Looking for an easy checklist of how to harden your WordPress site without bloated plugins? Look no further. Here is a plain list without the extra fluff, based on my own experience. I use it myself when helping clients. The aim is to make your installation more secure than your neighbor's. ;-)
Basics
- WordPress updated to the latest version.
- Plugins and themes updated to the latest version.
- Deactivate and delete unused plugins. Don't just leave them deactivated: their files are still on the server and still reachable.
- Always use strong passwords. Absolutely not one of these.
- Have a clean installation: don't leave phpMyAdmin installed (and don't try to hide it by leaving the version in the directory name, like "phpMyAdmin-4.6.4-all-languages"). Also, don't leave any SQL dump files lying around on the server; a dump in the web root is a full copy of your users table, password hashes included.
Next level
- If you don't use the built-in theme and plugin file editor, disable it. Add
  define('DISALLOW_FILE_EDIT', true);
  to wp-config.php. (It also works from your theme's functions.php, but then it silently disappears when the theme is switched; wp-config.php is where WordPress expects it.)
- Make sure directory listing is off. If you are using Apache, add
  Options All -Indexes
  to .htaccess.
- Depending on your hosting, PHP error display can be on, which shows file paths and sometimes database details to visitors. Add this to wp-config.php, above the "That's all, stop editing!" line:
  ini_set('log_errors', 'On');
  ini_set('display_errors', 'Off');
  error_reporting(E_ALL);
  WordPress only manages display_errors itself when WP_DEBUG is on, so with WP_DEBUG off (as it should be in production) this ini_set is what keeps errors off the page.
- Create a new user with administrator privileges, log in as that user and delete the user "admin". When asked, attribute its posts to the new account instead of deleting them.
- Disable comments. Use a plugin, or untick "Allow people to submit comments on new posts" under Settings > Discussion and close comments on existing posts. Emptying comments.php in your theme only hides the form: wp-comments-post.php still accepts submissions, so bots keep posting. I am sorry, if you don't have a lot of friends, only spam bots will post here.
- Subscribe to a newsletter like Wordfence's and skim through it.
- Register a free account on UptimeRobot to check that the site is up. Tip: don't just monitor the front page of the site. Monitor a page deeper in the hierarchy, or set up a keyword monitor on the front page so a defaced page or a database error page counts as down.
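The comment item above deserves more than a template edit, because the form is only one of several submission paths. The must-use plugin below is an added example, not code from the original post; it assumes you save it as wp-content/mu-plugins/close-comments.php (any file name in mu-plugins/ works, and mu-plugins load without activation). It forces comments_open() to false, which is the single check consulted by the theme, by wp-comments-post.php, by the REST API comments controller and by XML-RPC wp.newComment, and then removes the leftover comment UI from the admin.

```php
<?php
/**
 * Plugin Name: Close comments everywhere
 * Description: Added example for the hardening checklist; not part of the original post.
 *              Assumed location: wp-content/mu-plugins/close-comments.php
 */

defined('ABSPATH') || exit;

// comments_open()/pings_open() are the checks every submission path uses:
// comment_form() in the theme, wp_handle_comment_submission() behind
// wp-comments-post.php, the REST comments controller and XML-RPC.
// Forcing them to false closes all of them, whatever each post's stored
// comment_status says. PHP_INT_MAX keeps plugins from re-opening them later.
add_filter('comments_open', '__return_false', PHP_INT_MAX, 2);
add_filter('pings_open', '__return_false', PHP_INT_MAX, 2);

// Hide comments that were approved before the site was closed, and report
// zero so "3 comments" links and counters disappear from templates.
add_filter('comments_array', '__return_empty_array', PHP_INT_MAX, 2);
add_filter('get_comments_number', '__return_zero', PHP_INT_MAX, 2);

// Drop comment/trackback support from every post type so the Discussion
// meta box and the REST "comment_status" field go away. Priority 99 runs
// after post types registered at the default init priority.
add_action('init', function () {
    foreach (get_post_types() as $type) {
        if (post_type_supports($type, 'comments')) {
            remove_post_type_support($type, 'comments');
            remove_post_type_support($type, 'trackbacks');
        }
    }
}, 99);

// Remove the admin menu entry and the admin-bar bubble.
add_action('admin_menu', function () {
    remove_menu_page('edit-comments.php');
});
add_action('wp_before_admin_bar_render', function () {
    global $wp_admin_bar;
    $wp_admin_bar->remove_menu('comments');
});

// Anyone typing edit-comments.php by hand lands on the dashboard instead.
add_action('admin_init', function () {
    global $pagenow;
    if ('edit-comments.php' === $pagenow) {
        wp_safe_redirect(admin_url());
        exit;
    }
});
```

After dropping the file in, request wp-comments-post.php with a POST for an existing post: WordPress now answers with its "Sorry, comments are closed for this item" error instead of creating a pending comment. Existing comments are not deleted, only hidden, so you can still trash them from the database or by temporarily removing the file.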
Bonus points
- Force the admin area and login page over HTTPS by adding
  define('FORCE_SSL_ADMIN', true);
  to wp-config.php. You can use a free Cloudflare account for a certificate and DDoS protection. Set its SSL mode to "Full (strict)" with a certificate installed on your server; in "Flexible" mode the connection between Cloudflare and your origin still runs over plain HTTP, so the admin password travels in the clear on that leg.
- Prevent user enumeration. WordPress reveals login names through /?author=1 (which redirects to /author/<login>/), through the REST endpoint /wp-json/wp/v2/users, and through the login form, which reports "unknown username" and "incorrect password" differently. If all users have strong passwords this is usually not a worry, since a login name alone does not get an attacker in, but it hands brute-force tools half of what they need.
- Disable XML-RPC (xmlrpc.php) if you are not using the WordPress iOS app or any third-party software that needs it. It is a second login endpoint that ignores most login-page protections, and its pingback.ping method has been abused to make sites send requests to third parties.
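The two bonus items above can be handled in one must-use plugin. This is an added example, not code from the original post; it assumes the file wp-content/mu-plugins/block-enumeration-xmlrpc.php and that anonymous visitors never legitimately need the author archive or the REST users endpoint. Note that the xmlrpc_enabled filter only refuses methods that require a login, so pingback.ping stays callable unless you also strip it from the method table as done here.

```php
<?php
/**
 * Plugin Name: Block user enumeration and XML-RPC
 * Description: Added example for the hardening checklist; not part of the original post.
 *              Assumed location: wp-content/mu-plugins/block-enumeration-xmlrpc.php
 */

defined('ABSPATH') || exit;

// /?author=1 normally 301s to /author/<login>/, leaking the login name for
// each user ID. Send anonymous visitors who ask for an author back home.
add_action('init', function () {
    if (is_admin() || is_user_logged_in()) {
        return;
    }
    if (isset($_GET['author']) || isset($_POST['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// /wp-json/wp/v2/users lists every user who has published a post, with the
// slug field equal to the login name, to anyone. Unregister the routes for
// requests that carry no authenticated user; editors keep them, so the
// block editor's author dropdown still works.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (0 === strpos($route, '/wp/v2/users')) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// wp_authenticate_username_password() returns 'invalid_username' for an
// unknown user and 'incorrect_password' for a known one. Collapse both into
// one message so the login form no longer confirms which names exist.
// Priority 100 runs after the core authenticators (20/30) and the spam check (99).
add_filter('authenticate', function ($user, $username, $password) {
    if (is_wp_error($user)) {
        $leaky = ['invalid_username', 'invalid_email', 'incorrect_password'];
        if (array_intersect($user->get_error_codes(), $leaky)) {
            return new WP_Error('invalid_credentials', __('Invalid username or password.'));
        }
    }
    return $user;
}, 100, 3);

// XML-RPC: the filter below only disables methods that need authentication
// (wp.getUsersBlogs, metaWeblog.* and friends); unauthenticated methods
// such as pingback.ping still run, so remove them from the method table too.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
```

To verify: an anonymous GET of /?author=1 should now return a 301 to the home page rather than to /author/<login>/, /wp-json/wp/v2/users should answer with a rest_no_route error, and a POST to xmlrpc.php calling pingback.ping should get a "server error. requested method pingback.ping does not exist" fault. If nothing at all needs xmlrpc.php, the cheaper option on Apache is a <Files xmlrpc.php> block with Require all denied in .htaccess, which keeps the request from ever reaching PHP.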