Imposing SSL and Other Tips for Impenetrable WP Security


Internet security has always been as important as your personal security. If you are making money through your blog or website, the security of your website becomes as critical as securing your bank account. Luckily, WordPress strives to ensure better security with every new version. Besides, there are plenty of plug-ins you can use to fortify your website or blog’s security.

However, not all users, including developers, are as security savvy as they can and should be.

The most interesting part is that optimizing a WordPress blog/website for better security requires only small tweaks, most of which are previously covered in one of our posts. Today, we share a few more interesting and effective tips to help you secure your website/blog against information theft, breaches, intrusions and interception.

Enforce SSL Usage

SSL or Secure Sockets Layers are cryptographic algorithms that are used for securing communication over the internet. It is a widely used protocol especially on ecommerce websites. The good thing is that while securing your blog or website, you only need a little technical knowledge. With SSL implemented, hackers and intruders fail to eavesdrop, tamper or forge the data even if they are able to access it. It may sound like an exaggeration but many developers do regard it as the epitome of internet security. Not to mention, an SSL certificate will make your website/blog appear more credible and trustworthy even for users who aren’t tech savvy.

The bad news is, only a few hosting services such as WP, WebHost or HostGator allow you to use SSL. So, make sure your host allows SSL as well. Once you have checked with your host, consult them and acquire an SSL certificate. Now follow these steps to force SSL on your website.

Open the wp-config.php file from the files directory. This is the most important configuration file in the whole directory. Once opened, paste the following piece of code in the wp_config.php file.

/* Enable SSL Encryption */

define(‘FORCE_SSL_LOGIN’, true);

define(‘FORCE_SSL_ADMIN’, true);

Save and close the file. SSL encryption is now enabled on your website’s administration area. The admin area will now load with ‘https’ instead of ‘http’. Since most websites require confidential information to be used only in the admin area, enabling SSL for the frontend is not necessary.

Protection Against Script Injections

SQL injection has become one of the major threats to websites today. In script injection, attackers inject a piece of malicious code into user input variables that are later parsed and executed by the SQL server. Even a single infected page can make put the whole website at risk and might corrupt all the data.

In order to protect your website/blog against such attacks, you must protect PHP GLOBALS and _REQUEST variables. You can do so by following these instructions given below.

Open the .htaccess file located in the files directory of your WordPress installation. Now paste the following code.

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]

This code will check the incoming request for any script that attempts to modify the value of PHP GLOBALS or _REQUEST variables. If an attack is detected, the code will block the request and return a 403 error.

An important point to mention here is that editing the .htaccess file is not recommended until you are absolutely sure you are doing it the correct way. If you edit the file incorrectly, custom pages will be set up on your site or the URLs will redirect to another location. In some cases, you may not even be able to access it anymore or corrupt your entire database. However, if you have a backup of the file and your database, then you can edit it without any worries.

If you are using a nginx server, then you’ll have to make use of other methods to secure your site. This is because .htaccess file is not supported by nginx server.

Protection Against Content Scrapers & Hotlinking

Content has always been the king but with Panda and Penguin, content has become ever so important. Your content is always at a risk of being plagiarized by others. This holds true for all types of content including text and images. Content scrapping also involves image hot-linking, which in turn weakens the server’s bandwidth.

The truth is, only a few people put enough effort and dedication to generate high quality original content. If you have gone through all the hard work, you must protect your content against scrappers. Do this by following the following procedure.

Open the single.php file and get to the line where the title is displayed. All you need to do is to replace that line with the following code.


<a href="<?php the_permalink(); ?>"><?php the_title(); ?></a>


This code puts a link on your post’s title. Therefore, when the scrappers use your content along with that title, there stolen post will actually link to your post automatically.

For hotlinkers, create an image by the name of nohotlink.jpg and upload it to the Images folder.  Open the .htaccess file and paste the following code. Before doing this, you should place the image in the Images folder.

RewriteEngine On

#Replace ?mysite\.com/ with your blog url

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]

RewriteCond %{HTTP_REFERER} !^$

#Replace /images/nohotlink.jpg with your "don't hotlink" image url

RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

The hot-linking website will now display any image you have named as nohotlink.jpg. Once again, do this with extreme care and make sure you have necessary backups because editing the .htaccess file can be risky.

