Keeping WordPress Secure

SenseiSteve

HD Moderator
Staff member
Looking for recommendations on ways to secure WordPress sites, since they seem to be prime targets of low-life cybercriminals.
 
Here's my base security I do to all our WordPress sites:
  1. Administrator username must be something other than "admin"
  2. password protect /wp-admin (.htaccess or equivalent)
  3. 2-factor authentication for admin logins
  4. disable account registration
  5. disable comments (nobody uses them except spammers)
  6. disable directory listing ability (/wp-content, /wp-content/plugins, /wp-content/themes, /wp-content/uploads)
  7. disable WordPress version from showing in source
  8. disable RSD (Really Simple Discovery meta tag)
  9. disable WLW (Windows Live Writer meta tag)
  10. disable Database Error Reporting (give generic "oops" to frontend users, no detailed errors)
  11. disable PHP Error Reporting (again, same "oops")
  12. remove readme.html file
  13. Install WordFence, block users after 3 failed logins
    1. If using Pro, block countries you're not interested in
    2. instantly block anyone trying to log in with "admin", "administrator" or variations of the site name (bigredseo, makeabackup etc.)
    3. Send email/text notice on any admin login
    4. send email/text notice if plugin is disabled
    5. send alert for any plugins available for upgrade
  14. Upgrade plugins as they come out (some can be auto-updated if you trust them)
  15. Disable normal FTP access (allow FTP only with a private key; no password login)
  16. move wp-config.php to "/home/yourname" and modify the wp-config file to include /home/yourname/config.php
Once all of those are done, what's left is mostly plugin updates, monitoring, and reviewing log files as needed. Any plugin that is unmaintained, delete it and find a replacement. If you can do the coding without the need for a plugin, even better!
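As an added illustration (my code, not something posted in this thread and not Wordfence's), here is a must-use plugin that implements the WordPress-side items of the checklist above: 4, 5, 7, 8, 9, 10, 13.2 and 13.3. Items 2, 6, 12, 15 and 16 are web-server and filesystem changes, and item 11 belongs in wp-config.php (WP_DEBUG and WP_DEBUG_DISPLAY set to false, display_errors turned off), so they are not in this file. The reserved login names are placeholders to replace with variants of your own site name, and rejecting those logins here is only a denial; the IP blocking the checklist describes is Wordfence's job.

```php
<?php
/**
 * Plugin Name: Checklist hardening (added example)
 * Description: WordPress-side items from the checklist above. Place this file in
 * wp-content/mu-plugins/ so it loads on every request and cannot be deactivated
 * from the dashboard.
 */

defined('ABSPATH') || exit;

// 7. Remove the <meta name="generator"> tag and empty its value in feeds as well.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 8./9. Remove the RSD and Windows Live Writer discovery tags.
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

// 4. Refuse open registration even if someone flips the option in the database.
add_filter('option_users_can_register', '__return_zero');

// 5. Close comments and pingbacks on every post type and hide any existing ones.
// Priority 100 runs after core and most plugins have registered their post types.
add_action('init', function () {
    foreach (get_post_types() as $type) {
        remove_post_type_support($type, 'comments');
        remove_post_type_support($type, 'trackbacks');
    }
}, 100);
add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);
add_filter('comments_array', '__return_empty_array', 10, 2);

// 10. Never print $wpdb errors to the page; $wpdb still writes them to the PHP error log.
add_action('init', function () {
    $GLOBALS['wpdb']->hide_errors();
});

// 13.2 Reject logins for names nobody legitimate should be using. Priority 100 runs
// after core's username, email and application-password checks, so core cannot
// overwrite the rejection. Placeholder list: use variants of your own site name.
const RESERVED_LOGINS = ['admin', 'administrator', 'yoursitename', 'your-site-name'];

add_filter('authenticate', function ($user, $username) {
    if ($username !== '' && in_array(strtolower(trim($username)), RESERVED_LOGINS, true)) {
        // REMOTE_ADDR is the proxy's address if the site sits behind one.
        error_log(sprintf('Rejected login as "%s" from %s', $username, $_SERVER['REMOTE_ADDR'] ?? '?'));
        return new WP_Error('reserved_login', 'Invalid login.');
    }
    return $user;
}, 100, 2);

// 13.3 Email the site admin whenever an account that can manage the site logs in.
add_action('wp_login', function ($login, $user) {
    if (!user_can($user, 'manage_options')) {
        return;
    }
    wp_mail(
        get_option('admin_email'),
        sprintf('[%s] admin login: %s', get_bloginfo('name'), $login),
        sprintf('%s logged in from %s at %s UTC', $login, $_SERVER['REMOTE_ADDR'] ?? '?', gmdate('Y-m-d H:i:s'))
    );
}, 10, 2);
```

Because it lives in mu-plugins it has no activation step and does not appear under "Installed Plugins" as something to switch off, which is the point for hardening code. The comment hooks hide comments rather than delete them, so anything already in the database stays there for you to clean up separately.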
 
Here's my base security I do to all our WordPress sites:
At least a few of these could be the default WP settings.

Upgrade plugins as they come out (some can be auto-updated if you trust them)
I don't fully agree on this. If it's a complex WP site, updating can ruin everything. I usually check them manually and update only if there are any vulnerability fixes. In some cases I just change the appropriate lines of code manually. It's overkill, I know, but better safe than sorry.
 
At least a few of these could be the default WP settings.
And yet, they're not. They must be manually done.
I don't fully agree on this. If it's a complex WP site, updating can ruin everything. I usually check them manually and update only if there are any vulnerability fixes. In some cases I just change the appropriate lines of code manually. It's overkill, I know, but better safe than sorry.
Oh, definitely agree. If you don't trust the source, you shouldn't have any auto-update enabled. And you can restrict your auto-updates to only update sub-versions too. For example, we will auto-update Wordfence sub-versions, as they generate new rules and updates nightly and keep the site extra secure. But for something like Contact Form 7, their updates are usually cosmetic.
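To make the sub-version idea concrete, here is an added example (my code, not Wordfence's and not from anyone in this thread) of a must-use plugin that gates plugin auto-updates by the size of the version jump, using the auto_update_plugin filter WordPress applies before each unattended update. The per-plugin policy table and the "patch" default are assumptions to adjust; the plugin file paths are the standard ones for Wordfence and Contact Form 7.

```php
<?php
/**
 * Plugin Name: Auto-update policy by version step (added example)
 * Description: Lets WordPress apply plugin updates unattended only when the version
 * jump is within the size allowed for that plugin. Place in wp-content/mu-plugins/.
 */

defined('ABSPATH') || exit;

// Largest version step each plugin may take without a human looking at it.
// Assumed policy for illustration: adjust to the plugins you actually trust.
const AUTO_UPDATE_POLICY = [
    'wordfence/wordfence.php'              => 'minor', // nightly rule/engine releases
    'contact-form-7/wp-contact-form-7.php' => 'none',  // review by hand
];
const AUTO_UPDATE_DEFAULT = 'patch';       // plugins not listed: patch releases only

/**
 * Classify the jump from $current to $new as 'major', 'minor', 'patch', or
 * 'none' when $new is not newer. Short versions are padded ("7.10" == "7.10.0").
 */
function version_step(string $current, string $new): string
{
    if (version_compare($new, $current, '<=')) {
        return 'none';
    }
    $a = array_map('intval', explode('.', $current));
    $b = array_map('intval', explode('.', $new));
    $len = max(count($a), count($b), 3);
    $a = array_pad($a, $len, 0);
    $b = array_pad($b, $len, 0);
    if ($a[0] !== $b[0]) {
        return 'major';
    }
    return $a[1] !== $b[1] ? 'minor' : 'patch';
}

/** True when a jump of size $step is within $policy ('none', 'patch', 'minor', 'all'). */
function step_allowed(string $step, string $policy): bool
{
    $size  = ['patch' => 1, 'minor' => 2, 'major' => 3];
    $limit = ['none' => 0, 'patch' => 1, 'minor' => 2, 'all' => 3];
    if (!isset($size[$step])) {
        return false;                        // 'none': nothing to update
    }
    return $size[$step] <= ($limit[$policy] ?? 0);
}

// $item is the update record for one plugin. It carries the new version but not
// the installed one, so the installed version is read from the plugin header on disk.
add_filter('auto_update_plugin', function ($update, $item) {
    if (empty($item->plugin) || empty($item->new_version)) {
        return $update;                      // not an update decision (e.g. the plugins list UI)
    }
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $header  = get_plugin_data(WP_PLUGIN_DIR . '/' . $item->plugin, false, false);
    $current = $header['Version'] ?? '';
    if ($current === '') {
        return false;                        // cannot size the jump: leave it to a human
    }
    $listed = isset(AUTO_UPDATE_POLICY[$item->plugin]);
    $policy = $listed ? AUTO_UPDATE_POLICY[$item->plugin] : AUTO_UPDATE_DEFAULT;
    $ok     = step_allowed(version_step($current, $item->new_version), $policy);
    // Listed plugins follow the policy outright; unlisted ones also need the
    // dashboard auto-update toggle ($update) to be on.
    return $listed ? $ok : ($update && $ok);
}, 10, 2);
```

With this in place, Wordfence going from 7.5.x to 7.6.0 is applied unattended, 7.x to 8.0 waits for you, and Contact Form 7 never auto-updates. The filter only answers the "run this unattended?" question; it does not change which updates WordPress reports as available.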

If you use any of the vulnerability databases, you can query them with an API to determine impact and severity. But a key to security is updates, and too many people don't update for weeks/months (or ever).

If you're not updating and evaluating, you are potentially leaving a big hole available for exploitation.
 