Security - acnorrisuk/coding-style-guide GitHub Wiki

Note: These suggestions are for keeping WordPress secure.

Logins

  • Upload files via SFTP or SSH (if the hosting company allows it)
  • Do not use 'admin' as a username
  • Ensure your computer is free of viruses and malware
  • Don't access WP over insecure networks without HTTPS.
  • Use strong passwords for accounts (keep the WordPress-generated password if possible)
  • Reserve administrator accounts for trusted users

Keep Up To Date

  • Keep WordPress core updated
  • Keep themes and plugins updated
  • Remove unused themes and plugins (e.g. Twenty Sixteen)
  • Don't store old versions of themes/plugins on the server

Restrict Access

  • Ensure wp-config.php permissions are set to 750 or lower, and that no files or folders are set to 777.

  • Restrict access to wp-config.php using .htaccess

    # Restrict access to wp-config
    <Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    order allow,deny
    deny from all
    </Files>
  • Disable plugin and theme editor from the admin area using wp-config.php
    /* Disable the plugin and theme editor */
    define( 'DISALLOW_FILE_EDIT', true );
  • Limit login attempts to prevent brute-force attacks
  • Password protect the wp-admin folder through your host (e.g. cPanel)
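The permission checks in this section can be scripted. The following is an added example, not code from the wiki page or from WordPress: it audits a document root for anything world-writable (777 and similar) and confirms that wp-config.php has no permission bits set for "other", which is what 750 or stricter means. The directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit WordPress file permissions.
# Usage:  . ./wp-perm-audit.sh; wp_perm_audit /var/www/html
# The path /var/www/html is an assumption; use your own document root.

# Print every file or directory under $1 that is writable by "other"
# (octal bit 002). Output is empty when nothing is world-writable.
wp_world_writable() {
    find "$1" -perm -002 -print
}

# Return 0 when wp-config.php under $1 has no read, write or execute bit
# for "other" (mode 750 or stricter), 1 when any such bit is set or the
# file is missing.
wp_config_mode_ok() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    # -perm -004 / -002 / -001 test the other-read/write/execute bits
    if find "$cfg" -perm -004 -o -perm -002 -o -perm -001 | grep -q .; then
        return 1
    fi
    return 0
}

# Run both checks, report findings, return 0 only if everything passes.
wp_perm_audit() {
    root="$1"
    rc=0
    ww=$(wp_world_writable "$root")
    if [ -n "$ww" ]; then
        echo "world-writable entries found under $root:"
        echo "$ww"
        rc=1
    fi
    if ! wp_config_mode_ok "$root"; then
        echo "wp-config.php is missing or has permission bits set for other"
        rc=1
    fi
    return $rc
}
```

The checks look at the mode bits only, so the script gives the same answer whether it is run as the web server user or as root; run it after every deployment or plugin update, since those are the steps that most often loosen permissions.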

Obfuscation

  • Prevent user enumeration using .htaccess (e.g. requests to yoursite.com/?author=1)
    # Block user enumeration via ?author=N by redirecting to the site home
    # (replace example.com with your own domain)
    <IfModule mod_rewrite.c>
        RewriteCond %{QUERY_STRING} ^author=([0-9]*)
        RewriteRule .* http://example.com/? [L,R=302]
    </IfModule>
  • Remove the WP version meta tag using functions.php
    /* Return an empty string for the generator meta tag so the WP version is not printed */
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wpbeginner_remove_version' );
  • Move wp-config file up one level (outside of the WP directory)
  • Change table_prefix (e.g. use something other than 'wp_')

Other Measures

  • Ensure any user data is sanitised on input and escaped on output (see the Codex)
  • Regenerate the secret keys and salts in wp-config.php periodically (fresh values are available from the WordPress secret-key service).
  • Schedule file and database backups (e.g. using UpdraftPlus)
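Regenerating the keys can be scripted as well. The following is an added example, not code from the wiki page or from WordPress: rather than pasting values from the WordPress secret-key service, it generates eight fresh 64-character secrets from /dev/urandom and rewrites the matching define() lines in wp-config.php in place, keeping a timestamped backup and the file's existing permissions. The file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): rotate the WordPress keys and salts.
# Usage:  . ./wp-rotate-salts.sh; wp_rotate_salts /var/www/html/wp-config.php
# The path is an assumption; point it at your own wp-config.php.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character alphanumeric secret. The restricted character set
# keeps the value safe inside PHP single quotes and inside a sed replacement;
# 64 alphanumeric characters still carry well over 256 bits of entropy.
wp_new_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Replace the value of every define( 'KEY', '...' ) line in $1.
# A copy is kept alongside as wp-config.php.bak-<epoch>; the rewritten
# content is copied back into the original file so its mode is unchanged.
wp_rotate_salts() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak-$(date +%s)"
    tmp="$cfg.tmp.$$"
    for key in $WP_SALT_KEYS; do
        value=$(wp_new_secret)
        sed "s/^define( *'$key', *'[^']*' *);/define( '$key', '$value' );/" "$cfg" > "$tmp" \
            && cp "$tmp" "$cfg"
    done
    rm -f "$tmp"
}

# Return 0 if all eight keys are defined and none still carries the stock
# "put your unique phrase here" placeholder, 1 otherwise.
wp_salts_ok() {
    cfg="$1"
    for key in $WP_SALT_KEYS; do
        grep -q "^define( *'$key', *'[^']*' *);" "$cfg" || return 1
    done
    ! grep -q "put your unique phrase here" "$cfg"
}
```

Rotating the keys invalidates every existing login cookie, so all users are signed out on their next request; that is the intended effect and the reason to do it after any suspected account compromise as well as on a schedule.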

Plugins

Many security plugins cover several of the steps above and may provide additional security measures, e.g.

iThemes Security, Wordfence, Cerber

A more in-depth checklist can be found at the WordPress Security Checklist.

Further details on WordPress security can be found on the Hardening WordPress page of the Codex.
