Some notes about measures that can be taken to secure your WordPress site.
Keep WordPress Updated
Consider enabling automatic core updates. Since WordPress 3.7, minor (security and maintenance) releases are installed automatically by default; WP_AUTO_UPDATE_CORE sets the scope. Note that 'minor' is a string and must be quoted.
Auto-install Minor Core Updates
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
Auto-install All Core Updates
define( 'WP_AUTO_UPDATE_CORE', true );
Be Selective with Plugins and Themes
“51% of attacks are made through a WordPress plugin or theme”
Security holes in themes and plugins account for more than half of all successful WordPress hacks, so pay attention to which plugins you activate on your website.
- Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it.
- Be wary of plugins that have not been updated within the last two years, as they may contain security holes that have never been addressed. If possible, only use plugins that are updated regularly.
- Not all plugins are created equal: a poorly coded plugin can make it easier for an attacker to gain access to your website.
- Create a new user with the Administrator role, delete the default 'admin' user and attribute its posts to the new user, so the username attackers try first no longer exists.
Deny web access to wp-config.php with an .htaccess rule (Apache 2.2 syntax; on Apache 2.4 the equivalent directive is "Require all denied"):
<files wp-config.php>
order allow,deny
deny from all
</files>
In wp-config.php, replace the default keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT constants) with freshly generated unique values; the placeholder text from wp-config-sample.php must never reach production.
Disable File Editing
Removes the built-in theme and plugin file editors from the admin area, so a compromised administrator account cannot write PHP to the server through the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
Disable Plugin and Theme Modifications through Admin
define( 'DISALLOW_FILE_MODS', true );
This also blocks plugin and theme installation and updates from the dashboard and switches off the automatic updater, so it conflicts with WP_AUTO_UPDATE_CORE above; use it only where updates are applied by some other route.
Eliminate Error Reporting
Error messages reveal filesystem paths and other details an attacker can use. On a production site they must not be displayed to visitors (log them instead if you need them).
define( 'WP_DEBUG', false );
error_reporting( 0 );
@ini_set( 'display_errors', 0 );
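The wp-config.php settings above are easy to forget on one site out of many, so here is a small audit script for them. This is an added example and not code from the original notes; the two sample configs it creates are constructed for the demo, and the placeholder string it looks for is the one shipped in wp-config-sample.php.

```shell
#!/bin/sh
# Added example, not code from the original notes: audit a wp-config.php for the
# hardening constants discussed above. Both configs below are constructed for
# this demo; in practice run: audit_wp_config /var/www/html/wp-config.php

# Print the raw value of define( 'NAME', value ); in $1, or nothing if absent.
wp_define_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\));.*/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# Report deviations from the hardening recommended above.
# Exit status is the number of failures (0 = clean); warnings do not count.
audit_wp_config() {
  cfg=$1; fails=0
  v=$(wp_define_value "$cfg" DISALLOW_FILE_EDIT)
  if [ "$v" != "true" ]; then
    echo "FAIL: DISALLOW_FILE_EDIT is '${v:-unset}', expected true"; fails=$((fails + 1))
  fi
  v=$(wp_define_value "$cfg" WP_DEBUG)
  if [ "$v" = "true" ]; then
    echo "FAIL: WP_DEBUG is true; errors will leak paths to visitors"; fails=$((fails + 1))
  fi
  # wp-config-sample.php ships every key and salt as the same placeholder string.
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    v=$(wp_define_value "$cfg" "$k" | tr -d "'\"")
    case "$v" in
      ''|'put your unique phrase here')
        echo "FAIL: $k is missing or still the placeholder"; fails=$((fails + 1)) ;;
    esac
  done
  # DISALLOW_FILE_MODS also switches off the automatic updater.
  mods=$(wp_define_value "$cfg" DISALLOW_FILE_MODS)
  auto=$(wp_define_value "$cfg" WP_AUTO_UPDATE_CORE)
  if [ "$mods" = "true" ] && [ "$auto" != "false" ]; then
    echo "WARN: DISALLOW_FILE_MODS=true disables automatic core updates too"
  fi
  return "$fails"
}

TMP=$(mktemp -d)
WEAK_CFG=$TMP/weak-wp-config.php
HARD_CFG=$TMP/hard-wp-config.php

# Constructed: a config left close to wp-config-sample.php.
cat > "$WEAK_CFG" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
define( 'WP_DEBUG', true );
define( 'DISALLOW_FILE_MODS', true );
EOF

# Constructed: the same site after applying the notes above.
cat > "$HARD_CFG" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'Kq3!v9mL#xT2pR8@wZc4nH6bJs1dF7gY0aE5uQ' );
define( 'SECURE_AUTH_KEY',  'p7Mz@c2Vx!L9qW4nR1tB8hK3jY6sD0gF5aU2eI' );
define( 'LOGGED_IN_KEY',    'Z4h#n8Qw1!xK7vT3mC9bL2sR6pJ0dG5fA8yE1u' );
define( 'NONCE_KEY',        'w2R!k6Tq9@mV3xP7cZ1nB5hL8jS4dY0gF3aQ7e' );
define( 'AUTH_SALT',        'b9Xc3!vQ7@nK1mT5pR8wZ2hL6jB4sD0yG3fA5u' );
define( 'SECURE_AUTH_SALT', 'T1q#w5Mz9!xK3vP7cR2nB6hL0jS8dY4gF1aE9i' );
define( 'LOGGED_IN_SALT',   'n6V!c2Qx8@mK4wT0pZ7hR3bL9jB5sD1yG8fA2u' );
define( 'NONCE_SALT',       'R3k@z7Wq1!xM5vP9cT2nB8hL4jS6dY0gF7aQ3e' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
  echo "== $(basename "$cfg") =="
  if audit_wp_config "$cfg"; then echo "clean"; else echo "failures: $?"; fi
done
```

The weak config produces ten failures (no DISALLOW_FILE_EDIT, WP_DEBUG on, eight placeholder salts) plus the DISALLOW_FILE_MODS warning; the hardened one is clean. Values are matched textually, so a constant set from an environment variable or an include would need extra handling.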
- All directories should be
- All files should be
Files and the database should be backed up regularly to a secure location outside the web root (ideally off the server altogether).
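One way to script that backup, as an added example that is not part of the original notes: the database credentials are read out of wp-config.php, and the password is handed to mysqldump through a mode-0600 defaults file rather than on the command line. The site tree and its wp-config.php are constructed for the demo; mysqldump is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not code from the original notes: back up a WordPress install's
# files and database. DB credentials come from wp-config.php, and the password
# reaches mysqldump through a mode-0600 defaults file instead of the command
# line (where `ps` would show it to every local user). The site tree below is
# constructed for the demo; mysqldump itself is only run if installed.

# Print the unquoted value of define( 'NAME', value ); in $1, or nothing.
wp_define_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\));.*/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | head -n 1 | tr -d "'\""
}

# Archive the site tree into $2/files-<stamp>.tar.gz, readable only by the
# backup user (umask 077); prints the archive path.
backup_files() {
  root=$1; dest=$2
  out=$dest/files-$(date +%Y%m%d-%H%M%S).tar.gz
  ( umask 077 && tar -C "$(dirname "$root")" -czf "$out" "$(basename "$root")" ) || return 1
  echo "$out"
}

# Dump the database named in wp-config.php ($1) into $2/db-<stamp>.sql.
backup_db() {
  cfg=$1; dest=$2
  command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found, DB skipped" >&2; return 3; }
  extra=$(mktemp) || return 1
  chmod 600 "$extra"
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
    "$(wp_define_value "$cfg" DB_USER)" \
    "$(wp_define_value "$cfg" DB_PASSWORD)" \
    "$(wp_define_value "$cfg" DB_HOST)" > "$extra"
  out=$dest/db-$(date +%Y%m%d-%H%M%S).sql
  # --defaults-extra-file must be the first option; --single-transaction gives
  # a consistent InnoDB snapshot without locking the live site.
  ( umask 077 && mysqldump --defaults-extra-file="$extra" --single-transaction \
      "$(wp_define_value "$cfg" DB_NAME)" > "$out" )
  rc=$?
  rm -f "$extra"
  [ "$rc" -eq 0 ] && echo "$out"
  return "$rc"
}

# Constructed demo site: a tiny tree with a wp-config.php holding demo credentials.
SITE=$(mktemp -d)/wordpress
DEST=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads"
cat > "$SITE/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME',     'wp_demo' );
define( 'DB_USER',     'wp_demo' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST',     'localhost' );
EOF
echo 'constructed upload' > "$SITE/wp-content/uploads/photo.jpg"

if ARCHIVE=$(backup_files "$SITE" "$DEST"); then echo "files: $ARCHIVE"; fi
backup_db "$SITE/wp-config.php" "$DEST" || echo "db backup returned $?"
```

Run it from cron and copy the resulting files off the host; the archive is created with mode 600 so other local users cannot read the salts and credentials it contains. Restores should be rehearsed, since an untested backup is not a backup.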
There are security plugins that scan an install for existing compromises and help harden it against future attacks.
In addition, remove the readme.html file from the install root, because it also exposes the WordPress version number to anyone who requests it.
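The file-permission and readme.html points above are usually handled together in one pass over the install. The script below is an added example and not code from the original notes; the modes it applies (755 for directories, 644 for files, 600 for wp-config.php) are this example's assumption, since the notes leave the values unstated, and the tree it operates on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original notes: apply conventional permissions
# to a WordPress tree and drop readme.html. The modes used (755 directories,
# 644 files, 600 for wp-config.php) are this example's assumption; 600 presumes
# PHP runs as the file owner, otherwise use 640 with the web server's group.
# The tree below is constructed for the demo.

# Print every path that deviates from the expected modes, plus readme.html if
# it is still present. Prints nothing when the tree is clean.
list_problems() {
  root=$1
  find "$root" -type d ! -perm 755 | sed 's/^/dir not 755: /'
  find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file not 644: /'
  find "$root" -name wp-config.php ! -perm 600 | sed 's/^/wp-config not 600: /'
  [ -e "$root/readme.html" ] && echo "version leak: $root/readme.html"
  return 0
}

harden_tree() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # Credentials and salts live here; keep it owner-only (assumption, see header).
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  # readme.html announces the WordPress version to anyone who requests it.
  rm -f "$root/readme.html"
}

# Constructed demo tree with the usual mistakes: world-writable uploads,
# world-readable/writable wp-config.php, readme.html left in place.
DEMO=$(mktemp -d)/wordpress
mkdir -p "$DEMO/wp-content/uploads"
printf '<?php // constructed\n' > "$DEMO/wp-config.php"
: > "$DEMO/readme.html"
: > "$DEMO/wp-content/uploads/photo.jpg"
chmod 777 "$DEMO/wp-content/uploads"
chmod 666 "$DEMO/wp-config.php"

echo "before:"; list_problems "$DEMO"
harden_tree "$DEMO"
echo "after:";  list_problems "$DEMO"
```

Run list_problems alone from a cron job or a deploy check to catch drift (a plugin installer or an over-helpful chmod -R 777) without changing anything; run harden_tree to fix it. Directories that legitimately need the web server to write (uploads, cache) should be owned by the web server user rather than opened to everyone.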