
A secure WordPress website is essential. What can be done to improve security on your WordPress website? How do you harden WordPress and add extra security?

These are questions you should be asking!

As anyone who has been hacked will know, there is little more annoying than visiting your website only to find that someone has broken in and either wrecked it or plastered rubbish all over it.

Worse still is when the site has been hacked and you don't even know it: something sinister could be running quietly in the background while the pages look normal.

Of course it's not the end of the world, though it may seem like it at the time! So, as always, PREVENTION is better than the CURE.

But if you feel like it may be too late already then run your website through a quick scan: sitecheck.sucuri.net/scanner/.

If it comes back clean, then hooray. Also click on the "Website details" tab: if you see a "WordPress internal path: …" warning, PHP is showing error messages to visitors, and those messages include the absolute filesystem path of your install (full path disclosure, which on cPanel hosts also reveals your account name). The fix is a php.ini file in the root directory of your website that switches error display off; see sucuri.net/wordpress-internal-path-warning. Be sure to recheck Sucuri after you upload the php.ini file to the public_html directory of your website.

In case the fix doesn't work, make sure you upload the php.ini file in ASCII mode, and that it contains these lines:

; Never print errors to the browser: that is where the path leaks
display_errors=Off
; Silences every error, including those written to the log; display_errors=Off alone is usually enough
error_reporting=0

A php.ini in the document root is only honoured when PHP runs as CGI/suPHP (which is what tip 1 below recommends). Under PHP-FPM the equivalent file is called .user.ini, and under mod_php the setting has to go into .htaccess as a php_flag line instead.

If this still hasn't fixed the warning, add the following at the top of the PHP file that Sucuri identifies as causing the error:

<?php
// Last resort: silence all error reporting in this file (this also hides the errors from the log)
error_reporting(0);

Ok so your website looks okay so far. Let’s make sure it’s safer than most sites out there.

How to secure WordPress tips


1. What PHP handler is your hosting service running?

Read this article boomshadow.net/tech/php-handlers/ and then check with your host.

My suggestion would be suPHP: it works well with WordPress and is a good balance between speed and security. It runs PHP as your own account user rather than the shared web-server user, so WordPress can write to its uploads and cache directories with normal permissions (755 for directories, 644 for files), which removes the usual reason people reach for chmod 777. You do NOT want to be changing permissions to 777: a world-writable file can be overwritten by any other process on the server, including another customer's compromised site on shared hosting, and suPHP will by default refuse to run scripts from world-writable directories anyway. Note that suPHP itself is no longer maintained; on current hosts, PHP-FPM with a separate pool per site gives the same per-user isolation.
If you are concerned about your website loading speed then I am putting together a blog post soon that will provide some excellent tips. I will update here when that article is live.


2. Do not use the default “admin” login!

When you use the default admin username of "admin", you have given away half of what is needed to get into your WordPress dashboard. All an attacker has to do now is guess the password by brute force, and "admin" is the first username every login bot tries.

Let's remove this handout. When you first install WordPress, change the default username to something unique other than "admin". If you are already running WordPress, log in to the Dashboard, create a new user with a unique name, give that user the Administrator role, log out, and log back in as the new user. Now delete the "admin" user, choosing to attribute its posts to the new user when WordPress asks.

There is another important step. Bots scour websites looking for author names; if the name they find is your login name, they once again have half the equation. So go to Users > Your Profile, enter a nickname or first name, then under "Display name publicly as…" choose something that is NOT your username. Be aware that this only hides the login name in bylines: the author archive URL (/author/yourname/, which a request for /?author=1 redirects to) is built from the login name unless the user's nicename slug is changed as well, and WordPress 4.7 and later also list users who have published posts at /wp-json/wp/v2/users. So treat the username as guessable and let the password and login throttling carry the weight.

And one more thing to do here, for added security: install the Login Lockdown plugin. It locks out an IP address after a set number of failed login attempts, which slows down brute force against whatever username a bot does manage to find.


3. Use a different database prefix than “wp_”

This one is only for initial installations. Do NOT change it by hand on an existing WordPress website: every table would need renaming and the prefix-named rows in the options and usermeta tables (user roles, for example) updated to match, or you will break the site. When you first install WordPress you have the option to change the default database prefix, so instead of "wp_" pick something unique and less obvious. Bear in mind this is a minor hurdle: it defeats canned SQL-injection payloads that assume wp_ table names, but any real injection can read your table names from information_schema. Do it, but don't count on it.


4. Stay updated and remove version information

It is tempting not to download and install every single update that comes along for WordPress, WordPress plugins and WordPress themes. Resist that temptation: staying current is the single most effective item on this list.

The reason is that when an exploit is published for a plugin, bots immediately start scouring the web for sites running that outdated version; when they find yours, they start mucking up your site. Outdated plugins are one of the most common ways WordPress sites get compromised.

Second, remove version information where you can, so that scanners have less to go on. Simple code in the child theme's functions.php file will do it. This empties the generator meta tag and the feed generator line; the core version still shows in the ?ver= parameter on scripts and styles and in /readme.html, so hiding it is a hurdle, not a substitute for updating:

// Remove the WordPress version from the generator meta tag and feeds
function dtwd_wp_version_remove() {
    return '';
}
add_filter('the_generator', 'dtwd_wp_version_remove');
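As an added example that is not code from the original post, here is the same idea carried further as a must-use plugin. It empties the generator tag as above, strips the core version from the ?ver= parameter that WordPress appends to enqueued scripts and styles (tip 4), and answers /?author=N requests with a 403 so that the display-name change from tip 2 cannot be bypassed by author-ID enumeration. Save it as a file inside wp-content/mu-plugins/ (create the directory if it does not exist; files there load automatically and cannot be switched off from the dashboard). The dtwd_example_ function names and the plugin name are my own; the filters and functions it calls (the_generator, script_loader_src, style_loader_src, remove_query_arg, wp_die, is_admin) are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Harden version and username leaks (added example)
Description: Tip 4: blank the generator tag and strip the core version from ?ver=. Tip 2: block /?author=N enumeration.
*/

// Refuse to run if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Tip 4: empty the <meta name="generator"> tag and the <generator> line in feeds.
add_filter( 'the_generator', '__return_empty_string' );

// Tip 4: core appends ?ver=<WordPress version> to every script and stylesheet
// enqueued without an explicit version. Remove the parameter only when it equals
// the core version, so cache-busting on plugin and theme assets is left alone.
function dtwd_example_strip_core_ver( $src ) {
    if ( ! is_string( $src ) || '' === $src ) {
        return $src;
    }
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'dtwd_example_strip_core_ver', 20 );
add_filter( 'style_loader_src', 'dtwd_example_strip_core_ver', 20 );

// Tip 2: /?author=1 normally redirects to /author/<login-name>/, handing a bot the
// username whatever the display name says. Answer 403 on the front end instead.
// Admin screens use ?author= to filter the post list, so they are left untouched.
function dtwd_example_block_author_enum() {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    $author = $_GET['author'];
    if ( is_string( $author ) && preg_match( '/^\d+$/', $author ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'dtwd_example_block_author_enum' );
```

After installing it, request /?author=1 and confirm you get a 403 rather than a redirect to /author/…/, and view the page source to confirm the generator tag is empty and core scripts no longer carry ?ver=. It does not hide /readme.html or the REST API user listing; delete readme.html and restrict the users endpoint separately if those matter to you.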

5. Reduce Plugins

One of the greatest appeals of WordPress is the ease with which it can be extended. There are many combinations of plugins and themes that can improve your website.

However, there is something important to consider here. Each plugin or theme you add is third-party code running with the full privileges of WordPress itself, so every one of them increases your risk. Not only can plugins be insecure, they can also slow your website to a crawl. Note that deactivating a plugin is not enough: its files stay on disk and can still be requested directly over HTTP, so delete what you do not use.

So keep only essential plugins installed on your WordPress website, and delete the rest.


6. Regular Backups

You have probably heard it said a million times: "Have you backed up your website?" Well, I am going to say it again. You need to assume that at some point something is going to go wrong.

Save yourself the pain of having to start from scratch, and back up your site regularly. There are plenty of options available. At the very least use the backup tool in your hosting cPanel, and make sure the backup covers both the database and the files (wp-content/uploads above all), is kept somewhere other than the same server, and has been test-restored at least once.


7. Relocate the wp-config.php file outside of the public area.

This file contains your database credentials and the authentication salts, so you don't want it getting into the wrong hands. Here is a really simple, yet very effective tip.

Once you have made any necessary modifications to the wp-config.php file, such as increasing the WP memory limit, reducing the number of stored revisions, enabling SSL login if available and adding the cache line for W3 Total Cache, move wp-config.php up one directory, above the public_html folder. WordPress automatically looks in the parent of its install directory for wp-config.php (as long as that parent is not itself a WordPress install, that is, contains no wp-settings.php), and core upgrades never touch the file, so there is nothing to move back later. The point of the move is that the parent directory is outside the web root: a web-server misconfiguration, or a PHP-handler failure that serves .php files as plain text, can then no longer expose the credentials. Do check that the directory above public_html really is not served by anything.

If you are not comfortable moving the file around, then at least add this to your .htaccess file (it blocks web requests for the file, which is what the move achieves, but it relies on Apache honouring .htaccess):

# Protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below)
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

If you have an SSL certificate installed on your website, add the following to wp-config.php so that the login page and the whole admin area are served over HTTPS. FORCE_SSL_LOGIN, which only covered the login page, was deprecated in WordPress 4.0 in favour of this constant. Make sure https://yourdomain/wp-admin/ actually loads before you add it, or you will lock yourself out:

// Force HTTPS for login and the whole dashboard (replaces the deprecated FORCE_SSL_LOGIN)
define('FORCE_SSL_ADMIN', true);

8. Add some htaccess protection

There are many changes that can be made to improve security using the .htaccess file. The ideas here are to stop Apache listing the contents of directories that have no index file (otherwise anyone can browse wp-content/uploads or a plugin directory), to prevent web access to the .htaccess file itself (Apache's default configuration already refuses .ht* files, so this is belt and braces), to deny the installer, and to deny wp-config.php. If your host's AllowOverride setting does not permit Options, the first line will produce a 500 error; in that case remove it and ask the host to disable directory indexes.

# Disable directory listings
Options -Indexes
# The Order/Deny directives below are Apache 2.2 syntax (mod_access_compat on 2.4);
# on Apache 2.4 use "Require all denied" inside each <Files> block instead
# PROTECT htaccess file
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
# PROTECT install.php (wp-admin/install.php is only needed once, at install time)
<Files install.php>
 Order Allow,Deny
 Deny from all
 Satisfy all
</Files>
# PROTECT WP-CONFIG
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

9. Suggest to the search bots that they only look at the good stuff

Google and other search engines will crawl and index anything they can reach, which can expose URLs in search results that you'd rather keep quiet. A plain text file called robots.txt in the web root tells well-behaved crawlers what not to fetch. Two caveats before you rely on it: robots.txt is advisory only and is ignored by attack bots, and because anyone can read it, it advertises exactly the paths you list, so never put anything secret in it. It keeps junk out of search results; it does not keep attackers out of your site. Also, blocking the plugin and theme directories and every .js and .css file stops Google from rendering your pages properly, which can hurt ranking; if search traffic matters to you, leave those lines out.

In it you tell the search engines what they should not peruse. The rules must follow the User-agent line directly, with no blank line between them:

User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Allow: /wp-content/uploads/
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$

10. Ensure Timthumb scripts are up to date

There has been a lot of concern over the safety of the TimThumb image-resizing script (timthumb.php, often bundled inside themes and sometimes renamed, for example to thumb.php). Many websites have been hacked through out-of-date copies: old versions could be tricked into fetching a remote file that was then written into the cache directory and executed as PHP.

Protect yourself straight away by updating every copy to the latest version, not just the one you know about: search the theme and plugin directories by file content, since the file name varies. Don't leave holes in your website for someone to walk in and create a big disaster. TimThumb's author discontinued it in 2014, so the better long-term fix is a theme that uses WordPress's own image sizes instead.

If you would be more comfortable with an automated option, then check out the Timthumb Vulnerability Scanner plugin.
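As an added example that serves tips 1 and 10 (it is not code from the original post, nor from the scanner plugin it mentions), this command-line PHP script walks a WordPress install, lists every world-writable file or directory, and finds every copy of TimThumb by content rather than by name, reporting the VERSION constant each one declares so you can compare it with the version you just downloaded. It only reads; it changes nothing. Run it as php wp-audit.php /path/to/public_html. The file name and the dtwd_example_ function names are my assumptions; the iterator classes, getPerms() and file_get_contents() are standard PHP.

```php
<?php
// Added example: audit a WordPress tree for tip 1 (world-writable paths)
// and tip 10 (TimThumb copies and their versions). Read-only, CLI only.

// Yield every file and directory below $root, skipping "." and "..".
// Symlinks are not followed; unreadable subdirectories are skipped, not fatal.
function dtwd_example_walk( $root ) {
    $dir  = new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS );
    $iter = new RecursiveIteratorIterator(
        $dir,
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );
    foreach ( $iter as $path => $info ) {
        yield $path => $info;
    }
}

// Tip 1: anything with the "other" write bit set (777, 666, 757 ...).
// Returns a list of ['path' => ..., 'mode' => '0777'] entries.
function dtwd_example_world_writable( $root ) {
    $hits = array();
    foreach ( dtwd_example_walk( $root ) as $path => $info ) {
        $perms = $info->getPerms();          // full st_mode, e.g. 0100777 for a 777 file
        if ( $perms & 0002 ) {
            $hits[] = array( 'path' => $path, 'mode' => sprintf( '%04o', $perms & 07777 ) );
        }
    }
    return $hits;
}

// Tip 10: TimThumb ships as timthumb.php but themes rename it, so match on
// content: a PHP file whose header mentions TimThumb and defines its VERSION
// constant, written in the script as  define ('VERSION', '2.8.14');
// Returns a list of ['path' => ..., 'version' => ...] entries.
function dtwd_example_timthumb_copies( $root ) {
    $hits = array();
    foreach ( dtwd_example_walk( $root ) as $path => $info ) {
        if ( ! $info->isFile() || strtolower( $info->getExtension() ) !== 'php' ) {
            continue;
        }
        $head = @file_get_contents( $path, false, null, 0, 8192 ); // the header is enough
        if ( false === $head || false === stripos( $head, 'timthumb' ) ) {
            continue;
        }
        $version = 'unknown';
        if ( preg_match( "/define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]/", $head, $m ) ) {
            $version = $m[1];
        }
        $hits[] = array( 'path' => $path, 'version' => $version );
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && ! empty( $argv[1] ) ) {
    $root = rtrim( $argv[1], '/' );
    if ( ! is_dir( $root ) ) {
        fwrite( STDERR, "Not a directory: $root\n" );
        exit( 1 );
    }
    echo "World-writable entries (expected: none; use 755 for directories, 644 for files):\n";
    foreach ( dtwd_example_world_writable( $root ) as $h ) {
        echo "  {$h['mode']}  {$h['path']}\n";
    }
    echo "TimThumb copies (compare each version with the latest download):\n";
    foreach ( dtwd_example_timthumb_copies( $root ) as $h ) {
        echo "  {$h['version']}  {$h['path']}\n";
    }
}
```

Anything reported in the first list should be corrected to 755 (directories) or 644 (files); once PHP runs as your own user (tip 1), WordPress needs nothing more permissive than that. Anything in the second list older than the version on the TimThumb download page is a hole, even if it lives in a theme you no longer use.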


11. Disable editing of PHP files in WordPress Dashboard

If you are comfortable editing your PHP files over FTP or SFTP, then disable the option for administrators to edit plugin and theme PHP files from the WordPress Dashboard.

If someone does manage to log in with your admin username and password, the built-in editor is often the first place an attacker goes, because it lets them paste arbitrary PHP into a theme file and execute it on the next page load. Add the line below to wp-config.php, above the line that requires wp-settings.php, to remove the editor. The related DISALLOW_FILE_MODS constant goes further and also blocks installing or updating plugins and themes from the dashboard, which suits sites that are deployed from version control:

/* disable editing of plugin and theme files in the dashboard editor */
define('DISALLOW_FILE_EDIT', true);

12. Use a security plugin

There are many ways to manage security on your WordPress website, and using plugins can be a quick and easy way to get started.

A good simple plugin that enables some protection is Secure WordPress. Whatever you pick, check that it is still maintained and compatible with your WordPress version before relying on it: an abandoned security plugin is just one more unpatched plugin.


So there’s some great tips for how to secure WordPress to get you started, what are your tips for keeping your website safe?

How to secure WordPress tips was last modified: September 6th, 2016 by David Tiong