you. The free version of Wordfence (which is sufficient for most sites) will scan once a day automatically, or you can run a scan manually.

First we are going to enable a couple more options, so click ‘Wordfence' in the left bar of your admin area, then click ‘Options'. Scroll down until you see the ‘Scans to Include' section and tick the boxes next to ‘Scan theme files against repository versions for changes' and ‘Scan plugin files against repository versions for changes'.

Scroll down to the bottom of the page and click ‘Save Changes'.

Now we will run a scan manually by clicking ‘Scan' in the left bar. Then click the ‘Start a Wordfence Scan' button. This may take a few minutes, and remember that it will run automatically every day, so you do not need to do this yourself usually.

###Wordfence Alerts

If you get an alert like the one below, here is what you should look for:

This alert has a yellow warning triangle - not as bad as a red alert. A yellow alert is fairly common but it is still essential you take a look at it. The first like is telling me the name of the file that has been modified, in this case it is a htaccess file. A htaccess file is very important for protecting the site, so it is essential that we look at the modifications. We'll click ‘See how the file has changed', and this is what you should do if you get any sort of alert yourself.

In this case we can see it is a false alarm, the version number has gone up by one iteration (look at the line highlighted in yellow). We can close this window and take an action:

We can pick ‘ignore until the file changes' - this means that Wordfence will keep an eye on this file in the future but will not take any action about this particular alteration.

Sometimes you will want to use the other options such as ‘restore the original version of this file' - this will replace your modified file with one from Or you may want to fix the file yourself by editing the code. Sometimes a file may get flagged for an alert that you know is not a problem, maybe a file that you edit regularly, or a readme file. In this case you can safely click ‘Always ignore this file'.

###Critical Alerts

Sometimes you may see an alert with a red cross - a critical alert. This is probably bad news, usually an indicator that site security has been compromised and malicious code has been added to a file:

This example is an alert generated by Wordfence when it has found an eval() function and base64() decoding on the same line. This is a common trick employed by hackers to disguise some executable code - in other words, some code is running on your site that is trying to remain hidden. Although base64() decoding is used by a few legitimate plugins, often this will be code that redirects users to malware sites, code that sends spam, or similar. In any case, this file is likely going to be best removed with the ‘Delete this file' option. It may be necessary to restore a backup of the site at this stage, because infections can be difficult to clear out completely and an uninfected backup is a much quicker and safer method of cleaning the site. If you restore a backup, make sure to set up stronger security this time around, change passwords and follow the other stages in this tutorial.

###Monitoring Live Traffic

Another feature that Wordfence has is the ability to monitor live traffic. For the most part, traffic to your site will be legitimate visitors or bots (such as the google crawler) but there will also be intrusion attempts and DDoS (attempts to overload your server by repeatedly requesting a page). One page we are sure shouldn't have many access attempts is the admin page. To monitor this, go to ‘Wordfence' in your admin area, then ‘Live Traffic'. Then click the tab for ‘Logins and Logouts'. This page shows who has recently tried to access your site's admin area:

If you followed part one of this tutorial you can be sure that all attempts to access the site using the username ‘admin' are not legitimate - and here is the best evidence you can see for why it is a good idea to change that from the default. You can click ‘block' next to the IP address of the intrusion attempt but if you are using log in protection then chances are this IP address will be blocked anyway. Unfortunately most attempts to brute force or DDoS a website will use multiple IP addresses so individual blocks are not very helpful. What is useful though is that you can see any patterns or concerted efforts that come from a single country. If your website is being attacked to the extent that it is affecting its performance you may consider blocking a country temporarily using the ‘Country Blocking' option, however this is only available to premium users.

You can also block a range of IP addresses using the ‘Advanced Blocking' option on the left menu, or you can block the IP address before it reaches your server by using a service like Cloudflare or even our very own wordpress hosting service.

##Protecting your Wordpress Installation with Bulletproof Security

Bulletproof Security is one of the most effective plugins we have found for protecting your sites from intrusion attempts and attempts to modify the site files. It provides a valuable level of protection that works well alongside Wordfence.

To follow this stage of the tutorial first go to ‘Plugins' then ‘Add New' in your admin area. Then search for ‘Bulletproof'.

Click ‘Install Now' and ‘Activate Plugin'. Bulletproof requires a lot of setup, so don't be alarmed at all the error messages and alerts that will appear! We are now going to set up Bulletproof Security to protect the site's htaccess file. This file determines which other files in your Wordpress directory can be modified, and having it set up correctly will ensure that your site cannot be tampered with. The first few steps are optional:

###Optional Step - Author Enumeration Code

(This stage provides extra security when setting up Bulletproof Security but can be skipped if you prefer).

Go to BPS Security in the sidebar of your admin area, then click htaccess core, then click ‘Custom Code' on the tab bar. You will see two options, click ‘Root htaccess File Custom Code'.

Scroll down the page until you find the text ‘CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here' and add the following code to the text area there:

    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC] RewriteRule ^(.*)$ $1?author=999999 [L]

It should look like this:

You can then save the file, or go to the next optional step below

###Optional Step - XML-RPC DDoS Protection

(This stage can be skipped, but it is a great way to prevent a common type of Wordpress attack, a DDoS that slows the site down or sometimes can cause it to crash).

Go to BPS Security in the sidebar of your admin area, then click htaccess core, then click ‘Custom Code' on the tab bar. You will see two options, click ‘Root htaccess File Custom Code'.

Scroll down the page until you find the text ‘CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here' and add the following code to the text area there - this is the same text box as the previous stage and the code can go below:

    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist your IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.

Order Deny,Allow # Whitelist Jetpack/ Automattic CIDR IP Address Blocks Allow from Allow from Allow from Deny from all

It will look like this:

You can now click ‘Save Root Custom Code' or move to the final optional stage below:

###Optional Step - Brute Force Protection

(This stage adds code that prevents a lot of older brute force scripts completely, but it is optional).

Go to BPS Security in the sidebar of your admin area, then click htaccess core, then click ‘Custom Code' on the tab bar. You will see two options, click ‘Root htaccess File Custom Code'.

Scroll down the page until you find the text ‘CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION:' and add the following code to the text field:

    # Protects the Login page from SpamBots, HackerBots & Proxies
    # that use Server Protocol HTTP/1.0 or a blank User Agent

RewriteCond %{REQUEST_URI} ^(/wp-login.php|.*wp-login.php.*)$ RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{THE_REQUEST} HTTP/1.0$ [OR] RewriteCond %{SERVER_PROTOCOL} HTTP/1.0$ RewriteRule ^(.*)$ - [F,L]

It will look like this:

Note - If you see a 403 error on your login page when trying to login or logout of your website then you will need to delete this code, as unfortunately it is incompatible with your web server. See the section below on restoring your site.

Once you have added this code, click ‘Save Root Custom Code' and proceed to the next step.

###Step 1 - Create Defaults and Backup

Click BPS Security in the sidebar of your admin area, then click htaccess core and pick the tab ‘Security Modes' then click the button ‘create default .htaccess File'.

You will get a message saying ‘Success! Your Default Mode Master htaccess file was created successfully!'. Next we want to backup the default file by clicking the tab ‘Backup and Restore'.

Tick the box next to ‘Backup' and press the ‘Backup htaccess files' button.

###Step 2 - Create and Activate Secure Files

Click the ‘Security Modes' tab again and then click the button ‘create secure.htaccess File'.

You will get a success message. Then tick the box next to ‘Activate Root Folder BulletProof Mode' and click the ‘Activate/Deactivate' button.

Now the root directory is protected by htaccess and we will do the same for the wp-admin directory. Tick the box next to ‘Activate wp-admin Folder BulletProof Mode' and click the ‘Activate/Deactivate' button next to it.

The site is now protected by Bulletproof Security. If you did the optional steps then the code you added will also be added to the new htaccess files, and you will have additional protection. If you want to go back and modify this code you can do so by editing the Custom Code page (and clicking ‘Save Root Custom Code') and then running through the entireity of Step 2 again.

Locked out of your own site - 403, 404 errors, etc

In the unlikely event that you have become unable to view or access your own site, it is possible to restore your access by using an FTP programme to delete your htaccess file.

###Bulletproof Security and W3 Total Cache

If you use W3 Total Cache (or a similar caching plugin) there is an additional stage when setting up Bulletproof Security, we have included it here for completion but it is not related to website security.

If you see this message upon installing Bulletproof Security and W3 Total Cache together:

It means that Bulletproof is blocking W3 from being able to add code to the htaccess file, code that is used to enable pretty permalinks.

You can fix this by going to ‘Performance' in your Wordpress admin panel sidebar, then choosing ‘Install'. This will show you a page of W3 Total Cache Install instructions. Scroll to the area labelled ‘Rewrite rules' and copy the code from the text area below. This code may vary depending on the options you have set in W3 Total Cache.

Now go to BPS Security in the sidebar of your admin area, then click htaccess core, then click ‘Custom Code' on the tab bar. You will see two options, click ‘Root htaccess File Custom Code'. Scroll down to the section labelled ‘CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE:' and paste the code into the text box like so:

Note: your code may look different than the code pictured here.

Next go to the bottom of the page and click ‘Save Root Custom Code'. Now you will need to follow Step 2 - Create and Activate Secure Files from the tutorial section above, this will create an updated secure htaccess file that includes the W3 Total Cache permalink code.

The error message can now be dismissed by clicking ‘Hide this message'.

##Conclusion You should now have a much more secure Wordpress installation which should (in theory) resist most attacks. Don't forget that nothing is gauranteed - by following this guide you will have gone a long way into stoping the most generic and common attacks, but it's impossible to cover everything as every Wordpress installation is different. If you do find yourself hacked after following this tutorial then the chances are you have a very security flawed component in your instalation, such as a theme or plugin. We always reccomend installing from fresh after being hacked as you never know what backdoors have been left behind.

Using Wordpress? Get our lightening fast Wordpress Optimised Hosting.

Get Wordpress Hosting