Security - acnorrisuk/coding-style-guide GitHub Wiki
Note: these suggestions are for keeping WordPress secure.
- Upload files via sFTP or SSH (if the hosting company allows it)
- Do not use 'admin' as a username
- Ensure your computer is free of viruses and malware
- Don't access WP over insecure networks without HTTPS.
- Use strong passwords for accounts (keep the WordPress-generated password if possible)
- Reserve administrator accounts for trusted users
- Keep WordPress core updated
- Keep themes and plugins updated
- Remove unused themes and plugins (e.g. Twenty Sixteen)
- Don't store old versions of themes/plugins on the server
- Ensure wp-config.php permissions are set to 750 or lower and that no files or folders are set to 777.
- Restrict access to wp-config.php using .htaccess:

```apache
# Restrict access to wp-config
<Files wp-config.php>
    # Apache 2.2 access-control syntax; Apache 2.4 uses "Require all denied" instead
    Order allow,deny
    Deny from all
</Files>
```
- Disable the plugin and theme editor in the admin area using wp-config.php:

```php
/* Disable the plugin and theme editor */
define( 'DISALLOW_FILE_EDIT', true );
```
- Limit login attempts to prevent brute-force attacks
- Password protect the wp-admin folder through your host (e.g. cPanel)
- Prevent user enumeration using .htaccess (e.g. yoursite.com/?author=1):

```apache
# Block user ID phishing requests
<IfModule mod_rewrite.c>
    # Needed once per .htaccess if no earlier rule has enabled it
    RewriteEngine On
    # Redirect any request whose query string starts with author=<digits>
    RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    # example.com is a placeholder; point this at your own site
    RewriteRule .* http://example.com/? [L,R=302]
</IfModule>
```
- Remove the WP version meta tag using functions.php:

```php
// Return an empty string in place of the <meta name="generator"> tag
function wpbeginner_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpbeginner_remove_version' );
```
- Move wp-config.php up one level (outside of the WP directory)
- Change the table_prefix (e.g. use something other than 'wp_')
- Ensure any user data is sanitised on input and escaped on output (see the Codex)
- Regenerate the secret keys periodically in wp-config.php (Get WP secret keys).
- Schedule files and database backups (e.g. using Updraft)
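As an added example (not code from this wiki), the sanitise-and-escape item above in PHP: a shortcode that treats its attributes as untrusted, queries through `$wpdb->prepare()` using `$wpdb->posts` (so a changed table_prefix still works), and escapes each value for its output context. The shortcode name and attributes are made up for the illustration.

```php
<?php
/**
 * Added example, not part of the wiki: [recent_posts_by_author author_id="1" heading="Latest"]
 * Shows sanitise-on-input, prepared SQL, and context-specific escaping on output.
 */
add_shortcode( 'recent_posts_by_author', function ( $atts ) {
    global $wpdb;

    // 1. Sanitise input as soon as it arrives. Shortcode attributes are
    //    written by editors, but treat them as untrusted anyway.
    $atts      = shortcode_atts( array( 'author_id' => 0, 'heading' => '' ), $atts );
    $author_id = absint( $atts['author_id'] );            // non-negative integer or 0
    $heading   = sanitize_text_field( $atts['heading'] ); // strips tags and line breaks

    if ( 0 === $author_id ) {
        return '';
    }

    // 2. Never interpolate values into SQL; $wpdb->prepare() quotes them.
    //    $wpdb->posts expands to the real table name whatever the prefix is.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_author = %d AND post_status = 'publish' AND post_type = 'post'
             ORDER BY post_date DESC LIMIT %d",
            $author_id,
            5
        )
    );

    // 3. Escape on output, choosing the function for the context:
    //    esc_html() for text nodes, esc_url() for href, esc_attr() for attributes.
    $out = '<section class="recent-posts">';
    if ( '' !== $heading ) {
        $out .= '<h2>' . esc_html( $heading ) . '</h2>';
    }
    $out .= '<ul>';
    foreach ( $rows as $row ) {
        $out .= sprintf(
            '<li><a href="%s" title="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_attr( $row->post_title ),
            esc_html( $row->post_title )
        );
    }
    return $out . '</ul></section>';
} );
```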
Many security plugins cover several of the above steps and may provide additional security measures, e.g. iThemes Security, Wordfence, Cerber.
A more in-depth checklist can be found at the WordPress Security Checklist.
Further details on WordPress security can be found on the Hardening WordPress page of the Codex.