Securing a WordPress Blog

Please view this newer article for another method of securing the wp-admin directory from access.

Here are a few tips for securing a WordPress-based blog or site:

Change the location of your wp-content directory. This makes your site’s source code less discernible as a WordPress blog.

In the wp-config.php file:

define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/wp-content');
define('WP_CONTENT_URL', 'http://example/wp-content');

Change “wp-content” to something else in both lines, and rename the directory on the server to match.

Keep in mind that some plugins are not programmed correctly and have hard-coded links to the content directory as “wp-content”, so the change could cause issues. If you notice your plugins not working, open the related source files and search for “wp-content”.


Change the admin’s login name to something besides “admin”
You can do this by editing the database with a tool such as phpMyAdmin.
The user_login varchar(60) field in the wp_users table is the value you want to change.

You should be able to leave the user_nicename and display_name alone.


Password protect your wp-admin folder on the server using cPanel (you will have to log in twice, but this adds a second layer of security).


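Modify your .htaccess file in the index directory to disallow access to wp-config.php. The Order/deny directives below are Apache 2.2 syntax; Apache 2.4 accepts them only when mod_access_compat is loaded.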

<files wp-config.php>
Order deny,allow
deny from all
</files>
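
To check a site's files against the tips above, here is an added example (not part of the original article) in Python. The directory name "assets", the sample plugin and the AuthUserFile path are constructed values, and the script assumes the wp-admin password protection is stored as AuthType/Require lines in wp-admin/.htaccess; the admin login rename lives in the database and is not checked.

```python
import re
import tempfile
from pathlib import Path

def _read(path):
    return path.read_text(errors="replace") if path.is_file() else ""

def audit(root, content_dir="wp-content"):
    """File-level checks for the tips above; returns a dict of findings."""
    root = Path(root)
    # Content directory: WP_CONTENT_DIR is defined and no longer ends in the default name.
    m = re.search(r"define\(\s*'WP_CONTENT_DIR'\s*,\s*(.+?)\)\s*;", _read(root / "wp-config.php"))
    moved = bool(m) and not m.group(1).rstrip(" '\"/").endswith("wp-content")
    # Plugins that still hard-code "wp-content" are the ones likely to break after the move.
    hardcoded = sorted(p.relative_to(root).as_posix()
                       for p in (root / content_dir / "plugins").rglob("*.php")
                       if "wp-content" in _read(p))
    # wp-admin password: assumes the protection is stored as HTTP auth lines in wp-admin/.htaccess.
    admin = _read(root / "wp-admin" / ".htaccess")
    protected = all(re.search(rf"^\s*{d}\s+\S+", admin, re.I | re.M) for d in ("AuthType", "Require"))
    # wp-config.php: a <files> block, tags on their own lines, whose body has "deny from all".
    block = re.search(r"^\s*<files\s+\"?wp-config\.php\"?\s*>\s*$(.*?)^\s*</files>",
                      _read(root / ".htaccess"), re.I | re.M | re.S)
    denied = bool(block and re.search(r"^\s*deny\s+from\s+all\s*$", block.group(1), re.I | re.M))
    return {"content_dir_moved": moved, "hardcoded_wp_content": hardcoded,
            "wp_admin_password": protected, "wp_config_denied": denied}

def build_sample(root, htaccess):
    """Constructed sample site; "assets" and the AuthUserFile path are made-up values."""
    root = Path(root)
    plugin = root / "assets" / "plugins" / "gallery"
    plugin.mkdir(parents=True)
    (root / "wp-admin").mkdir()
    (root / "wp-config.php").write_text(
        "<?php\ndefine('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/assets');\n"
        "define('WP_CONTENT_URL', 'http://example/assets');\n")
    (plugin / "gallery.php").write_text("<?php $css = '/wp-content/plugins/gallery/style.css';\n")
    (root / "wp-admin" / ".htaccess").write_text(
        'AuthType Basic\nAuthName "admin"\nAuthUserFile "/home/user/.htpasswds/passwd"\n'
        "Require valid-user\n")
    (root / ".htaccess").write_text(htaccess)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample(tmp, "<files wp-config.php>\nOrder deny,allow\ndeny from all\n</files>\n")
        print(audit(site, content_dir="assets"))
```

The wp-config.php check only recognises the "deny from all" form shown above, with each directive on its own line; a block pasted onto a single line is reported as not denied.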