

WordPress Security Checklist




You have decided to use WordPress to create/manage your site. The steps below are important if you want to protect your site and content, and we recommend that you follow them.


  • Keep your WordPress/website backed up
        We are not responsible if your site is not backed up. If your site is important to you, create a backup before and/or after modifications. Best practice is to keep a local copy on your PC before making any changes.

  • Update your WordPress!

        A lot of users do not keep their WordPress site up to date and are at risk of being compromised/hacked. A very easy step that adds an extra layer of security is to update your WordPress. There is a reason WordPress keeps updating its software: there are always new security issues / bugs that need to be fixed. Always back up your site before you update, as some users are using old themes that might cause issues after an update. To update your WordPress, log in to your cPanel account and scroll to the bottom until you see a section called "Softaculous Apps Installer"; there will be a notification if there are any updates for WordPress or any plugins or apps you have installed (ex: Joomla, Drupal).

 

  • Use strong Passwords

          Do not use dictionary words or easy passwords (ex: password, iamgod, pass123). Make sure they are over 12 characters long and use alphanumeric characters and symbols (ex: dCgXf245&fh).


  • Do not use "admin" for any user

        Create a new admin user account with a name other than "admin" and remove the user account named "admin".


  • Avoid Old/Outdated/unsupported WordPress themes

       A lot of free WordPress themes are no longer supported or updated by their creators and carry a high risk of being compromised.
       If your site is important, research a theme that is supported and comes from a trustworthy supplier.
       Most such themes are paid ones, which are widely available. Take the time to research and find out from the vendor
       what support is included.


  • Change Your user account database name

        When you create a user, WordPress creates a database entry using the username (user_yourusername). This also becomes your default author page (ex: http://yourdomain.com/author/username/).
        You can change this using phpMyAdmin, a tool for modifying the database; changing the name there also changes the author page URL. This makes it harder for someone attempting to figure out which account name is in use.


  • Reduce login attempts to your site

        Login attempts can be limited, which denies hackers the chance to make too many tries at cracking your password.


  • Disable File Editing

        Once you are done modifying your theme or site, add the following line to your "wp-config.php" file:

         define( 'DISALLOW_FILE_EDIT', true );


        This removes the theme and plugin editors from the dashboard, which helps prevent code execution through the dashboard if your account becomes compromised.



  • Disable direct access to wp-login.php


        Use the .htaccess code below to stop direct automated attempts to log in to your site:
        NOTE: Replace example.com below with your domain (leave the ?. before it and everything else as it is); the URL may vary depending on your WordPress URL.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?.example.com [NC]
RewriteCond %{REQUEST_URI} ^/wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
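To see exactly which requests the rule above stops, here is an added Python model of its four RewriteCond lines (this is not Apache and not part of this article); example.com stands in for your domain and the sample requests are constructed.

```python
import re

# Added example: a small Python model of the .htaccess rule in the checklist, so
# its effect can be checked on constructed sample requests offline. It is not
# Apache; "example.com" is an assumed stand-in for the site's own domain.
SITE = "example.com"

# The patterns are transcribed exactly as written in the .htaccess block,
# including the unescaped "." before the domain and the "http://" scheme,
# so that the model reproduces the rule's real behaviour.
REFERER_ALLOWED = re.compile(r"^http://(.*)?." + SITE, re.IGNORECASE)
LOGIN_URI = re.compile(r"^/wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^/wp-admin$")


def rule_blocks(method: str, uri: str, referer: str = "") -> bool:
    """Return True when the rule would answer 403 for this request.

    mod_rewrite evaluates the conditions as:
        method == "POST"
        AND Referer does NOT match the allowed pattern
        AND (URI matches wp-login.php OR URI is exactly /wp-admin)
    An absent Referer header is seen by mod_rewrite as the empty string.
    """
    is_post = method == "POST"                  # "=POST" is an exact compare
    foreign_referer = not REFERER_ALLOWED.search(referer)
    login_target = bool(LOGIN_URI.search(uri) or ADMIN_URI.search(uri))
    return is_post and foreign_referer and login_target


# Constructed sample requests: (method, uri, referer, description).
SAMPLE_REQUESTS = [
    ("POST", "/wp-login.php", "", "bot posting credentials with no Referer"),
    ("POST", "/wp-login.php", "http://www.example.com/wp-login.php", "normal form submit"),
    ("GET", "/wp-login.php", "", "just loading the login page"),
    ("POST", "/wp-login.php", "http://example.com/wp-login.php", "bare domain, no subdomain"),
    ("POST", "/wp-login.php", "https://www.example.com/wp-login.php", "same site over HTTPS"),
    ("POST", "/wp-admin/admin-ajax.php", "", "AJAX endpoint under /wp-admin/"),
]


def evaluate_samples() -> dict:
    """Map each sample description to whether the rule blocks it."""
    return {desc: rule_blocks(m, u, r) for m, u, r, desc in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for desc, blocked in evaluate_samples().items():
        print(f"{'403' if blocked else 'pass'}: {desc}")
```

The last three samples show the rule's limits: a Referer from the bare domain or over HTTPS is treated as foreign, so on a site served over HTTPS the scheme in the pattern needs adjusting before this is deployed, and paths under /wp-admin/ other than the exact /wp-admin are not covered.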


  • Two Step Authentication:


       WordPress also offers a two-step authentication method for logging in to your site. Follow this URL, where WordPress gives the steps to enable it:
       http://en.support.wordpress.com/security/two-step-authentication/


  • Additional WordPress Tools:


http://wordpress.org/plugins/all-in-one-wp-security-and-firewall
http://wordpress.org/extend/plugins/wp-security-scan
http://wordpress.org/extend/plugins/ultimate-security-scanner



For ANY questions about making any of the above changes, you can submit a ticket in your client portal for our support team.


