WordPress Security


Upload the WordPress files and folders into a directory whose name is hard to predict, like cp web or here or anything else. A trick can be used to hide this directory so that WordPress appears to be installed in the home directory. Go to Settings -> General and delete the sub-directory name from the Site Address (URL) field. The Site Address is the perceived address, and the WordPress Address (URL) is the physical address. Copy the .htaccess and index.php files to the root of the domain, then edit the copies and change the last line (in index.php), which reads:

require('./wp-blog-header.php');

so that it points into the new subdirectory (SUBDIR is a placeholder for the directory name you chose):

require('./SUBDIR/wp-blog-header.php');

Changing the default table prefix while creating the configuration file makes it more challenging for attackers, because SQL that assumes the default table names no longer matches.

Put unique phrases in the salts of the wp-config.php file. They can be generated with the WordPress secret-key service:

http://api.wordpress.org/secret-key/1.1/salt/
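The two tips above both end up in wp-config.php. The fragment below is an added example, not the page's own text or a file from WordPress; the prefix value and every string marked PLACEHOLDER are assumptions, and the eight salt strings must be replaced with one fresh set from the generator linked above. The closing loop is an added safety check that stops the site from starting while a placeholder is still in place.

```php
<?php
// Added example: the parts of wp-config.php affected by the table-prefix and
// salt tips. PLACEHOLDER values are assumptions, not real secrets.

// Anything other than the default "wp_". Every table name (users, options,
// posts, ...) is built from this prefix, so canned SQL that targets wp_users
// no longer matches. Letters, digits and underscores only.
$table_prefix = 'k9x3_';   // PLACEHOLDER: choose your own value

// Unique keys and salts. WordPress mixes these into the hashes that protect
// login cookies and nonces; changing any of them logs every user out, which
// is exactly what you want after a suspected compromise.
define( 'AUTH_KEY',         'PLACEHOLDER-paste-the-generator-output-here' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-paste-the-generator-output-here' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-paste-the-generator-output-here' );
define( 'NONCE_KEY',        'PLACEHOLDER-paste-the-generator-output-here' );
define( 'AUTH_SALT',        'PLACEHOLDER-paste-the-generator-output-here' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-paste-the-generator-output-here' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-paste-the-generator-output-here' );
define( 'NONCE_SALT',       'PLACEHOLDER-paste-the-generator-output-here' );

// Added guard: refuse to run while any salt is still a placeholder or is
// shorter than the 64 characters the generator emits.
foreach ( array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                 'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' ) as $name ) {
    $value = constant( $name );
    if ( strpos( $value, 'PLACEHOLDER' ) !== false || strlen( $value ) < 64 ) {
        die( 'wp-config.php: ' . $name . ' still needs a unique value from the salt generator.' );
    }
}
```

Changing $table_prefix on a site that is already installed also requires renaming every table and the prefix-dependent keys stored in the options and usermeta tables (for example the user_roles option and the capabilities and user_level meta keys), which is why the page recommends setting it while the configuration file is first created.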

Don’t use admin as the username when setting up your site; admin is the default user, so every attacker will try that account first. Choose a different name.

It is essential to secure the wp-config.php file and the wp-content directory; the rest of the files can be deleted and uploaded again from a fresh copy. All uploaded files are stored in the wp-content folder, and the database connection details are saved in the wp-config.php file.
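A quick audit of the two items singled out above, written as an added example rather than anything from the page or from WordPress: it checks that wp-config.php is not readable or writable by other local accounts, and that no PHP file has been dropped into wp-content/uploads, which is where attacker-planted scripts usually land. The install path is an assumption.

```php
<?php
// wp-harden-check.php: added example, not part of the page or of WordPress.
// Run from the command line on the server:
//   php wp-harden-check.php        # exit 0 when clean, 1 when there are findings

const WP_ROOT = '/var/www/html';   // assumed install path; adjust for your host

/** Problems with the permission bits on wp-config.php (empty array means fine). */
function wp_config_problems( $path ) {
    if ( ! is_file( $path ) ) {
        return array( "$path not found" );
    }
    $mode     = fileperms( $path ) & 0777;
    $problems = array();
    if ( $mode & 0004 ) {   // "other" read bit: every local account can read the DB password
        $problems[] = sprintf( '%s is world-readable (mode %04o)', $path, $mode );
    }
    if ( $mode & 0022 ) {   // group or other write bit
        $problems[] = sprintf( '%s is group- or world-writable (mode %04o)', $path, $mode );
    }
    return $problems;
}

/** Absolute paths of files under $uploads_dir that a web server might execute as PHP. */
function executable_uploads( $uploads_dir ) {
    $found = array();
    if ( ! is_dir( $uploads_dir ) ) {
        return $found;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        // .phtml, .php5 and .phar are also mapped to the PHP handler by some server configurations.
        if ( $file->isFile() && preg_match( '/\.(php\d?|phtml|phar)$/i', $file->getFilename() ) ) {
            $found[] = $file->getPathname();
        }
    }
    return $found;
}

$findings = wp_config_problems( WP_ROOT . '/wp-config.php' );
foreach ( executable_uploads( WP_ROOT . '/wp-content/uploads' ) as $path ) {
    $findings[] = "executable file in uploads: $path";
}
foreach ( $findings as $f ) {
    echo "FINDING: $f\n";
}
exit( $findings ? 1 : 0 );
```

The usual fixes are chmod 600 on wp-config.php (or 640 with the web server's group as the group owner when PHP runs under a different account), and a web-server rule that refuses to execute PHP anywhere under wp-content/uploads, so that even a file the scan misses cannot run.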

Use a WordPress firewall.

Enforce strong WordPress password policies.
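The username tip and the password-policy tip can both be enforced in code, so that they do not depend on whoever creates the next account. The must-use plugin below is an added example, not from the page or from WordPress core; the hook names (illegal_user_logins, user_profile_update_errors, validate_password_reset) are real WordPress hooks, while the policy numbers (14 characters, three character classes) and the example_ function names are assumptions to adapt to your own policy.

```php
<?php
/**
 * Plugin Name: Login and password policy (added example)
 * Description: Blocks the "admin" login name and enforces a minimum password
 *              strength wherever WordPress lets a user choose a password.
 *
 * Added example, not part of the page or of WordPress. Save it as
 * wp-content/mu-plugins/password-policy.php so it is always loaded.
 */

// Login names that can never be created, on top of WordPress's own rules.
// The filter is consulted by wp_insert_user() and validate_username().
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root' ) );
} );

/**
 * Return the list of policy violations for $password; empty when it passes.
 * Kept free of WordPress calls so it can be unit-tested on its own.
 */
function example_password_policy_errors( $password, $user_login = '' ) {
    $errors = array();
    if ( strlen( $password ) < 14 ) {                       // assumed minimum length
        $errors[] = 'Passwords must be at least 14 characters long.';
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {                                    // assumed class requirement
        $errors[] = 'Passwords must use at least three of: lower case, upper case, digits, symbols.';
    }
    if ( $user_login !== '' && stripos( $password, $user_login ) !== false ) {
        $errors[] = 'Passwords must not contain the username.';
    }
    return $errors;
}

/** Copy the violations into the WP_Error object the hooks hand us. */
function example_add_password_errors( WP_Error $errors, $password, $user_login = '' ) {
    foreach ( example_password_policy_errors( $password, $user_login ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}

// Profile screen and "Add New User": $user is a stdClass whose user_pass is
// only set when a new password was typed in.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $login = isset( $user->user_login ) ? $user->user_login : '';
        example_add_password_errors( $errors, $user->user_pass, $login );
    }
}, 10, 3 );

// "Lost password" reset form: the new password arrives as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== '' ) {
        $login = ( $user instanceof WP_User ) ? $user->user_login : '';
        example_add_password_errors( $errors, wp_unslash( $_POST['pass1'] ), $login );
    }
}, 10, 2 );
```

Self-registration through wp-login.php is not covered because WordPress does not let the visitor pick a password there; it e-mails a reset link, so the validate_password_reset hook above catches that case too. An existing account literally named admin is not renamed by this plugin; create a new administrator with another name, reassign the content, then delete the old account.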

Install a file integrity monitoring plugin.

Keep a log of all changes that happen on WordPress.
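Between them, the two tips above ask for a record of what changed on disk. The command-line script below is an added example of the mechanism such a plugin uses, not code from the page or from any plugin: it stores a SHA-256 baseline of wp-config.php and everything under wp-content, then on each later run reports added, removed and modified files and appends every finding to a log. The paths at the top are assumptions.

```php
<?php
// wp-integrity.php: added example, not part of the page or of WordPress.
//   php wp-integrity.php baseline   # take (or refresh) the baseline after a known-good deploy
//   php wp-integrity.php check      # compare the live tree against it; exit 1 on any change

const WP_ROOT    = '/var/www/html';                        // assumed install path
const BASELINE   = '/var/lib/wp-integrity/baseline.json';  // assumed; keep it outside the web root
const CHANGE_LOG = '/var/log/wp-integrity.log';            // assumed log location
const WATCH      = array( 'wp-config.php', 'wp-content' );

/** Map of relative path => sha256 for every regular file under the watched paths. */
function snapshot( $root, array $watch ) {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    foreach ( $watch as $rel ) {
        $abs = $root . '/' . $rel;
        if ( is_file( $abs ) ) {
            $hashes[ $rel ] = hash_file( 'sha256', $abs );
            continue;
        }
        if ( ! is_dir( $abs ) ) {
            continue;
        }
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( $abs, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $it as $file ) {
            if ( $file->isFile() ) {
                $relPath            = substr( $file->getPathname(), strlen( $root ) + 1 );
                $hashes[ $relPath ] = hash_file( 'sha256', $file->getPathname() );
            }
        }
    }
    ksort( $hashes );
    return $hashes;
}

/** Compare two snapshots; returns arrays of added, removed and modified paths. */
function diff_snapshots( array $old, array $new ) {
    $added    = array_keys( array_diff_key( $new, $old ) );
    $removed  = array_keys( array_diff_key( $old, $new ) );
    $modified = array();
    foreach ( array_intersect_key( $new, $old ) as $path => $hash ) {
        if ( $hash !== $old[ $path ] ) {
            $modified[] = $path;
        }
    }
    return compact( 'added', 'removed', 'modified' );
}

/** Append one timestamped line to the change log and echo it. */
function log_line( $msg ) {
    $line = gmdate( 'c' ) . ' ' . $msg . PHP_EOL;
    file_put_contents( CHANGE_LOG, $line, FILE_APPEND | LOCK_EX );
    echo $line;
}

$mode = $argv[1] ?? 'check';
if ( $mode === 'baseline' ) {
    @mkdir( dirname( BASELINE ), 0700, true );
    file_put_contents( BASELINE, json_encode( snapshot( WP_ROOT, WATCH ), JSON_PRETTY_PRINT ) );
    log_line( 'baseline written to ' . BASELINE );
    exit( 0 );
}

$old = json_decode( (string) file_get_contents( BASELINE ), true );
if ( ! is_array( $old ) ) {
    fwrite( STDERR, 'No baseline at ' . BASELINE . "; run with 'baseline' first\n" );
    exit( 2 );
}
$changes = diff_snapshots( $old, snapshot( WP_ROOT, WATCH ) );
$total   = 0;
foreach ( $changes as $kind => $paths ) {
    foreach ( $paths as $p ) {
        log_line( strtoupper( $kind ) . ' ' . $p );
        $total++;
    }
}
// A non-zero exit status lets cron or a monitoring agent raise an alert.
exit( $total > 0 ? 1 : 0 );
```

Run the baseline step immediately after each deliberate update of core, plugins or themes, and the check step from cron; every MODIFIED line for a file you did not change yourself, and every ADDED .php file, deserves a look. Keep the baseline and the log outside the web root and not writable by the web-server account, otherwise an attacker who gains write access to the site can rewrite the evidence. Because legitimate media uploads change wp-content/uploads all the time, many teams exclude that directory from hashing and instead only alert on executable files appearing there.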

Keep WordPress core, all the plugins, themes and software you use up to date.

Use an SSL certificate (HTTPS).

  • Encrypts the traffic between the web server and the web browser.
  • Certificate Authority (CA): the certificate carries cryptographic proof that an entity trusted by the browser vouches for the website’s identity. It has built-in security features that make it challenging to spoof.
  • Three different types of certificates can be obtained: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV).
  • Let’s Encrypt, a non-profit certificate authority run by the Internet Security Research Group (ISRG), provides HTTPS certificates to everyone at no charge. It is the largest CA on the Internet. Its certificates are valid for 90 days, but it uses the ACME protocol, which allows automatic renewal.
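Installing the certificate is only half of the job; visitors and links that still use http:// must be sent to the encrypted site. The must-use plugin below is an added example, not from the page or from WordPress core: it redirects plain-HTTP front-end requests to HTTPS and sends an HSTS header so browsers keep using HTTPS. It assumes the WordPress Address and Site Address in Settings -> General already start with https:// and that the certificate is valid; the header's max-age value is an assumption to raise once the setup has proven stable.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 * Description: Redirect plain-HTTP requests to HTTPS and send an HSTS header.
 *
 * Added example, not part of the page or of WordPress. Save it as
 * wp-content/mu-plugins/force-https.php once the certificate is installed.
 */

// Redirect before any output is sent. is_ssl() reads the HTTPS server
// variable; behind a TLS-terminating proxy or load balancer you must first
// map X-Forwarded-Proto onto $_SERVER['HTTPS'] in wp-config.php, or every
// request looks like plain HTTP and the redirect loops.
add_action( 'template_redirect', function () {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // wp_safe_redirect() only follows hosts WordPress already trusts, so a
    // forged Host header cannot turn this into an open redirect.
    wp_safe_redirect( $target, 301 );
    exit;
} );

// HSTS is only meaningful on a response that was itself served over TLS.
// Assumed max-age of one day to start; includeSubDomains also commits every
// subdomain to HTTPS, so drop it if any of them is still plain HTTP.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=86400; includeSubDomains' );
    }
} );
```

template_redirect fires only for front-end pages; the login page and the dashboard are covered by setting the FORCE_SSL_ADMIN constant to true in wp-config.php, which WordPress provides for exactly that purpose. Renewal of a Let’s Encrypt certificate is handled by the ACME client on the server (certbot is the common one), not by WordPress, so pair this plugin with a renewal timer and a check that the certificate's expiry date keeps moving forward.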