WordPress Security can be hardened, simply by increasing the degree of difficulty to hack.
General WordPress Security Tips
- 8 Meaningful Reasons to Always Keep WordPress Updated.
- Also make sure to keep themes up-to-date.
- Delete unused WordPress themes.
- If not required disable new user registration in WordPress.
- Make your nickname different than WordPress login username.
- Change WordPress “Display name publicly as” to something different than login username.
- Use long complex password for WordPress login.
- Create new WordPress administrator with login username not as “admin”.
- Activate web application firewall to filter traffic.
- Remember to change WordPress username, password, user_nicename and database table prefix, when you move from one hosting company to another.
WordPress Plugin Security
- If possible make minimum use of WordPress plugins.
- Delete unused WordPress plugins.
- Always keep plugins updated.
- Stability is a step towards security which can be achieved through WordPress Blog Specific Plugin. I can install and activate them for you.
WordPress Security through Functions.php
- Remove default WordPress Header Junk links.
- Hide WordPress Version Number from Head and RSS.
- Remove WordPress Login Username from admin area.
Securing WordPress Login.php
- To avoid brute force attack, create new WordPress login page.
- Disable WordPress login error messages.
- Remove lost password link from WordPress login.
- Remove WordPress version number strings from script and style urls.
- Redirect failed WordPress login to homepage.
- Redirect lost password link to homepage.
WordPress Security through Database
- Change WordPress database table prefix to avoid SQL injection attack.
- Change WordPress user ID to hide login username from your-site.com/?author=1 which redirects to author url [your-site.com/author/username/].
- Change WordPress Author Base and URL Slug (user_nicename).
- Keep a log of WordPress Database and PHP errors.
WordPress Security on Server
- Generate new WordPress secret keys and replace them in wp-config.php.
- Disable file editing in WordPress.
- Secure WordPress Debug logs.
WordPress Security through Web Server
- Always use SFTP or SSH to connect to server.
- Disable directory listing for WordPress files and folders.
- Disable PHP execution in WordPress uploads directory.
- Force WordPress blog to HTTPS.
- Enable HTTP Strict Transport Security (HSTS)
- Remove unnecessary server response headers like Server, X-Powered-By, X-backend, etc…
Aim of the above guide is to minimize loopholes, and secure WordPress website from hackers.
Moral of the Story
Prevention is better than cure.
WordPress Security Consultant
WordPress Security tightening work under taken. Contact me.
