Since WordPress is such a popular platform, it’s a very large target. If you use it, you owe it to yourself and your users (and your client(s), if applicable) to implement best practices for site setup and security.
General settings #
Here are some WordPress settings you should check:
- General: Make sure Membership is disabled (“Anyone can register” box is unchecked)
- Permalinks: Make sure permalinks are set to post name
- Discussion: Under DEFAULT POST SETTINGS, uncheck “Allow people to comment…” (or require posters to be logged-in users)
If you haven’t already, install Solid Security and check out these recommended settings, especially requiring SSL and changing your table prefix.
Changing your file structure #
Check out this article for an overview of hardening techniques. The items in this section and the following ones require FTP or server-level access, and being comfortable with editing PHP code.
Out-of-the-box, WordPress has a standard file structure. Simply modifying that structure can reduce your vulnerability.
- Give WordPress its own directory: This page provides a good set of directions. It links to the following additional tasks.
- Move your `wp-content` folder
- Move your `plugins` folder
Securing your error logs #
If you use error logging, it is important to make sure that 1) errors are NOT displayed in a browser on your production site, and 2) any log files are stored outside of webroot, e.g. in a directory like `.logs`. This requires setting the log location to the ABSOLUTE PATH of your desired directory.
Securing configuration files #
Securing your `wp-config.php` file is another important step; this file usually includes important things like database credentials and file paths. This article provides some directions, but here is my preferred strategy.
- Create a directory called `.config`, one level up from webroot (usually `public_html` or `httpdocs`).
- Copy the entire contents of `wp-config.php` to a new PHP file in that directory, with a name such as `[site]-info.php`. Modify paths in that new document to absolute locations.
- Change the original `wp-config.php` to a single line (after the opening `<?php` tag): `require_once('absolute_path_to_new_file.php');` If you're using Solid Security, you may need to leave a couple of its config lines in place in this file, above the require statement.
- Make sure your site works, and that you can get to your dashboard.
Further concealing the details #
Even if you’ve taken all of the above steps, your configuration file still contains data that can be used by malevolent actors to hack or deface your site. Here’s a technique for making that data one step safer:
- In the `.config` directory you created above, create a file called `[site]_config.ini`, and place in it the following data pairs. Brackets are purely indicative; no punctuation is required except around the password.

  ```ini
  username=[your_database_user]
  password='[your_database_users_password]'
  dbname=[your_database_name]
  dbhost=[your_database_host, usually "localhost"]
  table_prefix=[your_table_prefix]
  ```

- Set its file permissions so that only the owner can write to it (i.e. 444)
- Edit the `[site]-info.php` file as follows:
  - Right below the lines defining the plugin and content directories (should be near the top of the file), add this line. It uses `__DIR__` so that the path resolves relative to `[site]-info.php` itself; a bare relative filename would be looked up in the directory PHP was started from (normally webroot) and fail:

    ```php
    $creds = parse_ini_file(__DIR__ . '/[site]_config.ini');
    ```

  - After that, add the following lines:

    ```php
    /** The name of the database for WordPress */
    define( 'DB_NAME', $creds['dbname'] );
    /** MySQL database username */
    define( 'DB_USER', $creds['username'] );
    /** MySQL database password */
    define( 'DB_PASSWORD', $creds['password'] );
    /** MySQL hostname */
    define( 'DB_HOST', $creds['dbhost'] );
    $table_prefix = $creds['table_prefix'];
    ```

  - Remove any other references to those constants in the above section (the original `define()` lines for `DB_NAME`, `DB_USER`, `DB_PASSWORD` and `DB_HOST`, and the original `$table_prefix` assignment).
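A guarded version of that credential-loading step, added here as an example rather than taken from the article: it fails closed (logging the reason, never echoing it to the visitor) when the `.ini` file is missing, unparsable, writable by others, or short a key. The `load_db_credentials` name and the error handling are my assumptions; `[site]` is the article's placeholder.

```php
<?php
// Added example, not code from the original article. The function name and
// error handling are assumptions; "[site]" is the article's placeholder.

/**
 * Read database credentials from an .ini file kept beside this file (one
 * level above webroot) and fail closed if anything is missing or unsafe.
 * Problems go to the error log, never to the browser.
 */
function load_db_credentials(string $ini_path): array
{
    if (!is_file($ini_path) || !is_readable($ini_path)) {
        error_log("Credential file not readable: {$ini_path}");
        exit('Site configuration error.');
    }

    // The article sets the file to 444; anything writable by group or
    // others would let another local account swap the credentials.
    if ((fileperms($ini_path) & 0022) !== 0) {
        error_log("Credential file is writable by group/others: {$ini_path}");
        exit('Site configuration error.');
    }

    // Default scanner mode, as on the page: bare words such as yes/no/true
    // are interpreted, which is why the password must stay quoted.
    $creds = parse_ini_file($ini_path);
    if ($creds === false) {
        error_log("Credential file could not be parsed: {$ini_path}");
        exit('Site configuration error.');
    }

    foreach (['username', 'password', 'dbname', 'dbhost', 'table_prefix'] as $key) {
        if (!isset($creds[$key]) || $creds[$key] === '') {
            error_log("Credential file is missing the '{$key}' key");
            exit('Site configuration error.');
        }
    }
    return $creds;
}

// __DIR__ is the directory of this file, so the .ini is found no matter
// which directory PHP was started in (a bare relative path is resolved
// against the working directory, normally webroot, and would fail).
$creds = load_db_credentials(__DIR__ . '/[site]_config.ini');
define('DB_NAME',     $creds['dbname']);
define('DB_USER',     $creds['username']);
define('DB_PASSWORD', $creds['password']);
define('DB_HOST',     $creds['dbhost']);
$table_prefix = $creds['table_prefix'];
```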