These WordPress security tips will help you lock down your WordPress website and make it more secure for you and your site members. They also reduce the chance of private user information being lost or stolen.
1. User Passwords
The first thing to secure is the password that you use to access and customize your website. Surely you have heard this many times, but it's important that you use long passwords made up of uppercase and lowercase letters, numbers and special characters. Also, you should avoid using the same password for all the websites or web services you use. If you find it difficult to remember all the passwords, install a program that will do it for you (e.g. https://lastpass.com/), so you only have to remember one password. With this kind of software you can also generate and use complex passwords.
2. File Permissions
Most of you are using shared hosting, primarily because it is a lot cheaper. What does this mean? On a single server there can be multiple sites, sometimes up to 400 or more.
What are permissions and what do the numbers mean? Permissions are defined for each file or folder in the Linux file system; they determine who can work with it and what can be done with it. Each file or folder has an owner, a group that the owner belongs to, and the rest of the users who meet neither condition (they are neither the owner nor members of the owner's group). Permissions are divided into reading, writing and executing files or folder contents.
If these permissions, which are represented in binary, are translated into the decimal system, we have the following:
Read = 4
Read + Write = 6
Read + Write + Execute = 7
Read + Execute = 5
This is all the information that we need for now, more details can be found here:
How should permissions be set up on files and folders? All files need to be 644. What does that mean? You, the account owner, will be able to read and write the data, while users who belong to the same group as you, like everyone else, will only be able to read your files. Exceptions are some special scripts (.php, .pl, .py), if you use them, which can be scheduled to run backups etc.
Folder permissions should be 755: the owner can do anything, while the group and others can only read and execute the content. Some web applications may require 777 permissions on a folder; such items are specified during installation and can be a potential security threat.
Why are permissions so important? Like we said, you share the server with several users. Each of them can be a threat to you. An analogy can be made between a building (server) with many apartments (web sites). If someone is able to use an apartment that was left open in the building, the only thing keeping him out of your apartment (web site) is a locked door i.e. well set permissions.
The wp-config.php file is important because it contains very sensitive data (database login details, database prefix, etc.), and you should lower the permissions on this file to 400. The main reason for this is the widely used symlink hack on shared servers.
You can set the file permissions through an FTP client or with the Better WordPress Security plugin.
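A way to check an installation against the targets given above (files 644, folders 755, wp-config.php 400). This is an added example, not part of the original article or of any plugin it mentions; the function name and the constructed sample tree are assumptions made for illustration.

```python
import os
import stat

# Targets from the text above: files 644, folders 755, wp-config.php 400.
FILE_MODE = 0o644
DIR_MODE = 0o755
SPECIAL_FILES = {"wp-config.php": 0o400}


def audit_permissions(root):
    """Return (relative_path, actual, expected, world_writable) for every
    file or folder under root that grants more than its target mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are never followed
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                expected = DIR_MODE
            else:
                expected = SPECIAL_FILES.get(name, FILE_MODE)
            if actual & ~expected:  # any permission bit beyond the target
                findings.append((os.path.relpath(path, root), actual,
                                 expected, bool(actual & stat.S_IWOTH)))
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree, not a real site.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        os.chmod(os.path.join(root, "uploads"), 0o777)
        for name, mode in (("wp-config.php", 0o644), ("index.php", 0o644)):
            target = os.path.join(root, name)
            open(target, "w").close()
            os.chmod(target, mode)
        for rel, actual, expected, ww in audit_permissions(root):
            flag = "  WORLD-WRITABLE" if ww else ""
            print(f"{rel}: {actual:03o} (target {expected:03o}){flag}")
```

Scripts that legitimately need the execute bit, such as the scheduled backup scripts mentioned above, will be listed too and should be reviewed rather than changed blindly.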
3. Change default database prefix wp
This can easily be done during the installation of WordPress. Otherwise, you need to find the WordPress config file (wp-config.php), change the default table prefix value, and then rename every table in the database individually. There are plugins that will do this for you; again, Better WordPress Security is one of them. The default value should be changed because of potentially serious SQL injection attacks on your WordPress via a vulnerable plugin; a non-default prefix makes such an attack harder to exploit. It should be something random like:
$table_prefix = 'upcmtq';
4. Change default login address (URL)
If anyone comes into possession of your blog login details but cannot find the login URL, they will not be able to use them. For this reason it is important to hide it. This will also help you against brute force attacks. There are plugins that will help you hide the login URL (like Better WordPress Security).
Your login URL should be like so: http://www.mysite.com/somenonstandardtext67
5. Change default admin username
All attacks (brute force, SQL injection, …) which require a username will initially start with this account. That's why it should be changed. This can't be done from the WordPress dashboard and will require a plugin installation. The one that we recommend is Better WordPress Security.
Please note that if your site is already added to ManageWP, it might need to be re-added after the admin name is changed.
6. Update, Update and Update
New versions of WordPress, themes or plugins often bring security patches and fixes. So it is very important to run the latest versions of WordPress, themes and plugins.
This can easily be done through the ManageWP update WordPress, themes, plugins functionality.
7. Disable Editing of Theme/Plugin files
When the wp-admin dashboard is compromised, attackers look for a way to upload PHP or inject JS code into your files. Editing theme/plugin files from the dashboard is something users almost never do, but it can be used for malicious purposes.
Editing can be disabled by adding the following line to your wp-config.php file: define('DISALLOW_FILE_EDIT', true);
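To confirm that the settings from tips 3 and 7 are actually in effect, a wp-config.php can be checked for the default `wp_` prefix and for a missing or commented-out DISALLOW_FILE_EDIT line. This is an added example, not code from the original article; the function names and the sample configuration are constructed for illustration, and the comment stripping only handles comments that start a line.

```python
import re

# Constructed sample, not a real site's configuration.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
"""

PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
EDIT_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(\w+)\s*\)\s*;""")


def strip_php_comments(source):
    """Drop /* ... */ blocks and lines that start with // or #, so a
    commented-out setting is not mistaken for an active one."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", source)


def audit_wp_config(source):
    """Return a list of findings for the two settings discussed above."""
    code = strip_php_comments(source)
    issues = []
    prefix = PREFIX_RE.search(code)
    if prefix is None:
        issues.append("table prefix assignment not found")
    elif prefix.group(1) == "wp_":
        issues.append("default table prefix wp_ still in use")
    edit = EDIT_RE.search(code)
    if edit is None or edit.group(1).lower() != "true":
        issues.append("DISALLOW_FILE_EDIT is not set to true")
    return issues


if __name__ == "__main__":
    for issue in audit_wp_config(SAMPLE_CONFIG):
        print(issue)
```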
8. Limit wp-admin login to IP
If you are the only one managing your site, you can simply restrict access to it by IP. Just create a .htaccess file in the wp-admin folder that contains:
# replace 192.168.1.2 with your IP address
allow from 192.168.1.2
# Manage IPs
allow from 184.108.40.206
allow from 220.127.116.11
allow from 18.104.22.168
allow from 22.214.171.124
deny from all
Note: Please change the value 192.168.1.2 to your IP
9. Prevent people trying to execute plugins or theme files in case one is vulnerable
Create a .htaccess file in wp-content/plugins and in wp-content/themes with the following content:
<Files *.php>
deny from all
# replace 192.168.1.2 with your server IP address
allow from 192.168.1.2
</Files>
Note: Replace 192.168.1.2 with your server IP address
10. Disable Directory Browsing
Someone who knows the directory structure of your site may use this knowledge to do some damage. Besides, you should not let them know what plugins you are using.
Just add the following to the .htaccess in the root of the WordPress installation:
Options -Indexes
11. Install only trusted plugins
Try to minimize the number of plugins, install only what you really need. WordPress itself is quite safe. However, plugins can be written by people who sometimes do not pay enough attention to security or safety and this is where a problem may occur, because a vulnerable plugin is sufficient to undermine the security of the entire WordPress. Before you install a plugin, visit the following websites to find out if there are, to date, some security issues:
12. BackUp, BackUp and BackUp
Again, BackUp. All of the above only makes taking control of your site harder for the bad guys, but it is crucial to be prepared in case all this is not enough. This is where the backups kick in. When should you make your backups? That depends on how often you modify the content of your website or blog. The more you change, the more frequent your backups should be.