We have implemented several layers of security on our servers to keep your websites safe. However, as we mentioned in our Malware removal rules and security standards article, the security of your website is a two-way street: WPX and you. Here we discuss the WordPress security measures that you should implement on your own sites.
WordPress Security practices that you should use.
Limit access:
Keep the number of people with administrator access to your WordPress site to a minimum, and give everyone else the lowest role that lets them do their job (Editor, Author, Contributor, Subscriber). You can also reduce the number of possible entry points: install only the plugins and themes you actually need and use, and delete (not just deactivate) the rest, since the files of a deactivated plugin are still on the server and still reachable from the web.
Stay Up-to-Date:
Keep your WordPress site up to date: core, plugins, themes and the PHP version. The latest version of WordPress is always available from the official WordPress website, and official releases are not distributed anywhere else, so never download or install WordPress from any website other than https://wordpress.org.
Alternatively, you can install WordPress with a few clicks from the WPX Control Panel. That way you can be sure that the source of your installation is not compromised.
Trusted Sources:
Do not download plugins and themes from sources you do not trust. Googling for a free copy of a premium plugin is asking for trouble: malicious people and organisations distribute so-called "nulled" plugins and themes that come bundled with backdoors and other malware. Get plugins and themes from the wordpress.org directory or directly from the vendor.
Secure your Working Environment:
Make sure that your local computer, browser and router are up to date and free of spyware, malware and viruses. Consider using tools like NoScript (or disabling JavaScript, Flash and Java) in your browser, and a VPN to encrypt your traffic when you work from public Wi-Fi hotspots. Secure your mobile devices too, and install updates as soon as they become available.
Always use strong passwords:
The purpose of a password is to be hard to guess and to hold up against a brute-force attack. A strong password is long, complex and unique: never reuse your WordPress administrator password for the database user, FTP/SFTP or your WPX account. Use a password generator for every password, or a long passphrase that would only make sense to you personally.
If you want reliable software that generates and stores all of your passwords for you, we recommend KeePass. Download the application, create a database file and protect it with a single strong master password; KeePass then generates and stores the individual passwords for you, and you only ever have to remember the master password.
Protect your WP-admin area:
You can change the URL you use to log in to your WordPress dashboard (by default /wp-login.php and /wp-admin), for example with a plugin such as WPS Hide Login. This cuts down the automated login attempts aimed at the default URL, but it is obscurity rather than authentication: it does nothing against logins sent through xmlrpc.php, which accept the same username and password regardless of the dashboard URL. Pair it with strong, unique passwords, and disable XML-RPC if nothing you use depends on it.
Additional WordPress security tips.
If you are technically familiar with WordPress and would like to know some additional security measures, then the following points will help you.
WP-Includes:
A layer of protection can be added to the PHP scripts in the wp-includes directory. Those scripts are include-only: WordPress loads them itself, and no browser or user should ever request them directly, so a direct request can safely be refused. One way to do that is to block them with mod_rewrite rules in the .htaccess file at the site root. Put the block above the "# BEGIN WordPress" marker, outside the section that WordPress manages, or WordPress will overwrite it the next time it regenerates its permalink rules:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
How it works: the "-" substitution means the request is never rewritten, only answered; [F] returns 403 Forbidden and implies [L] (stop processing). The negated rule (!^wp-includes/) matches every request outside wp-includes, and its [S=3] skips the next three rules for those requests, so they are only evaluated for paths under wp-includes. Static assets under wp-includes (JavaScript, CSS, fonts) are still served, because only .php files directly in the directory, the TinyMCE language files and theme-compat are blocked. The flags are written as [F,L] with no space, and the dots in the file-name patterns are escaped (\.php) so that they match a literal dot rather than any character. One caveat: on Multisite, the ^wp-includes/[^/]+\.php$ line also blocks ms-files.php, which older Multisite installs use to serve uploaded media; drop that line there, at the cost of some protection.
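To see what these rules actually let through, here is an added example (not WPX's or WordPress's code) that models the five RewriteRule lines in Python and evaluates constructed sample requests against them. The request paths and the minimal mod_rewrite flag semantics it implements (F, S=n and the ! negation) are assumptions made for the example, not Apache's own code:

```python
import re

# Model of the five RewriteRule lines above (constructed for this example).
# Each entry is (pattern, negated, flags); every rule uses "-" as the
# substitution, i.e. it never rewrites, it only forbids (F) or skips rules (S=n).
INCLUDE_RULES = [
    (r"^wp-admin/includes/",                   False, {"F": True}),
    (r"^wp-includes/",                         True,  {"S": 3}),
    (r"^wp-includes/[^/]+\.php$",              False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/",            False, {"F": True}),
]


def evaluate(request_path, rules=INCLUDE_RULES):
    """Return the HTTP status the rule set would produce for a request path.

    request_path is the path relative to RewriteBase /, with no leading slash,
    which is how a per-directory (.htaccess) RewriteRule sees it. Only the
    flags this block uses are modelled: F answers 403 and stops (F implies L);
    S=n skips the next n rules when the rule matches; a leading "!" inverts
    the match.
    """
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        matched = re.search(pattern, request_path) is not None
        if negated:
            matched = not matched
        if matched:
            if flags.get("F"):
                return 403
            i += flags.get("S", 0)
        i += 1
    return 200


# Constructed sample requests of the kind a scanner or attacker sends.
SAMPLE_REQUESTS = [
    "wp-includes/wp-db.php",                  # include-only file: 403
    "wp-includes/ms-files.php",               # also 403: the Multisite caveat
    "wp-includes/js/tinymce/langs/en.php",    # 403
    "wp-includes/theme-compat/comments.php",  # 403
    "wp-includes/js/jquery/jquery.js",        # static asset: 200
    "wp-includes/css/dashicons.css",          # 200
    "wp-admin/includes/file.php",             # 403
    "wp-admin/admin-ajax.php",                # legitimate endpoint: 200
    "wp-content/uploads/shell.php",           # 200: uploads need their own rule
    "wp-login.php",                           # 200
]


def decisions(paths=SAMPLE_REQUESTS):
    """Map each request path to the status the rule set yields."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    for path, status in decisions().items():
        print(f"{status}  /{path}")
```

The last sample is the point to notice: this block does nothing for wp-content/uploads, which is why the uploads directory gets its own .htaccess below.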
WP-Content/Uploads:
The uploads directory, wp-content/uploads, is the one directory that must be writable by the web server: it is where files uploaded through WordPress land, and an attacker who gets a file in there (through a vulnerable upload form or a stolen account) wants the server to run it. Nothing in that directory should ever execute as PHP, so block PHP execution by placing a .htaccess file in wp-content/uploads containing:
# Kill PHP execution
<FilesMatch "(?i)\.(?:php[0-9]*|phtml|phar|pht)(?:\.|$)">
  # Apache 2.4 syntax; on Apache 2.2 use "deny from all" instead
  Require all denied
</FilesMatch>
The (?i) makes the match case-insensitive and the (?:\.|$) also catches double extensions such as shell.php.jpg, which some handler configurations would otherwise pass to PHP. Older versions of this snippet matched only ".php", ".php3" to ".php5", ".pht" and ".phtml", which leaves .php7, .php8, .phar and upper-case names uncovered. The rule refuses to serve the file at all, which is what you want in uploads: images, PDFs and other media are unaffected. It only takes effect on servers that honour .htaccess (Apache and LiteSpeed); on Nginx the equivalent is a location block for /wp-content/uploads/ that returns 403 for .php files.
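An added example, not part of the original article, that compares the narrow pattern \.ph(?:p[345]?|t|tml)$ found in many versions of this snippet with a broader, case-insensitive one against constructed upload names. The sample names, and the assumption that the server maps the PHP handler by extension (so that case and double extensions matter), are the example's own:

```python
import re

# Two candidate <FilesMatch> patterns, constructed for this example.
# CLASSIC is the narrow pattern from older versions of the snippet.
# HARDENED assumes the PHP handler is mapped by file extension: mod_mime
# compares extensions case-insensitively, and with AddHandler every dotted
# segment of a name counts as an extension, so it ignores case and also
# matches a PHP extension in the middle of the name.
CLASSIC = re.compile(r"\.ph(?:p[345]?|t|tml)$")
HARDENED = re.compile(r"\.(?:php[0-9]*|phtml|phar|pht)(?:\.|$)", re.IGNORECASE)


def is_denied(filename, pattern):
    """True if a <FilesMatch> directive with this pattern would refuse the file."""
    return pattern.search(filename) is not None


# Constructed upload names, including the shapes webshell droppers use.
SAMPLE_UPLOADS = [
    "photo.jpg",
    "report.pdf",
    "shell.php",
    "shell.php5",
    "shell.php7",
    "shell.phar",
    "shell.phtml",
    "SHELL.PHP",
    "backdoor.php.jpg",
]


def compare(names=SAMPLE_UPLOADS):
    """Return {name: (denied_by_classic, denied_by_hardened)} for each upload."""
    return {n: (is_denied(n, CLASSIC), is_denied(n, HARDENED)) for n in names}


def gaps(names=SAMPLE_UPLOADS):
    """Names the classic pattern lets through but the hardened one refuses."""
    return [n for n, (old, new) in compare(names).items() if new and not old]


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:18} classic={'deny' if old else 'allow':5} "
              f"hardened={'deny' if new else 'allow'}")
    print("gaps closed:", gaps())
```

Run it and the gaps() list shows exactly which names the narrow pattern would have let the server execute; legitimate media such as photo.jpg and report.pdf are refused by neither.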
Disable File Editing:
Disabling file editing within the WordPress dashboard is also recommended: the built-in theme and plugin editor lets anyone with an administrator session write arbitrary PHP to the server, so a stolen admin account or a cross-site scripting bug turns straight into code execution. WordPress has a constant that removes the editor, set in wp-config.php. Add the following above the line that reads /* That's all, stop editing! Happy publishing. */, using straight quotes (curly quotes break PHP):
// Disable the theme and plugin file editor in the dashboard
define( 'DISALLOW_FILE_EDIT', true );
If you deploy plugins and themes from version control and never install or update them through the dashboard, the stricter DISALLOW_FILE_MODS constant blocks those actions too, but it also blocks dashboard and automatic core updates, so only use it together with a process that applies updates another way.
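An added example (not WPX's or WordPress's code) that applies this change to a wp-config.php safely: it inserts the define above the stop-editing marker, refuses to add a duplicate (PHP warns about a redefined constant), and flags a configuration that explicitly sets the constant to false instead of silently flipping it. The wp-config.php it operates on is a constructed sample:

```python
import re

# Markers present in a stock wp-config.php.
STOP_EDITING = "That's all, stop editing!"
SETTINGS_REQUIRE = "wp-settings.php"
DEFINE_BLOCK = (
    "// Disable the theme and plugin file editor in the dashboard\n"
    "define( 'DISALLOW_FILE_EDIT', true );\n\n"
)
DEFINE_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
    re.IGNORECASE,
)

# Constructed sample of a stock wp-config.php (credentials are placeholders).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'example-password' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""


def file_edit_setting(config_text):
    """Return True/False for an existing DISALLOW_FILE_EDIT define, None if absent."""
    m = DEFINE_RE.search(config_text)
    if m is None:
        return None
    return m.group(1).lower() == "true"


def harden(config_text):
    """Return (new_text, status) with DISALLOW_FILE_EDIT set to true exactly once.

    status is 'already-set' (nothing to do), 'set-false' (someone disabled the
    protection on purpose; leave it for a human to decide) or 'added'. The
    define is inserted above the stop-editing marker, or, in a customised file
    that lacks it, above the require of wp-settings.php, which is the last
    point at which a constant is guaranteed to be seen by core and plugins.
    """
    setting = file_edit_setting(config_text)
    if setting is True:
        return config_text, "already-set"
    if setting is False:
        return config_text, "set-false"
    lines = config_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if STOP_EDITING in line or SETTINGS_REQUIRE in line:
            lines.insert(i, DEFINE_BLOCK)
            return "".join(lines), "added"
    raise ValueError("no stop-editing marker or wp-settings.php require found")


if __name__ == "__main__":
    new_text, status = harden(SAMPLE_WP_CONFIG)
    print(status)
    print(new_text)
```

To use it on a real site, read wp-config.php into a string, call harden(), and write the result back only when the status is "added"; a "set-false" result deserves a conversation with whoever disabled it.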
If you get stuck with anything discussed on this page, get in touch with the WPX Support Team via live chat (use the widget at the bottom right) and they will respond and help in 30 seconds or less.