Since WordPress is such a popular platform, it’s a very large target. If you use it, you owe it to yourself and your users (and your client(s), if applicable) to implement best practices for site setup and security.
General settings #
Here are some WordPress settings you should check:
- General: Make sure Membership is disabled (“Anyone can register” box is unchecked)
- Permalinks: Make sure permalinks are set to post name
- Discussion: Under DEFAULT POST SETTINGS, uncheck “Allow people to comment…” (or require posters to be logged-in users)
If you haven’t already, install Solid Security and check out these recommended settings, especially requiring SSL and changing your table prefix.
Changing your file structure #
Check out this article for an overview of hardening techniques. The items in this section and the following ones require FTP or server-level access, and being comfortable with editing PHP code.
Out-of-the-box, WordPress has a standard file structure. Simply modifying that structure can reduce your vulnerability.
- Give WordPress its own directory: This page provides a good set of directions. It links to the following additional tasks.
- Move your
wp-contentfolder - Move your
pluginsfolder
Securing your error logs #
If you use error logging, it is important to make sure that 1) errors are NOT displayed in a browser on your production site, and 2) any log files are stored outside of webroot, i.e. a directory like .logs. This requires setting the log location to the ABSOLUTE PATH of your desired directory.
Securing configuration files #
Securing your wp-config.php file is another important step; this file usually includes important things like database credentials and file paths. This article provides some directions, but here is my preferred strategy.
- Create a directory called
.config, one level up from webroot (usuallypublic_htmlorhttpdocs). - Copy the entire contents of
wp-configto a new php file in that directory, with a name such as[site]-info.php. Modify paths in that new document to absolute locations. - Change the original
wp-configto a single line:*require_once('absolute_path_to_new_file.php');
* If you’re using Solid Security, you may need to leave a couple of its config lines in place in this file, above the require statement. - Make sure your site works, and that you can get to your dashboard.
Further concealing the details #
Even if you’ve taken all of the above steps, your configuration file still contains data that can be used by malevolent actors to hack or deface your site. Here’s a technique for making that data one step safer:
- In the
.configdirectory you created above, create a file called[site]_config.ini, and place in it the following data pairs. Brackets are purely indicative; no punctuation is required except around the password.username=[your_database_user]
password='[your_database_users_password]'
dbname=[your_database_name]
dbhost=[your_database_host, usually "localhost"]
table_prefix=[your_table_prefix] - Set its file permissions so that only the owner can write to it (i.e. 444)
- Edit the
[site]-info.phpfile as follows:- Right below the lines defining the plugin and content directories (should be near the top of the file), add this line:
$creds=parse_ini_file("[site]_config.ini"); - After that, add the following lines:
/** The name of the database for WordPress */
define( 'DB_NAME', $creds['dbname'] );
/** MySQL database username */
define( 'DB_USER', $creds['username'] );
/** MySQL database password */
define( 'DB_PASSWORD', $creds['password'] );
/** MySQL hostname */
define( 'DB_HOST', $creds['dbhost'] );
$table_prefix = $creds['table_prefix']; - Remove any other references to those constants in the above section.
- Right below the lines defining the plugin and content directories (should be near the top of the file), add this line:
