Thareja | Creative, Marketing, Technology

Helping You Succeed With Marketing & Technology!

How to secure WordPress

By Leave a Comment

WordPress is open source software you can use to create a beautiful website, blog, or app. Trusted by the best, 34% of the web uses WordPress, from hobby blogs to the biggest news sites online. Unfortunately with great power comes great responsibility. WordPress can be hacked if not secured. There are many things you can do to secure your installation. Here is an outline of a few of those.

If you use Plesk to do server management you are in luck, there is a built in way.

Securing WordPress via Plesk

To check and secure WordPress installations:

  1. Go to Websites & Domains > WordPress.
  2. Do one of the following:
    • To check the security of all WordPress installations, click Check Security.
    • To secure a single WordPress installation, click the icon in the S column next to the name of the desired WordPress installation.
    • To secure two or more WordPress installations, select the checkboxes for the corresponding WordPress installations, then click Check Security.
  3. Select the checkboxes corresponding to the security improvements you want to apply, then click Secure.

Caution: Keep in mind that not all security improvements can be rolled back. It is recommended to back up the corresponding subscription before securing WordPress installations. 

The complete list of WordPress security improvements
  • The wp-content folder. The wp-content directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-content directory. The security check verifies that the execution of PHP files in the wp-content directory is forbidden. Note that custom directives in the .htaccess or web.config files might override this security measure. Also note that some of your plugins might stop working after securing the wp-content folder.
  • The wp-includes folder. The wp-includes directory may contain insecure PHP files that can be used to damage your site. After WordPress installation, PHP files can be executed from the wp-includes directory. The security check verifies that the execution of PHP files in the wp-includes directory is forbidden. Note that custom directives in the .htaccess or web.config files might override this security measure. Also note that some of your plugins might stop working after securing the wp-includes folder.
  • The configuration file. The wp-config.php file contains credentials for database access and other sensitive information. After WordPress installation, the wp-config.php file can be executed. If, for some reason, processing of PHP files by the web server is turned off, hackers can access the content of the wp-config.php file. The security check verifies that unauthorized access to the wp-config.php file is blocked. Note that custom directives in the .htaccess or web.config files might override this security measure.
  • Directory browsing permissions. If directory browsing is turned on, hackers can obtain information about your site (what plugins you use and so on). By default, directory browsing is turned off in Plesk. The security check verifies that directory browsing on the WordPress installation is turned off. 
  • Database prefix. WordPress database tables have the same names in all WordPress installations. When the standard wp_ database table name prefix is used, the whole WordPress database structure is not a secret and anyone can obtain any data from it. The security check changes the database table name prefix to something other than wp_. The maintenance mode is turned on, all plugins are deactivated, the prefix is changed in the configuration file, the prefix is changed in the database, the plugins are re-activated, the permalink structure is refreshed, and then the maintenance mode is turned off.
  • Security keys. WordPress uses security keys (AUTH_KEYSECURE_AUTH_KEYLOGGED_IN_KEY, and NONCE_KEY) to encrypt information stored in the user’s cookies. A good security key should be long (60 characters or longer), random and complicated. This security check verifies that the security keys are set up and that they at least contain both alphabetic and numeric characters. 
  • Permissions for files and directories. If permissions for files and directories do not comply with the security policy, these files can be used to hack your site. After WordPress installation, files and directories can have various permissions. The security check verifies that the permissions for the wp-config.php file are set to 600, for other files to 644, and for directories to 755
  • Administrator’s username. When a WordPress copy is installed, by default there is a user with administrative privileges and the username admin. As a user’s username cannot be changed in WordPress, one only needs to guess the password to access the system as the administrator. The security check verifies that there is no user with the administrative privileges and the username admin
  • Version information. There are known security vulnerabilities for each WordPress version. For this reason, displaying the version of your WordPress installation makes it an easier target for hackers. The version of an unprotected WordPress installation can be seen in the pages’ meta data and readme.html files. The security check verifies that all readme.html files are empty and that every theme has a functions.php file which contains the line: remove_action(\'wp_head\', \'wp_generator\');.

Plugins that help with security

You can find a complete list on the following link. I have personally used Limit Login Attempts, Sucuri & Wordfence which also work well. Check this link: https://wordpress.org/plugins/tags/security/

Checklist of items to do:

  1. Always take frequent back ups, especially before and after upgrades or updates
  2. Update WordPress and plugins frequently, backup before you update
  3. Update PHP, and server side installations
  4. Use a backup service like VaultPress
  5. Disable File Editing in WordPress Dashboard – A lot of WordPress sites have multiple users and administrators, which can make WordPress security more complicated. A very bad practice is to give authors or contributors administrator access, but unfortunately, it happens all the time. It is important to give users the correct roles and permissions so that they don’t break anything. Because of this, it can be beneficial to simply disable the “Appearance Editor” in WordPress. Place the following code in your wp-config.php file to remove the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users. define(‘DISALLOW_FILE_EDIT’, true);
  6. Always only allow and use secure connections SFTP, SSH, HTTPS.
  7. Harden DB Security, add a unique Table Prefix, dont use “wp_”

Readings to do:

Hardening WordPress
WordPress Security – 19 Steps to Lock Down Your Site

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Less worry. More clarity. Add Thareja to your team. Sign Up for Free Now

back to top