How to harden your WordPress installation

There are a few common steps you can take to harden your WordPress installation right away. The chart below lists some basic precautions:

This article describes each of the above in further detail.

One of the most important steps you can take is to always use strong passwords for all of your user logins. These include:

• Website user. This is the user you use to log into your server via FTP, SFTP, or SSH.
• MySQL user. This is the user that has access to your database.
• WordPress user. This is the username you use to log into your WordPress site.

For more information about creating secure passwords, view the following article:

• Passwords

A secure password is a good start. It's also a good idea to use different usernames for your logins. For example, your SFTP username should be different from your MySQL database username which should be different from your WordPress username.

Additionally, it's also a good idea to only host your WordPress site under a specific/unique username. In your panel, you can assign a single username to as many domains as you like. View the following article for details:

• One User Per Domain Policy

However, if that user is compromised, all sites under that user are then vulnerable. So, it's recommended to create a new SFTP user and assign that user only to your specific WordPress site.

If you then create a new site, create a new user. This will ensure all data is separated on the web server.

Make sure your admin user is not named admin.

If your admin user is named ‘admin’, create a new user with some other name and give it admin privileges. After you have confirmed that this account works, log in as this account and return to the left-hand users tab and delete the account user named ‘admin’.

This is very important as ‘admin’ is the most commonly attacked username. View the following article for further information:

• WordPress user roles

When you originally create a website, connections to the site are done using the HTTP protocol which is unencrypted. This means that if you're logging into your WordPress site using HTTP://example.com, your password is sent in plain text. This is also the case if you're logging into your database via phpMyAdmin.

To prevent your password from being transmitted in the clear, it's recommended you add an SSL certificate to your site. This adds an SSL certificate that enables you to connect using HTTPS (note the s at the end). When you connect using HTTPS, your connection is encrypted and safe from anyone snooping on your network.

View the following article for details on how to use an SSL certificate with WordPress.

• How do I use an SSL certificate with WordPress?

You must connect to your web server from time to time to make adjustments to your site or troubleshoot an issue. There are a few ways to connect.

Unencrypted options (Not Recommended)

• FTP - You can use any FTP client to connect to your server over port #21. This is unencrypted so all information is sent in plain text for anyone to see.

Encrypted options (Recommended)

• SFTP - Most clients that support FTP also support SFTP over port #22. This is a secure way to connect to your server and is always recommended.
• SSH - This is a way to connect to your server using a terminal program such as PuTTY for Windows.
• File Manager - This client is available from within the DreamHost panel.

It's very important to continually update your software. Updates to software is often done to resolve security issues. The more up-to-date your software is, the less vulnerable it is. This means keeping your WordPress version, plugins, and themes up to date.

• Upgrading WordPress
• Automatic Updates for DreamHost WordPress installations
• Using wp-cli to update plugins, themes and the WordPress version

• Updating plugins
• Using wp-cli to update plugins, themes and the WordPress version

One of the quickest ways to destroy your credibility as a WordPress blog is to have tons of spam in the comment areas. The easy way to solve this is with an anti-spam plugin such as the following:

• Akismet
• Spam destroyer

View the following guide from WordPress for further information:

• Hardening WordPress plugins

• WordPress themes page
• Using wp-cli to update plugins, themes and the WordPress version

Even if a plugin or theme is inactive, it could still pose a security risk. If you're not using a theme or plugin, make sure to delete it from your web server. Plugins and themes are located in the following directory. Make sure to change username to your Shell user.

/home/username/example.com/wp-content/

Inside of that /wp-content folder, navigate into the /plugins or /themes directory and delete any that you do not use.

The same goes for extra installs of WordPress. For example, it's possible that a test site was created under example.com/wptest. Or maybe you had an old site but no longer use it. In any case, if you have another WordPress install that you're not using, delete it.

Finally, if you have any other applications such as Joomla, Drupal, or Moodle installed under your user that you're not using, make sure to remove those as well.

If you suspect any unusual behavior, it's a good idea to check your access.log and error.log files. View the following article for details:

• Error log

Make sure to also check your folder permissions:

• Unix File Permissions
• Changing file permissions

With any website, it's always important to continually back up your data. This means backing up both your website files as well as any databases. View the following article for details:

• Manually backing up website data

A more advanced option is to use a version control system such as Subversion or git. However, for the majority of users, a normal backup is enough.

You can use an .htaccess file to further protect your site. For example, the wp-config.php should never be publicly accessible. To protect this file, add the following to an .htaccess file in your site's directory where all other WordPress files are located:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

There are several other things you can do with an .htaccess file to protect your site. View the following article for details:

• What can I do with an .htaccess file?