Steps to Harden Your WordPress Website Security

WordPress is one of the most popular content management systems out there and with good reason. It’s simple to use, there are thousands of themes and plugins available for it, and you can create any type of website with it. It’s no wonder then that WordPress powers 35.6% of all websites on the internet.
Steps to Secure Your WordPress Website
To keep your site from becoming one of the statistics on Internet Live Stats, follow the tips below to secure your WordPress website.
1. Opt For A Hosting Company With Security Features
2. Use Strong Passwords
3. Rename the “Admin” Username
4. Use a Contributor or Editor Account to Post On Your Site
5. Use a Backup Plugin
6. Harden The Admin Area
7. Keep Files Up to Date
8. Protect Your Computer
9. Change Your Database Prefix
10. Use HTTPS and SSL
11. Harden Your .htaccess and wp-config.php Files
Add the following to the .htaccess file in your site root. The directives use the Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat, use `Require all denied` and `Require ip xxx.xxx.xxx.xxx` instead.

```apache
# Block direct web access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# Block direct web access to the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Restrict the login page to your own IP address
<Files wp-login.php>
order deny,allow
Deny from all
# allow access from my IP address
allow from xxx.xxx.xxx.xxx
</Files>
```
12. Prevent PHP file execution
Put the following in a .htaccess file inside directories that should only ever serve static files, such as wp-content/uploads (in the site root it would block WordPress itself):

```apache
# Refuse to serve any .php file from this directory
<Files *.php>
deny from all
</Files>
```
13. Check and Change the File Permissions
According to the WordPress Codex, file permissions should be set as follows:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
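The scheme above can be applied and then audited with a small shell script. The one below is an added example written for this article, not something from WordPress itself; the site root is passed as an argument, and the /var/www/html path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: enforce and audit the Codex
# permission scheme (dirs 755, files 644, wp-config.php 600) on a site root.

# apply_wp_permissions <site-root>
# Recursively sets directories to 755, files to 644 and wp-config.php to 600.
# Run as the user that owns the files.
apply_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# audit_wp_permissions <site-root>
# Prints every path that is looser than the scheme and returns 1 if any
# were found, 0 if the tree is clean. Octal -perm tests are used so the
# script works with both GNU and BSD find.
audit_wp_permissions() {
    root="$1"
    bad=0
    # -perm -020: group-writable, -perm -002: world-writable
    loose=$(find "$root" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "group/world-writable paths under $root:"
        echo "$loose"
        bad=1
    fi
    # wp-config.php holds the database credentials and the security keys,
    # so group and other must have no bits at all: ls shows "------" in
    # columns 5-10 of the mode string
    if [ -f "$root/wp-config.php" ] && \
       [ "$(ls -ld "$root/wp-config.php" | cut -c5-10)" != "------" ]; then
        echo "wp-config.php is readable by group/others: $root/wp-config.php"
        bad=1
    fi
    return $bad
}

# Usage: sh wp-perms.sh /var/www/html        (audit only)
#        sh wp-perms.sh /var/www/html --fix  (apply the scheme, then audit)
if [ -n "$1" ]; then
    if [ "$2" = "--fix" ]; then
        apply_wp_permissions "$1"
    fi
    audit_wp_permissions "$1"
fi
```

Run the audit from cron or a deployment pipeline: a non-zero exit means a plugin install, a backup restore or a careless chmod has loosened something since the last check.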
14. Use Two-Factor Authentication
Consider using a plugin like Google Authenticator to set up two-factor authentication for your site. This means that in addition to entering your password, you will also have to enter a code generated by a mobile app to log in to your site. This can stop brute-force attacks so it’s a good idea to set it up now.
15. Disable XML-RPC
XML-RPC allows your site to establish a connection with the WordPress mobile apps and with plugins like Jetpack. Unfortunately, it’s also a favorite of WordPress hackers because they can abuse this protocol to execute several commands at once and gain access to your site. If you don’t need it, use a plugin such as Disable XML-RPC to turn the feature off.
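Before turning the endpoint off (or to confirm that nobody legitimate was using it), it is worth looking at who has been hitting it. The script below is an added example, not from the article or from any plugin: it counts POST requests to /xmlrpc.php per client IP in a combined-format access log and lists the clients above a threshold. The log lines and the default threshold of five are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: spot heavy XML-RPC use in an
# Apache/Nginx "combined" access log, where $1 is the client IP, $6 the
# quoted request method and $7 the request path.

# xmlrpc_offenders <access-log> [threshold]
# Prints "<count> <client-ip>" for every client that sent more than
# <threshold> POST requests to /xmlrpc.php (default 5), highest first.
xmlrpc_offenders() {
    log="$1"
    threshold="${2:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > t) print hits[ip], ip }
    ' "$log" | sort -rn
}

# write_sample_log <path>
# Constructed sample: one client posts to xmlrpc.php eight times within a
# few seconds (the pattern of automated login guessing through XML-RPC),
# another posts twice (a mobile app or Jetpack), plus ordinary traffic.
# Addresses are from the RFC 5737 documentation ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "wp-android/21.0"
192.0.2.44 - - [10/Oct/2023:13:58:41 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:58:45 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:33 +0000] "POST /xmlrpc.php HTTP/1.1" 200 598 "-" "wp-android/21.0"
EOF
}

# Usage: sh xmlrpc-check.sh /var/log/apache2/access.log [threshold]
if [ -n "$1" ]; then
    xmlrpc_offenders "$1" "$2"
fi
```

A client that appears in this list with hundreds of POSTs in a few minutes is almost always a password-guessing bot; a client with a handful of POSTs spread over the day is the kind of app traffic you would lose by disabling the endpoint.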
16. Disable Theme and Plugin Editing Through Your WordPress Dashboard
Disable this feature by adding the following code to your wp-config.php file:
```php
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
```
17. Change Your WordPress Security Keys
Replace the placeholder value of each of these eight constants in wp-config.php with a long, random phrase of its own:

```php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
```
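The values must be long, random and different for each key. WordPress.org offers a generator at https://api.wordpress.org/secret-key/1.1/salt/; the shell script below is an added example (not from the article or from WordPress) that produces an equivalent block offline from /dev/urandom and can check whether a wp-config.php still carries the stock placeholder. The 64-character length is an assumption; anything comparably long and random works.

```shell
#!/bin/sh
# Added example, not from the article: generate the eight WordPress
# security keys locally and detect configs that still use the placeholder.

# wp_random_salt
# Prints 64 random printable characters drawn from /dev/urandom. The set
# deliberately omits the single quote and the backslash so the value can be
# dropped into a PHP single-quoted string unchanged.
wp_random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=-' </dev/urandom | head -c 64
}

# wp_generate_salts
# Prints the eight define() lines in the order WordPress lists them,
# each with its own freshly generated value.
wp_generate_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_salt)"
    done
}

# wp_config_has_placeholder_keys <wp-config.php>
# Returns 0 if the file still contains the stock placeholder phrase
# (i.e. the keys were never changed), 1 if it does not.
wp_config_has_placeholder_keys() {
    grep -q "put your unique phrase here" "$1"
}

# Usage: sh wp-salts.sh                  (print a fresh block)
#        sh wp-salts.sh /path/wp-config.php   (check for placeholders)
if [ -n "$1" ]; then
    if wp_config_has_placeholder_keys "$1"; then
        echo "$1 still uses the placeholder security keys"
    else
        echo "$1 has custom security keys"
    fi
else
    wp_generate_salts
fi
```

Paste the output over the eight define lines in wp-config.php. Changing the keys invalidates every existing login cookie, so all users, including you, are logged out once; that is also why rotating them is a sensible step after a suspected compromise.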
18. Disable Error Reporting
PHP error messages displayed on a page can reveal file paths and other details about your setup, so on a live site disable them by adding the code below to your wp-config.php file:

```php
// Stop PHP from reporting errors and from showing them to visitors
error_reporting(0);
@ini_set('display_errors', 0);
```
19. Remove the WordPress Version Number
You can remove the WordPress version number by editing your theme’s functions.php file and adding the following:
```php
// Remove the <meta name="generator"> tag that prints the WordPress version in <head>
// (the version also shows up in ?ver= query strings on enqueued scripts and styles)
remove_action('wp_head', 'wp_generator');
```
20. Use Security Headers
Send these headers from PHP before any output, for example from a send_headers action in your theme’s functions.php:

```php
// Content-Security-Policy: test this value against your theme first; "default-src https:"
// also blocks inline scripts and styles, which many themes and plugins rely on
header('Content-Security-Policy: default-src https:');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security: max-age=31536000; includeSubdomains; preload');
// Harden the PHP session cookie: no JavaScript access, HTTPS only, no session IDs in URLs
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
```
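Once the headers are in place, confirm from outside that the live site actually sends them. The function below is an added example, not part of the article or of WordPress: it reads a raw HTTP response on stdin and reports which of the headers are missing and whether any cookie the site sets lacks HttpOnly or Secure. It leaves X-XSS-Protection out of the required set because current browsers ignore that header. The two sample responses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: check a captured HTTP response for
# the security headers and cookie flags configured above.
# Live use:  curl -sD - -o /dev/null https://example.com/ | check_security_headers

# check_security_headers
# Reads status line plus headers on stdin. Prints one line per finding and
# returns 1 if anything is missing, 0 if every check passes.
check_security_headers() {
    # strip the CR of CRLF line endings and lower-case everything so the
    # matching is case-insensitive (header names are by definition)
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    findings=0
    for name in content-security-policy \
                x-content-type-options \
                strict-transport-security; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$name:"; then
            echo "missing header: $name"
            findings=1
        fi
    done
    # every cookie the site sets should carry HttpOnly and Secure
    cookies=$(printf '%s\n' "$hdrs" | grep '^set-cookie:' || true)
    if [ -n "$cookies" ]; then
        for attr in httponly secure; do
            # grep -v succeeds when at least one cookie line lacks the attribute
            if printf '%s\n' "$cookies" | grep -qv "$attr"; then
                echo "set-cookie without $attr"
                findings=1
            fi
        done
    fi
    return $findings
}

# Constructed sample: what a stock PHP/WordPress install tends to return.
sample_default_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Date: Tue, 10 Oct 2023 13:55:01 GMT' \
        'Server: Apache' \
        'Set-Cookie: PHPSESSID=abc123; path=/' \
        'Content-Type: text/html; charset=UTF-8' \
        ''
}

# Constructed sample: the same site after the header() and ini_set() calls.
sample_hardened_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Date: Tue, 10 Oct 2023 13:55:01 GMT' \
        'Content-Security-Policy: default-src https:' \
        'X-Content-Type-Options: nosniff' \
        'Strict-Transport-Security: max-age=31536000; includeSubdomains; preload' \
        'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly' \
        'Content-Type: text/html; charset=UTF-8' \
        ''
}

# Usage: sh header-check.sh --demo   (run against the two samples)
if [ "$1" = "--demo" ]; then
    echo "default install:";  sample_default_response  | check_security_headers || true
    echo "hardened install:"; sample_hardened_response | check_security_headers || true
fi
```

Run it against the real site rather than against a local copy: a caching layer, CDN or reverse proxy in front of WordPress can strip or overwrite headers that PHP sets, and this is the only way to see what the browser receives.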
WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it’s so popular, it’s also a favorite target for hackers. Luckily, there are a number of steps you can take to protect your WordPress site and if you follow the tips in this article, you’ll be well on your way to having a secure WordPress website.