Some notes about measures that can be taken to secure your WordPress site.
Keep WordPress Updated
WordPress installs minor (security and maintenance) releases automatically by default; the constant below makes that choice explicit, or extends it to major releases. Check that nothing else switches the background updater off (DISALLOW_FILE_MODS, covered further down, does).
Auto-install Minor Core Updates
In wp-config.php
add:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
The value is a string and must be quoted: an unquoted minor is an undefined PHP constant, a warning on PHP 7 and a fatal error on PHP 8.
Auto-install All Core Updates
In wp-config.php
add:
define( 'WP_AUTO_UPDATE_CORE', true );
Be Selective with Plugins and Themes
“51% of attacks are made through a WordPress plugin or theme”
Security holes in themes and plugins account for more than half of successful WordPress compromises, so every plugin you activate deserves the same scrutiny as core.
- Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it. A deactivated plugin is still PHP on disk that can be reached directly by URL.
- Be wary of plugins that have not been updated within the last two years; they may have known security holes that nobody is going to fix. If possible, only use plugins that are updated regularly and have a maintainer who responds to reports.
- Not all plugins are created equal. A poorly coded plugin runs with the same privileges as core, so one unescaped parameter in it is enough to hand an attacker the whole site.
Remove the admin User
- Create a new user with administrator privileges
- Delete admin and attribute its posts to the new user
The default login is the first thing a brute-force script tries, so dropping it removes the easy guess. Don't rely on the new name staying secret, though: author archives (/?author=1) and the REST API users endpoint reveal the login names of anyone who has published, so a strong, unique password and a second factor do the real work.
Hide wp-config.php
In .htaccess
add:
<files wp-config.php>
order allow,deny
deny from all
</files>
That is Apache 2.2 syntax; on Apache 2.4 the equivalent line inside the same <files> block is Require all denied. Under normal conditions PHP executes wp-config.php rather than serving it, so this rule is insurance against a broken PHP handler. It matches that exact filename only, so never leave editor or backup copies (wp-config.php~, wp-config.php.bak and the like) in the web root, where they can be served as plain text. nginx ignores .htaccess entirely; there the deny goes into the server block.
Update Salts
In wp-config.php
replace the eight AUTH_KEY / SECURE_AUTH_KEY / LOGGED_IN_KEY / NONCE_KEY and matching _SALT values with fresh ones generated here:
https://api.wordpress.org/secret-key/1.1/salt/
Never leave the sample file's "put your unique phrase here" placeholders in place. Rotating the salts invalidates every existing login cookie, which is exactly what you want after a suspected compromise; just schedule it so the forced logout doesn't surprise anyone.
Disable File Editing
Removes the theme and plugin code editors from the dashboard, so an attacker who obtains an administrator session cannot drop PHP into a theme file from the browser.
In wp-config.php
add:
define( 'DISALLOW_FILE_EDIT', true );
Disable Plugin and Theme Modifications through Admin
Stricter than DISALLOW_FILE_EDIT: it also removes install, update and delete for plugins and themes, and it switches off the background updater, including the core auto-updates configured above. Use it only when updates arrive another way (WP-CLI or a deploy pipeline); otherwise it trades one risk for unpatched software.
In wp-config.php
add:
define( 'DISALLOW_FILE_MODS', true );
Eliminate Error Reporting
PHP errors leak absolute paths, plugin names and sometimes query fragments. On a production site they must never reach the browser; they should still reach a log outside the web root, where they are useful during incident response.
In wp-config.php
add:
define( 'WP_DEBUG', false );     // production: WordPress then leaves display_errors to PHP's own settings
@ini_set( 'display_errors', 0 ); // so switch display off here, before any output is sent
@ini_set( 'log_errors', 1 );     // keep the PHP error log (its path is error_log in php.ini)
An error_reporting(0) in wp-config.php buys little: WordPress resets the reporting level in wp_debug_mode() as soon as wp-settings.php runs, and silencing the log along with the display destroys evidence. If you turn on WP_DEBUG_LOG on a staging site, remember its default file is wp-content/debug.log, inside the web root.
File Permissions
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
These numbers assume PHP runs as the user that owns the files (a PHP-FPM pool per site, or suexec). If PHP runs as a separate web-server user, 600 on wp-config.php makes the site unreadable; use 640 with the web-server user as the group owner instead. Only wp-content/uploads (and whatever a caching plugin writes to) needs to be writable by PHP, and nothing under the web root should ever be 777.
Regular Backups
Back up files and the database on a schedule to a location the web server cannot write to (an attacker who owns the site must not be able to delete the backups as well), keep several generations, and test a restore: a backup that has never been restored is a hope, not a backup.
Two-factor Authentication
Core ships without a second factor; add one through a plugin and require it for every account that can reach wp-admin, administrators first. It is the one control on this page that still holds when a password has leaked.
Security Plugins
Some plugins scan for existing compromises (modified core files, known malware signatures) and add preventive controls such as login rate limiting or a web application firewall. They are a complement to the measures above, not a substitute, and each one is itself a plugin to keep updated.
- https://wordpress.org/plugins/wordfence/
- https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
- https://wordpress.org/plugins/sucuri-scanner/
In addition, remove the readme.html file from the install: it states the WordPress version, which tells an attacker exactly which core vulnerabilities to try. The version is also printed in the generator meta tag in every page's head and in the ?ver= query strings on core scripts and styles, so hiding it is only a speed bump; the real fix is staying updated.
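As an added example (not part of the original notes), a POSIX shell script that audits a WordPress directory against the file-level items above: the salts, the DISALLOW_FILE_EDIT, WP_DEBUG and WP_AUTO_UPDATE_CORE constants, the permission policy, and readme.html. The function names, the finding messages and the wp_fix helper are my own; it assumes PHP runs as the file owner (so wp-config.php can be 600) and checks nothing that needs the database.

```shell
#!/bin/sh
# Added example, not code from the notes above: audit (and partly fix) a
# WordPress directory against the file-level items in these notes.
# Assumptions: $1 is the WordPress root; PHP runs as the file owner, so
# wp-config.php may be 600 (use 640 with the web-server group otherwise).

# wp_audit ROOT: print one finding per line; return the number of findings (0 = clean).
wp_audit() {
  root=$1
  cfg=$root/wp-config.php
  n=0

  # Placeholder salts copied straight from wp-config-sample.php
  if grep -q 'put your unique phrase here' "$cfg"; then
    echo "salts: placeholder values still present"; n=$((n+1))
  fi
  # All eight keys/salts must be defined
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    grep -Eq "define\( *'$k'" "$cfg" || { echo "salts: $k not defined"; n=$((n+1)); }
  done

  # Hardening constants from the notes
  grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg" \
    || { echo "wp-config: DISALLOW_FILE_EDIT is not true"; n=$((n+1)); }
  grep -Eq "define\( *'WP_DEBUG' *, *true *\)" "$cfg" \
    && { echo "wp-config: WP_DEBUG is true on a production site"; n=$((n+1)); }
  # An unquoted value here is an undefined PHP constant, not a setting
  grep -Eq "define\( *'WP_AUTO_UPDATE_CORE' *, *minor *\)" "$cfg" \
    && { echo "wp-config: WP_AUTO_UPDATE_CORE value minor must be quoted"; n=$((n+1)); }

  # Version disclosure
  [ -e "$root/readme.html" ] && { echo "readme.html present (discloses version)"; n=$((n+1)); }

  # Permission policy: directories 755, files 644, wp-config.php 600
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
  bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
  [ "$bad_dirs" -gt 0 ] && { echo "perms: $bad_dirs directories are not 755"; n=$((n+1)); }
  [ "$bad_files" -gt 0 ] && { echo "perms: $bad_files files are not 644"; n=$((n+1)); }
  [ -n "$(find "$cfg" -perm 600)" ] || { echo "perms: wp-config.php is not 600"; n=$((n+1)); }

  return $n
}

# wp_fix ROOT: apply the permission policy and remove readme.html.
# Salts and constants are left to a human: rotating salts logs every user out.
wp_fix() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 600 "$root/wp-config.php"
  rm -f "$root/readme.html"
}

# Stand-alone use: sh wp-audit.sh /var/www/html
if [ "$#" -gt 0 ]; then
  wp_audit "$1" || echo "findings: $?"
fi
```

Run the audit before and after wp_fix; the permission and readme.html findings disappear, while the salt and constant findings stay until wp-config.php is edited by hand. The exit status doubles as the finding count, so it drops into a cron job or a deploy check without parsing output.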