WordPress Security Checklist

August 31, 2017

Most of the time a website running WordPress is hacked through a simple misconfiguration that could have been avoided during development. That is the idea behind this article: a checklist of actions you should take to raise the security of any WordPress website.

During installation steps:

  1. Change the default table prefix (wp_) to something else.
  2. Do not create an account with the username admin. If one already exists, create a new Administrator account and delete the old one.
  3. Use a strong password containing uppercase letters, lowercase letters, numbers, and special characters on all accounts.

After installation steps:

  1. Change the security keys and salts in wp-config.php.
  2. Remove, or block via .htaccess, the files license.txt, wp-config-sample.php, and readme.html.
  3. Disable the built-in file editor by adding the following line to wp-config.php (above the "That's all, stop editing!" comment):
    define( 'DISALLOW_FILE_EDIT', true );
  4. Prevent directory listing by adding the following line to .htaccess (Apache rejects a mix of plain and +/- options such as "Options All -Indexes", so use the -Indexes form alone):
    Options -Indexes

Admin Area Security:

  1. Lock down the login page after repeated failed logins using (All In One WP Security Plugin).
  2. Use the email address to log in instead of the username using (All In One WP Security Plugin).
  3. Rename the URL of your login page using (All In One WP Security Plugin).
  4. Remove login links from the theme (if not required by the project).
  5. Make the login error messages generic, so they do not reveal whether the username or the password was wrong, by inserting the following code in your functions.php file:
    function guwp_error_msgs() {
        // Add as many messages as you want as array items; one is shown at random.
        $custom_error_msgs = array( 'YOU SHALL NOT PASS!', 'HEY! GET OUT OF HERE!' );
        // Return a random array item as the login error text.
        return $custom_error_msgs[ array_rand( $custom_error_msgs ) ];
    }
    add_filter( 'login_errors', 'guwp_error_msgs' );

  6. Disable the WP REST API if you are not using it. (All In One WP Security Plugin)
  7. Password protect the wp-admin folder.
  8. Keep WordPress up to date.
  9. Create an Editor account and use it to publish content, instead of the Administrator account.
  10. Install a plugin that detects file changes. (All In One WP Security Plugin)
  11. Scan the website for viruses, malware, and signs of compromise.
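The .htaccess rules for blocking the leftover files and directory listing (After installation, items 2 and 4) and for password protecting wp-admin (item 7 above), written out as an added example that is not part of the original checklist or of any plugin. It assumes Apache 2.4 (Require syntax), AllowOverride enabled for the site, and an .htpasswd file at the placeholder path shown.

```apache
# /.htaccess (site root)

# Deny direct requests for the files that reveal the WordPress version
# and leave the sample configuration readable.
<FilesMatch "^(license\.txt|wp-config-sample\.php|readme\.html)$">
    Require all denied
</FilesMatch>

# Stop Apache from listing the contents of folders without an index file
# (uploads, plugin and theme folders).
Options -Indexes

# /wp-admin/.htaccess (inside the wp-admin folder)

# Second password prompt in front of the dashboard; the path to .htpasswd
# is a placeholder and must point outside the web root on your server.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# admin-ajax.php is called from the public front end by many themes and
# plugins, so it must stay reachable without the extra password.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Create the password file with `htpasswd -c /path/outside/webroot/.htpasswd username`; on Apache 2.2 the Require lines would need the older Order/Deny syntax instead.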

Theme Security:

  1. Keep the theme up to date.
  2. Delete unused themes completely.
  3. Remove the WordPress version number from the theme output. (All In One WP Security Plugin)
  4. Download and use themes only from reputable sources.

Plugin Security:

  1. Keep all plugins up to date.
  2. Do not edit a plugin's core files unless you really need to; edits are lost on update and make updating harder.
  3. Delete unused plugins completely.
  4. Download and use plugins only from reputable sources.
  5. Think twice before installing a ton of plugins (do not use a plugin unless you really need it and cannot get what you want without it).