WordPress Updates

One of the best and simplest ways to secure your WordPress site is to regularly update your software. Like any other program, WordPress often configures security measures, and releases new updates.

Protection against Brute-Force Attacks

WordPress puts no restrictions on the login attempts if a wrong password is provided. However, unlimited tries makes it easier for a hacker to crack the password, and gain entry. Therefore, you should limit the number of login attempts. To do this, download the plug-in available on the WordPress site, and extract it to the wp-content/plugin directory. The plug-in then can be activated from the admin interface.

Strong Passwords

The easiest rules of securing are often forgotten among the so many advanced ways to do it. Most the people have the habit of implementing the toughest procedure first instead of the simplest. Same is the case with the passwords you set for your admin account. Try to choose a complex password which is alphanumeric, and contains punctuation marks as well. Also, change the username of the ‘admin’ account to something else.

Login Errors

WordPress displays errors of an invalid username or wrong password if the login details are incorrect. This should be disabled so that hackers cannot track their progress. This can be done by writing the following line in your functions.php file.

add_filter(‘login_errors’, create_function(‘$a’, “return null;”));

Database Prefix

The prefixes of all databases are the same by default, and so they are known to others. You should change them in order to increase security. This can be done by adding the given line to the wp-config.php file.

$table_prefix = 'wp_a123456_';

File Permissions

Just like databases, file permissions are also the same for all users until you change them. You should add the give line of code to all files to prevent unwanted access.

chmod who=permissions filename

Theme and Plug-in Editor

The theme and plug-in editor should be disabled so that no one can modify your content. Open the wp-config.php file, and paste the following line.

define('DISALLOW_FILE_EDIT', true);


Internet security, as is proved time and time again, is of the utmost importance and too many people don't take it seriously enough. The steps provided here are simple, yet make for a more secure environment. Let us know in the comments below of any further simple and effective security tips you use.

Related Posts
  • Code
    New wp-config Tweaks You Probably Don't Know8 new wp config tweaks you probably didnt know about 400
    The wp-config.php file: One of the most loved WordPress feature for some, one of the worst nightmares for others. There are countless tips and tricks in a plethora of articles, and you can't get enough of them; however, this article is aiming to be different. In this article, we're going to get familiar with eight new wp-config tricks that are less known than functionality such as turning off post revisions, increasing the memory limit, or other similar features.Read More…
  • Code
    Web Development
    How to Use New Relic With PHP & WordPressRelic retina preview
    Today we will look at how to monitor a PHP application using New Relic. More specifically we will set up a basic WordPress installation and get some performance data about it, in the New Relic dashboards.Read More…
  • Code
    Web Development
    Securely Handling User's Login CredentialsSecure wide retina preview
    Consider the following tips on how to properly secure your user's login credentials.Read More…
  • Code
    Preventing Code InjectionCsrf dotnet retina preview
    Often, websites seem to exist primarily to put something into a database in order to pull it out later. While other database methods, such as NoSQL, have gained popularity in recent years, data for many websites still resides in the traditional SQL database. This data often consists of valuable personal information such as credit card numbers and other personal information of interest to identity thieves and criminals. Hackers therefore always look to get this data. One of the most common targets of these attacks is the SQL databases that lie behind many web applications through a process of SQL Injection.Read More…
  • Code
    Client-Side Security Best PracticesSecurity best practices retina preview
    Thanks to HTML5, more and more of an applications' logic is transferred from server-side to client-side. This requires front-end developers to focus more on security. In this article I will show you how to make your apps more secure. I will focus on techniques that you may not have heard about, instead of just telling you that you have to escape HTML data entered in by users.Read More…
  • Code
    Conquering the wp-config.php File - 11 Good PracticesThumb 200
    There are 981 files and 95 folders which come with the WordPress (v3.4.1) package. None of these files need manual modification, except the wp-config.php file. Of course, we don't have to edit the file if we're fine with the default WordPress configuration but it's essential that we learn how to conquer the file in order to apply security precautions, speed tricks and other stuff which we will be studying in this article.Read More…