Close this search box.

WordPress Security Best Practices

Here are my slides from the WordPress Sydney Central meetup on WordPress Security Best Practices.

There are so many easy things that you can do to pimp your security and help avoid being one of those victims who has to foot the bill to get their site cleaned up again.

It was a mammoth session and took about 1 hour and 30 minutes to cover with plenty of others chipping in with their experiences and asking questions.

Thanks, guys – that’s what the open-source community is all about!

Topics Covered

  • Sun Tzu – The Art of War
  • The Ultimate Secure Site
  • Social Engineering
  • Usernames & Passwords
  • Unix File Permissions
  • WordPress Folder and File Permissions
  • WordPress Configuration Files & Securing Them
  • Server Malware & Services To Clean Them
  • Updating WordPress (even for a large number of sites)
  • Automatic WordPress Updates
  • Why You Shouldn’t Use Free Themes & Plugins (torrents especially)
  • How To Check For Malware In Themes & Plugins
  • The Evil TimbThumb Script
  • SSL Certificates, Secure WordPress Logins & Dashboard
  • Software Firewalls
  • Limit Login Attempts (stop brute force attacks)
  • WordPress Backups (free & paid)
  • Security For The Paranoid
  • Two Factor WordPress Authentication (Google Authenticator)
  • Biometric WordPress Authentication (VoxedIn)
  • Moving The WordPress wp-content Folder
  • Protecting wp-config.php
  • SQL/Script Injection Protection
  • Prevent Directory Browsing
  • Secure The WordPress wp-admin Folder
  • Disable The WordPress Dashboard Theme & Plugin Editors
  • Change The WordPress Default Database Table Prefix
  • Be “Big Brother” – WordPress Security Audit Logs
  • Change wp-login.php
  • Change wp-admin Folder
  • Dos & DDoS Attacks

Conversations continued in the pub afterwards.

Zero Point Development helps organise WordPress meetups in Sydney.  Come along for a chat at the next one.

Was this article helpful?

7 Responses

    1. Hey Cath.

      Didn’t mean to scare you! But look at all the lovely security stuff you can do with your site now 🙂

  1. Hello Wil,

    Thanks for sharing this excellent presentation, it’s really very useful.

    What do you think about this plugin: Better WP Security, it does automatically some of the things you show in your presentation, like changing the path to login, enforcing strong passwords…

    Thank you.


    1. Hi David,

      Thanks for the feedback.

      Sorry for the late reply – must have missed the comment notification on this one.

      Yes I’ve used Better WP Security before and it does cover some of the more pressing security issues that a WordPress site will face.

      The good news is that the plugin is being actively updated by Chris Wiegman for iThemes.

      Before using any plugin you should check that it is being actively updated and supported but this is vital for security plugins.

      Today’s secure site can easily turn into tomorrow’s compromised one.


  2. Just wanted to say thank you for a well put together presentation. Due to my lack of preparedness, all my wordpress installs (around 50) were highly insecure and subsequently hacked. My mail relay has been suspended and my server ip has been blacklisted. It’s taken me 3 straight working days of research and action to get my server back to a respectable status. Your presentation was the best thing I came across during my research. Word to the wise: Take Will’s advice BEFORE you end up in a situation like me!