= Security =
* Always use the latest version of WordPress
* Do not use “admin” as the user name, but choose a personal user name
* Check integration with third-party software and services
* If the site has an SSL certificate, force SSL for login/admin and resolve insecurely-loaded (mixed-content) assets. If there is no SSL, consider adding a secure login alternative like Facebook.
* Check that you have the latest version of all plugins
* Check that your login is secured
Install a two-factor authentication WordPress plugin like Clef or Duo Security.
Install a brute force attack prevention plugin like BruteProtect.
* Check that you have strong passwords
If you’re using passwords to log in to your WordPress installation, enable HTTPS on your site and force HTTPS logins at all times.
* Check that there’s no account named admin on your install
If you have an admin account, create a new administration account and delete admin.
* Check that you’re accessing your WordPress installation for development in a secure way
Ensure that you always use SFTP or SSH to access your server remotely. Never use FTP.
* Check that your database is secure
Make sure you’re not using the default `wp_` table prefix.
* Check that you have a secure .htaccess file
1. Secure wp-includes by adding these lines to your .htaccess file.
2. Secure your wp-config.php by adding these lines to your .htaccess file.
* Check that you have disabled file editing
Add the line `define('DISALLOW_FILE_EDIT', true);` to your wp-config.php file. This removes the theme and plugin editors from the dashboard, so a compromised administrator account cannot write PHP through the web interface.
* Check file permissions
{| class="wikitable"
! File or folder !! Desired !! Fallback
|-
| wp-config.php || 400 || 440, 600, 640
|-
| uploads folder || 755 || 766, 777 (not recommended)
|-
| .htaccess files || 400 || 440, 444, 600, 640
|}
* Delete readme.html and install.php
* Add blank index.php files where needed (to prevent directory listing)
wp-includes
wp-content
wp-content/plugins
wp-content/themes
wp-content/uploads
* Move wp-config.php file outside the web root folder
The wp-config.php file is a very important configuration file. It contains a lot of sensitive information about your WordPress site, such as your database credentials and authentication salts.
If the file does not exist in the WordPress root folder, WordPress automatically looks for it in the folder one level above. Moving the file out of the public_html folder means it is no longer reachable from the Internet, even if the web server is misconfigured to serve raw PHP files.
= TEMPLATE =
= Plugin =