WordPress is the most popular CMS on the web right now. As such, WordPress installations are constantly scanned for vulnerabilities. Here are a few simple suggestions to keep the hackers out of your WordPress site.
- Keep WordPress core and plugins updated!
- Uninstall unused plugins
- Do not use “admin” as a username
- Use strong/autogenerated passwords
- Do not use “wp_” as database table prefix
- Install a security plugin (they do a lot of this for you)
- Add reCAPTCHA to login page
- Disable XML-RPC if possible
- Disable the Dashboard theme/plugin file editor (via wp-config.php) if possible
- Disable PHP execution for HTTP requests to wp-content/uploads (the SWCP webfarm does this server-wide)
- Log Dashboard authentication attempts (SWCP has a plugin that can do this)
- For normal WordPress operations, the MySQL database user only needs data read and data write privileges on the MySQL database: SELECT, INSERT, UPDATE and DELETE. Therefore any other database structure and administration privileges, such as DROP, ALTER and GRANT, can be revoked.
- Block direct HTTP access to the include-only PHP files under wp-includes by adding the following at the top of the site's .htaccess file, above the existing `# BEGIN WordPress` block:

```apache
# Block direct requests to include-only files.
RewriteEngine On
RewriteBase /
# wp-admin/includes/ is never meant to be requested directly.
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request outside wp-includes/.
RewriteRule !^wp-includes/ - [S=3]
# Forbid PHP files at the top level of wp-includes/ ...
# (on Multisite this line also blocks ms-files.php; omit it there at the cost of less coverage)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# ... the TinyMCE language files ...
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# ... and the theme-compat directory.
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress
```
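As an added illustration of the database-privileges item above (this is example code, not part of the SWCP checklist), the following MySQL statements create a WordPress account that holds only the four data privileges and show how to strip the structure/administration rights from an account that was created too broadly. The database name `wp_example`, the account `'wp_app'@'localhost'` and the password are placeholders to replace.

```sql
-- Added example: least-privilege MySQL account for a WordPress site.
-- Placeholders: wp_example (database), 'wp_app'@'localhost' (account), password.

-- Weak setting commonly found in tutorials: everything, everywhere. Do not do this.
-- GRANT ALL PRIVILEGES ON *.* TO 'wp_app'@'localhost';

-- 1. Create the application account with a strong, generated password.
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY 'REPLACE-WITH-GENERATED-PASSWORD';

-- 2. Grant only the data read/write rights WordPress needs for normal operation,
--    scoped to the site's own database rather than *.*.
GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_example`.* TO 'wp_app'@'localhost';

-- 3. If the account already exists with broad database-level rights (e.g. it was
--    given ALL PRIVILEGES ON wp_example.*), revoke the structure and administration
--    privileges instead of recreating it. Requires an existing grant on wp_example.*.
REVOKE CREATE, DROP, ALTER, INDEX, REFERENCES, CREATE TEMPORARY TABLES,
       LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE,
       EXECUTE, TRIGGER, EVENT, GRANT OPTION
    ON `wp_example`.* FROM 'wp_app'@'localhost';

-- 4. Verify the result. Expected: USAGE ON *.* (no global rights) plus
--    SELECT, INSERT, UPDATE, DELETE ON `wp_example`.* and nothing else.
SHOW GRANTS FOR 'wp_app'@'localhost';
```

Core or plugin updates that change the table schema need CREATE and ALTER (and sometimes INDEX) while they run; grant those temporarily, perform the update, then re-run the REVOKE and the SHOW GRANTS check so the account returns to the four-privilege baseline.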