WordPress Security

With reference to this excellent article : keeping-wordpress-secure-the-ultimate-guide

I have made a quick reference guide of the basic steps. Please read the full article to understand the full details about these settings.

To speed things up, all plugins can be found/installed by searching for them within wordpress.

WordPress Security Keys

Use wordpress salt key generator to generate unique keys:

Copy paste the result into wp-config.php files, replacing the defaults:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

wp-config.php Updates

/*Disable php error reporting*/
@ini_set('display_errors', 0);

/*Disabled online editing of files.*/

define( 'DISALLOW_FILE_EDIT', true );

/*Auto Updates*/
define( 'WP_AUTO_UPDATE_CORE', true );

The following must be added right at the end of the wp-config, after require_once(ABSPATH . 'wp-settings.php');

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );


.HTACCESS Security Steps

Add the following lines to your .htaccess file, ensure these are added after the wordpress section. IE: after : # END WordPress tags

#Prevents access to wp-config file
<files wp-config.php>
order allow,deny
deny from all

# Block access to the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
#RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# prevent people from browsing the content of your directories
Options All -Indexes

#Block access to xmlrpc.php
<Files xmlrpc.php>
order deny,allow
deny from all


Plugins to install

Disable XML-RPC

Install this plugin: disable-xml-rpc

Limit Login Attempts

Install this plugin: login-security-solution

Hide Login Page

Install this plugin: rename-wp-login

Hide wordpress version number

Install plugin : remove-version-remver


Table Prefixes

When setting up a new site, don’t use the standard wp_ table prefix, change to something random.


Leave a Reply

Your email address will not be published. Required fields are marked *