Navigate
X
    Ammar Abu Qoura
  • 7 years ago
    • Categories: Security

WordPress Security Checklist

Most of the time a website running WordPress is hacked by a silly misconfiguration that could be avoided during its development. That’s the idea of this article: a checklist of actions that you should take to increase the security of any WordPress website.

During installation steps:

  1. Change the default table prefix
  2. Do not create an account with username admin. If there is any, create a new Administrator account and delete the old one.
  3. Use a strong password containing uppercase, lowercase, numbers, and special characters on all accounts.

After installation steps:

  1. Change Security Key
  2. Remove or block via .htaccess the files license.txt, wp-config-sample.php, and readme.html
  3. Disable file edit via wp-config.php by adding the following code 
    define('DISALLOW_FILE_EDIT',true);
  4. Prevent directory listing via .htaccess by adding the following code:
    Options All -Indexes

Admin Area Security:

  1. Lockdown the login page for repetitive failed login using (All In One WP Security Plugin)
  2. Use email address to login instead of username using (All In One WP Security Plugin)
  3. Rename the URL of your login page using (All In One WP Security Plugin)
  4. Remove login links from the theme (if not required by the project).
  5. Make the login error messages more generical (user/pass) by inserting the following code in your functions.php file 
    function guwp_error_msgs() {
// insert how many msgs you want as an array item. it will be shown randomly
$custom_error_msgs = array( 'YOU SHALL NOT PASS!', 'HEY! GET OUT OF HERE!', );
// get random array item to show
return $custom_error_msgs[array_rand($custom_error_msgs)];
} add_filter( 'login_errors', 'guwp_error_msgs' );
  6. Disable the WP REST API, if you aren’t using it. (All In One WP Security Plugin)
  7. Password protect the folder wp-admin.
  8. Keep WordPress up-to-date.
  9. Create an Editor account and use it to publish content.
  10. Install a plugin to check file changes. (All In One WP Security Plugin)
  11. Scan the website for viruses, malware, and security breaches.

Theme Security:

  1. Keep the theme up-to-date.
  2. Delete and remove unused themes.
  3. Remove the WordPress version from the theme. (All In One WP Security Plugin)
  4. Download and use themes only from reputable sources.

Plugin Security:

  1. Keep all plugins up-to-date.
  2. Don’t edit any plugins core file unless you really need to edit them
  3. Delete and remove unused plugins.
  4. Download and use plugins only from reputable sources.
  5. Think twice before installing a ton of plugins (don’t use a plugin unless you really need it and you can’t get what you want without it).
Ammar Abu Qoura:
Related Post
  1. An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks

    Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new?…

  2. Leaving employees to manage their own password security is a mistake

    Despite the clear and present danger that weak passwords pose to organizations, many remain focused…

  3. CCleaner Malware Incident – What You Need to Know and How to Remove

    An unknown threat group compromised the CCleaner infrastructure. The attacker added malware to the CCleaner…

This website uses cookies.