So you have installed WordPress, you got your theme and plugins installed, you are ready to launch and create content, are you really?
One of the main mistakes I find with organizations and individual bloggers is that they do not take the time to harden the server/application environment and to set up a maintenance schedule.
There are a few things you need to do before you start creating your content.
Hardening WordPress Installation
hardening is the process of securing a system by reducing the chances of vulnerability, it’s more likely with a larger WordPress system with many functions; in principle, the fewer functionalities in a single-function system is more secure than a multipurpose one.
WordPress is an open-source project which means that with every update the details of the changes made to the source code are made public if there were security fixes then someone with malicious intent can use this information to attack any site that has not been upgraded.
Website Firewall protection
A WAF is a protection layer for your website, blocking all sorts of attacks (brute-force attempts, DDoS, SQL injections, etc) and helping it remain malware and blacklist free. This test checks if your site is using Sucuri’s CloudProxy WAF to protect your site.
Remove WordPress version
Hide the WordPress version, so it is not displayed in the generator tag.
Protect the uploads directory
If the uploads directory of a site allows the direct execution of PHP files. It is recommendable to prevent this, because someone may try to exploit a plugin, theme, and/or other PHP-based code vulnerability located in the directory sending requests to these files.
Restrict wp-content access
Block direct access to any PHP file located under the content directory of the site. You do that with a file named
Restrict wp-includes access
Block direct PHP access to any file inside
Default admin account
Make sure that you default
admin the account does not use the username e.g. admin, administrator, set a unique user name.
Database table prefix
Make sure that your DB table prefix for WordPress is not WP_ you can use any prefix name, it should be unique it makes it harder for hackers to get into your site. It checks whether your database table prefix has been changed from the default
PHP uses files named as
error_log to log errors found in the code, these files may leak sensitive information of your project allowing an attacker to find vulnerabilities in the code. You must use these files to fix any bug while using a development environment, and remove them in production mode.
There are a number of things that you need to do with security, adding an SSL certificate to your server, to serve web pages over https:// – even if your data is publicly available, it is important to have at least wp-admin secured.
You need to put a backup plan together, I use Github to keep track of my files and have git set up for that purpose for easy recovery. I also take a backup snapshot of my server weekly,
You need to set up a maintenance schedule, when backups are taken, check security logs, block IP addresses, database cleanup, redirects maintenance (301/302). Don’t expect that you can set up a WordPress site and only add content, you need to maintain the site.
This sounds like a lot of work, you are in luck there are some plugins that you can configure to do the majority of the tasks that I have mentioned to harden your site. The plugins that I recommend is iTheme Security or Sucuri Security, you just need one of them.
If you want to talk more about the maintenance plan, you can get in contact with me.
Leave a Reply