Check and scan for problems
- Run a security audit via the “WP Security Audit Log” plugin
- Run a security audit via online tools like: http://hackertarget.com/wordpress-security-scan/
- Use Google Alerts for unwanted spam content: http://www.google.com/alerts
Search for stolen content by googling pieces of your article.
Remove the login link from the theme
Go to Dashboard > Appearance > Widgets > remove the Meta widget from the sidebar.
Choose a strong ID and password for all accounts
Check your password strength here: https://www.grc.com/haystack.htm
Limit login attempts
Go to Dashboard > Settings > Limit Login Attempts > change the allowed retries and the lockout time as well as other parameters you need.
Activate the auto updates
The auto updates guarantee that your whole WordPress installation is always up to date, without any manual intervention.
1) For the WP core
Simply add this single line to your site’s wp-config.php file: define( 'WP_AUTO_UPDATE_CORE', true );
There is one little problem with this setting: it also enables nightly builds and development updates.
To disable nightly builds and development updates, add this line to your theme’s functions.php file:
add_filter( 'allow_dev_auto_core_updates', '__return_false' );
2) For plugins and themes
Put the following lines in the theme’s functions.php file:
/* auto updates for plugins */
add_filter( 'auto_update_plugin', '__return_true' );
/* auto updates for themes */
add_filter( 'auto_update_theme', '__return_true' );
Disable file editing
The following code will prevent editing any files from within your WordPress admin area.
Add the line define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file.
Delete all unused items like themes, plugins, etc.
Every unused piece of software is a potential security risk, so delete it.
Database
- Change the database prefix from the default to a personalized one like wp_abxyz.
The default table prefix is wp_.
- As MySQL administrator, disable acceptance of remote TCP connections.
- Do backups on a regular basis! Use a plugin, do it via MySQL, or ask your host for the necessary script.
Disable PHP error reporting
You can do this in 3 different ways.
1) Add the following code to your wp-config.php file:
ini_set('display_errors', '0');
ini_set('error_reporting', '0');
or
error_reporting(0);
ini_set('display_errors', '0');
2) Add the following lines to the php.ini file:
display_errors = Off
error_reporting = 0
3) Add the following lines to the .htaccess file (php_flag and php_value only take effect when PHP runs as an Apache module such as mod_php; under PHP-FPM use php.ini or wp-config.php instead):
php_flag display_errors off
php_value error_reporting 0
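The wp-config.php settings recommended in the sections above (forced core auto updates, DISALLOW_FILE_EDIT, a non-default table prefix, a database that is only reached locally, no debug output) can be checked mechanically. The following Python script is an added example, not code from the article or from WordPress: it parses the define() calls and the $table_prefix assignment of a wp-config.php with regular expressions and reports what is missing or weak. The embedded configuration is constructed for illustration, the function names are mine, and WP_DEBUG is flagged when true because debug mode raises the PHP reporting level and can surface notices to visitors.

```python
"""Audit a wp-config.php for the hardening settings discussed above.

Added example, not part of the original article. Parses define() calls and
the $table_prefix assignment and reports findings; an empty list means that
every check passed.
"""
import re

# Constructed sample wp-config.php fragment (not a real site's configuration).
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'WP_AUTO_UPDATE_CORE', true );
/* That's all, stop editing! Happy publishing. */
"""

# Matches define( 'NAME', value ); -- a value containing ')' is not handled,
# which is acceptable for the constants this audit looks at.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_0-9]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""")


def parse_defines(config_text):
    """Return {CONSTANT: raw value text} for every define() in the file."""
    return {m.group("name"): m.group("value").strip()
            for m in DEFINE_RE.finditer(config_text)}


def parse_table_prefix(config_text):
    """Return the configured $table_prefix, or None when it is not set."""
    m = PREFIX_RE.search(config_text)
    return m.group("prefix") if m else None


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def _is_false(value):
    return value is not None and value.strip().lower() == "false"


def audit_wp_config(config_text):
    """Return a list of human-readable findings for the given wp-config.php text."""
    defines = parse_defines(config_text)
    findings = []
    if not _is_true(defines.get("WP_AUTO_UPDATE_CORE")):
        findings.append("WP_AUTO_UPDATE_CORE is not true: core auto updates are not forced on")
    if not _is_true(defines.get("DISALLOW_FILE_EDIT")):
        findings.append("DISALLOW_FILE_EDIT is missing: the theme/plugin editor is reachable from the admin area")
    # WordPress treats an undefined WP_DEBUG as false, hence the default here.
    if not _is_false(defines.get("WP_DEBUG", "false")):
        findings.append("WP_DEBUG is enabled: debug mode can surface PHP notices to visitors")
    prefix = parse_table_prefix(config_text)
    if prefix is None or prefix == "wp_":
        findings.append("$table_prefix is the default wp_")
    # A DB_HOST other than localhost means the database is reached over the network.
    host = defines.get("DB_HOST", "'localhost'").strip("'\"")
    if host and host not in ("localhost", "127.0.0.1") and not host.startswith("localhost:"):
        findings.append(f"DB_HOST is {host!r}: the database is reached over the network")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("-", finding)
```

Run it against a real file with `audit_wp_config(open("wp-config.php").read())`; on the constructed sample it reports the missing DISALLOW_FILE_EDIT, the enabled WP_DEBUG and the default table prefix.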
Admin area
1) Don’t use the default ID “admin” and password “admin” to access the admin area
2) Never use the administrator account for posts !
3) Limit the number of IPs
Allow one IP: get your home IP address and add the following lines to the .htaccess file. Replace xx.xxx.xxx.xxx with your IP address.
If you want to allow access from multiple computers (such as your office PC, home PC, laptop, etc.), simply add another “Allow from xx.xxx.xxx.xxx” statement on a new line.
<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>
4) Multiple IPs
If you allow multiple IPs, limit the number of incorrect login attempts to your site. This way you protect your WordPress site from brute-force attacks and from people trying to guess your password.
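The advice above (and the Limit Login Attempts setting earlier in this article) can also be checked from the web server side. The following Python script is an added example, not code from the article or from any plugin: it scans Apache combined-format access log lines for POST requests to wp-login.php, counts the failed attempts per client IP inside a sliding time window, and reports the IPs that exceed a threshold. The log lines are constructed with documentation-range addresses; the assumption that a failed login is answered with HTTP 200 (WordPress re-renders the form) while a successful one redirects with 302 is mine, as are the function names.

```python
"""Flag wp-login.php brute-force attempts in an Apache access log.

Added example, not part of the original article. Lines are expected in
chronological order, as a log file normally is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:05 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(entry):
    """A POST to wp-login.php answered with 200 is treated as a failed attempt
    (assumption: WordPress re-renders the form on failure and redirects on success)."""
    path = entry["path"].split("?")[0]
    return entry["method"] == "POST" and path.endswith("/wp-login.php") and entry["status"] == 200


def find_brute_force(lines, max_attempts=5, window_seconds=600):
    """Return {ip: peak number of failed attempts inside any window} for IPs
    whose peak reaches max_attempts."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_failed_login(entry):
            continue
        q = recent[entry["ip"]]
        q.append(entry["time"])
        # Drop attempts that fell out of the sliding window.
        while q and (entry["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[entry["ip"]] = max(peak.get(entry["ip"], 0), len(q))
    return {ip: n for ip, n in peak.items() if n >= max_attempts}


if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins within the window")
```

On the sample, 203.0.113.7 is reported with six failures in a minute, while 198.51.100.22 (one failure followed by a successful redirect) is not. Feed a real file with `find_brute_force(open("access.log"))` and pick the same threshold and lockout window you configured in the plugin, so the log check and the plugin agree on what counts as an attack.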
Plugins
- Add a firewall plugin like “Wordfence”
- Add an anti Spam plugin like “Akismet”
- Anti-virus protection is usually provided on shared hosts; you can also install a plugin such as “WP Antivirus Site Protection”.
Hosting
- Security modules
Hosting is more secure when WordPress runs under your account’s username instead of the server’s default shared username. The most common way for hosting companies to do this is suPHP; just ask your host whether it runs suPHP or something similar. An additional security patch is the Suhosin PHP security system; also ask your host whether it is available.
- PHP, MySQL
Make sure that your host uses the latest PHP and MySQL versions.
- WAF, IDS
Make sure that there is a web application firewall (WAF) and an intrusion detection system (IDS) on your host!
- Account
Make sure you have good account isolation.
- Use SFTP
- Use SSL
Modify the .htaccess
Add the following to the .htaccess file after the “# END WordPress” entry
# protect the .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
# protect the wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
# prevent directory browsing
Options All -Indexes
# prevent hotlinking - the rewrite engine is already on by the WP default
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourDomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
# protect the wp-includes directory - the rewrite engine is already on by the WP default
<IfModule mod_rewrite.c>
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
- Add the following to the .htaccess file to protect the wp-content directory.
# this code will allow access to images, CSS, JavaScript and XML files, but deny it for any other type
order deny,allow
deny from all
<files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</files>
Be aware that this code has been known to break some WordPress themes. If it causes any problems with your website, remove it from the .htaccess file.
Disable XML-RPC
Since WordPress 3.5, XML-RPC has been enabled by default. This feature allows you to connect remotely via blogging clients. It is also used for trackbacks and pingbacks. Unfortunately, hackers have been known to use the XML-RPC feature for DDoS attacks.
1) You can turn off only the pingback functionality of XML-RPC
Add the following code to your child theme’s functions.php file:
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
    // drop pingback.ping from the list of methods the XML-RPC server exposes
    unset( $methods['pingback.ping'] );
    return $methods;
}
2) You can turn off XML-RPC completely
Add the following line to the wp-config.php or functions.php file:
add_filter( 'xmlrpc_enabled', '__return_false' );
3) WP settings
Go to Dashboard > Settings > Discussion > Default Article Settings : uncheck “Allow link notification from other blogs…”
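To confirm that the XML-RPC changes above took effect, you would POST a system.listMethods call to your own /xmlrpc.php and inspect the reply. The following Python block is an added example, not code from the article or from WordPress: it classifies such a reply (HTTP status plus XML body) as blocked at the web server, refused with an XML-RPC fault, pingback still exposed, or pingback removed. The sample replies are constructed to have the shape of a methodResponse and are not captured traffic; the classification labels and helper names are mine.

```python
"""Classify an xmlrpc.php reply after the XML-RPC hardening above.

Added example, not part of the original article. Only the inspection of a
reply is implemented here, on constructed samples, so it runs offline.
"""
import xml.etree.ElementTree as ET

# Request body a site owner POSTs to /xmlrpc.php to list the exposed methods.
LIST_METHODS_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"
)


def _method_response(names):
    """Build a constructed system.listMethods reply listing the given method names."""
    values = "".join(f"<value><string>{n}</string></value>" for n in names)
    return (
        '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
        f"{values}</data></array></value></param></params></methodResponse>"
    )


# Constructed samples (shape of a WordPress methodResponse, not captured traffic).
SAMPLE_DEFAULT = _method_response(
    ["system.listMethods", "pingback.ping", "pingback.extensions.getPingbacks", "wp.getUsersBlogs"]
)
SAMPLE_PINGBACK_REMOVED = _method_response(["system.listMethods", "wp.getUsersBlogs"])
SAMPLE_FAULT = (
    '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    "<member><name>faultCode</name><value><int>403</int></value></member>"
    "<member><name>faultString</name><value><string>constructed fault text</string></value></member>"
    "</struct></value></fault></methodResponse>"
)


def _root(body):
    """Parse the body; return the root element or None when it is not a methodResponse."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root if root.tag == "methodResponse" else None


def fault_code(body):
    """Return the integer faultCode of a <fault> reply, or None when there is no fault."""
    root = _root(body)
    if root is None:
        return None
    node = root.find("./fault/value/struct/member[name='faultCode']/value/int")
    return int(node.text) if node is not None else None


def listed_methods(body):
    """Return the method names from a system.listMethods reply (empty if not one)."""
    root = _root(body)
    if root is None:
        return []
    return [el.text for el in root.findall("./params/param/value/array/data/value/string")]


def classify_xmlrpc_reply(http_status, body):
    """Summarise what a reply to LIST_METHODS_REQUEST says about the endpoint."""
    if http_status != 200:
        return "endpoint-blocked"      # a web-server rule refused the request
    if _root(body) is None:
        return "not-xmlrpc"            # e.g. an HTML error page instead of XML
    if fault_code(body) is not None:
        return "request-refused"       # XML-RPC answered with a fault
    return "pingback-exposed" if "pingback.ping" in listed_methods(body) else "pingback-removed"


if __name__ == "__main__":
    for label, body in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_PINGBACK_REMOVED)):
        print(label, "->", classify_xmlrpc_reply(200, body))
```

After applying option 1 the reply to the listing request should no longer contain pingback.ping; a web-server block of xmlrpc.php shows up as a non-200 status before any XML is parsed.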
Malware
If your computer is infected with malware, a potential attacker can gain access to your login data and make a valid login to your site, bypassing all the measures you’ve taken before. This is why it is very important to have an up-to-date antivirus program and to keep the overall security of all computers you use to access your WordPress website at a high level.
Thanks for this useful article, I especially liked the auto update trick. Keep going with your blog!
Glad you found the article useful, and yes, we will continue blogging.