With the recent rise in brute-force attacks against WordPress installations, it’s now my turn to write down a checklist of things to do that will make your installation more secure.
There are different levels at which you can secure the installation: you can change the WordPress files and the settings inside WordPress itself,
or you can change the web server settings, for example by adding .htaccess rules if you are running Apache or a few simple rules in nginx.
Let us start by backing up both the database and the files before we make any actual changes. Neither this site nor its author is in any way responsible if something goes wrong with your site. This is a general recommendation and should be adapted to your installation.
Whatever you decide to implement on your WordPress site, do it one change at a time, then test every aspect of the site before moving on to the next step. It is hard to find and fix errors if you make multiple changes at once, because you will never know which one broke it.
Changes you should do to your WordPress installation
These are things to consider doing or changing in WordPress, in no particular order.
- Keep the amount of plugins to a minimum. If it’s not in use, remove it.
- Always update your WordPress installation as soon as possible, the same goes for plugins and themes.
- Do not use the default login name of “admin”, change it to something random.
- Use secure passwords. Combine upper/lower case, numbers and special characters.
- Edit your wp-config.php file and change the WordPress keys. Tip: use the WordPress Key Generator.
- Install and use some security plugins, like Better WP Security Plugin or Wordfence Security plugin.
- Do not use the default database table prefix of “wp_”, change it to something random. This is harder to do when you have a site running but not impossible.
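The key rotation in the list above, done locally instead of pasting output from the key generator. This is an added example, not code from the original post or from WordPress: it is a POSIX shell script that rewrites the eight define('...KEY'/'...SALT', ...) lines in a stock wp-config.php with fresh 64-character random values. The function names and the sample configuration it is run against are mine; paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the eight WordPress
# secret keys and salts in wp-config.php with locally generated random values.
# Assumes the stock layout, where each define('NAME', '...'); starts at column 1.
# Rotating the keys invalidates every existing login cookie, so all users
# (including you) have to sign in again afterwards; that is the intended effect.

# Print one 64-character random key. The character set deliberately leaves out
# the single quote, double quote, backslash and dollar sign, so the value is
# always safe inside a single-quoted PHP string.
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_=+{}<>?,.:;|~' < /dev/urandom | head -c 64
}

# Rewrite every key/salt define in the given wp-config.php in place.
# Only the matching define lines change; every other line is copied through.
# Usage: wp_rotate_salts /path/to/wp-config.php
wp_rotate_salts() {
    config="$1"
    tmp="$config.tmp.$$"
    cp "$config" "$tmp"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(wp_random_key)
        # \047 is a single quote inside the awk program
        awk -v name="$name" -v value="$value" '
            index($0, "define(\047" name "\047") == 1 {
                print "define(\047" name "\047, \047" value "\047);"
                next
            }
            { print }
        ' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$config"
}

# Print the current value of one key, to check the result.
# Usage: wp_get_key /path/to/wp-config.php AUTH_KEY
wp_get_key() {
    awk -v name="$2" -F"'" 'index($0, "define(\047" name "\047") == 1 { print $4 }' "$1"
}
```

Run it as `wp_rotate_salts /var/www/html/wp-config.php` after taking the backup the post asks for; `wp_get_key` lets you confirm each key is now a 64-character value rather than the placeholder text WordPress ships with.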
Changes you should consider if you are using Apache
- Use .htaccess to add an IP restriction to your wp-admin directory,
- or add a password to access the wp-admin directory.
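Both Apache suggestions above, combined into one wp-admin/.htaccess. This is an added example, not from the original post: a small shell script that writes an Apache 2.4 .htaccess which allows only the listed addresses and additionally asks for an HTTP Basic password. The function names, the htpasswd path and the documentation-range addresses in the usage line are my own placeholders; the htpasswd file is assumed to exist already (create it with Apache's `htpasswd -c` and keep it outside the web root) and AllowOverride is assumed to permit AuthConfig and Limit for the wp-admin directory.

```shell
#!/bin/sh
# Added example (not from the original post): generate wp-admin/.htaccess.
# Apache 2.4 syntax. The client must come from one of the listed addresses
# AND present a valid user from the htpasswd file. admin-ajax.php is left open
# because many themes and plugins call it from the public side of the site.

# Print the .htaccess contents to stdout.
# Usage: wp_admin_htaccess /etc/apache2/wp-admin.htpasswd "203.0.113.10 198.51.100.0/24"
wp_admin_htaccess() {
    htpasswd_file="$1"
    allowed_ips="$2"
    if [ -z "$allowed_ips" ]; then
        # An empty "Require ip" line is a config error that locks nobody out;
        # refuse to write it rather than produce a file Apache rejects.
        echo "wp_admin_htaccess: no allowed IP addresses given" >&2
        return 1
    fi
    printf '%s\n' \
        "# wp-admin: restricted to known addresses, password required on top" \
        "AuthType Basic" \
        "AuthName \"Restricted\"" \
        "AuthUserFile $htpasswd_file" \
        "<RequireAll>" \
        "    Require ip $allowed_ips" \
        "    Require valid-user" \
        "</RequireAll>" \
        "" \
        "# Front-end AJAX calls land here; do not put them behind the login" \
        "<Files admin-ajax.php>" \
        "    Require all granted" \
        "</Files>"
}

# Write the file into the wp-admin directory of an installation.
# Usage: wp_admin_protect /var/www/html /etc/apache2/wp-admin.htpasswd "203.0.113.10"
wp_admin_protect() {
    wp_admin_htaccess "$2" "$3" > "$1/wp-admin/.htaccess"
}
```

If you only want one of the two measures, drop the `Require valid-user` line (IP restriction alone) or the `Require ip` line (password alone); changing `<RequireAll>` to `<RequireAny>` gives "known address OR password", which is weaker than the default here. After writing the file, test an admin login from an allowed and from a disallowed address before relying on it.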
Changes you should consider if you are using nginx
I read about this configuration at lowendtalk.com and haven’t tested it myself, so the usual disclaimer (as always) applies.
Backup, backup, test, test again, before you go live.
Add this to your nginx config file (make sure you READ it first, as it must be changed to suit your site settings):
    # Refuse every request method except the three WordPress needs;
    # 444 makes nginx close the connection without sending a response
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    # Block dotfiles (.htaccess, .git, ...), wp-config.php and readme.html.
    # Note: this also blocks /.well-known/, so add an exception before it
    # if you use ACME certificates
    location ~ /(\.|wp-config\.php|readme\.html) {
        return 444;
    }

    # Numeric permalinks: redirect /123/ to /?p=123
    location ~ ^/(\d+)/$ {
        return 301 /?p=$1;
    }

    # Put HTTP basic auth in front of the login page; create the password
    # file with Apache's htpasswd tool or openssl passwd
    location = /wp-login.php {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        # The fastcgi lines must match the PHP location block of your own site
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    }
That’s a few pointers on how to secure your WordPress site, nothing that can’t be found almost anywhere on the internet.
There are even more things you can do to protect your WordPress site.