Advanced WordPress Security Tips

This is a semi-advanced level tutorial on WordPress security measures necessary to protect your WordPress blog or website from various security threats. It is meant as a follow up to the beginner and intermediate level tutorials I have also written on WordPress security measures.

Why Use More Advanced Security for WordPress

The main reasons for the more advanced security measures are to protect your website from hackers who like to go into popular WordPress blogs and mess around. Whether their goal is to add malware, install spyware, spam or steal valuable & sensitive information, there are ways to circumvent many of the more common attacks. Also, some of the techniques described below are for the everyday WordPress administrator as well, so read on and learn how to secure your WordPress site with this and other security tutorials I have written here on this website.

Most Common WordPress Security Threats

There are a plethora of possible online security threats. Here is a list of the more common ones that I would like to help protect your WordPress blog or website from:

  • Spyware – a group of security threats that any WordPress developer should take precautions against. Spyware includes Trojan horses, keyloggers, adware and dialers. The main objective of these threats is to steal sensitive information such as usernames, passwords, credit card numbers, social security numbers, account numbers, bank information, and so on.
  • Malware – is short for malicious or malevolent software. Malware includes security threats that attempt to disrupt your computer’s performance, gain access to sensitive information and access private systems. Malware is often noticeable when an attack slows down a computer or server significantly. If malware is on your server with WordPress, you may recognize a substantial loss of speed on your WordPress site.
  • Spam – the unsolicited use of space on your website by attackers seeking free advertising that you would probably never otherwise allow on your WordPress site. While these threats are sometimes not as dangerous as spyware or malware, they are a major inconvenience and can negatively affect your WordPress blog’s SEO and your position in search engine rankings. Spam is not quality content. These days, search engines rank according to the quality and freshness of the content on a website, so it is important to eliminate any spam from your blog or website with the use of anti-spamming techniques.
  • Viruses – programs inserted into your WordPress server by a hacker who has either hidden a virus in something that you have uploaded to the site or has gained access to the server and uploaded it directly. Common sources of viruses for WordPress installations include working on your site from an insecure location such as an internet café, uploading plugins or themes from an untrusted source, and leaving your server vulnerable to attacks. Some viruses start damaging your server immediately, while others are set to activate at a later date in order to mask where they came from. It can be nearly impossible to determine the source of a virus if it activates weeks or months after the infection.

Avoiding Attacks through URLs

One of the more common ways that hackers gain access to your WordPress files is via the browser’s address bar or by inserting variables into a URL with a script, usually written in PHP but often in other programming languages. No matter how the malicious variable gets into the URL, there are ways to avoid these types of attacks. One way I would like to demonstrate is blocking various strings in URLs via the .htaccess file. Make a list of strings hackers commonly use to gain access to your site and write rules for them into your .htaccess file. Here are some rules that could help. Note that RedirectMatch treats each string as a regular expression, so characters such as ., (, ^, $ and / must be escaped with a backslash or a rule will match far more than intended. Please note also that some of these rules may break functionality on some WordPress sites, so be sure to test thoroughly after implementing them. Apply the following rules to the .htaccess file in the root directory of your WordPress installation.

# RedirectMatch takes a regular expression: the backslashes below make
# the special characters match literally instead of acting as regex syntax.
<IfModule mod_alias.c>
 RedirectMatch 403 \^
 RedirectMatch 403 \`
 RedirectMatch 403 \{
 RedirectMatch 403 \}
 RedirectMatch 403 \~
 RedirectMatch 403 \"
 RedirectMatch 403 \$
 RedirectMatch 403 \<
 RedirectMatch 403 \>
 RedirectMatch 403 \|
 RedirectMatch 403 \.\.
 RedirectMatch 403 \/\/
 RedirectMatch 403 \%0
 RedirectMatch 403 \%A
 RedirectMatch 403 \%B
 RedirectMatch 403 \%C
 RedirectMatch 403 \%D
 RedirectMatch 403 \%E
 RedirectMatch 403 \%F
 RedirectMatch 403 \%22
 RedirectMatch 403 \%27
 RedirectMatch 403 \%28
 RedirectMatch 403 \%29
 RedirectMatch 403 \%3C
 RedirectMatch 403 \%3E
 RedirectMatch 403 \%3F
 RedirectMatch 403 \%5B
 RedirectMatch 403 \%5C
 RedirectMatch 403 \%5D
 RedirectMatch 403 \%7B
 RedirectMatch 403 \%7C
 RedirectMatch 403 \%7D
 RedirectMatch 403 _vpi
 RedirectMatch 403 \.inc
 RedirectMatch 403 xAou6
 RedirectMatch 403 db_name
 RedirectMatch 403 select\(
 RedirectMatch 403 convert\(
 RedirectMatch 403 \/query\/
 RedirectMatch 403 ImpEvData
 RedirectMatch 403 \.XMLHTTP
 RedirectMatch 403 proxydeny
 RedirectMatch 403 function\.
 RedirectMatch 403 remoteFile
 RedirectMatch 403 servername
 RedirectMatch 403 \&rptmode=
 RedirectMatch 403 sys_cpanel
 RedirectMatch 403 db_connect
 RedirectMatch 403 doeditconfig
 RedirectMatch 403 check_proxy
 RedirectMatch 403 system_user
 RedirectMatch 403 \/\(null\)\/
 RedirectMatch 403 clientrequest
 RedirectMatch 403 option_value
 RedirectMatch 403 ref\.outcontrol
 RedirectMatch 403 errors\.
 RedirectMatch 403 config\.
 RedirectMatch 403 include\.
 RedirectMatch 403 display\.
 RedirectMatch 403 register\.
 RedirectMatch 403 password\.
 RedirectMatch 403 maincore\.
 RedirectMatch 403 authorize\.
 RedirectMatch 403 macromates\.
 RedirectMatch 403 head_auth\.
 RedirectMatch 403 submit_links\.
 RedirectMatch 403 change_action\.
 RedirectMatch 403 com_facileforms\/
 RedirectMatch 403 admin_db_utilities\.
 # RedirectMatch 403 (this entry's pattern is missing from the original list)
 RedirectMatch 403 Table\/Latest\/index\.
</IfModule>

The above example contains a lot of strings that you may or may not want to use. The best advice I can give you is to try them all and see if your site works as it should. If not, comment them out one by one (a line starting with # is ignored by Apache) until you find the ones that are causing issues in your particular WordPress environment.
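The "try them all and see if your site works" step can be done on paper before touching the server. The checker below is an added example, not part of the original tutorial: it pulls every RedirectMatch 403 rule out of an .htaccess fragment, reports patterns Apache could not compile, and lists which constructed legitimate WordPress URLs the rules would wrongly block. The fragment, the URL list and the function names are all constructed here; the RedirectMatch model is simplified (path only, no percent-decoding).

```python
import re

# Constructed .htaccess fragment (a subset of the tutorial's list) in the
# escaped form RedirectMatch needs: it takes a regular expression, so
# metacharacters such as '.' and '(' carry a backslash.
ESCAPED_HTACCESS = r"""
<IfModule mod_alias.c>
 RedirectMatch 403 \.\.
 RedirectMatch 403 select\(
 RedirectMatch 403 db_connect
 RedirectMatch 403 config\.
</IfModule>
"""

# The same rules as they look once a web page has stripped the backslashes.
UNESCAPED_HTACCESS = ESCAPED_HTACCESS.replace("\\", "")

# Constructed legitimate WordPress requests the site must keep serving.
LEGIT_URLS = [
    "/", "/?p=123", "/feed/",
    "/wp-admin/admin-ajax.php?action=heartbeat",
    "/wp-content/themes/twentytwenty/style.css",
    "/wp-includes/js/jquery/jquery.min.js",
]

RULE_RE = re.compile(r"^\s*RedirectMatch\s+403\s+(\S+)\s*$", re.IGNORECASE)

def compile_rules(htaccess):
    """Return (compiled 'RedirectMatch 403' regexes, patterns that fail to
    compile). Apache rejects a config with an invalid regex, so the second
    list must be empty before the file goes live. Python's re stands in for
    Apache's PCRE; the patterns here are simple enough for that to hold."""
    good, bad = [], []
    for m in filter(None, map(RULE_RE.match, htaccess.splitlines())):
        try:
            good.append(re.compile(m.group(1)))
        except re.error:
            bad.append(m.group(1))
    return good, bad

def first_block(url, rules):
    """Simplified RedirectMatch model: each regex is searched in the URL path
    only, since RedirectMatch never sees the query string. Apache's
    percent-decoding of the path is not modelled here."""
    path = url.split("?", 1)[0]
    return next((rx.pattern for rx in rules if rx.search(path)), None)

def false_positives(htaccess, urls=LEGIT_URLS):
    """Map each legitimate URL to the first rule that would wrongly 403 it."""
    rules, _ = compile_rules(htaccess)
    return {u: p for u in urls if (p := first_block(u, rules)) is not None}
```

Run against the escaped fragment nothing legitimate is blocked; run against the unescaped copy, `select(` fails to compile and `..` matches every path longer than one character, which is what taking the site down looks like in advance.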

Limit Access to WordPress Admin

Another good technique to keep unwanted people out of your WordPress site is to lock down your admin area so that only you, or only someone from your IP address, can access it. This can be accomplished by adding the following three simple directives to the .htaccess file inside your wp-admin folder, not the root folder as in the previous example. Note that this also blocks wp-admin/admin-ajax.php, which some themes and plugins call on behalf of visitors who are not logged in, so test the public side of your site after adding it.

order deny,allow
deny from all
# replace xx.xx.xx.xx with your static IP (Apache 2.2 syntax;
# on Apache 2.4 the equivalent is: Require ip xx.xx.xx.xx)
allow from xx.xx.xx.xx

Preventing WordPress Comment Spam

In WordPress, the most common spam issues are in the post comments. Comments are naturally vulnerable because you tend to want to leave comments open to the public. You may intend to have your readers comment on your posts, but spammers have a whole different plan. They want to simply get their links or advertisements into as many places on the internet as possible. Since WordPress is the number one, most popular blogging system today, spammers attack WordPress comments regularly, making it a pain in the neck for WordPress site webmasters who have to go in and clean out all of the comments. I had one site I inherited from an associate of mine that was getting hundreds of comments with spam every day. There are some rather simple fixes for this that pay off in the long run because you will spend a lot less time deleting spam from your comments with some of the following measures employed.

Using Akismet plugin to prevent comment spam

The first, and probably one of the most effective, preventative measures against comment spam is the Akismet plugin. Akismet allows you to mark certain comments as spam, just like in any popular online email system, and it will eventually learn to block comments from regular spammers, greatly reducing the number of spam comments you receive. Akismet comes bundled with WordPress, so all you have to do is activate the plugin and do some quick and easy configuration from the admin panel, and it will make life a lot easier for you. There is a charge to use Akismet for sites that generate a profit, but if your site doesn’t make any income, then you can use the plugin for free.

Along with Akismet, there are also some built in features in WordPress that help to eliminate comment spam since it is such a huge issue with many WordPress site administrators. The exercises below will explain how to implement some of these features.

Filtering comment spam with keyword phrases

One of the built in spam prevention techniques is the ability to filter out any comments that contain certain keywords or key-phrases. You can make it so that comments are either put into the moderation queue or blacklisted completely according to their contents. Here is how to filter comments by keywords or phrases and have them put into the moderation queue so you can still have a say in whether they get trashed or not:

  1. Navigate to your WordPress dashboard and go to Settings | Discussion | Comment Moderation.
  2. Enter any keywords or phrases you want into the textarea marked “Spam Words”. WordPress will prevent any comments with those keywords from showing up on your blog. Be sure to enter only one keyword or keyword phrase per line. Don’t leave just a blank space in one line unless you want every comment to be marked as spam.

Once you complete the above two steps, WordPress will mark any comment containing the entries you specified for moderation and place it in the moderation queue. A specified word is matched against the comment’s content, author name, URL, email and IP address; a hit in any of these sends the comment to the moderation queue.

Follow these next instructions to filter comments by keywords and have them blacklisted. This is just like the last method described, except that the comments will not be put into the moderation queue; they will just be automatically deleted.

  1. Navigate to Settings | Discussion | Comment Blacklist this time.
  2. Enter the keywords you want into the textarea for blacklisted comments. Be careful however because there will be no notification of comments that have been blacklisted according to the filters you set here. It is important to realize that the keywords you enter are matched with similar words or words that contain the keywords as well. Therefore if you blacklist any comment with the word “Ass” in it, you have also effectively blacklisted any comment with the words assistance, assimilate, associate, asses, masses, classes, class, etc. I am sure you can see how this could become problematic if you enter the wrong keywords into the blacklisted textarea. Try to use complete phrases to ensure that no unwanted blacklisting occurs.

Once you complete the above two steps to filter comments, they will not go into the moderation queue as in the previous example. They get marked as blacklisted and you will not be notified of the action, so be careful what keyword phrases you enter here. Blacklisted comments are stored in the database for plugins, such as the Akismet plugin described earlier, to learn from and filter comments more effectively. Also, if you had to, you could always go into the database, retrieve any blacklisted comments and restore them manually, but that is of course not recommended for the novice WordPress administrator.

Additional control over comments

Besides the extreme filters described above, there are also more settings in the WordPress admin that offer you more control over what happens with comments on your WordPress blog. You can check one box to make it so that all comments must be moderated regardless of the filters set in the above methods. Then, there is a box you can also check to automatically approve any comments from existing commenters. There is also a setting that allows you to limit the number of links allowed in a comment. This is an important setting to configure because you may or may not want your commenters to have the ability to add several links to their comments. The default setting for the number of allowed links is two, but here is how to change it:

  • Go to Settings | Discussion and scroll down to Comment Moderation and change the value accordingly. You could set it to one, to restrict commenters to a single link which is often appropriate unless you run a blog on Domain names or something similar. Spammers often post a long list of links, so two or even three will still filter out some spam comments in most cases.


This tutorial described a few extra security measures. One thing I have learned from writing about WordPress security lately is that I could go on for days and write a new tutorial every day for months. There are all sorts of security measures available to WordPress administrators, so pick the ones that seem most appropriate to your particular situation. It is best to implement as many as possible without hampering the performance of your blog or website. Good luck locking down your WordPress website with the most appropriate security measures for your unique situation.

Comments (5)

  • Comment by Karthikh Venkat

    I was using Plugins for securing my WP sites. But these tips are used to reduce my PLUGINS count :) Thanks man :)

  • Comment by Golam Qauser

    Hi IAN LIN,

    Thank you for the post. I would like to know the best security plugins.

  • Comment by Cesar Lee

    Cheers, man, I thought so. I use Akismet myself as well, and it’s the best thing those guys could have possibly come up with. Thanks!

  • Comment by Ian Lin

    Thanks for your comment Cesar Lee. There is no standard for this, just use your common sense. The main thing that would hamper performance of course is the use of too many plugins, so find a good one or two for security and draw the line. You don’t need a dozen plugins to secure your blog. I use Akismet myself for comment spam, that’s really all I need when it comes to security related plugins. You can do all of the actions described in this tutorial without having to worry about hampering performance. I simply put that warning there for people who get carried away, mostly with the use of plugins, so don’t let it bother you.

  • Comment by Cesar Lee

    Thanks for sharing this with us! A quick question: could you go further on your comment about using as many as possible without hampering the website’s performance? Any specific recommendations on how to focus on a few more efficient measures? Cheers!