WordPress is the most popular CMS on the web right now. As such, WordPress installations are constantly scanned for vulnerabilities. Here are a few simple suggestions to keep the hackers out of your WordPress site.
If any of this seems daunting, SWCP’s WordPress Monitoring and Update service may be right for you. As always, call us at 505-232-7992 or email us if you have any questions.
Low-Hanging Fruit
- Keep WordPress core and plugins updated!
- Uninstall unused plugins (a deactivated plugin still sits on disk and can still be exploited)
- Do not use “admin” as a username
- Use strong, randomly generated passwords
- Do not use “wp_” as the database table prefix
- Install a security plugin (they handle a lot of this for you)
- Add reCAPTCHA to the login page
- Disable XML-RPC unless something actually needs it (it is a frequent target for password brute-forcing and pingback abuse)
- Disable the Dashboard theme and plugin file editor by adding this to wp-config.php:

```php
define('DISALLOW_FILE_EDIT', true);
```
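A quick way to check several of the items above at once, added here as an example (it is not SWCP's code and not part of WordPress): the script parses a wp-config.php plus a list of Dashboard usernames and reports which checklist items fail. Both config files are constructed samples; the function names and the weak-password heuristic (a short denylist plus a 12-character minimum) are my own assumptions.

```python
# Added example (not SWCP's or WordPress's code): audit a wp-config.php and a
# list of usernames against the checklist above. All inputs are constructed
# samples; helper names and the weak-password heuristic are assumptions.
import re

# Constructed sample: a stock install with the defaults the list warns about.
DEFAULT_WP_CONFIG = r"""<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'password');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

# Constructed sample: the same file after applying the checklist.
HARDENED_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'site_prod' );
define( 'DB_USER', 'site_prod_rw' );
define( 'DB_PASSWORD', 'u8T$1pQz!4mLw0Rb9vXe' );
$table_prefix = 'q7h3_';
define( 'DISALLOW_FILE_EDIT', true );
"""

# define('NAME', value);  -- the value is captured raw (quotes kept on strings)
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
# Assumed denylist; a real audit would use a much larger one.
WEAK_DB_PASSWORDS = {"password", "wordpress", "admin", "123456", "root", ""}


def parse_wp_config(text):
    """Return (dict of define() constants, $table_prefix or None)."""
    defines = {name: value for name, value in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_wp_config(text, usernames=()):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    defines, prefix = parse_wp_config(text)

    if prefix is None or prefix == "wp_":
        findings.append("table prefix is the default wp_")

    # DISALLOW_FILE_EDIT must be present and literally true
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is missing or not true")

    db_password = defines.get("DB_PASSWORD", "").strip("'\"")
    if db_password.lower() in WEAK_DB_PASSWORDS or len(db_password) < 12:
        findings.append("DB_PASSWORD is weak or shorter than 12 characters")

    # usernames would come from the wp_users table (or `wp user list`)
    if any(u.lower() == "admin" for u in usernames):
        findings.append("a Dashboard account named admin exists")

    return findings


if __name__ == "__main__":
    for label, cfg, users in (("default", DEFAULT_WP_CONFIG, ["admin", "editor"]),
                              ("hardened", HARDENED_WP_CONFIG, ["jdoe"])):
        print(label + ":", audit_wp_config(cfg, users) or "OK")
```

Point it at a real install by reading wp-config.php from disk and pulling usernames from the wp_users table (or wp-cli's `wp user list --field=user_login`); the checks themselves do not change.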
Bonus
- Disable PHP execution under wp-content/uploads (and, ideally, reject HTTP POST requests to it), so an attacker who manages to upload a .php file cannot run it (the SWCP webfarm does this server-wide)
- Log Dashboard authentication attempts (SWCP has a plugin that can do this)
- For normal WordPress operations the MySQL database user only needs to read and write rows in the site’s database: SELECT, INSERT, UPDATE and DELETE. Any other structure and administration privileges, such as CREATE, DROP, ALTER and GRANT, can be revoked. When a core or plugin update needs to change the schema, re-grant CREATE and ALTER for the duration of the upgrade and revoke them again afterwards.
- Block direct HTTP requests for PHP files under wp-includes by adding the rules below to .htaccess, above the WordPress-generated block (the trailing “# BEGIN WordPress” line marks where WordPress’s own rules start). Caveat: on a Multisite install this also blocks wp-includes/ms-files.php, which serves uploaded media, so skip these rules there.

```apache
RewriteEngine On
RewriteBase /
# The Dashboard's include files are never meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request outside wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Forbid PHP files directly under wp-includes/ ...
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# ... the TinyMCE language files, and the theme-compat shims
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
```
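The database-privilege bullet above, as an added example that is not SWCP's or WordPress's own code: the script takes the output of MySQL's SHOW GRANTS for the site's database user, reports every privilege beyond SELECT, INSERT, UPDATE and DELETE (treating anything granted globally on *.* as excess), and builds the REVOKE/GRANT statements that reduce the user to those four. The SHOW GRANTS text is a constructed sample and the function names are my own assumptions.

```python
# Added example (not SWCP's or WordPress's code): check SHOW GRANTS output for a
# WordPress database user against the four privileges normal operation needs,
# and build the statements that fix it. Sample grants are constructed.
import re

# The only privileges WordPress needs day to day (per the bullet above).
ALLOWED = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# One SHOW GRANTS line: GRANT <privs> ON <scope> TO <user>@<host> [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>\S+)(?P<grant_opt> WITH GRANT OPTION)?$"
)

# Constructed sample: the over-privileged user a one-click installer tends to create.
OVERPRIVILEGED = """\
GRANT USAGE ON *.* TO `wordpress`@`localhost`
GRANT ALL PRIVILEGES ON `wordpress`.* TO `wordpress`@`localhost` WITH GRANT OPTION
"""

# Constructed sample: the same user after hardening.
HARDENED = """\
GRANT USAGE ON *.* TO `wordpress`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO `wordpress`@`localhost`
"""


def parse_show_grants(text):
    """Yield (privilege set, scope, grantee) for each GRANT line."""
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        privs.discard("USAGE")  # USAGE means "no privileges at all"
        if m["grant_opt"]:
            privs.add("GRANT OPTION")
        yield privs, m["scope"], m["who"]


def excess_privileges(text):
    """Map each scope to the sorted privileges that go beyond plain row access.

    Anything held on *.* (global) is excess: the site user should only hold
    rights on its own database. ALL PRIVILEGES is reported as-is, not expanded.
    """
    excess = {}
    for privs, scope, _who in parse_show_grants(text):
        extra = sorted(privs if scope == "*.*" else privs - ALLOWED)
        if extra:
            excess[scope] = extra
    return excess


def remediation_sql(user, host, db):
    """Statements that drop every privilege the user holds, then grant only DML on its database."""
    who = f"'{user}'@'{host}'"
    return [
        # MySQL: revokes all global, database, table, column and routine privileges
        f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM {who};",
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{db}`.* TO {who};",
    ]


if __name__ == "__main__":
    print("before:", excess_privileges(OVERPRIVILEGED))
    print("after: ", excess_privileges(HARDENED))
    print("\n".join(remediation_sql("wordpress", "localhost", "wordpress")))
```

Run the remediation statements as a MySQL administrator, then re-run SHOW GRANTS and feed the output back through excess_privileges to confirm the result is empty. Keep the caveat from the bullet in mind: a core or plugin update that creates or alters tables will fail under this grant, so re-grant CREATE and ALTER for the upgrade window and revoke them again afterwards.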