WeCreativez WhatsApp Support
Our customer support team is here to answer your questions. Ask us anything!
Hi, how can I help?
BeTips to Keep Your WordPress more Secure

BeTips to Keep Your WordPress more Secure

1. BEFORE INSTALLING WORDPRESS

When setting up a new WordPress installation, you should always
choose the latest stable version. Before installing it, follow these
two simple web security steps in the wp-config.php file:

  • Change the database prefix
  • Use authentication keys

By default, all WordPress installations use the prefix wp_ for their database. This is consistent throughout WordPress, so it’s recommended to change the prefix for each site to prevent possible attacks related to the database.


To alter the WordPress table prefix, change the following line in the configuration file, wp-config.php, with the prefix that you would like to use:
$table_prefix = ‘wp_’;

For example:
$table_prefix = ‘newsite_wp_’;

This change will also allow you to have several WordPress installations on the same database, as long as you do not repeat the prefix.

If your site is already installed and you didn’t change the default prefix during the installation process, it’s not too late. Use a plugin such as Change Table Prefix to make modifications. You can also do this manually, but I don’t recommended it if you are not familiar with performing database changes.

WordPress has secret keys, called Keys and Salt, that are stored in the wp-config.php file. They protect open sessions by encrypting the session data in the browser’s cookie. Before beginning the installation, you should generate the secret keys. 

Like with the database prefix, you can change the secret keys on an existing site, at any time, a task that I recommend you perform routinely in order to invalidate active sessions and force all users to log in again.

Although you can generate your own keys manually, I recommend using the official WordPress service found at https://api.wordpress.org/secret-key/1.1/salt/ and replace the keys with the ones in your wp-config.php file.

Before moving on to the next tip, I have one more piece of advice about WordPress secret keys for live sites. In the unlikely scenario where you need to deny any type of access to the admin panel, even with login credentials, you can configure keys to invalidate every microsecond by replacing them in the wp-config.php with the following: 

define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem
define(‘AUTH_KEY’,          microtime());Lorem

Remember to routinely update these keys as a preventative measure or to end active sessions.


  1. AFTER INSTALLING WORDPRESS

    Once you’ve finished installing your new WordPress site, you should delete the admin profile used during installation and create a new user with admin permissions, as well as any other necessary user

accounts.

 

Avoid weak usernames like admin or administrator which are common in all WordPress installations and remember to use a strong password. 

Disable the pingbacks and trackbacks notifications on your admin panel (Settings > Comments), as they can be an entry for possible DDoS (Distributed Denial of Service) attacks on your site.

Protect files from attacks and intrusions by adding the following lines of code in the htaccess file. Ideally, this should be done at the beginning of the file located at the root directory of your site:


Deny Directory Listing
Options – Indexes
#Block sensitive files
<files.htaccess>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>

You should block access to any unnecessary files by creating a new .htaccess file in the /wp-admin directory and adding the following lines of code:

#Block installation files
<files install.php>
Order allow,deny
Deny from all
</files>
<files setup-config.php>
Order allow,deny
Deny from all
</files>


I recommend reviewing the robots.txt file, which is located in the root directory of your site. This file tells search bots what should and shouldn’t be analyzed on your site, so be sure to check that it doesn’t show any sensitive information about your WordPress installation, for example, your wp-admin folder.



3. CHANGE PERMISSIONS FOR FILES AND DIRECTORIES

Make sure files and directories in your WordPress installation have the appropriate permissions to prevent attackers from taking control of your site.


Go to WordPress Tools > WordPress Toolkit > Select the installation > Fix Permissions.

Permissions for all the directories should be set to 755.
Permissions for all the files should be set to 644.


To restrict the access even further, you should protect these two files in your WordPress configuration in the following way:

wp-config.php file: set permissions to 600
.htaccess file: set permissions to 604

These permissions are referred to as View, Write, and Execute as defined in Unix operating systems.



4. BLOCK PHP IN DIRECTORIES

Although WordPress installations block PHP file uploads through the admin panel by default, you should block the option to execute PHP code in that folder. You should also limit the unnecessary execution of PHP code in other folders used by WordPress that shouldn’t be accessed directly.

 

Create a new .htaccess file inside of your folders “/wp-content/uploads”, “/wp-content/plugins” and “/wp-content/themes”, and add the following lines of code to block PHP executions:

<Files *.php>
deny from all
</Files>

Note: take into account that after every modification in a .htaccess file, you should check it in your installation. Flush the cache to confirm that the added rules are working properly.



5. DISABLE FILE EDITING IN WORDPRESS

This step focuses on adding a layer of security to the admin panel to prevent unwanted intruders and limit mistakes made by authorized users.

To disable the file edit option in the WordPress admin panel, use the following line of code in the configuration file, wp-config.php:

define( ‘DISALLOW_FILE_MODS’, true );

This code is equivalent to removing the ‘edit_themes’, ‘edit_plugins’, and ‘edit_files’ permissions for any registered user on the site.

You can add an additional layer of control for live sites if you don’t want users to install themes and plugins on their own. To do this, add the following code to the configuration file – wp-config.php:

 

define( ‘DISALLOW_FILE_MODS’, true );

 

Remember to deactivate it by changing the directive to false if you need to perform tasks on the WordPress installation.

All modifications on the wp-config.php file above the following line of code:

 

/* That’s all, stop editing! Happy blogging. */

 

Leave a Reply