WordPress security is of great importance to a website owner. Based on the previous WordPress incident that happened under our umbrella (see details here), we have prepared some general recommendations on WordPress security:

  1. Use only themes and plugins from trusted sources.
  2. Minimize the number of plugins on the website: each one has to be regularly updated and represents an additional security risk.
  3. Change the wp-login URL if possible.
  4. Limit login attempts – by default users can attempt to log in as many times as they want and never get locked out. A lockout threshold blunts brute-force attacks against the login form.
  5. Disable file editing in the WordPress admin area by setting define('DISALLOW_FILE_EDIT', true); in wp-config.php.
  6. Limit the number of accounts/users that have login access to the website. Use .htaccess files in /var/www/html that only allow posting and logging in for users coming from certain IP addresses.
  7. Disable XML-RPC or block all access to the xmlrpc.php file; XML-RPC can be abused to initiate DDoS attacks. However, this API is used by many WordPress plugins and applications, so make sure that disabling it entirely won't break your website.
  8. Disable PHP execution in directories where it is not needed, such as wp-content/uploads, by creating a .htaccess file there, so that any file a malicious user manages to upload cannot be executed as PHP.
  9. Prevent URL-based exploits by rejecting requests that contain brackets: add RedirectMatch 403 \[ to the .htaccess file (the bracket must be escaped because it is a regular-expression metacharacter); a request containing a bracket will then receive a 403 Forbidden error.
  10. Disable PHP error reporting in wp-config.php (error_reporting and display_errors) so that error messages do not reveal your server paths.
  11. Perform regular software updates. Either make the site read-only for the PHP user and apply updates manually, which prevents malicious file injection, or enable auto-updates for WordPress core, themes and plugins (define('WP_AUTO_UPDATE_CORE', true); and define('AUTOMATIC_UPDATER_DISABLED', false); in wp-config.php). Auto-updating accepts the risk that a plugin may be taken over by malicious actors, but keeps the website up to date without your intervention. Major releases will still require manual upgrades.
  12. Log out idle users automatically to prevent sessions from being hijacked by anyone.
  13. Keep regular backups of the website content.
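Items 6 to 9 above as one worked Apache 2.4 configuration (Require syntax), added here as an example and not taken from the original post; the document root, the two .htaccess file locations and the RFC 5737 IP ranges are placeholders to replace with your own values.

```apache
# ---- File: /var/www/html/.htaccess (site document root) ----
# Placeholder paths and addresses; adjust to your deployment.

# Item 7: block all access to xmlrpc.php.
# Test the site afterwards, since some plugins and mobile apps rely on it.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Item 6: allow the login form only from trusted networks.
# 203.0.113.0/24 and 198.51.100.7 are documentation ranges (RFC 5737),
# used here as placeholders for your office or VPN addresses.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

# Item 9: refuse any request URI containing a literal "[".
# The bracket is a regex metacharacter, so it must be escaped;
# an unescaped "[" is a configuration error, not a match.
RedirectMatch 403 \[

# ---- File: /var/www/html/wp-content/uploads/.htaccess ----
# Item 8: media uploads are never executed as PHP, even if an attacker
# manages to place a script-like file here. Cover the usual extensions.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```

Run `apachectl configtest` after editing and confirm AllowOverride permits these directives for the document root, otherwise the .htaccess files are silently ignored.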