I just translated slides from my WordCamp speech to English (it is the first version of the translation, there may be many grammar mistakes). You can find many security tips there.
@picwellwisher12pk I don’t like to move wp-config up. This action prevents revealing information when the server stops interpreting PHP code and shows the source code instead. There was a bug in Plesk years ago that allowed showing source code - this is the origin of this technique. If you move wp-config up, you need to allow scripts to access directories outside the web root. It may pose a greater risk.
Changing the wp_ prefix is good advice, but it protects only against simple bots and script kiddies. If SQL injection is possible, you can get the correct prefix easily. Good practice is to block queries including “union” and other suspicious SQL commands.
Awesome advice @smitka. And thanks for translating your presentation and sharing it here. There’s a lot of good WP security advice in it. I really love slides 13 and 15 and how you point out the misordering of priorities in relation to business impacts.
Hi, the tutorial on wpbeginner looks very good. Pay attention to the “Admin Ajax Issue” section to allow admin-ajax.php. Some plugins also use the admin-post.php file.
There are three very good plugins:
WordFence
iThemes Security
All in one WP security and firewall
My favourite one is WordFence. It has some interesting features:
Limiting (not blocking) some traffic
Notification when plugin/theme updates are available
File change detection with possibility to roll back changes
On the other hand, iThemes provides pretty good URL filtering and has the ability to change the wp-admin slug.
I really like the combo of WordFence + some rules from the .htaccess generated by iThemes Security + rules to block queries containing “wp-config.php” and to block harvesting of user names.
I usually don’t use security plugins on my own servers - I block login and scanning attempts with fail2ban and use WAF (naxsi) to enhance overall security (but it is quite hard to maintain rules).
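The two .htaccess rules mentioned above (blocking queries that mention wp-config.php and blocking user-name harvesting), plus the admin-ajax.php exemption from the “Admin Ajax Issue” note, as an added example that is not from the post or the plugins it names. It assumes Apache 2.4 with mod_rewrite and mod_auth_basic, and the file paths and the /wp-admin/ prefix are assumptions about a default install:

```apache
# --- root .htaccess (added example, assumes Apache 2.4 + mod_rewrite) ---

# Deny direct requests for wp-config.php and editor backups of it
# (wp-config.php~, wp-config.php.bak, ...) regardless of the PHP handler.
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

RewriteEngine On

# Block any request whose query string mentions wp-config.php
# (typical of path-traversal / file-inclusion scanners).
RewriteCond %{QUERY_STRING} wp-config\.php [NC]
RewriteRule ^ - [F]

# Block user-name harvesting via /?author=N: WordPress would answer with a
# redirect to /author/<login>/, which leaks the login name. The wp-admin
# exclusion is needed because admin screens legitimately use ?author=N
# (e.g. filtering the post list by author).
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F]

# --- wp-admin/.htaccess (added example, assumed location of the basic-auth) ---

# Password-protect the dashboard; AuthUserFile path is an assumption.
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Exempt the endpoints that front-end plugins and themes call anonymously;
# with AuthMerging Off (the 2.4 default) this inner Require replaces the
# outer "Require valid-user" for these files only.
<FilesMatch "^(admin-ajax|admin-post)\.php$">
    Require all granted
</FilesMatch>
```

Check the result with curl: `curl -I 'https://example.invalid/?author=1'` should return 403, while an anonymous request to /wp-admin/admin-ajax.php should not prompt for a password.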
Hi @AmitMojumder – security is a very broad topic. If there’s ever anything in particular you’d like to see on the WordPress channel, let me know and I’ll feed it back to the authors.
@mginop thanks for the heads up, I’ve fixed the smart quotes!
The best way to secure your WordPress website is not by using a plugin but by denying access to certain directories through the .htaccess file and your robots.txt file. Also choose a secure hosting provider.
I added the bit about the htpasswd to my htaccess, but now scheduled posts don’t publish automatically anymore. I really need the password as the site is under constant attack. Any suggestions?
Does the order of the text in the .htaccess matter? I followed a few how-tos like the one you wrote and added instructions to protect wp-config.php, install.php, readme.html, php_error.log, as well as the following:
# Block URL based exploits
RedirectMatch 403 \[

# Ban double slashes in all URLs
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /(([^/\ ]+/)*)/+([^\ ]*)
RewriteRule ^ /%1%3 [L,R=301]
The above was added to the bottom of the .htaccess after the caching settings added by W3TC. In my wp-config.php I activated PHP error logging by adding: