WordPress Security Hacks Part Three.. | Tutorial Freak – Online Tutorials

Part Three: Hacks 8 to 10

8. Remove Your WordPress Version Number… Seriously!

The problem

As you may know, WordPress automatically displays the version you are using in the head of your blog pages. This is pretty harmless if your blog is always up to date with the latest version (which is certainly what you should be doing anyway). But if for some reason your blog isn't up to date, WordPress still displays it, and attackers will learn this vital piece of information.

The solution

Paste the following line of code into the functions.php file of your theme, save it, refresh your blog, and voilà: no more WordPress version number in the header.

remove_action('wp_head', 'wp_generator');

Code explanation

To execute certain actions, WordPress uses a mechanism called "hooks", which lets you attach one function to another. The wp_generator function, which prints the WordPress version, is hooked to wp_head. We can remove this hook and prevent it from executing by using the remove_action() function.

9. Change The Default “Admin” Username

The problem

Brute force is one of the easiest ways to break a password. The method is simple: try as many different passwords as possible until the right one is found. Users of the brute force method rely on dictionaries, which give them a lot of password combinations.

But knowing your username certainly makes it easier for them to guess the right combination. This is why you should always change the default “admin” username to something harder to guess.

Note that WordPress 3.x lets you choose your desired username during installation; therefore, this tip is still useful if you still use the old "admin" account from older WordPress versions.

The solution

If you haven't changed the "admin" username yet, simply run the following SQL query against your database to change it for good. Don't forget to specify your desired username.

UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'admin';

Code explanation

Usernames are stored in the database. To change one, a simple UPDATE query is enough. Note that this query will not transfer posts written by “admin” to your new username.

10. Prevent Directory Browsing

The problem

By default, most hosts allow directory listing, so if you type www.yourblog.com/wp-includes in the browser's address bar you'll see all of the files in that directory. This is definitely a security risk, because an attacker could see the last time that files were modified and access them.

The solution (Updated)

Just add the following to the Apache configuration or your .htaccess file:

Options -Indexes

Code explanation

Please note that it's not enough to update the blog's robots.txt file with Disallow: /wp*. That would only ask search engines not to index the wp-* directories; it will not prevent visitors from browsing them.
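Once hacks 8 and 10 are applied, it is worth confirming they actually took effect. The script below is an added example, not code from the original post: it checks a saved copy of a page for the generator meta tag that wp_generator prints and for the tell-tale markup of an Apache directory listing. The sample HTML files are constructed here for illustration, and audit_url is a convenience wrapper around curl for checking your own blog.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the WordPress
# version number and directory listings are really gone.

# Exit 0 if the HTML in file $1 still carries the generator tag that
# wp_generator prints into <head>, e.g. <meta name="generator" content="WordPress 3.0.1" />
has_generator_tag() {
  grep -qi '<meta[^>]*name="generator"[^>]*content="WordPress' "$1"
}

# Exit 0 if file $1 looks like an Apache autoindex page (directory listing).
is_directory_listing() {
  grep -qi '<title>Index of /' "$1" || grep -qi 'Parent Directory' "$1"
}

# Print a PASS/FAIL verdict for each check on one saved page.
audit_saved_page() {
  if has_generator_tag "$1"; then echo "FAIL $1: version number still exposed"
  else echo "PASS $1: no generator tag"; fi
  if is_directory_listing "$1"; then echo "FAIL $1: directory listing enabled"
  else echo "PASS $1: no directory listing"; fi
}

# Fetch a URL of your own blog into a temp file and audit it (needs curl).
audit_url() {
  tmp=$(mktemp)
  curl -sS -L "$1" -o "$tmp"
  audit_saved_page "$tmp"
  rm -f "$tmp"
}

# --- constructed samples (not captured from any real site) ---
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/before.html" <<'EOF'
<html><head><title>My Blog</title>
<meta name="generator" content="WordPress 3.0.1" />
</head><body>Hello</body></html>
EOF
cat > "$WORKDIR/after.html" <<'EOF'
<html><head><title>My Blog</title></head><body>Hello</body></html>
EOF
cat > "$WORKDIR/listing.html" <<'EOF'
<html><head><title>Index of /wp-includes</title></head>
<body><h1>Index of /wp-includes</h1><a href="/">Parent Directory</a></body></html>
EOF

audit_saved_page "$WORKDIR/before.html"   # FAIL on the generator tag
audit_saved_page "$WORKDIR/after.html"    # PASS on both checks
audit_saved_page "$WORKDIR/listing.html"  # FAIL on the directory listing
```

To check a live page of your own blog, call audit_url with its address, e.g. the front page and /wp-includes/.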


KeithM. – Pro Photographer, WebMaster & Writer – who has written posts on Tutorial Freak – Online Tutorials.
