Magento WordPress Integration Security


Any installed web application can present serious security risks, and this includes WordPress and Magento. Fortunately, by following some simple steps it is quite easy to reduce these risks and integrate WordPress into Magento securely.


The first and easiest step is to always keep the WordPress core, plugins and themes upgraded to the latest version. If you have a security incident while running out-of-date WordPress software, you only have yourself to blame.

WordPress updates are extremely easy to do without needing to worry about code (unlike Magento updates) so there is really no excuse.

You should also keep all FishPig modules as up to date as possible, and whenever you upgrade one FishPig module, you should upgrade them all at the same time. If you need any help with this, get in touch.

Limit Third Party Code

A high number of WordPress hacks are caused by insecure third-party plugin or theme code. You can mitigate this risk by only installing plugins that you really need. Too often I see sites with 30+ plugins installed, of which only 4-5 are actually used. Disable all plugins and then re-enable only those that you need. If you don't use them, delete them. A plugin can't pose a security risk if it has been deleted.

The same goes for WordPress themes. When integrated into Magento, the FishPig theme should be used, so you should delete all other themes.

Database Security

For security reasons, it is best to run WordPress in its own database with its own database user. This user should not have any access to the Magento database. If done this way, SQL injection attacks in WordPress will not lead to Magento data being affected.

It is also advisable to use a random and non-standard table prefix. This has a small security benefit but is still recommended.

Block Bots with our Security Suite

Automated bots are constantly trying to attack your Magento and WordPress installations. Integrating WordPress hides it from these bots but it's still a good idea to block them. Our Magento 2 Security Suite will protect both Magento and WordPress from spam bots and automated hacking attempts.

Server Security (.htaccess)

The following .htaccess file will provide an extra layer of protection for your WordPress installation. It limits access to specific files and can be modified to your needs. It should be placed inside your WordPress installation directory (e.g. wp/.htaccess).

The file starts by allowing access to certain file extensions (CSS, JS and image files). You can add any other file types that you need here.

The next section allows access to specific PHP files. You should remove any PHP files here that you don't need. For example, if you don't have any plugins installed that use Ajax, you can remove the admin-ajax.php reference.

The final two sections are for Admin access. By default, the file allows access to wp-admin to everyone; however, you can remove this line and add per-IP restrictions instead. This allows you to limit admin access to specific IPs. If you do this, you can also remove the reference to wp-login.php so that only the allowed IPs can access this file.

# Secure WordPress when integrated into Magento
<IfModule mod_rewrite.c>
RewriteEngine On

# Allow access to certain file extensions
RewriteCond %{REQUEST_URI} !\.(js|css|jpg|png|gif|svg|woff|woff2)$
# Allow access to specific PHP files
RewriteCond %{REQUEST_URI} !/index\.php
RewriteCond %{REQUEST_URI} !/wp-(comments-post|login)\.php
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php
# Never rewrite the 404 target itself, so the blocking rule cannot loop
RewriteCond %{REQUEST_URI} !/404\.php

# Allow global access to specific IPs
# This will allow Admin access
# Enter IPs below that should be allowed Admin access
# RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# RewriteCond %{REMOTE_ADDR} !^82\.12\.10\.1$

# This line allows Admin access to all IPs
# Remove this to limit it to the IPs entered above
RewriteCond %{REQUEST_URI} !/wp-admin/

# Rewrite everything else to 404.php
# You can create a 404.php file in your WordPress folder
# If this file doesn't exist, the Magento 404 will display
RewriteRule .* 404.php [L]
</IfModule>
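
Before deploying a variant of this file, it helps to check which requests it will actually let through. The following is an added Python model of the rule set above (example code written for this page, not FishPig's code): every negated RewriteCond is an allow pattern, and a request is rewritten to 404.php only when none of them matches. The regexes mirror the file with dots escaped; the IP addresses and request paths are constructed sample values.

```python
import re

# Allow patterns taken from the negated RewriteCond lines on REQUEST_URI.
# All conditions must hold (AND) for the blocking RewriteRule to fire, so a
# request is allowed as soon as any single pattern matches it.
DEFAULT_ALLOW = [
    r"\.(js|css|jpg|png|gif|svg|woff|woff2)$",  # static assets
    r"/index\.php",                             # WordPress front controller
    r"/wp-(comments-post|login)\.php",          # comment posting and login
    r"/wp-admin/admin-ajax\.php",               # plugin Ajax endpoint
]

# Constructed sample requests used to compare configuration variants.
SAMPLE_REQUESTS = [
    "/wp/index.php",
    "/wp/wp-login.php",
    "/wp/wp-admin/",
    "/wp/wp-admin/admin-ajax.php",
    "/wp/wp-content/themes/fishpig/style.css",
    "/wp/wp-config.php",
    "/wp/xmlrpc.php",
]


def is_blocked(uri, remote_addr, admin_ips=(), open_admin=True,
               allow=DEFAULT_ALLOW):
    """True when the rule set would rewrite this request to 404.php.

    admin_ips  - addresses entered in the 'RewriteCond %{REMOTE_ADDR}' lines
    open_admin - whether the 'RewriteCond %{REQUEST_URI} !/wp-admin/' line is kept
    allow      - the URI allow patterns (drop wp-login to restrict it by IP)
    """
    path = uri.split("?", 1)[0]  # Apache's REQUEST_URI carries no query string
    if any(re.search(p, path) for p in allow):
        return False
    # A listed address fails its negated IP condition, so the rule never fires
    # for it: that address reaches every path, not only wp-admin.
    if remote_addr in admin_ips:
        return False
    if open_admin and re.search(r"/wp-admin/", path):
        return False
    return True


def blocked_paths(remote_addr, admin_ips=(), open_admin=True,
                  allow=DEFAULT_ALLOW):
    """Sorted sample paths that a given configuration blocks for this client."""
    return sorted(p for p in SAMPLE_REQUESTS
                  if is_blocked(p, remote_addr, admin_ips, open_admin, allow))
```

Note that keeping the "!/wp-admin/" line while also entering IPs leaves wp-admin open to everyone, because that line alone already stops the rule from firing for any wp-admin request.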


These rules rewrite every blocked request to a 404.php file in the WordPress directory (the same directory as this .htaccess, as the comment in the file notes); if the file does not exist, the Magento 404 page is displayed instead. The file can be as simple as the code below.

	<?php
	// wp/404.php: served for every request the .htaccess rules block
	header('HTTP/1.0 404 Not Found');
	echo '404';

By locking down access to WordPress by IP address, you effectively make your WordPress installation un-hackable; however, you should still follow all the other steps, ensure everything is always updated and keep the WordPress database separate.