10 WP security tips meme

10 Basic WordPress Security Tips for Free

So you just installed WordPress? Here are my Top 10 Basic WordPress Security Tips for Free. Because I am cheap. And so are you. These tips mostly apply if you installed WordPress on your own, and have permissions to modify files on your host.


  • PHP 5.3+
  • Apache 2.2+


Top 10 Basic WordPress Security Tips Really Free

First Rule: Install the Latest Version

Always use the latest version of any CMS your may come to use. Latest version as of December 2017 is 4.9.1

Download WordPress Latest


Second Rule: Install WordPress in a sub-directory

Why on earth would you unpack WordPress at the root of your host drive? One day you will add more stuff, more directories etc, and everything will be messed up. Keep things neat and create a sub-directory to unzip WordPress in.

Then configure your domain provider to point to this directory.


Third Rule: Setup Strong Admin Access rights

  • Use another login than admin or dba for your database
  • Use a strong password for your MySQL database
  • Use another login than admin for WordPress
  • Use a strong password for your admin user

What is a strong password?

After competing for the NCL Fall Season 2017 hacking challenge and cracked many password hashes, I learned one crucial thing about passwords: only the size matter. Don’t listen to roukers and beat yourself with complex, L33t stupid passwords. Anything lower than 16 characters is crack-able easily with a good GPU once you put your hands on a database dump.

A strong password is actually 16 characters or more. That’s it.


It’s usually only possible to set up 16+ characters passwords if you setup MySQL and WordPress yourself. Hosting services such as Ipage for instance, will limit you to 14 characters or less.


Fourth Rule: Install Essential Plugin Jetpack

10 Basic WordPress Security Tips

Bring the power of the WordPress.com cloud to your self-hosted WordPress. Jetpack enables you to connect your blog to a WordPress.com account to use the powerful features normally only available to WordPress.com users.

It also provides a basic Malicious Login Attempt blocker.


Fifth Rule: Install Essential Plugin Code Snippets


An easy, clean and simple way to add code snippets to your site. No need to edit to your theme’s functions.php file again!

You will need this to secure your login page.


Sixth Rule: Install Akismet Anti-Spam

Used by millions, Akismet is quite possibly the best way in the world to protect your blog from spam. Your site is fully configured and being protected, even while you sleep. Akismet blocks 99.9% of spam from reaching your blog.


Seventh Rule: Install A Firewall


Your choice among:

Firewalls monitor suspect activities and limit login attempts. Wordfence is more spread but I feel like AIO WP Security offers a lot more options.


Eighth Rule: Disable Login Hints

Add this code Snippet to replace the  Login Error – Username does not exist and any other messages from popping up on your login page. Use a custom message.

function no_wordpress_errors(){
  return 'Go fuck yourself!';
add_filter( 'login_errors', 'no_wordpress_errors' );


This is optional since both Wordfence and AIO WP Security offer this option as well. However this is a cheap trick that works all the time without a firewall. Also if you disable Wordfence for any reason, this snippet will still be there.

Note that it will be executed before any other plugin, so you have to decide by yourself what you prefer.


Ninth Rule: Security With .htaccess Files

Certainly the most important but it’s better to do it once everything is installed and working fine.

  1. Verify your WordPress Main .htaccess
    File: /yourWordpressSubDir/.htaccess

    Some plugins add their own rules on top of the file, and I consider this a bug. The WordPress rules must come first. Always. Make sure the file contains these lines at the very beginning:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress
  2. Secure Your wp-admin Directory
    File: /yourWordpressSubDir/wp-admin/.htaccess

    if you do not plan to have users login to your site. Thus, deny the access to wp-login.php entirely!
    Enable .htaccess directory protection for /yourWordpressSubDir within your hosting provider: this adds another login/password layer.
    You can also block any IP from accessing the login page, and white-listing your own:
    # Begin password protection #
    AuthName "Super Security"
    AuthUserFile "/full/path/for/your/hosting/yourWordpressSubDir/wp-admin/.htpasswd"
    AuthType basic
    Require valid-user
    # End password protection #
    # IP blockade
    order deny,allow
    deny from all
    # whitelist my IP addresses
    allow from <- here your home IP address
    allow from <- here another   IP address..
    # End IP blockade

Bonus Rule: Free Geoblock via .htaccess

The root .htaccess can certainly be used as a geoblock firewall. Wordfence provides this but… Country Blocking is only available to Premium Members. Indeed. 100% Free they said. This is an obvious violation of WordPress plugin guidelines.

Bellow is a free geoblock solution for Apache via .htaccess:

  1. Get a list of IP ranges to block the countries you want to ban from accessing your site at ip2location.com
  2. Paste them in your root .htaccess file
  3. Enjoy

You don’t need to block half the planet, just choose wisely which countries you hate the most. Muahhahaha


To be efficient, these IP lists must be updated every months. Why? I have no idea. Available IPv4 ranges are pretty much all gone. There may be new small ranges appearing here and there, but nothing fancy like reallocation will ever happen. I do not update mine.


Security is YOUR business. As a wannabe webmaster, it is YOUR responsibility to keep your data safe.


2 thoughts on “10 Basic WordPress Security Tips for Free”

Leave a Reply

Your email address will not be published. Required fields are marked *