Your passwords and cookies are stored with salts applied. Salts are strings of data that are kept secret, and hashed together with important data so that it's harder to guess. This way a hacker can't just run through every password and generate a rainbow table of all possible results and brute force every website. Instead they need to generate a new table for every site they target after acquiring the secret salts used. There is an API to provide salts and secret keys at, which you can then copy paste into your wp-config.php.


When outputting data, you should escape it. For example, if you output a css class, you should use esc_attr, otherwise, an attacker could sneak in the value classname"><script>alert('hello');</script><span and run arbitrary code on your site.

An important part of escaping however, is to escape as late as possible. If you escape a variable once, then use it 5 times, that variable may be modified at any point between escaping and output, so always escape at the moment of output.

  • Sanitise early

  • Escape Late

  • Escape Often


In the days of MySpace, a user could add an image to their profile, and set the src tag as /logout.php. Any user who visited their profile would be immediatley logged out. This is an example of a CSRF attack or Cross Site Reference attack.

In order to get around this, we use nonces. Nonces are small tokens that can be passed around to validate an action. For example, a form may contain a nonce, which is then checked for when processed. This makes sure that all form submissions came from the form, and not a malicious or unintended script.

@todo: Add notes on how to use nonces effectively

Note: In the United Kingdom, a nonce is a name for a child sex offender, be careful of using the word out of context

The Location of wp-config

  • You can move it one level up so it's not in a web accessible location

Table prefixes

  • Don't use the default wp_

  • Notes on automated attacks

User ID 1

  • Don't call it 'admin'

  • Don't give it administrator priviledges

Roles and Capabilities

  • What they are

Removing vs Hiding Settings Pages

  • Hiding things with CSS doesn't make it secure

  • People have dev tools too

  • Automated tools ignore CSS

  • how to remove admin menus and change the capabilities needed to do things

Custom Password Reset Code

  • Some people write their own password reset facilities. This is bad

  • If you really must, make it a forgotten password link, don't make it actually show your password


There are a lot of feel good security fixes that float around, that do nothing to help your security, waste your time, and sometimes increase the risk. Here are a few:

Hiding the Admin and Login URLs

  • Some people try to change the admin and login URLs in hopes it will fool attackers and automated tools

  • WordPress adds in /admin/ and /login/ rewrite rules in the newer versions so moving the files is pointless

  • It can break some functionality in code without necessary care

  • Trying to go to the admin URLs will redirect you to the changed login URL anyway, and if you fix that then the modal box that shows in the admin screen when your session expires will be broken too

Deactivated Plugins & Themes

  • Because of how PHP works, deactivated plugins can still be hit from a users web browser

  • Badly written plugins might do things if the right URL is loaded, even if they're not activated. This is especially true of plugins with their own AJAX endpoints that don't use the WP AJAX API.

Recovering From Attacks

  • Take and use regular backups

  • Download a fresh copy of WordPress and extract it over the top of your existing install to make sure that WP Core is unmodified

  • Check your plugins and code against version control

Last updated