Web Hosting

WordPress Security: FTP – a Door That’s Often Left Open

I read an interesting article on WordPress security today on a new site that Jack Humphrey pointed out:


A lot of attention is quite rightly focused on securing your WordPress installation itself.  But, however secure your WP installation is counts for nothing if you’re leaving other doors open.

Common sense precautions

It’s worth being aware that a determined hacker is going to be able to get in to pretty much any site they want. But you can protect your WP installation from the mass bot hackers with a few common sense precautions.

Here are some steps I’ve taken:

  • I’ve changed my login name from ‘admin’ (the default name WordPress assigns) to something else (long and complex)
  • I’ve made sure my password is as strong as I can make it
  • I’ve put an extra layer of security around the wp-admin directory
  • I’ve created a blank index.html file in the wp-content/plugins directory to hide the plugins I’m using, and done the same for themes

If you prefer, there are WordPress Security plugins that will do all that for you and keep monitoring your installation for vulnerabilities.

The more users you allow to update your blog the more risk there is. I get guest bloggers to send me their posts and I put them up myself rather than give out user access rights. I also don’t allow registration.

Update, update, Update

Of course, it should go without saying that you must keep your WordPress version as well as all your plugins and themes absolutely up to date.

Out of date software is manna from heaven for hackers!

Other areas to secure

But there are some areas that people often overlook, and which allow hackers to get access to your WordPress installation via your FTP details.

Use SFTP, not FTP

If you’re not using SFTP (or Secure Shell Access if your hosting provider doesn’t support SFTP) then your FTP login details are being transmitted across the Internet in clear every time you log on and upload/download stuff.

I back up my blog system files each week by copying everything back to my local computer.  This takes around an hour currently, so anyone who wanted to pick up my FTP login details would have plenty of time to do so.

Keep your computer free of malware

Also, of course, you could have spyware on your machine which would pick up your FTP logins from there.  (Along with all your other logins!).

So it pays to consider your entire computer environment and the tools you’re using, and make sure that everything is secure – not just your WP installation.


In addition to all the WP specific precautions you can read about in dozens of places, make sure your computer is absolutely clean (use a good anti-spyware/malware application and scan it regularly – here’s a good one).

Use SFTP or Secure Shell Access to encrypt your connection when you transfer files between your server and your computer.

Feel free to point out other security steps that I’ve missed – there will definitely be some!

Web Hosting

Next post:

Previous post: