WordPress Security – 26 Essential Steps to Protect Your WordPress Site
If you have one or more WordPress sites, as many of us do, I hope you have never been the victim of a hacker.
I have, and at best it’s inconvenient and embarrassing. But it can be quite damaging to your business.
The fact is, WordPress is an incredibly flexible blog/CMS platform, but a stock installation is not particularly hardened out of the box.
Fortunately, there is a lot you can do to make your WordPress blog or WordPress-powered site more secure.
If you would like an expert to do this for you, scroll down because I have just started to offer this as a service for $199.
If you are interested in doing it yourself, here are all the basics you need to cover.
WordPress Security Basics Checklist
- Rename the default admin user (usually "admin") to something else; it is the first username every brute-force script tries. Bear in mind that WordPress still exposes usernames through author archives and the REST API, so treat this as a speed bump rather than a secret.
- Change the ID of the first user from 1 to something else (this only defeats scripts that hard-code user ID 1, so it is of marginal value on its own).
- Enforce strong password requirements for all system users
- Show available WordPress updates to administrators only.
- Disable the built-in theme and plugin file editor (define DISALLOW_FILE_EDIT as true in wp-config.php). The switch is global, so administrators lose it too; that is the point, since an attacker holding an admin session would otherwise use the editor to write PHP onto the server.
- Change the database table prefix from the default wp_ (this only hinders unsophisticated SQL injection payloads that assume wp_, so do not rely on it).
- Don’t use the MySQL root user for the site’s database connection.
- Limit the MySQL account to the site’s database only (GRANT on sitedb.* rather than on *.*).
- Restrict the MySQL account so it can’t perform destructive actions (e.g. DROP). Note that core and plugin updates need CREATE and ALTER, and a plugin uninstall uses DROP TABLE to remove its own tables, so grant those temporarily when required.
- Give the MySQL account a long, randomly generated password; it lives in wp-config.php, so nobody needs to remember it.
- Don’t allow the server’s root user to log in via SSH (PermitRootLogin no in sshd_config). Use an account with sudo privileges instead.
- Fill in all eight secret key and salt fields in wp-config.php with unique, random strings; the generator at https://api.wordpress.org/secret-key/1.1/salt/ produces suitable 64-character values. Changing them later invalidates every existing login cookie, which is also the quick way to log all users out after a compromise.
- Disable directory indexes on all site folders (Options -Indexes in .htaccess) so that uploads and plugin directories can’t be browsed.
- Restrict the admin area: limit /wp-admin and wp-login.php to known IP addresses, or put HTTP authentication in front of them. Remember that admin-ajax.php lives under wp-admin and is called by themes and plugins for anonymous visitors, so exempt it. Merely renaming the login URL is obscurity and offers little protection on its own.
- Rename the wp-content directory (set WP_CONTENT_DIR and WP_CONTENT_URL in wp-config.php). Some plugins hard-code the default path and will break, so test the site after the change.
- Block bad hosts and agents with blacklists.
- Make any .htaccess files and wp-config.php read-only (e.g. chmod 444 and 440 respectively), and make sure wp-config.php is never world-readable: it holds the database password and the salts.
- Make the admin area inaccessible outside of work hours (handle this one with care: you will also be locked out when something breaks at night).
- Schedule regular backups of both the database and the files (uploads, themes, plugins), store them off the server, and test that they actually restore.
- Restrict the length of allowed URLs to 255 characters or less.
- Require SSL connections on the admin area (define FORCE_SSL_ADMIN as true in wp-config.php), and preferably on the whole site. The certificate may have a cost attached, though free certificates are now widely available.
- If possible, install and run server-side antivirus software such as ClamAV.
- Consider restricting the server’s FTP service to only accept connections from certain, whitelisted IP addresses (only applicable if you have at least one static IP). Better still, use SFTP over SSH instead of plain FTP, which sends passwords in clear text.
- When deployment is complete, consider stopping the server’s FTP service completely. You can always switch it on again temporarily if required.
- If your web server allows proxying (for example, because you’re load-balancing), ensure it’s not configured as an open HTTP proxy (for Apache, ProxyRequests Off).
- Make sure the server’s mail service is not an open SMTP relay.
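As an added example (my script, not the page author’s and not part of WordPress), the following POSIX shell helpers apply several of the items above to a site tree you point them at: the secret keys and salts, the file editor switch, directory indexes, read-only wp-config.php and .htaccess, an IP restriction on the admin area, and the SQL for a least-privilege database account. What it assumes is stated in the header comment; the wp-config.php it runs against is a constructed stub carrying only the lines the helpers touch, and 203.0.113.10 is a placeholder address.

```shell
#!/bin/sh
# Added example, not the page author's tooling. Assumes a GNU/Linux userland
# (sed -i, awk, dd, tr, head, mktemp, /dev/urandom), Apache 2.4 access syntax,
# and a wp-config.php in the stock layout with "put your unique phrase here"
# placeholders and the "That's all, stop editing!" marker. Run it on a copy first.

# Secret keys and salts: eight unique 64-character random strings, the same
# shape https://api.wordpress.org/secret-key/1.1/salt/ hands out.
random64() {
  dd if=/dev/urandom bs=1024 count=1 2>/dev/null | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 64
}

set_salts() {
  cfg="$1"
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    val=$(random64)
    # '|' is a safe sed delimiter because val is alphanumeric only
    sed -i "s|define( *'$key', *'[^']*' *);|define('$key', '$val');|" "$cfg"
  done
}

# True when every key now holds a 64-character alphanumeric value.
salts_ok() {
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    grep -Eq "define\('$key', '[A-Za-z0-9]{64}'\);" "$1" || return 1
  done
}

# Theme/plugin editor: DISALLOW_FILE_EDIT is global (there is no per-role
# switch), which is what you want; an attacker with a stolen admin session
# would otherwise use the editor to write PHP into the active theme.
disable_file_edit() {
  cfg="$1"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  awk -v line="define('DISALLOW_FILE_EDIT', true);" \
      '/stop editing/ && !done { print line; done = 1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# True when the define sits above the "stop editing" marker (before wp-settings.php loads).
file_edit_disabled() {
  awk '/DISALLOW_FILE_EDIT/ { d = NR } /stop editing/ { s = NR }
       END { exit !(d && s && d < s) }' "$1"
}

# Directory listings off, sensitive files read-only, and wp-login.php plus
# wp-admin limited to one trusted address. admin-ajax.php is opened back up
# because front-end themes and plugins call it for anonymous visitors.
harden_files() {
  root="$1"; ip="$2"; ht="$root/.htaccess"
  [ -e "$ht" ] && chmod u+w "$ht"
  touch "$ht"
  grep -q '^Options -Indexes' "$ht" || printf 'Options -Indexes\n' >> "$ht"
  grep -q 'wp-login.php' "$ht" || printf '<Files wp-login.php>\n    Require ip %s\n</Files>\n' "$ip" >> "$ht"
  mkdir -p "$root/wp-admin"; rm -f "$root/wp-admin/.htaccess"
  printf 'Require ip %s\n<Files admin-ajax.php>\n    Require all granted\n</Files>\n' "$ip" > "$root/wp-admin/.htaccess"
  chmod 444 "$ht" "$root/wp-admin/.htaccess"
  chmod 440 "$root/wp-config.php"   # holds the DB password: never world-readable
}

# Least-privilege database account: SQL to run as the MySQL root user. No DROP,
# as the checklist asks; grant it briefly when a plugin uninstall must remove
# its own tables, then revoke it. The password must be alphanumeric (random64 is).
db_grant_sql() {
  db="$1"; user="$2"; pass="$3"
  printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
  printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
  printf 'FLUSH PRIVILEGES;\n'
}

# Count of untouched placeholders (0 after set_salts).
placeholders_left() {
  awk '/put your unique phrase here/ { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed throw-away tree; the wp-config.php stub is invented
# for this example and carries only the lines the helpers touch.
demo() {
  root="$1"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  set_salts "$root/wp-config.php"
  disable_file_edit "$root/wp-config.php"
  harden_files "$root" 203.0.113.10     # placeholder address: use your own static IP
}

WORK=$(mktemp -d)
demo "$WORK"
echo "placeholders left in $WORK/wp-config.php: $(placeholders_left "$WORK/wp-config.php")"
db_grant_sql wp_site wp_site "$(random64)"
```

The IP restriction is the one step that can lock you out: if your address changes, the only way back in is the server shell, so keep that route (or a second trusted address) before applying it. The SQL is only printed; review it and feed it to the mysql client yourself.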
Want Professional Help to Secure Your WordPress Site?
For a one-time fee of just $199 (US), my pro developer will help secure your WordPress site, using all the techniques above (where available), and usually adding a few more.
We’ll just need (where applicable):
- FTP access to the server
- Admin user credentials for the WordPress implementation
- A Linux user with sudo privileges (or cPanel access)
We’ll also take full backups, and provide you with a report of exactly what we did. We’ll aim to implement your security update as quickly as we can (hopefully within 48 hours).
Simply pay the fee, and we’ll get straight back to you for access details. Then you can put many of your security concerns behind you.