WordPress Security: FTP – a Door That’s Often Left Open

I read an interesting article on WordPress security today on a new site that Jack Humphrey pointed out:


A lot of attention is quite rightly focused on securing your WordPress installation itself. But however secure your WP installation is, it counts for nothing if you're leaving other doors open.

Common sense precautions

It's worth being aware that a determined, skilled attacker is going to be able to get into pretty much any site they want, given enough time. But you can protect your WP installation from the mass, automated bot attacks with a few common sense precautions.

Here are some steps I’ve taken:

  • I've changed my login name from 'admin' (the default name WordPress assigns) to something else (long and complex). Bear in mind that WordPress still exposes login names through author archive URLs, so treat this as a hurdle for bots that blindly try 'admin', not as a secret; the password is what has to be strong
  • I’ve made sure my password is as strong as I can make it
  • I've put an extra layer of security around the wp-admin directory (for example, HTTP authentication configured in .htaccess, so a second password is needed before the WordPress login page is even reachable)
  • I've created a blank index.html file in the wp-content/plugins directory so the web server doesn't list the plugins I'm using, and done the same for themes. Note that this only stops the directory listing: a scanner can still confirm a plugin by requesting its folder directly, so it is no substitute for keeping plugins patched
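The last two steps, plus a server-level version of the index.html trick, are easier to judge written down concretely. The following is an added example (my own code, not the post's) that applies them to a WordPress tree on an Apache host that honours .htaccess files. It assumes Apache 2.4 `Require` syntax, and the htpasswd path is a placeholder you would change. It creates the blank index.html files, appends directory-listing and wp-config.php rules to the root .htaccess without disturbing the permalink rules WordPress keeps there, and puts HTTP authentication in front of wp-admin while leaving admin-ajax.php reachable, since front-end plugins call it for anonymous visitors.

```python
"""Apply the file-level hardening steps from the post to a WordPress tree.

Added example (not the post author's own script). Assumes an Apache 2.4
host that honours .htaccess files; the htpasswd path is a placeholder.
"""
import os
import sys

# Marker lines let the function run repeatedly without duplicating rules.
ROOT_MARKER = "# wp-hardening: begin"
ROOT_RULES = f"""{ROOT_MARKER}
# Never serve a directory listing, so a missing index.html is not fatal.
Options -Indexes
# wp-config.php holds the database credentials; it must never be served.
<Files wp-config.php>
    Require all denied
</Files>
# wp-hardening: end
"""

ADMIN_RULES = """# Second password in front of the whole admin area.
# The htpasswd file lives outside the web root and is created with:
#   htpasswd -c {htpasswd} <name>
AuthType Basic
AuthName "Restricted"
AuthUserFile {htpasswd}
Require valid-user
# Front-end plugins call admin-ajax.php for anonymous visitors; keep it open.
<Files admin-ajax.php>
    Require all granted
</Files>
"""

# Directories that ship without an index file and would otherwise be listed.
LISTABLE_DIRS = ("wp-content/plugins", "wp-content/themes", "wp-content/uploads")


def harden_wp(root: str, htpasswd: str = "/etc/apache2/wp-admin.htpasswd") -> dict:
    """Create blank index files and .htaccess rules; return what was written."""
    written = {"index_files": [], "root_htaccess": False, "admin_htaccess": False}

    for rel in LISTABLE_DIRS:
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        index = os.path.join(d, "index.html")
        if not os.path.exists(index):
            # An empty index.html is enough to stop Apache listing the directory.
            open(index, "w").close()
            written["index_files"].append(index)

    root_ht = os.path.join(root, ".htaccess")
    existing = open(root_ht).read() if os.path.exists(root_ht) else ""
    if ROOT_MARKER not in existing:
        # Append, so WordPress's own permalink rules stay intact.
        with open(root_ht, "a") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")
            fh.write(ROOT_RULES)
        written["root_htaccess"] = True

    admin_dir = os.path.join(root, "wp-admin")
    os.makedirs(admin_dir, exist_ok=True)
    admin_ht = os.path.join(admin_dir, ".htaccess")
    if not os.path.exists(admin_ht):
        with open(admin_ht, "w") as fh:
            fh.write(ADMIN_RULES.format(htpasswd=htpasswd))
        written["admin_htaccess"] = True

    return written


if __name__ == "__main__":
    # Usage: python harden_wp.py /path/to/wordpress [/path/to/htpasswd]
    result = harden_wp(*sys.argv[1:3])
    print(result)
```

The password file referenced by AuthUserFile is created separately with Apache's htpasswd tool, and it must sit outside the document root or it becomes one more file a scanner can download.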

If you prefer, there are WordPress security plugins that automate some of these steps and keep scanning your installation for known problems.

The more users you allow to update your blog, the more risk there is. I get guest bloggers to send me their posts and I put them up myself rather than give out user accounts. I also don't allow registration.

Update, update, Update

Of course, it should go without saying that you must keep your WordPress version as well as all your plugins and themes absolutely up to date.

Out of date software is manna from heaven for hackers!

Other areas to secure

But there are some areas that people often overlook, and which can hand a hacker your FTP details, and with them the ability to change every file in your WordPress installation.

Use SFTP, not FTP

If you're not using SFTP (file transfer over SSH, so a host that offers Secure Shell Access almost always offers SFTP too; FTPS, which is FTP over TLS, is the other encrypted option), then your FTP login details are transmitted across the Internet in clear text every time you log on and upload or download anything. Plain FTP sends the USER and PASS commands exactly as typed, and anyone on the path between you and the server (a shared wireless network, a compromised router) can read them.

I back up my blog system files each week by copying everything back to my local computer, which currently takes around an hour. The length of the session matters less than it seems: the login details go over the wire in the first second, and many FTP clients open several connections for a big transfer and send them again on each one, so a sniffer only needs to be watching at the moments you connect.
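To make concrete what "in clear" means on the wire, here is an added example (not code from the post): a parser run over a constructed FTP control-channel capture, written the way a passive sniffer would log it. The connection numbers, username and password are made up. It pulls out every USER/PASS pair, shows the credentials being repeated when the client opens a second connection, and skips a connection that negotiated FTPS with AUTH TLS, since from that point the sniffer sees only ciphertext.

```python
"""Recover FTP logins from a control-channel capture, as a sniffer would.

Added example; not code from the post. The capture is constructed: each
line is one control-channel message, tagged with a connection number and
direction (C = client, S = server) the way a sniffer would log it.
"""
import re
from typing import List, Tuple

CAPTURE = """\
[conn 1] S: 220 FTP server ready
[conn 1] C: USER blogowner
[conn 1] S: 331 Password required for blogowner
[conn 1] C: PASS correct horse battery
[conn 1] S: 230 User blogowner logged in
[conn 1] C: PASV
[conn 1] S: 227 Entering Passive Mode (203,0,113,10,195,80)
[conn 1] C: RETR wp-config.php
[conn 2] S: 220 FTP server ready
[conn 2] C: USER blogowner
[conn 2] S: 331 Password required for blogowner
[conn 2] C: PASS correct horse battery
[conn 2] S: 230 User blogowner logged in
[conn 3] S: 220 FTP server ready
[conn 3] C: AUTH TLS
[conn 3] S: 234 AUTH TLS successful
[conn 3] C: <TLS ciphertext>
[conn 3] S: <TLS ciphertext>
"""

# Only client commands matter for credential recovery.
CLIENT_RE = re.compile(r"^\[conn (\d+)\] C: (\S+) ?(.*)$")


def extract_ftp_logins(capture: str) -> List[Tuple[int, str, str]]:
    """Return (connection, user, password) for every login sent in clear text.

    A connection whose AUTH TLS was accepted (reply 234) is dropped from
    that point on: its USER and PASS travel inside TLS and are not visible.
    """
    lines = capture.splitlines()
    pending_user = {}   # connection -> USER seen, PASS not yet seen
    encrypted = set()   # connections that switched to TLS
    logins = []
    for i, line in enumerate(lines):
        m = CLIENT_RE.match(line)
        if not m:
            continue
        conn, verb, arg = int(m.group(1)), m.group(2).upper(), m.group(3)
        if conn in encrypted:
            continue
        if verb == "AUTH" and arg.upper() == "TLS":
            # The server's acceptance is the next message on the same connection.
            reply = lines[i + 1] if i + 1 < len(lines) else ""
            if reply.startswith(f"[conn {conn}] S: 234"):
                encrypted.add(conn)
        elif verb == "USER":
            pending_user[conn] = arg
        elif verb == "PASS" and conn in pending_user:
            # PASS carries the literal password; FTP has no hashing or challenge.
            logins.append((conn, pending_user.pop(conn), arg))
    return logins


if __name__ == "__main__":
    for conn, user, password in extract_ftp_logins(CAPTURE):
        print(f"connection {conn}: {user} / {password}")
```

Run against the constructed capture, the parser recovers the same username and password twice, once per plain-FTP connection, and nothing at all from the connection that upgraded to TLS, which is the whole argument for SFTP or FTPS in one screen of output.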

Keep your computer free of malware

Also, of course, you could have spyware on your machine which would pick up your FTP logins from there (along with all your other logins!). Saved passwords in FTP clients are a favourite target, since many clients store them on disk in plain or easily decoded form.

So it pays to consider your entire computer environment and the tools you’re using, and make sure that everything is secure – not just your WP installation.


In addition to all the WP-specific precautions you can read about in dozens of places, make sure your computer is absolutely clean (use a good anti-spyware/malware application and scan it regularly).

Use SFTP (or FTPS) to encrypt the connection when you transfer files between your server and your computer; if your host offers Secure Shell Access, SFTP comes with it.

Feel free to point out other security steps that I’ve missed – there will definitely be some!

About the author: Martin has been working online since 2006 and focuses on two areas: 1) affiliate marketing and 2) designing and building websites based on WordPress. He has his own WordPress agency, and serves clients in Hong Kong, Australia and the UK.

What do you think?


  • Andrew Dec 31, 2008 @ 12:32

    Totally agree... you can never be too safe.

    It's been five or six years back now... but my "hacker" nephew told me to go to a web site he had set up – wanted to show me something.

    Within 2 minutes he had logged into my computer. Never took control of it, but he said he could have. He did tell me the software I had installed, some files, etc.

    He never would tell me how he did it.

    Later he went into the Air Force… did computer stuff for them.

    Crazy stuff going on out here.



    • WealthyDragon Dec 31, 2008 @ 12:44

      Thanks Andrew,

      I have a friend who used to be a hacker – he’s also very non-committal. Strange, that..!

      But what your nephew did is scary. Hopefully he also told you how to protect yourself! 🙂



  • Sarah Cook Jan 2, 2009 @ 9:05

    Andrew – Was it visiting the website that made you vulnerable? Are you saying that we could unknowingly visit a website that was run by a hacker and lose it all that way?

    Wealthy Dragon – I like the idea of backing up blogs regularly. Thanks.


    • WealthyDragon Jan 2, 2009 @ 12:44

      Hi Sarah,

      Yes – definitely worth backing up both your database and blog system files regularly. I do it once a week, and in fact I have a mirror image on my PC of what’s on my server. That way if anything happens to any of my sites I can be back up and running again without any hassles.



  • Johan Aug 3, 2009 @ 18:01

    Need some advice. On the new WordPress, if you want to upload plugins with a zip file you have to make the wp-content folder writable. So I do that now but leave it like that. Is that good/bad practice, or would the other way, uploading it via FTP, be better?

    You also mention making a blank index file. Is that the one that is in the plugin folder?

    Finally, is there maybe a blog or site that lists all plugins that are a security risk, as that would be nice to have as a resource?

    Came to your site via a warriorforum post

    • WealthyDragon Aug 3, 2009 @ 18:29

      Johan, hi,

      A site that highlighted all plugins that had security holes would be a great resource – unfortunately I’ve never found one like that, but it may be worth Googling for it.

      Yes – the blank index.html file is in the plugin folder and I don’t upload the zip files when uploading plugins. I unzip them and then upload the extracted folder via SFTP.
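Johan's first question, whether leaving wp-content writable is good or bad practice, goes unanswered in the thread. The following is an added example (mine, not the post's or the commenters' code) that audits a WordPress tree against the widely recommended baseline for a host where your FTP account owns the files: directories 0755, files 0644, and wp-config.php readable by its owner only. Anything world-writable is reported, because a world-writable wp-content lets any other account on a shared server, or any vulnerable script, drop files into your site. A second function applies that baseline; the trade-off is that WordPress can then no longer write to wp-content itself when PHP runs as a different user, which is exactly why uploading via SFTP, as the reply above does, avoids the problem.

```python
"""Audit and fix WordPress file permissions against a 0755/0644 baseline.

Added example, not from the post or its comments. The baseline assumed here
is the commonly recommended one for hosts where the FTP/SSH account owns the
files: directories 0755, files 0644, wp-config.php 0600. Symlinks are skipped.
"""
import os
import stat
from typing import List, Tuple

WORLD_WRITABLE = stat.S_IWOTH
GROUP_OR_WORLD_READABLE = stat.S_IRGRP | stat.S_IROTH


def audit_permissions(root: str) -> List[Tuple[str, str]]:
    """Return (path relative to root, problem) for every entry below root
    that breaks the baseline: anything world-writable, and a wp-config.php
    that other users on the box can read."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & WORLD_WRITABLE:
                findings.append((rel, "world-writable (%o)" % mode))
            if not is_dir and name == "wp-config.php" and mode & GROUP_OR_WORLD_READABLE:
                findings.append((rel, "wp-config.php readable by other users (%o)" % mode))
    return sorted(findings)


def _chmod_if_needed(path: str, mode: int) -> int:
    """chmod to `mode` unless already set; return 1 if changed, else 0."""
    if os.path.islink(path):
        return 0
    if stat.S_IMODE(os.lstat(path).st_mode) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def apply_baseline(root: str) -> int:
    """Set 0755 on directories, 0644 on files and 0600 on wp-config.php
    below root; return the number of entries changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            changed += _chmod_if_needed(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            # The database password lives in wp-config.php; owner-only read.
            target = 0o600 if f == "wp-config.php" else 0o644
            changed += _chmod_if_needed(os.path.join(dirpath, f), target)
    return changed


if __name__ == "__main__":
    import sys
    # Usage: python wp_perms.py /path/to/wordpress [--fix]
    wp_root = sys.argv[1]
    for rel, problem in audit_permissions(wp_root):
        print(f"{rel}: {problem}")
    if "--fix" in sys.argv[2:]:
        print(f"changed {apply_baseline(wp_root)} entries")
```

On hosts that run PHP under your own account (suEXEC, PHP-FPM pools per user) the 0755/0644 baseline still lets WordPress write where it needs to, so the zip uploader keeps working; on hosts where PHP runs as a shared web-server user, chmod 777 is the only way to make it work, and that is the configuration this audit is meant to flag.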



  • Johan Aug 3, 2009 @ 18:03

    Hi Martin, stupid of me, as I see it was a post of yours on WF

  • CorrieHowe Nov 8, 2009 @ 1:13

    More things to think about and learn when we talk. Thanks!

    • Martin Nov 8, 2009 @ 7:43

      You’re welcome!