WordPress Security Hardening

WordPress is not a very secure application out of the box. It is also the most widely used CMS which is why it is highly targetted by hackers.

As such, it is very important to harden and secure your WordPress installation.


1. Updating WordPress

It is very important to ensure that your WordPress installation, plugins and themes are constantly updated to the latest version.

This is because older versions of WordPress, plugins and themes have known security loopholes or vulnerabilities which can be exploited by hackers to take control of your websitesss.

Newer version of WordPress has an auto-update feature which will kick in within 24 hours after a new update is released. 

If you use our Installatron Application Installer to install your WordPress, you will also have the option to enable auto-update for all WordPress plugins and themes. 


2. Pirated or Nulled Plugins and Themes

Never ever download and use any pirated or nulled WordPress plugins or themes as there are always a catch somewhere. 

You can read more about this in one of Sucuri's blog post: Fake jQuery Scripts in Nulled WordPress Plugins


3. Securing "wp-admin" and "wp-login.php"

Adding server-side password protection to "wp-admin" and "wp-login.php" adds a second layer of protection around your WordPress admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots.

You can add this server side password protection in your cPanel --> Directory Privacy. 

If you have a static IP address from your ISP or if you use a VPN, you can block all access to the "wp-admin" and "wp-login.php" file except from your own static IP. 

Firstly, create a .htaccess file within your "wp-admin" directory and including the following:-

Order deny,allow
Deny from all
Allow from X.X.X.X

Then, add the following to the main .htaccess file in your WordPress root directory:-
# protect the wp-login.php file
<files wp-login.php>
Order deny,allow
Deny from all
Allow from X.X.X.X
</files>

Where X.X.X.X is your static IP address from your ISP. 

Note: To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.


4. Securing "wp-includes"

A second layer of protection can be added where scripts are generally not intended to be accessed by any user.

You can do so by adding the following to the main .htaccess file in your WordPress root directory:-
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Note that this won't work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

Note: To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.


5. Securing "wp-config.php"

The "wp-config.php" is an important file which contains login credentials to your WordPress database. 

You can deny access to anyone surfing for it by adding the following to the main .htaccess file in your WordPress root directory:-
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Note: To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.


6. Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution.

Placing the following line in the first line of "wp-config.php" is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:-
define('DISALLOW_FILE_EDIT', true);


7. Disable Directory Browsing

There should be no legitimate reason for anyone to be able to browse through your website directory in the open web. 

You can disable directory browsing by adding the following to the main .htaccess file in your WordPress root directory:-
# disable directory browsing
Options All -Indexes

Note: To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.


8. Securing ".htaccess"

The .htaccess file is a very important file which can be used to secure your website but also to cause problems with it. 

As such, you should deny access to anyone surfing for it by adding the following to the main .htaccess file in your WordPress root directory:-
# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

Note: To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.


9. Delete Inactive Plugins and Themes

WordPress plugins and themes which are inactive can still be used by hackers to hack your website. 

As such, if you have any inactive plugins or themes that you do not plan to use, delete them from your WordPress installation lest they become a security risk to your website. 


10. Choose Your Plugins and Themes Carefully

You must be very careful when choosing your plugins and themes to ensure that they are from reputable source only. 

There are many plugins and themes which contains malware or adware even though they are not pirated or nulled like point #2 above. One example is SweetCAPTCHA which distributes Adware with their plugin. 

There are also a lot of WordPress themes which are no longer maintained by their developers and as such many loopholes within them are not patched. 

If you do not choose the plugins and themes that you use carefully, you will fall prey to a bad plugin or theme which can compromise your whole website even if you diligently follow all the steps stated above. 


Was this answer helpful?

 Print this Article

Also Read

Speed Up WordPress with LiteSpeed Cache

WordPress performance can be greatly improved with LiteSpeed Cache especially if you have a high...