Hardening WordPress

Discussion in 'Webmaster News / Articles' started by Rob, Oct 1, 2015.

  1. Rob

    Rob Administrator Staff Member

    Sep 30, 2015
    One thing we can't stress enough is that WordPress sites need to have the correct permissions to help them stay safe. There are other things as well, such as password protected logins, etc. We'll share some of the things we do that can help to harden your WordPress installation.

    15+ things you should do to secure your WordPress site

    We suggest that you do all or most of these changes.
    1. File Permissions
    - chmod all directories to 755
    - chmod all .php files to 644
    - chmod your wp-config.php file to 400
    - chmod your .htaccess file to 644

    2. Remove the readme.html file
    The readme.html file is an easy/quick way for hackers to see which version you are running. It's also a clue that you haven't hardened any other part of your Wordpress installation!

    3. Secure your wp-includes directory
    Secure your wp-includes directory by adding this to your .htaccess:
    # Protect/block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    4. Prevent directory browsing
    Prevent directory browsing by adding this to your .htaccess:
    # Prevent Directory browsing
    Options All -Indexes
    5. Protect your wp-config.php file
    Protect your wp-config.php file by adding this to your .htaccess:
    # Protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
    6. Protect your .htaccess file
    Protect your .htaccess file by adding this to it:
    # Protect .htaccess
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    7. Password-protect your wp-login.php file
    We'll go into more detail on this soon...

    8. Password-protect your wp-admin directory
    Similar to #7. We'll explain it soon...

    9. Don't use 'admin'
    Don't use admin or administrator as your 'admin' user. This is a big no-no.

    10. Hide your wordpress version from the site and rss
    Add this to your theme's functions.php file (can go at the bottom):
    // Remove version number
    remove_action('wp_head', 'wp_generator');
    function wpt_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wpt_remove_version');
    11. Stay up to date on versions
    This one is obvious - but stay up to date on all software on your WordPress site: the core, plugins, etc.

    12. Change your database prefix
    Change your database prefix from wp_ to something else.

    13. Use randomly generated keys
    You can grab randomly generated keys here for your wp-config.php file and paste them in: https://api.wordpress.org/secret-key/1.1/salt/

    14. Change your display name
    After changing your admin username, go into users and make the display name different than the login name

    15. Backup, backup, backup
    Backup your site nightly if you can - and keep the files offsite!
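    Putting the file-system and .htaccess steps from the post into one script, as an added example (this is not Rob's script and not part of the original post). It assumes the web server runs as the owner of the files (if PHP runs as a different user, 400 on wp-config.php stops it reading the config and 755 on wp-content/uploads stops authors uploading), Apache with AllowOverride for the .htaccess rules, and a document root passed as the first argument. The function wp_demo_tree is a hypothetical helper that builds a constructed sample tree so the script can be tried without a real site; the Files wrapper and the Apache 2.4 Require form are additions not shown in the post.

```shell
#!/bin/sh
# Added example, not the post author's script: applies steps 1 to 6 of the
# post to a WordPress tree and audits the result. Assumes the web server runs
# as the file owner (otherwise 400 on wp-config.php stops PHP reading it and
# 755 on wp-content/uploads blocks uploads) and Apache with AllowOverride.
# wp_demo_tree is a hypothetical helper that builds a constructed sample tree.
set -e

# Step 1, applied with find so every nested directory and file is reached.
# wp-config.php is set last so the 644 for *.php does not override its 400.
wp_set_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -name '*.php' -exec chmod 644 {} +
    if [ -f "$root/.htaccess" ]; then chmod 644 "$root/.htaccess"; fi
    if [ -f "$root/wp-config.php" ]; then chmod 400 "$root/wp-config.php"; fi
}

# Steps 3 to 6 as one marked section so re-running does not duplicate it.
# The wp-config.php/.htaccess rules need a Files wrapper (a bare "deny from
# all" denies the whole site); Apache 2.4 and 2.2 forms are both given.
wp_write_htaccess() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q '# BEGIN hardening' "$ht"; then return 0; fi
    cat >> "$ht" <<'EOF'
# BEGIN hardening
Options All -Indexes
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# END hardening
EOF
}

# Step 2 plus the above; permissions go last so .htaccess ends up at 644.
wp_harden() {
    root="$1"
    rm -f "$root/readme.html"
    wp_write_htaccess "$root"
    wp_set_permissions "$root"
}

# Audit: print anything that drifted from the scheme; returns 1 if any did.
wp_check_permissions() {
    root="$1"
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f -name '*.php' ! -name wp-config.php ! -perm 644
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 400
        find "$root" -maxdepth 1 -name .htaccess ! -perm 644
    } )
    if [ -n "$bad" ]; then
        printf 'permission drift:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Step 13 without the network call: eight define() lines of 64 characters
# from /dev/urandom; quotes and backslashes are excluded so the values are
# safe inside a single-quoted PHP string.
wp_generate_salts() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        v=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+.,;:<>?|~-' </dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$k" "$v"
    done
}

# Constructed sample tree for trying the script out without a real site.
wp_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-admin/includes"
    printf '<?php // constructed sample config\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-includes/version.php"
    printf '<html>constructed readme</html>\n' > "$d/readme.html"
    chmod 777 "$d/wp-config.php" "$d/wp-includes"   # deliberately too open
    printf '%s\n' "$d"
}

if [ $# -gt 0 ]; then
    wp_harden "$1" && wp_check_permissions "$1"
fi
```

    Run it as `sh harden.sh /var/www/site` and re-run wp_check_permissions from cron to catch drift after plugin updates. Two caveats: `Options All -Indexes` needs `AllowOverride Options` (or All) in the vhost or Apache returns a 500 for the whole site, and the `wp-includes/[^/]+\.php` rule is documented by WordPress as breaking ms-files.php on Multisite, so drop that one line there.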

  2. Zimm

    Zimm Member

    Oct 2, 2015
    This information is very helpful. I've never even considered hardening a WordPress installation due to the fact that they typically remain secure. That being said, of the things listed, I never use admin or administrator as a login name. Additionally, I always change my display name to something other than my login name. Mainly, I do this out of habit. Now, I do have a question. If you have multiple authors on a WP site, changing those types of permissions listed above would affect their ability to write articles and upload images and files... Correct? Or am I totally wrong about that?
  3. Joelnexus

    Joelnexus New Member

    May 4, 2017
    Such good information. I have learned something new from you. :)
