---
layout: page
title: en-US
permalink: /items/
---
Most of the time, when a website running WordPress is hacked, the culprit is not WordPress itself but some avoidable misconfiguration introduced during development. That is the idea behind this project: a checklist of actions you should take to increase the security of your website.
- Change the security keys (generator provided by WordPress.org)
- Lock down the login page after repeated failed logins (Login Lockdown or iThemes Security)
- Activate two-factor authentication (Google Authenticator for WordPress)
- Use the email address to log in instead of the username (WP Email Login)
- Rename the URL of your login page (iThemes Security or directly in .htaccess)
- Remove login links from the theme (if there's any)
- Use a strong password containing uppercase, lowercase, numbers, and special characters on all accounts (password generator)
- Change the passwords regularly
- Make the login error messages generic, so they do not reveal whether the username or the password was wrong (tutorial)
- Password-protect the wp-admin folder (unblock only the files that need to stay reachable)
- Keep WordPress up-to-date
- Do not create an account with username admin. If there is any, create a new Administrator account and delete the old one
- Create an Editor account and use it solely to publish content
- Implement SSL for the WordPress admin section
- Install a plugin that monitors file changes (WP Security Scan, Wordfence or iThemes Security)
- Scan the website for viruses, malware, and security breaches
- Keep the theme up-to-date
- Delete and remove unused themes
- Download and use themes only from reputable sources
- Remove the WordPress version from the theme (tutorial)
- Keep all plugins up-to-date
- Delete and remove unused plugins
- Download and use plugins only from reputable sources
- Replace outdated plugins with newer, maintained alternatives
- Think twice before installing a ton of plugins
- Change the default table prefix (tutorial)
- Schedule a weekly backup of the database (Backup WP, WP DB Backup, etc.)
- Use a strong password containing uppercase, lowercase, numbers, and special characters for the database user (password generator)
- Hire a reliable hosting provider
- Connect to your server only through SFTP or SSH
- Set all folder permissions to 755 and file permissions to 644 (according to the Codex)
- Make sure the wp-config.php file is not accessible by others
- Remove or block via .htaccess the files license.txt, wp-config-sample.php, and readme.html
- Disable file editing via wp-config.php by adding the following line:

  ```php
  define('DISALLOW_FILE_EDIT', true);
  ```

- Prevent directory listing via .htaccess by adding the following line:

  ```apache
  Options All -Indexes
  ```
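The file-level items above (leftover files, wp-config.php protection, DISALLOW_FILE_EDIT, directory listing, 755/644 permissions) can be checked in one pass. The POSIX shell script below is an added example, not part of the original checklist; it assumes the document root is passed as its argument and, for wp-config.php, holds the file to a stricter mode than 644 (no world-read bit), as the Codex allows for that file.

```shell
#!/bin/sh
# Added audit script: checks a WordPress document root against the
# file-system items of the checklist. Prints one line per finding and
# returns 0 when clean, 1 when something needs fixing.
wp_audit() {
  root="$1"
  findings=0

  # Leftover files that reveal the version or hint at the configuration.
  for f in license.txt readme.html wp-config-sample.php; do
    if [ -e "$root/$f" ]; then
      echo "leftover file present: $f"
      findings=$((findings + 1))
    fi
  done

  # wp-config.php must exist, must not be world-readable, and must
  # switch off the in-dashboard theme/plugin editor.
  cfg="$root/wp-config.php"
  if [ ! -f "$cfg" ]; then
    echo "wp-config.php missing"
    findings=$((findings + 1))
  else
    if [ -n "$(find "$cfg" -perm -004)" ]; then
      echo "wp-config.php is world-readable"
      findings=$((findings + 1))
    fi
    if ! grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg"; then
      echo "DISALLOW_FILE_EDIT not set in wp-config.php"
      findings=$((findings + 1))
    fi
  fi

  # Directory listing should be disabled in the root .htaccess.
  if ! grep -q -- "-Indexes" "$root/.htaccess" 2>/dev/null; then
    echo "directory listing not disabled in .htaccess"
    findings=$((findings + 1))
  fi

  # Folders 755 and files 644 (exact modes); wp-config.php is held to the
  # stricter rule above and so is excluded from the 644 check.
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
  bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
  [ "$bad_dirs" -gt 0 ] && echo "$bad_dirs folder(s) not 755" && findings=$((findings + 1))
  [ "$bad_files" -gt 0 ] && echo "$bad_files file(s) not 644" && findings=$((findings + 1))

  [ "$findings" -eq 0 ]
}
```

Run it as `wp_audit /var/www/html` from a shell that has sourced the file; a non-zero exit makes it usable as a cron or CI gate.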