WordPress security matters to every website owner. Following the WordPress incident that recently occurred under our umbrella (see details here), we have prepared the following general recommendations on WordPress security:
- Use only themes and plugins from trusted sources (the official WordPress.org directory or the vendor's own site); never install "nulled" or repackaged copies.
- Minimize the number of plugins on the website: each one has to be kept up to date and adds attack surface.
- Change the wp-login URL if possible. This only cuts down automated bot noise, since the login path is easy to rediscover, so do not rely on it as a control on its own.
- Limit login attempts. By default users can attempt to log in as many times as they want without being locked out, which makes brute-force password guessing cheap. Rate limiting and lockouts make such attacks slow and noisy rather than impossible, so combine them with strong passwords.
- Disable file editing in the WordPress admin area by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php. Without it, anyone who obtains an administrator session can write arbitrary PHP through the built-in theme and plugin editors.
- Limit the number of accounts that have login access to the website, and restrict where logins can come from: an .htaccess file in /var/www/html (the document root) can limit wp-login.php and the wp-admin directory to allow-listed IP addresses, so that only users connecting from those addresses can log in or publish.
- Disable XML-RPC, or block all access to xmlrpc.php. Its pingback method can be abused to make your site take part in DDoS attacks against other hosts, and its system.multicall method lets an attacker test many passwords in a single request, sidestepping per-request login limits. However, this API is used by some plugins and applications (the Jetpack plugin and the WordPress mobile apps, for example), so make sure that disabling it entirely will not break your website.
- Disable PHP execution in directories where it is not needed, such as wp-content/uploads, by placing an .htaccess file there. The uploads directory has to stay writable, so this rule is what stops an attacker who manages to upload a PHP file (a web shell) from executing it.
- Prevent URL-based exploits by rejecting requests whose path contains square brackets: add RedirectMatch 403 \[ (and RedirectMatch 403 \]) to the .htaccess file, and such requests will receive a 403 Forbidden error. The bracket must be escaped, as a bare [ is not a valid regular expression and Apache will refuse to load the file. RedirectMatch tests only the URL path, not the query string, and this is a blunt filter, so check that no legitimate URL on your site uses brackets.
- Disable PHP error display in wp-config.php (error_reporting and display_errors, together with define('WP_DEBUG_DISPLAY', false);) so that error messages do not reveal server paths to visitors. Errors should still be logged server-side; they just must not be printed into the page.
- Perform regular software updates. There are two approaches. Either make the site read-only for the PHP user (with wp-content/uploads as the only writable directory) and apply updates manually on a regular schedule, which also prevents a compromised plugin or request from writing files into the site; or enable auto-updates for core, themes and plugins (define('WP_AUTO_UPDATE_CORE', true); and define('AUTOMATIC_UPDATER_DISABLED', false); in wp-config.php, plus the per-plugin and per-theme auto-update toggles available since WordPress 5.5), accepting the risk that a plugin taken over by malicious actors gets installed automatically, in exchange for a website that stays up to date without your intervention. Note that WP_AUTO_UPDATE_CORE set to true also applies major core releases automatically; set it to 'minor' if major upgrades should remain a manual step, as they are by default.
- Log out idle users automatically. WordPress does not do this by default: a session left open on a shared or unattended machine, or a stolen session cookie, stays valid until the cookie expires (two days, or two weeks with "Remember Me"). An idle-timeout plugin, or a shorter lifetime set through the auth_cookie_expiration filter, narrows the window in which a hijacked session is useful.
- Keep regular backups of the website content and database, store them off the web server, and test that they actually restore.
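The .htaccess and wp-config.php changes from the list above, collected into one script that applies them idempotently and then checks that each is in place. This is an added example written for this page, not code from the original post or from WordPress itself. It assumes Apache 2.4 (Require syntax) with AllowOverride All for the document root, a standard wp-config.php that still contains the "stop editing" marker line, that wp-admin/ and wp-content/uploads/ already exist, and that the administrator addresses are passed on the command line; the addresses in the usage comment are documentation-range placeholders.

```shell
#!/usr/bin/env bash
# Added example for this page, not code from the original post. Applies the .htaccess
# and wp-config.php recommendations above to a WordPress document root.
# Assumptions: Apache 2.4 with AllowOverride All for the docroot, a standard wp-config.php
# containing the "stop editing" marker, admin addresses passed on the command line, and
# wp-admin/ and wp-content/uploads/ already present.
set -eu

# Append a block to a file once, guarded by a marker comment, so re-runs are idempotent.
append_once() {            # append_once <file> <marker>   (block text on stdin)
  file=$1; marker=$2
  if [ -f "$file" ] && grep -qF "$marker" "$file"; then cat >/dev/null; return 0; fi
  { echo "# BEGIN $marker"; cat; echo "# END $marker"; } >> "$file"
}

# Root .htaccess: IP-restrict wp-login.php, block xmlrpc.php, reject bracketed URL paths.
# Appending leaves the permalink rewrite block that WordPress manages in place.
harden_root_htaccess() {   # harden_root_htaccess <docroot> <ip-or-cidr>...
  docroot=$1; shift
  append_once "$docroot/.htaccess" "wp-hardening" <<EOF
<Files wp-login.php>
    Require ip $*
</Files>
# Block XML-RPC entirely; confirm first that no plugin or mobile app depends on it
<Files xmlrpc.php>
    Require all denied
</Files>
# RedirectMatch tests the URL path only (not the query string); the bracket must be escaped
RedirectMatch 403 \\[
RedirectMatch 403 \\]
EOF
}

# wp-admin/.htaccess: same allow-list, but keep admin-ajax.php reachable, since themes
# and plugins call it for anonymous visitors as well.
harden_admin_htaccess() {  # harden_admin_htaccess <docroot> <ip-or-cidr>...
  docroot=$1; shift
  append_once "$docroot/wp-admin/.htaccess" "wp-hardening" <<EOF
Require ip $*
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# uploads/.htaccess: the directory must stay writable, so stop PHP from executing there.
harden_uploads_htaccess() {  # harden_uploads_htaccess <docroot>
  append_once "$1/wp-content/uploads/.htaccess" "wp-hardening" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Insert a setting before the "stop editing" marker unless that name is already defined;
# anything placed after wp-settings.php is required would be too late to take effect.
add_wp_config_line() {     # add_wp_config_line <wp-config.php> <name> <php-line>
  cfg=$1; name=$2; line=$3
  grep -q "$name" "$cfg" && return 0
  grep -q 'stop editing' "$cfg" || { echo "no 'stop editing' marker in $cfg" >&2; return 1; }
  awk -v ins="$line" '/stop editing/ && !done { print ins; done=1 } { print }' "$cfg" > "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

harden_wp_config() {       # harden_wp_config <docroot>
  cfg=$1/wp-config.php
  add_wp_config_line "$cfg" DISALLOW_FILE_EDIT         "define('DISALLOW_FILE_EDIT', true);"
  # 'minor' keeps major core releases a manual step; true would auto-apply those too
  add_wp_config_line "$cfg" WP_AUTO_UPDATE_CORE        "define('WP_AUTO_UPDATE_CORE', 'minor');"
  add_wp_config_line "$cfg" AUTOMATIC_UPDATER_DISABLED "define('AUTOMATIC_UPDATER_DISABLED', false);"
  add_wp_config_line "$cfg" WP_DEBUG_DISPLAY           "define('WP_DEBUG_DISPLAY', false);"
  add_wp_config_line "$cfg" display_errors             "@ini_set('display_errors', 0);"
}

# Read-only tree for the PHP worker (assumed to run under <php-group>), with only
# wp-content/uploads writable. Needs root; re-run after every manual update.
lock_down_permissions() {  # lock_down_permissions <docroot> <deploy-user> <php-group>
  chown -R "$2:$3" "$1"
  find "$1" -type d -exec chmod 750 {} +
  find "$1" -type f -exec chmod 640 {} +
  chmod -R g+w "$1/wp-content/uploads"
}

# Report which recommendations are missing; returns 0 only when all are in place.
check_hardening() {        # check_hardening <docroot>
  d=$1; rc=0
  grep -qs  "Require ip"           "$d/.htaccess"                    || { echo "MISSING: login IP allow-list"; rc=1; }
  grep -qs  "<Files xmlrpc.php>"   "$d/.htaccess"                    || { echo "MISSING: xmlrpc.php block"; rc=1; }
  grep -qsF 'RedirectMatch 403 \[' "$d/.htaccess"                    || { echo "MISSING: bracket filter"; rc=1; }
  grep -qs  "Require ip"           "$d/wp-admin/.htaccess"           || { echo "MISSING: wp-admin allow-list"; rc=1; }
  grep -qs  "FilesMatch"           "$d/wp-content/uploads/.htaccess" || { echo "MISSING: no-PHP rule in uploads"; rc=1; }
  grep -qs  "DISALLOW_FILE_EDIT"   "$d/wp-config.php"                || { echo "MISSING: DISALLOW_FILE_EDIT"; rc=1; }
  grep -qs  "display_errors"       "$d/wp-config.php"                || { echo "MISSING: display_errors off"; rc=1; }
  return $rc
}

main() {                   # usage: harden-wp.sh <docroot> <admin-ip-or-cidr>...
  [ $# -ge 2 ] || { echo "usage: $0 <docroot> <admin-ip-or-cidr>..." >&2; return 1; }
  docroot=$1; shift
  harden_root_htaccess "$docroot" "$@"
  harden_admin_htaccess "$docroot" "$@"
  harden_uploads_htaccess "$docroot"
  harden_wp_config "$docroot"
  check_hardening "$docroot"
}
# Runs only when given arguments, e.g.: ./harden-wp.sh /var/www/html 203.0.113.10 198.51.100.0/24
if [ $# -gt 0 ]; then main "$@"; fi
```

The script appends rather than overwrites, so the permalink rewrite block WordPress writes to the root .htaccess survives, and the marker comments mean running it again after an update changes nothing. The wp-admin allow-list deliberately leaves admin-ajax.php open, because front-end features of many themes and plugins call it for logged-out visitors. lock_down_permissions is the read-only-site variant of the update advice; it is not called by main because it needs root and should be run explicitly after each manual update.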