6 rules for a good basic WordPress security


I feel that I must mention the following basic pointers, because it turns out that common sense is not all that common.

You are a smart Internet user:

• Browser is updated to the latest version
• Java is updated to the latest version
• Adobe Flash is updated to the latest version
• You’ve got a working antivirus. (ESET, Kaspersky or AVG are all good options)
• Never use free themes downloaded from a source other than the original creator. In other words, never use a theme you downloaded from a torrent. You can bet it will be riddled with backdoors and malicious code.

1. When installing WordPress, avoid using “admin” as the username; use anything else, because we’re going to use that username as a hacker “honey pot” which we’re going to set up later.

If you’re working on an existing WordPress site where the administrator login user is already set to “admin”, go to WP Dashboard > Users, create a new user with Administrator privileges, log out, then log in with the new user and change the old “admin” user’s role to “No role for this site”.

2. Please use complicated passwords with digit(s) and special character(s)!

3. Disable Pingbacks, Trackbacks and Blog Notifications in Settings > Discussion

4. Verify file permissions after a successful WordPress installation:

Folder / File            Chmod
/wp-content/             755
/wp-content/themes/      755
/wp-content/plugins/     755
/wp-admin/               755
/wp-includes/            755
wp-config.php            400/440/600/640

• All directories should be 755 or 750.
• All files should be 644 or 640.

Exception: for paranoid security you may set wp-config.php permissions to 400 in order to prevent the file from being overwritten once your configuration is fully set, but the downside is that WordPress can no longer write to the file either. Normally you’ll use 600, or 640 for some shared hosting environments.

To view and change file permissions using WinSCP, simply right-click on a directory or file, and choose Properties, then enter the appropriate digits in the “Octal” field. File permissions can also be changed using the File Manager in cPanel.

5. It’s good practice to delete themes and plugins that you don’t use: their as-yet-undiscovered vulnerabilities may be exploited in the future, even if the plugin is not “Active”!

6. Disable file editing from within WordPress. Add the following to the wp-config.php file just before the “That’s it, stop editing” comment. This disables the theme and plugin editors in the dashboard.

define('DISALLOW_FILE_EDIT', true); // removes the Theme/Plugin Editor screens
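The permission rules from point 4 and the DISALLOW_FILE_EDIT check from point 6, as an added example that is not part of the original post: a small POSIX shell audit you can run against an install (or from cron) that lists every path breaking the rules, reports whether the file editor is disabled, and resets permissions to the recommended values. The sample tree it builds is constructed for the dry run; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with
# find, sed, grep and mktemp. Run: wp_perm_audit /path/to/wordpress

# Print one line per path that breaks the rules:
#   directories 755/750, files 644/640, wp-config.php 400/440/600/640.
wp_perm_audit() {
  root="$1"
  find "$root" -type d ! -perm 755 ! -perm 750 -print | sed 's/^/DIR  /'
  find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 -print \
    | sed 's/^/FILE /'
  find "$root" -type f -name wp-config.php \
    ! -perm 400 ! -perm 440 ! -perm 600 ! -perm 640 -print | sed 's/^/CONF /'
}

# Number of violations, handy as a cron or CI check (0 means clean).
wp_perm_violations() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Exit 0 only if wp-config.php defines DISALLOW_FILE_EDIT as true.
wp_file_edit_disabled() {
  grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$1/wp-config.php"
}

# Reset everything to the recommended values (wp-config.php kept at 600).
wp_harden() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  chmod 600 "$root/wp-config.php"
}

# Constructed sample install for a dry run: two deliberate mistakes
# (a 777 uploads directory and a 666 plugin file) and a wp-config.php
# that does not yet disable the file editor. Prints the tree's path.
wp_demo_tree() {
  t="$(mktemp -d)/wordpress"
  mkdir -p "$t/wp-content/uploads" "$t/wp-content/plugins/example-plugin"
  printf "<?php\ndefine('WP_DEBUG', false);\n" > "$t/wp-config.php"
  : > "$t/wp-content/plugins/example-plugin/example-plugin.php"
  chmod 755 "$t" "$t/wp-content" "$t/wp-content/plugins" \
            "$t/wp-content/plugins/example-plugin"
  chmod 777 "$t/wp-content/uploads"
  chmod 666 "$t/wp-content/plugins/example-plugin/example-plugin.php"
  chmod 600 "$t/wp-config.php"
  printf '%s\n' "$t"
}
```

On the constructed tree the audit reports the two bad paths, wp_harden clears both, and wp_file_edit_disabled stays non-zero until the define from point 6 is added.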

I also recommend adding these for overall WordPress performance. Your settings may vary, but this should suit the average site plenty.

define('WP_MEMORY_LIMIT', '256M');     // PHP memory for front-end requests
define('WP_MAX_MEMORY_LIMIT', '512M'); // PHP memory for admin/upgrade tasks
define('WP_POST_REVISIONS', 20);       // cap stored revisions per post
define('AUTOSAVE_INTERVAL', 300);      // editor autosave every 300 seconds

WordPress 5.2.0 introduced Recovery Mode; this constant sets the address the recovery-mode link is sent to if WordPress ever goes haywire due to a fatal error.

define('RECOVERY_MODE_EMAIL', 'youremail@address.com');

This is just a security start… but it is a good start!
