WordPress: How to secure / harden

=========
QUESTION
——— 
How do I secure or harden my WordPress installation?

=========
ANSWER
———
PASSWORDS
— 
Always use 10-15 character random strings for passwords, containing:
Upper and lower case letters (AbCdEfGh …)
Numbers (01234 …)
Special Characters / Symbols ($%&*#! …)

Use strong passwords like these not only for the WordPress user accounts but also for any FTP access and for the database password.

When anySiteHosting.com executes a WordPress installation, we always use 15 character passwords for everything.

To help you keep track of your passwords, use a secure password management program like Agile Bits’ 1Password application.
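
As an added example that is not part of the original article, here is a PHP script that generates a password meeting the rule above (at least 10 characters, default 15, with at least one upper case letter, one lower case letter, one digit and one symbol) and that checks an existing password against the same rule. It uses PHP's random_int(), which draws from a CSPRNG; the symbol set is this example's own choice.

```php
<?php
// Added example, not code from the article: password generation and
// checking against the "10-15 random characters, all four classes" rule.
// Requires PHP 7.1+ (random_int() and list-swap assignment).

const PW_CLASSES = [
    'upper'  => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    'lower'  => 'abcdefghijklmnopqrstuvwxyz',
    'digit'  => '0123456789',
    'symbol' => '!#$%&*+-=?@^_~',   // example's own symbol set
];

// One uniformly chosen character from $alphabet, using the CSPRNG.
function random_char(string $alphabet): string {
    return $alphabet[random_int(0, strlen($alphabet) - 1)];
}

// Build a password of $length characters containing every class at least once.
function generate_password(int $length = 15): string {
    if ($length < 10) {
        throw new InvalidArgumentException('password length must be at least 10');
    }
    $chars = [];
    // Take one character from each class first so no class can be missing.
    foreach (PW_CLASSES as $alphabet) {
        $chars[] = random_char($alphabet);
    }
    // Fill the remainder from the union of all classes.
    $all = implode('', PW_CLASSES);
    while (count($chars) < $length) {
        $chars[] = random_char($all);
    }
    // Fisher-Yates shuffle driven by random_int(), so the position of the
    // guaranteed class characters is not predictable.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

// Check a password (for example one typed into a form) against the rule.
function is_strong_password(string $pw): bool {
    if (strlen($pw) < 10) {
        return false;
    }
    foreach (PW_CLASSES as $alphabet) {
        // strpbrk() returns false when none of the class's characters occur.
        if (strpbrk($pw, $alphabet) === false) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    $pw = generate_password(15);
    echo $pw, PHP_EOL;
    echo is_strong_password($pw) ? 'strong' : 'weak', PHP_EOL;
    echo is_strong_password('password123') ? 'strong' : 'weak', PHP_EOL; // weak: no upper case, no symbol
}
```

Run it with `php generate-password.php`. Only the minimum length is enforced: the article's 15-character choice is the default, and a longer password is never weaker than a shorter one.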

 

———  
PLUGINS
— 
BBQ: Block Bad Queries
This is an excellent plugin that protects against several popular hacks by blocking malicious query strings and several other types of attacks.

Exploit Scanner
A great little plugin you can run from time to time to double-check your site.

Total Security
A great plugin for scanning your entire site and hosting system infrastructure.

Better WP Security
An excellent plugin with several default ‘push button’ fixes set up to harden the install.

———  
INSTALL

WRITE PERMISSIONS
During install, you will have to enable Write Permissions on the wwwroot directory, but be sure to disable that write permission afterward. 
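
As an added example that is not from the article, here is a PHP command-line script that takes the write permission back after installation. It goes a step further than the single wwwroot directory bit the paragraph describes and walks the whole install: directories become 0755, files 0644, wp-config.php 0640, and wp-content/uploads is left untouched so media uploads keep working. The modes, the uploads exception and the script name are this example's assumptions; run it as the user that owns the files.

```php
<?php
// Added example, not code from the article. Usage:
//   php lock-permissions.php /path/to/wwwroot
// Modes chosen here: 0755 for directories, 0644 for files, 0640 for
// wp-config.php (it holds the database password); these are the example's
// assumptions, and the PHP process must run as the file owner to apply them.

function lock_permissions(string $root, array $writable = ['wp-content/uploads']): array {
    $real = realpath($root);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("not a directory: $root");
    }
    $root = rtrim($real, '/');

    // Absolute paths of subtrees that must stay as they are (uploads).
    $keep = array_map(function ($p) use ($root) {
        return $root . '/' . trim($p, '/');
    }, $writable);

    $changed = ['dirs' => 0, 'files' => 0];

    // The install directory itself: no group/world write, as the article asks.
    chmod($root, 0755);
    $changed['dirs']++;

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        // Skip anything inside a directory that must remain writable.
        foreach ($keep as $k) {
            if ($path === $k || strncmp($path, $k . '/', strlen($k) + 1) === 0) {
                continue 2;
            }
        }
        if ($info->isDir()) {
            chmod($path, 0755);
            $changed['dirs']++;
        } elseif ($info->isFile()) {
            chmod($path, basename($path) === 'wp-config.php' ? 0640 : 0644);
            $changed['files']++;
        }
    }
    return $changed;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $n = lock_permissions($argv[1]);
    printf("directories: %d, files: %d\n", $n['dirs'], $n['files']);
}
```

If the web server runs as a different user than the file owner, it needs group read access to wp-config.php, which is why 0640 rather than 0600 is used here; re-run the script after each upgrade, since the upgrade again needs the write permission.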

— 
REMOVE ALL DEFAULT POSTS
During install, WordPress will add default posts and comments – remove these so the site does not look brand new, and therefore like one that perhaps has not been fully secured and may be an easy target.

— 
HIDE WORDPRESS VERSION
Hackers have an easier time if they know exactly what version of WordPress you have installed – so hide it!

wp-content/themes/{name of your WordPress theme}/header.php
Look for something like “” and remove it

wp-includes/general-template.php
Look for something around line 1858:

function the_generator( $type ) {
	echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}

Place a hash character (#) in front of the word echo to comment it out.
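
The edit to wp-includes/general-template.php above is overwritten the next time WordPress updates its core files. As an added example that is not from the article, the same result can be had with a must-use plugin that uses WordPress's own hooks (remove_action on wp_head and the the_generator filter), which survives core updates. It also goes a step beyond the article by stripping the ?ver= query string WordPress appends to core script and style URLs, another place the version number shows. The file name and the hwv_ prefix are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version
 *
 * Added example, not code from the article. Save as
 * wp-content/mu-plugins/hide-wp-version.php (create the directory if it
 * does not exist); must-use plugins load automatically and are not touched
 * by core updates, unlike edits to wp-includes/general-template.php.
 */

// Stop wp_head() from printing the <meta name="generator"> tag.
remove_action( 'wp_head', 'wp_generator' );

// the_generator() also runs for RSS/Atom feeds and similar output; blank its
// value there too. __return_empty_string() is a WordPress core helper.
add_filter( 'the_generator', '__return_empty_string' );

// Drop the ?ver=<version> query string from core script and style URLs, which
// otherwise reveals the installed version in the page source.
function hwv_strip_version_query( $src ) {
	return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'hwv_strip_version_query' );
add_filter( 'style_loader_src', 'hwv_strip_version_query' );
```

Stripping the ?ver= parameter also removes plugin and theme version strings from their asset URLs, so browsers and caching proxies no longer see a changed URL after an update; purge caches after updating if you use this part.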


REMOVE ALL POWERED BY WORDPRESS FOOTERS, ETC
This is an easily recognizable symbol of a new site, likely unsecured, and easily findable by hackers.


DELETE INSTALL AND UPGRADE SCRIPTS
/wp-admin/install.php and /wp-admin/upgrade.php
Delete these files after every installation or upgrade – they are only used during those processes and are included in every new package, so there is no need to keep them.

——— 
WP-CONFIG

Move the file to the directory above the wwwroot so that a hacker cannot retrieve it
(yes, PHP prevents direct access to this file, but a way around that may be found, PHP may fail, etc.)

— 
If Custom HTML is not absolutely necessary for your web site, try disabling it in wp-config.php by adding the following line:
define( 'DISALLOW_UNFILTERED_HTML', true );

——— 
WORDPRESS UPDATES 

Keep WordPress Up to Date – always install the latest build of WordPress

— 
Keep your plugins up to date – always install the latest build of the plug-ins

— 
Rely on WordPress’ built-in Updates notification system – you can see these via the number tags on the Updates button at the top of the page after logon.

——— 
BACKUP BACKUP BACKUP

We will notify you if we find your WordPress installation compromised.
We are not responsible for providing you with a restore back to the point before the site became compromised.
You can perform your own backups, though, to protect against this scenario:
http://www.anysitesupport.com/wordpress-how-to-backup/

=========
REF
———

http://anySiteSupport.com
http://anySiteHosting.com

By | 2017-12-01T23:47:28+00:00 January 21st, 2013 | Documentation, Internet/Web, WordPress