6 More Advanced Ways to Improve Your WordPress Security

March 11, 2016

Welcome to the second part of our series on WordPress security! If you’re not very confident about PHP and changing code files, we suggest you stick with the advice we gave in our first post, as the tips contained in it are more general advice than actual code changes.

Unless stated otherwise, the PHP snippets below go in the functions.php file of your theme. Put them in a child theme (or a small site-specific plugin) rather than the parent theme, so the next theme update does not wipe them out.

1 Use Salt Keys

Salt keys are fundamental to the overall security of your site. They are long strings of random letters, numbers and symbols held in eight constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching _SALT values) that WordPress mixes into the hashes it uses to sign your users' login cookies and the nonces on admin forms.

A cookie signed with a long random key cannot be forged by someone who does not know the key. If the keys are missing or still set to the sample placeholder, the signing material is public and the cookies become far easier to forge. Note that these keys do not protect stored passwords: WordPress hashes each password with its own random salt regardless of what is in wp-config.php, so this tip is about session and nonce integrity, not password strength.

Usually, salt keys are added automatically by WordPress when you install it on your server, but it is always worth checking older installations, or any site whose wp-config.php was copied from wp-config-sample.php by hand. Here's how:

  • Open up your FTP client (we recommend FileZilla).
  • Connect to your website and navigate to your WordPress install.
  • Double-click the file titled wp-config.php to download it. We advise saving a copy of this file before you make any changes, just in case anything goes wrong.
  • In the left pane, right-click on the downloaded file and choose "Open".
  • Scroll down to the block of define() lines for AUTH_KEY, SECURE_AUTH_KEY and the rest (around line 49 in a default wp-config.php); these are your salt keys.
  • Important: If any of them say "put your unique phrase here", you don't have a salt key for that line. To fix this, go to https://api.wordpress.org/secret-key/1.1/salt/, which generates a fresh set for you. Copy and paste that code into wp-config.php in place of the old block, re-upload the file to your server and test that your site still works as before. Changing the keys invalidates every existing login cookie, so all users (including anyone holding a stolen cookie) are logged out, which is also why regenerating them is a sensible step after a suspected compromise.
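If you have shell access rather than just FTP, the check above can be scripted. The script below is an added example, not code from the original post: it audits the eight constants in a wp-config.php for missing, placeholder or too-short values and generates a replacement block locally from /dev/urandom instead of fetching one from api.wordpress.org. The wp-config.php it inspects is a constructed sample written by make_sample_config, and the parser assumes the single-quoted define('KEY', 'value'); layout of the stock sample file.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the eight keys and
# salts in a wp-config.php and generate replacements locally. The file written
# by make_sample_config is constructed for this demo; the parser assumes the
# single-quoted define('KEY', 'value'); layout of the stock wp-config-sample.php.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"

# Print one line per key that is missing, still the sample placeholder, or
# shorter than 32 characters. Prints nothing when all eight are sound.
audit_salts() {
    file="$1"
    for key in $WP_KEYS; do
        value=$(sed -n -E \
            "s/^[[:space:]]*define\([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'([^']*)'.*/\1/p" \
            "$file" | head -n 1)
        if [ -z "$value" ]; then
            echo "$key: missing"
        elif [ "$value" = "$PLACEHOLDER" ]; then
            echo "$key: placeholder"
        elif [ "${#value}" -lt 32 ]; then
            echo "$key: too short (${#value} chars)"
        fi
    done
}

# 64 random printable characters from /dev/urandom. Single quotes and
# backslashes are excluded so the value can sit inside a PHP single-quoted
# string without escaping.
random_salt() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=,.:;<>?-' | head -c 64
}

# Emit a complete replacement block, ready to paste over the old defines.
print_salt_block() {
    for key in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$key" "$(random_salt)"
    done
}

# Constructed sample: five sound keys, one placeholder (AUTH_KEY), one too
# short (NONCE_KEY) and one missing (NONCE_SALT). Echoes the temp file path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Q7f#kP2m^Zr9!tGx@Lw4&Hn8*Vb1%Ys6(Jc3)Dd5+Ff0=Gg2');
define('LOGGED_IN_KEY',    'Mn4@Kp7!Rs2#Tu9%Vw1&Xy6*Za3^Bc8(De5)Fg0+Hi2=Jk4');
define('NONCE_KEY',        'short-key');
define('AUTH_SALT',        'Lq8%Wd3@Er6!Ty1#Ui4&Op7*As0^Df2(Gh5)Jk9+Lz3=Xc6');
define('SECURE_AUTH_SALT', 'Vb5!Nm8@Qw1#Er4%Ty7&Ui0*Op3^As6(Df9)Gh2+Jk5=Lz8');
define('LOGGED_IN_SALT',   'Zx2@Cv5!Bn8#Ma1%Qw4&Er7*Ty0^Ui3(Op6)As9+Df2=Gh5');
EOF
    echo "$f"
}

# Demo: audit the constructed file and, if anything is wrong, print a new block.
sample=$(make_sample_config)
findings=$(audit_salts "$sample")
if [ -z "$findings" ]; then
    echo "all eight keys are set"
else
    echo "$findings"
    echo "replace the define() lines in wp-config.php with:"
    print_salt_block
fi
rm -f "$sample"
```

Run it against a real file with audit_salts /path/to/wp-config.php; any output means at least one constant needs replacing, and print_salt_block gives you a block to paste in. Remember that pasting new keys logs everyone out.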

2 File & Folder Permissions

File and folder permissions are essential to keeping your site secure. They control which system users may read, write or execute each file. On a shared host the web server usually runs as your own account (or a dedicated one), so the goal is to let that process read everything it needs, write only where it must (typically wp-content/uploads), and expose nothing to other accounts on the same machine.

The correct permissions for your WordPress install should be as follows (the three digits are owner, group and everyone else; 7 is read/write/execute, 6 read/write, 5 read/execute, 4 read-only, 0 nothing):

  • Folders 755 (or 750 if your host doesn't allow 755)
  • Files 644 (or 640 if your host doesn't allow 644)

Here’s how to set your folder and file permissions:

  • Open up your FTP client (we recommend FileZilla).
  • Connect to your website hosting and navigate to your WordPress install.
  • Select everything inside the WordPress directory (folders and files), right-click and choose "File permissions" at the bottom of the menu.
  • Folders: Type in 755 (or 750) into the text box, check “Recurse into subdirectories”, and then check “Apply to directories only”.
  • Files: Type in 644 (or 640) into the text box, check “Recurse into subdirectories”, and then check “Apply to files only”.
  • Important: After doing that, change the permissions of wp-config.php to 600 and .htaccess to 604; those two need to be tighter because wp-config.php holds your database credentials and salt keys, and .htaccess controls how the web server treats your files. 600 only works if PHP runs as the file's owner (the usual setup on shared hosts using suPHP or a per-user PHP-FPM pool). If your site shows a database connection error immediately afterwards, PHP runs as a different user and cannot read the file; use 640 with the web server's group instead, never 644 or looser.
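With SSH access the same procedure is two find commands, and it is worth auditing the result rather than trusting the FTP dialog. The script below is an added example, not code from the original post: fix_wp_perms applies the modes described above (755/644, then 600 for wp-config.php and 604 for .htaccess, with optional 750/640 arguments) and audit_wp_perms lists anything world-writable or a wp-config.php that is not exactly 600. make_sample_site builds a throwaway WordPress-like tree with sloppy permissions so the script runs anywhere; point the two functions at your real install directory to use them.

```shell
#!/bin/sh
# Added example (not code from the original post): apply the permissions
# described above from a shell session instead of an FTP client, then audit
# the result. make_sample_site is a constructed tree for the demo; pass your
# real WordPress directory to fix_wp_perms and audit_wp_perms to use them.

# Directories 755, files 644, then the two exceptions: wp-config.php 600 and
# .htaccess 604. Pass 750 and 640 as the second and third arguments if your
# host requires them.
fix_wp_perms() {
    root="$1"; dir_mode="${2:-755}"; file_mode="${3:-644}"
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
    if [ -f "$root/.htaccess" ];     then chmod 604 "$root/.htaccess";     fi
}

# Print one finding per line: anything writable by "others" (a 777 uploads
# folder or a 666 file left behind by a "make it work" FTP session), and a
# wp-config.php whose mode is not exactly 600. Prints nothing when clean.
audit_wp_perms() {
    root="$1"
    find "$root" -perm -002 -print | sed 's/^/world-writable: /'
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 600 -print | sed 's/^/wp-config.php not 600: /'
    fi
}

# Constructed sample tree with deliberately sloppy modes; echoes its path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    for f in "$d/index.php" "$d/wp-includes/version.php" "$d/wp-config.php"; do
        printf '<?php // constructed sample\n' > "$f"
    done
    printf '# BEGIN WordPress\n# END WordPress\n' > "$d/.htaccess"
    chmod 777 "$d/wp-content/uploads"            # world-writable directory
    chmod 666 "$d/wp-config.php" "$d/index.php"  # world-writable files
    echo "$d"
}

# Demo run: four findings before, none after.
site=$(make_sample_site)
echo "before:"; audit_wp_perms "$site"
fix_wp_perms "$site"
echo "after:";  audit_wp_perms "$site"
rm -rf "$site"
```

Run audit_wp_perms on a live site before you change anything; a plugin that needs a writable cache directory will show up there, and it is better to grant that one directory write access deliberately than to leave 777 scattered about. Remember the caveat on 600 for wp-config.php: if PHP does not run as the file's owner, pass the directory through fix_wp_perms and then set wp-config.php to 640 by hand.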

3 Hide Your WordPress Version Number

By default, WordPress prints its version number into your pages (a generator meta tag in the head and in your feeds) and appends it as a ?ver= query string to the core scripts and stylesheets it loads. That tells anyone scanning for outdated installs exactly which version you run and, therefore, exactly which published flaws to try.

Each version of WordPress has had its security holes, and they are patched quickly, but a site left on an old release stays exploitable by everyone who knows the published flaws for that release. If someone knows how to attack version 3.2, then even though the latest version is 4.1.1, any site still running 3.2 is vulnerable, and advertising the version number just saves them the guesswork.

Here is how to remove the version number from the source of your pages: add the code below to your theme's functions.php file. Two caveats first. This is obscurity, not a fix: readme.html in your web root and the contents of core files still reveal the version to anyone who looks, so it is no substitute for staying updated. And the second half of the snippet strips ?ver= from every enqueued stylesheet and script, theme and plugin assets included, which also disables the cache-busting those query strings provide; if that matters to you, strip ver only when its value equals the running WordPress version.

[php] //----- Stop the WP version being output in the <head></head> tags and in feeds
function fhoke_remove_version() {
    return '';
}

add_filter('the_generator', 'fhoke_remove_version');

//----- Remove the WP version (?ver=x.y.z) from CSS and JS URLs
function fhoke_remove_wp_ver($src) {
    // strpos() returns false when 'ver=' is absent; compare explicitly
    // rather than relying on truthiness
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}

// Late priority so this runs after plugins have finished building the URL
add_filter('style_loader_src', 'fhoke_remove_wp_ver', 9999);
add_filter('script_loader_src', 'fhoke_remove_wp_ver', 9999);
[/php]

4 Move wp-config.php One Level Up

WordPress looks for wp-config.php in its own directory first and then one level above it, provided that parent directory is not itself a WordPress install (it must not contain a wp-settings.php). So you can move the file up one level and WordPress will keep working. The protection is real only when that parent directory is outside the web root, for example when WordPress lives in public_html and wp-config.php moves into the home directory beside it. If your site is in a subdirectory such as mysite.com/blog, the level above is still the web root, so the file stays reachable through the web server and you gain little more than a less obvious location.

Some people will tell you this is a minor thing and not worth doing, but we disagree. Attackers and automated scripts that get a foothold on a server look for wp-config.php where they expect it, inside the WordPress directory, because it holds your database credentials. A copy that lives outside the web root cannot be served as plain text if PHP handling ever breaks, is not exposed by a careless permission change to the install folder, and is simply missed by scripts that only look inside the WordPress directory.

How to Move wp-config.php

  • Download the wp-config.php file (and keep a backup copy).
  • Navigate one level above your WordPress install and check that no wp-settings.php exists there, otherwise WordPress will not look in that directory.
  • Upload the file there, then delete the original inside your WordPress install folder. Give the moved file the same tight permissions described in tip 2.
  • Test that both the front-end and the back-end (wp-admin) of your site still work, and you're done. Simple!

5 Secure wp-includes & wp-config.php

A layer of protection can be added to the wp-includes folder (where the core library files live) to stop the PHP scripts there from being requested directly by a browser. Those files are meant to be included by WordPress, not executed on their own, and refusing direct requests closes off one avenue for abusing an unpatched script in that folder.

Unfortunately, this technique does not work well with WordPress multisite, because the rule that blocks every .php file in wp-includes also blocks ms-files.php, which networks created before WordPress 3.5 use to serve uploaded files. It works fine for single installs.

How to secure wp-includes

All you need to do to stop the wp-includes folder being accessed directly is add the following to the .htaccess file in your WordPress root:

[xml] <IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Never serve the admin include files directly
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is not under wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Forbid (403) direct requests to PHP files in wp-includes and its risky subfolders
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
[/xml]

Make sure you paste the code above the line # BEGIN WordPress, because WordPress rewrites everything between # BEGIN WordPress and # END WordPress whenever you change your permalink structure and anything inside that block would be lost. This applies to Apache only, and only where the host allows .htaccess overrides; nginx ignores .htaccess files entirely, so there the same rules have to go into the server configuration.

How to secure wp-config.php

Whether or not you move wp-config.php one level above your WordPress installation, you can also block direct web requests for it. Normally a request for it is executed by PHP and returns an empty page, but if PHP handling is ever disabled, say by a server misconfiguration, the file would be served as plain text along with your database credentials. Add the following to your .htaccess:

[xml] <files wp-config.php>
order allow,deny
deny from all
</files>
[/xml]

The above stops anyone probing your server from the web from fetching the configuration file, which matters because it controls your entire WordPress installation and holds your database credentials and the salt keys from tip 1. If you moved the file outside the web root (tip 4), the rule is redundant there but harmless. One caveat: Order and Deny are Apache 2.2 directives, and on Apache 2.4 they only work when mod_access_compat is loaded; if your site returns a 500 error after you add the block, replace those two lines with the 2.4 form Require all denied.

6 Disable File Editing

If you go to the dashboard of your WordPress site, hover over "Appearance" and go to "Editor" (there is a matching "Editor" entry under "Plugins"), you can edit the PHP files of your theme and plugins directly in the browser.

The problem is that an attacker then does not need FTP or SSH access to plant a backdoor: any account with administrator privileges, obtained through a weak, reused or phished password or a stolen login cookie, can write arbitrary PHP into your theme from the dashboard. It is one more reason to use strong passwords, whether or not you have file editing enabled.

To disable file editing, add this line of PHP to your wp-config.php file, above the line that reads /* That's all, stop editing! Happy blogging. */ so that the constant is defined before WordPress loads:

[php] define('DISALLOW_FILE_EDIT', true);
[/php]

The editors disappear from the menus and the underlying save actions are refused as well. If you deploy themes and plugins from version control and never install or update them through the dashboard, the stricter DISALLOW_FILE_MODS constant goes further and also blocks installing, updating and deleting themes and plugins from the dashboard.

What Next?

Your WordPress site should now be a lot safer than it ever has been, but there’s still more you can do to keep it safe. Keep an eye out for our next post in this series, where we’ll be going over things like two-factor authentication, how to set it up and which plugins to use.

Remember that not every weakness is devastating on its own; some are merely an inconvenience when discovered. Taken together, though, measures like these remove the easy wins an attacker looks for first, so each one is worth taking seriously so you are always prepared.

You might also want to read 6 Ways to Improve Your WordPress Security.