WordPress Security

Some notes about measures that can be taken to secure your WordPress site.

Keep WordPress Updated

Consider enabling automatic core updates.

Auto-install Minor Core Updates

In wp-config.php add:

define( 'WP_AUTO_UPDATE_CORE', minor );

Auto-install All Core Updates

In wp-config.php add:

define( 'WP_AUTO_UPDATE_CORE', true );

Be Selective with Plugins and Theme

“51% of attacks are made through a WordPress plugin or theme”

Security holes in themes and plugins represent more than half of all successful WordPress hacks. You therefore need to pay attention to the plugins you activate on your website.

  • Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it.
  • Be wary of plugins that have not been updated within the last two years as they may have security holes in them that have not been addressed. If possible, only use plugins that are updated regularly.
  • All plugins are not created equal. Be conscious of the fact that a poorly coded plugin could make it easier for a hacker to gain access to your website.

  • https://wordpress.org/plugins/plugin-vulnerabilities/

Remove admin User

  • Create a new user with administrator privileges
  • Delete admin and attribute posts to new user

Hide wp-config.php

In .htaccess add:

<files wp-config.php>
order allow,deny
deny from all
</files>

Update Salts

In wp-config.php replace salts with those generated here:

https://api.wordpress.org/secret-key/1.1/salt/

Disable File Editing

Prevent updating files through admin.

In wp-config.php add:

define( 'DISALLOW_FILE_EDIT', true );

Disable Plugin and Theme Modifications through Admin

In wp-config.php add:

define( 'DISALLOW_FILE_MODS', true );

Eliminate Error Reporting

Errors contain path info that can be exploited. On production site, they should be eliminated.

In wp-config.php add:

define( 'WP_DEBUG', false );
error_reporting(0);
@ini_set( 'display_errors', 0 );

File Permissions

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

Regular Backups

Files and DB should be backed up to secure location regularly.

Two-factor Authentication

Security Plugins

There are some plugins that check for current compromises and help prevent future vulnerabilities.

In addition, remove the readme.html file from the install, because it also exposes the version number.

Further Reading