WordPress Security Checklist

A Canadian University Gave $11 Million to a Scammer
August 31, 2017

Most of the time a website running WordPress is hacked by a silly misconfiguration that could be avoided during its development. That’s the idea of this article: a checklist of actions that you should take to increase the security of any WordPress website.

During installation steps:

  1. Change the default table prefix
  2. Do not create an account with username admin. If there is any, create a new Administrator account and delete the old one.
  3. Use a strong password containing uppercase, lowercase, numbers, and special characters on all accounts.

After installation steps:

  1. Change Security Key
  2. Remove or block via .htaccess the files license.txt, wp-config-sample.php, and readme.html
  3. Disable file edit via wp-config.php by adding the following code
    define('DISALLOW_FILE_EDIT',true);
  4. Prevent directory listing via .htaccess by adding the following code:
    Options All -Indexes

Admin Area Security:

  1. Lockdown the login page for repetitive failed login using (All In One WP Security Plugin)
  2. Use email address to login instead of username using (All In One WP Security Plugin)
  3. Rename the URL of your login page using (All In One WP Security Plugin)
  4. Remove login links from the theme (if not required by the project).
  5. Make the login error messages more generical (user/pass) by inserting the following code in your functions.php file
    function guwp_error_msgs() {
    // insert how many msgs you want as an array item. it will be shown randomly
    $custom_error_msgs = array( 'YOU SHALL NOT PASS!', 'HEY! GET OUT OF HERE!', );
    // get random array item to show
    return $custom_error_msgs[array_rand($custom_error_msgs)];
    } add_filter( 'login_errors', 'guwp_error_msgs' );
    
  6. Disable the WP REST API, if you aren’t using it. (All In One WP Security Plugin)
  7. Password protect the folder wp-admin.
  8. Keep WordPress up-to-date.
  9. Create an Editor account and use it to publish content.
  10. Install a plugin to check file changes. (All In One WP Security Plugin)
  11. Scan the website for viruses, malware, and security breaches.

Theme Security:

  1. Keep the theme up-to-date.
  2. Delete and remove unused themes.
  3. Remove the WordPress version from the theme. (All In One WP Security Plugin)
  4. Download and use themes only from reputable sources.

Plugin Security:

  1. Keep all plugins up-to-date.
  2. Don’t edit any plugins core file unless you really need to edit them
  3. Delete and remove unused plugins.
  4. Download and use plugins only from reputable sources.
  5. Think twice before installing a ton of plugins (don’t use a plugin unless you really need it and you can’t get what you want without it).

Leave a Reply

Your email address will not be published. Required fields are marked *

three × two =

Get Your Hosting Today