Overview
This article details how to harden your WordPress installation. If your WordPress site has been hacked, please view the following article first:
There are a few common steps you can take to harden your WordPress installation right away. The chart below lists some basic precautions:
| Stuff to look out for | Details |
|---|---|
| Secure connections | |
| Keeping software up to date | |
| Removing old software | |
| Checking logs and files | |
| Keep backups | |
This article describes some of the above in further detail.
Add a named WordPress admin user
Make sure your admin user is not named ‘admin’.
If your admin user is named ‘admin’, create a new user with some other name and give it admin privileges. After you have confirmed that this account works, log in as this account and return to the left-hand users tab and delete the account user named ‘admin’.
This is very important as ‘admin’ is the most commonly attacked username. View the following article for further information:
Use the HTTPS protocol for your site
To prevent your password from being transmitted in the clear, you must add an SSL certificate to your site. This enables you to connect using an encrypted and secure connection. View the following article for details on how to use an SSL certificate with WordPress.
Removing old software
Even if a plugin or theme is inactive, it could still pose a security risk. If you're not using a theme or plugin, make sure to delete it from your web server. Plugins and themes are located in the following directory. Make sure to change the username to your Shell user.
/home/username/example.com/wp-content/
Inside that wp-content folder, navigate into the plugins or themes directory and delete any plugins or themes that you do not use.
The same goes for extra installs of WordPress. For example, it's possible that a test site was created under example.com/wptest. Or maybe you had an old site but no longer use it. In any case, if you have another WordPress install that you're not using, delete it.
Finally, if you have any other applications such as Joomla, Drupal, or Moodle installed under your user that you're not using, make sure to remove those as well.
The bottom line is that if you're not using the software installed under your user, it's best to remove it. Only keep what you need.
Protect your site with an .htaccess file
You can use an .htaccess file to further protect your site. For example, the wp-config.php file should never be publicly accessible. To protect this file, add the following to an .htaccess file in your site's directory where all other WordPress files are located:

```apache
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```
There are several other things you can do with an .htaccess file to protect your site. View the following article for details:
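As an added example (not DreamHost's own code), the shell function below appends the wp-config.php deny block to a given .htaccess file without duplicating it on repeated runs. It assumes the .htaccess path is passed as the first argument, and it includes both the Apache 2.2 directives shown above and the Apache 2.4 equivalent (`Require all denied`), so the block works on either version.

```shell
#!/bin/sh
# Added example, not part of the original article.
# protect_wp_config PATH_TO_HTACCESS
#   Appends a block that denies web access to wp-config.php (which holds
#   the database credentials). Safe to run more than once.
protect_wp_config() {
    htaccess="$1"
    touch "$htaccess" || return 1
    # Do not append a second copy if the block is already present.
    if grep -q '<Files wp-config.php>' "$htaccess"; then
        return 0
    fi
    cat >> "$htaccess" <<'EOF'
# Deny web access to wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 syntax (as shown in the article)
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# wp_config_is_protected PATH_TO_HTACCESS
#   Exit status 0 if the file already contains the deny block, 1 otherwise.
wp_config_is_protected() {
    grep -q '<Files wp-config.php>' "$1" 2>/dev/null
}
```

After applying it, request `https://example.com/wp-config.php` in a browser; the server should answer 403 Forbidden rather than serving the file.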
See also
- How do I use an SSL certificate with WordPress?
- WordPress wp-cli overview
- The different types of DreamHost users
- Passwords overview
- SSL certificates overview
- Automatic Updates for DreamHost WordPress installations
- Viewing your access and error logs via SFTP
- Viewing and examining your error log via SSH
- WordPress backup tools
- .htaccess overview
- UNIX commands— Changing permissions