
Security

Adam Norris edited this page May 14, 2018 · 1 revision

Note: These suggestions are for keeping Wordpress secure.

Logins

  • Upload files via sFTP or SSH (if the hosting company allows it)
  • Do not use 'admin' as a username
  • Ensure your computer is free of viruses and malware
  • Don't access WP over insecure networks without HTTPS.
  • Use strong passwords for accounts (keep the Wordpress generated password if possible)
  • Reserve administrator accounts for trusted users

Keep Up To Date

  • Keep Wordpress Core updated
  • Keep themes and plugins updated
  • Remove unused themes and plugins (e.g. Twenty Sixteen)
  • Don't store old versions of themes/plugins on the server

Restrict Access

  • Ensure wp-config.php permissions are set to 750 or lower, and that no files or folders are set to 777 (world-writable).

  • Restrict access to wp-config.php using .htaccess

    # Restrict access to wp-config
    <files wp-config.php>
    order allow,deny
    deny from all
    # On Apache 2.4 the equivalent directive is: Require all denied
    </files>
  • Disable the plugin and theme editor from the admin area using wp-config.php

    /* Disable the plugin and theme editor */
    define( 'DISALLOW_FILE_EDIT', true );
  • Limit login attempts to prevent brute force attacks
  • Password protect the wp-admin folder through your host (e.g. cPanel)

Obfuscation

  • Prevent user enumeration using .htaccess (i.e. requests such as yoursite.com/?author=1, which redirect to the author's username)

    # Block User ID Phishing Requests (replace example.com with your own domain)
    <IfModule mod_rewrite.c>
    	RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    	RewriteRule .* http://example.com/? [L,R=302]
    </IfModule>
  • Remove the WP version meta tag using functions.php

    /* Return an empty string in place of the generator meta tag */
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wpbeginner_remove_version' );
  • Move wp-config file up one level (outside of the WP directory)
  • Change table_prefix (e.g. use something other than 'wp_')

Other Measures

  • Ensure any user data is sanitised and escaped (see the Codex)
  • Regenerate the secret keys and salts periodically in wp-config.php (Get WP secret keys).
  • Schedule files and database backups (e.g. using Updraft)
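The Restrict Access, Obfuscation and Other Measures items above can be checked rather than just remembered. The following is an added example (not part of the original wiki page) that audits the contents of a wp-config.php for DISALLOW_FILE_EDIT, a non-default table_prefix and placeholder secret keys, and flags permission modes the checklist forbids; the two sample configs are constructed for the demo.

```python
import re
import stat

# The eight secret keys and salts WordPress expects in wp-config.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(true|false|'[^']*')\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

# Constructed sample configs: a default-looking one and one following this checklist.
WEAK_CONFIG = """<?php
$table_prefix = 'wp_';
define( 'AUTH_KEY', 'put your unique phrase here' );
"""
HARDENED_CONFIG = ("<?php\n$table_prefix = 'blog7_';\n"
                   "define( 'DISALLOW_FILE_EDIT', true );\n"
                   + "".join(f"define( '{k}', '{'x' * 64}' );\n" for k in SALT_KEYS))

def audit_wp_config(text):
    """Return human-readable findings for the given wp-config.php contents."""
    defines = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}
    findings = []
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT not true: plugin/theme editor is enabled")
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table_prefix is the default 'wp_'")
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None or PLACEHOLDER in value:
            findings.append(f"{key} is missing or still the sample placeholder")
    return findings

def mode_findings(path, mode):
    """Flag permission bits the checklist forbids: anything world-writable (777-style),
    and any access for 'other' on wp-config.php (i.e. looser than 750)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({oct(mode & 0o777)})")
    if path.endswith("wp-config.php") and mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible by others ({oct(mode & 0o777)})")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(cfg) or ["no findings"])
    print(mode_findings("wp-content/uploads", 0o777))
```

On a real install, feed `audit_wp_config` the file contents and `mode_findings` the `st_mode` of each path from `os.walk`; the regexes only recognise single-quoted `define()` values, which is what WordPress's sample config uses.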

Plugins

Many security plugins cover most of the above steps and may provide additional security measures, e.g.

iThemes Security, Wordfence, Cerber

A more in-depth checklist can be found at Wordpress Security Checklist.

Further details on Wordpress security can be found at the Hardening Wordpress page on the Codex.
