Wordpress Hardening Guide

  • April 14, 2013 by Tech #1
​At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website.  These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).

Please follow below instructions to harden your wordpress:


Step 1: Create the Password File
Create a file named .wpadmin and place it in your home directory, where visitors can't access it. (Please note there is a period preceding the wpadmin in that file name.) 

EXAMPLE: /home/username/.wpadmin 
(where "username" is the cPanel username for the account.)

Put the username and encrypted password inside the .wpadmin file, using the format username:encryptedpassword

EXAMPLE: john:n5MfEoHOIQkKg 
(where "john" is a username of your choice, and the password shown is encrypted.)

Option A: Generate Password File & Uploading Via File Manager

One way to do this is to generate the file using the website linked below, and then upload it to your site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP instead, for those of you familiar with FTP.
  1. Visit: http://www.htaccesstools.com/htpasswd-generator/
  2. Use the form to create the username and password.
  3. Login to cPanel in another window or tab.
  4. Click on File Manager.
  5. Select Home Directory.
  6. Check Show Hidden Files (dotfiles) if not already checked.
  7. Click on the Go button.
  8. Look for a .wpadmin file.
    • If one exists, right click on it and select Code Edit to open the editor. Click on the Edit button to edit the file.
    • If one does not exist, click on New File at the top of the page, and specify the name as .wpadmin (with the dot at the front) and click on the Create New File button.
  9. Paste the code provided from the website in step 2.
  10. Click on the Save Changes button when complete.
You can Close the file when finished. 


Step 2: Upgrade to latest version and install security plugin
Please go to your wordpress and upgrade to latest version. When possible, install security plugins like Secure WordPress, WP Firewall 2, Stealth Login, Exploit Scanner, Timthumb Vulnerability Scanner, WP Security Scan, etc. 

Step 3: wp-config.php set permission to 400
For all the config in wordpress, the permission must be 400.