WordPress Security
After installing WordPress there are numerous actions you can take to ensure that your blog is as safe and secure as possible. Here are some tips:
First and foremost, always keep your WP installation, themes, and plugins up to date.
Remove the admin user from the database after creating a new admin with a different name.
Choose a strong password for all accounts (use http://passwordmeter.com to check password strength).
Change your WP nickname.
During installation, change the wp_ prefix to something else for added security.
During installation, create a separate user for the WP database. Disallow the DROP command for that DB user.
Move wp-config.php up one directory level so it sits outside your web root. After all config changes to wp-config.php, set its permissions to 400 so public access is denied.
Configure security keys in your wp-config.php file (generate them from https://api.wordpress.org/secret-key/1.1/salt/).
Make sure you schedule or manually take backups of your WP installation.
Remove all readme.txt files from themes and plugins (they expose version information).
Remove the license.txt and readme.html files from the install folder.
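A quick way to verify that items 7, 9, 12 and 13 above were actually applied on a server is an audit script like the one below. This is an added example, not part of the original protip; it assumes wp-config.php has been moved to the parent directory of the web root and a standard wp-content/themes and wp-content/plugins layout.

```shell
# wp_audit WEBROOT
# Checks items 7, 9, 12 and 13 of the list above against an existing install.
# Prints one line per finding and returns the number of failed checks.
wp_audit() {
  webroot="$1"
  fails=0

  # Item 9a: wp-config.php belongs one level above the web root, not inside it.
  if [ -f "$webroot/wp-config.php" ]; then
    echo "FAIL: wp-config.php is inside the web root"
    fails=$((fails + 1))
    cfg="$webroot/wp-config.php"
  else
    cfg="$(dirname "$webroot")/wp-config.php"
  fi

  if [ -f "$cfg" ]; then
    # Item 9b: mode 400 (owner read only). GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg" 2>/dev/null)
    if [ "$mode" != "400" ]; then
      echo "FAIL: $cfg has mode $mode, expected 400"
      fails=$((fails + 1))
    fi
    # Item 7: the default wp_ table prefix should have been changed at install time.
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg"; then
      echo "FAIL: default wp_ table prefix still in use"
      fails=$((fails + 1))
    fi
  else
    echo "FAIL: wp-config.php not found at $cfg"
    fails=$((fails + 1))
  fi

  # Item 13: installer leftovers that reveal the exact WordPress version.
  for f in readme.html license.txt; do
    if [ -f "$webroot/$f" ]; then
      echo "FAIL: $webroot/$f should be removed"
      fails=$((fails + 1))
    fi
  done

  # Item 12: plugin and theme readme.txt files expose component versions.
  for dir in themes plugins; do
    [ -d "$webroot/wp-content/$dir" ] || continue
    n=$(find "$webroot/wp-content/$dir" -name readme.txt | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
      echo "FAIL: $n readme.txt file(s) under wp-content/$dir"
      fails=$((fails + n))
    fi
  done

  echo "checks failed: $fails"
  return "$fails"
}
```

Run it as `wp_audit /var/www/html` after hardening; a return code of 0 means every check passed.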
Create a robots.txt file that disallows crawlers from certain folders. Use the following for robots.txt:
User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-
Install the following plugins:
wp-security-scan
wordpress-firewall
ms-user-management
wp-maintenance-mode
ultimate-security-scanner
Run each of the above plugins to scan the security of your blog and make any adjustments based on their recommendations.
That's it! While nothing is ever totally secure, this list is a good starting point. Enjoy.
Written by Damian Tommasino
3 Responses
Thanks for sharing this.
Wordfence is also a good security plugin. It's freemium, but the free version is awesome.
Nice tip. If I may add, it seems like you covered a few security-by-obscurity techniques. A few more would be changing the directory folder to be something other than wordpress, cleaning up the wp_head so that any WordPress-generated links are removed (http://wpengineer.com/1438/wordpress-header/), and renaming the wp-content directory. All of this is done so that from just viewing the source it doesn't look like a WordPress site. Finally, using .htaccess to whitelist only certain IP addresses to be able to access wp-admin/wp-login; anyone not on the list gets the home page or a 404 Not Found. Btw, ever use http://www.trypap.com/ to see how good your passwords are?