
WordPress security tips

How to lock down WordPress

Here are a few tips on how to secure WordPress. The subjects we are going to discuss are:
1. Security best practices.
2. Limit access to the server.
3. Hardening the WordPress core.
4. Essential security add-ons.

Security best practices

WordPress is secure thanks to its open-source codebase and its community: constant updates mean WP evolves quickly. Keep your site up to date.

Since WP 3.7.1, WP ships with automatic (minor) updates, which also saves time.
Full version updates, e.g. from 3.8 to 3.9, are manual.

When WP crashes during an update, the theme or a plug-in could contain faulty code.
Work-around: switch to a standard theme and disable all plug-ins. Then update WP; after the update, activate each plug-in one at a time and finally the theme.

Back up WP regularly.

Use secure usernames and passwords. Avoid default names such as admin, administrator, test, user, or the site name. Longer passwords are better than short cryptic ones.

Create a second account with the Editor role for creating and editing content. Use the admin account only for updates et cetera.

Contributor: write own content.
Author: write and edit own content.
Editor: write and edit other people's content.
Administrator: full control.

Limit access to the server
Use Git when available, which is more secure than FTP.
Use SFTP when available (encrypted connection).
Never use FTP on a public network.

Permissions on WordPress files and folders:
files: 644
first digit: owner 6 read/write
second digit: group 4 read
third digit: public 4 read

folders: 755
first digit: owner 7 read/write/execute
second digit: group 5 read/execute
third digit: public 5 read/execute

Check those permissions if something is wrong with WP.

Hardening the WordPress core

Disable access to wp-includes and wp-config.php by placing redirect code in the .htaccess file. This prevents malicious code from sneaking into those files.

Disable wp-includes:
Add the redirect code to .htaccess after the 'order allow' line but before the # BEGIN WordPress marker.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Reload your site and back-end to check that everything is still working.

Modify wp-config.php:
wp-config.php is important because it holds sensitive information such as the database credentials. So block access to this file from the web, so that malicious code cannot reach it.

Add the following code to .htaccess:
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Reload your site and back-end to check that everything is still working.

Recreate salts:
Also check in wp-config.php that the Unique Keys and Salts are filled in; otherwise regenerate them.

Disable editor:
Add to wp-config.php (above the line /* That's all, stop editing! */):
define('DISALLOW_FILE_EDIT', true);
Dashboard > Appearance > Editor and Dashboard > Plugins > Editor will disappear as a result.
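The script below is an added example, not code from the original post: it applies and audits the 644/755 permission scheme from the "Limit access to the server" section and checks the two wp-config.php changes above (salts filled in, editor disabled). It assumes a POSIX shell with find, chmod and grep, and that the argument is the site root containing wp-config.php; the salt placeholder text is the one shipped in wp-config-sample.php.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with
# find, chmod and grep; "$1" is the WordPress root holding wp-config.php.

# Apply the scheme from the post: directories 755, regular files 644.
wp_fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# List entries that deviate from 644/755; returns 1 when any are found.
wp_check_permissions() {
    bad=$( { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Number of deviating entries (handy as a cron/monitoring check).
wp_count_bad_permissions() {
    { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# 0 when wp-config.php contains define('DISALLOW_FILE_EDIT', true), else 1.
wp_editor_disabled() {
    grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$1/wp-config.php"
}

# 0 when no key/salt line still carries the wp-config-sample.php placeholder
# 'put your unique phrase here'; 1 when the file is missing or a placeholder remains.
wp_salts_filled_in() {
    [ -f "$1/wp-config.php" ] && ! grep -q 'put your unique phrase here' "$1/wp-config.php"
}
```

Run `wp_fix_permissions /path/to/site` once, then schedule `wp_check_permissions`, `wp_editor_disabled` and `wp_salts_filled_in` to catch drift after updates or restores.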

Essential security add-ons

Limit logins:
Use the Limit Login Attempts plugin.

Two-factor authentication:
Two different things are needed to log in: a password and e.g. a code.
Google Authenticator is one way to accomplish this. Use the Google Authenticator app on your smartphone, which generates the code.
https://en.support.wordpress.com/security/two-step-authentication/

Diverting:
A step further in security is placing something between the user and the website login: an external service (a so-called CDN) like CloudFlare. Traffic is filtered, and the website also loads more efficiently.

Disaster:
Ask VaultPress (from the creators of WordPress) for help when your WordPress site is hacked; paid service.
Sucuri.net, paid service, cleans your site.

Photo credit: CarbonNYC [in SF!] / Foter / CC BY

Published by
Damiaan van Vliet
