=========
QUESTION
———
How do I secure or harden my WordPress installation?
=========
ANSWER
———
PASSWORDS
—
Always use 10-15 character random strings for passwords, containing:
Upper and lower case letters (AbCdEfGh …)
Numbers (01234 …)
Special characters / symbols ($%&*#! …)
These strong passwords should be used for WordPress user accounts, and also for any FTP access and database passwords
When anySiteHosting.com executes a WordPress installation, we always use 15 character passwords for everything.
To help you keep track of your passwords, use a secure password management program like Agile Bits’ 1Password application
———
PLUGINS
—
BBQ: Block Bad Queries
This is an excellent plugin that protects against several popular hacks by blocking malicious query strings and several other types of attacks.
Exploit Scanner
A great little plugin you can run from time to time to double-check your site
Total Security
A great plugin for scanning your entire site and hosting system infrastructure
Better WP Security
An excellent plugin with several default ‘push button’ fixes set up to harden the install
———
INSTALL
—
WRITE PERMISSIONS
During install, you will have to enable Write Permissions on the wwwroot directory, but be sure to disable that write permission afterward.
—
REMOVE ALL DEFAULT POSTS
During install, WordPress adds default posts and comments. Remove these so the site does not look brand new, and therefore like one whose owner perhaps hasn’t fully secured the install and may be an easy target.
—
HIDE WORDPRESS VERSION
Hackers have an easier time if they know exactly what version of WordPress you have installed – so hide it!
wp-content/{name of your WordPress theme}/header.php
Look for the generator meta tag that outputs the WordPress version and remove it
wp-includes/general-template.php
Look for something around line 1858:
function the_generator( $type ) {
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
Place a hash sign (#) in front of the word echo to comment it out.
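As an added example that is not from the original article or from anySiteHosting.com, the same result can be reached with WordPress hooks instead of editing core files (which are overwritten on every WordPress update); it assumes a standard install and a hypothetical function name prefix `asn_`.

```php
<?php
/*
 * Added example: hide the WordPress version with hooks rather than by
 * editing wp-includes/general-template.php, so the change survives
 * core updates. Save as wp-content/mu-plugins/hide-wp-version.php
 * (must-use plugins load automatically) or paste into the active
 * theme's functions.php (wp-content/themes/{your-theme}/functions.php).
 */

// 1. Stop wp_head() from printing the <meta name="generator"> tag;
//    this is the tag the header.php step above removes by hand.
remove_action( 'wp_head', 'wp_generator' );

// 2. Make the_generator() return an empty string for every output type
//    (html, xhtml, rss2, atom, rdf, comment, export), so feeds and
//    exports do not leak the version either.
add_filter( 'the_generator', '__return_empty_string', 99 );

// 3. Strip the "?ver=X.Y.Z" query string WordPress appends to the URLs
//    of its core scripts and styles; that value is the installed version.
//    Caveat: this also removes cache-busting for theme and plugin assets,
//    so purge any page/browser cache after updating them.
function asn_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'asn_strip_version_query', 9999 );
add_filter( 'script_loader_src', 'asn_strip_version_query', 9999 );

// Note: the readme.html file in the web root also states the version;
// delete it after each install or upgrade, as with install.php below.
```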
—
REMOVE ALL POWERED BY WORDPRESS FOOTERS, ETC
This is an easily recognizable sign of a new, likely unsecured site, and one that hackers can find easily.
—
DELETE INSTALL AND UPGRADE SCRIPTS
/wp-admin/install.php and /wp-admin/upgrade.php
Delete these files after every installation or upgrade – they are only ever used during those processes, and are included in every new package, so there is no need to keep them.
———
WP-CONFIG
—
Move the file to a directory above the wwwroot to avoid hackers gaining access
(yes, PHP disallows this access, but a hack may be found around this, PHP may fail, etc…)
—
If custom HTML is not absolutely necessary for your web site, try disabling it in wp-config.php by adding the following line:
define( 'DISALLOW_UNFILTERED_HTML', true );
———
WORDPRESS UPDATES
—
Keep WordPress Up to Date – always install the latest build of WordPress
—
Keep your plugins up to date – always install the latest build of the plug-ins
—
Rely on WordPress’ built-in Updates notification system – you can see these via the number tags on the updates button at the top of the page after logon.
———
BACKUP BACKUP BACKUP
—
We will notify you if we find your WordPress installation compromised.
We are not responsible for providing you with a restore back to the point before the site became compromised.
You can perform your own backups though to protect against this scenario:
http://www.anysitesupport.com/wordpress-how-to-backup/
———
=========
EXAMPLES
———
=========
APPLIES TO / KEY WORDS
———
=========
REF
———