How to harden your WordPress installation

Overview

This article details how to harden your WordPress installation. If your WordPress site has been hacked, please view the following article first:

My WordPress site was hacked

There are a few common steps you can take to harden your WordPress installation right away. The chart below lists some basic precautions:

Stuff to look out for	Details
Secure connections	Use strong passwords Use unique and separate usernames Use HTTPS by purchasing an SSL certificate Always use SFTP or SSH to connect to your server. Never FTP.
Keeping software up to date	Keep your plugins, themes, and WordPress version up to date
Removing old software	Delete unused plugins and themes Deleting any other unused apps under your user
Checking logs and files	Checking your access and error logs for unusual behavior Checking permissions on folders and files
Keep backups	Continually backup your site

This article describes some of the above in further detail.

Add a named WordPress admin user

Make sure your admin user is not named admin.

If your admin user is named ‘admin’, create a new user with some other name and give it admin privileges. After you have confirmed that this account works, log in as this account and return to the left-hand users tab and delete the account user named ‘admin’.

This is very important as ‘admin’ is the most commonly attacked username. View the following article for further information:

WordPress user roles

Use the HTTPS protocol for your site

To prevent your password from being transmitted in the clear, you must add an SSL certificate to your site. This enables you to connect using an encrypted and secure connection. View the following article for details on how to use an SSL certificate with WordPress.

How do I use an SSL certificate with WordPress?

Removing old software

Even if a plugin or theme is inactive, it could still pose a security risk. If you're not using a theme or plugin, make sure to delete it from your web server. Plugins and themes are located in the following directory. Make sure to change the username to your Shell user.

/home/username/example.com/wp-content/

Inside of that /wp-content folder, navigate into the /plugins or /themes directory and delete any that you do not use.

The same goes for extra installs of WordPress. For example, it's possible that a test site was created under example.com/wptest. Or maybe you had an old site but no longer use it. In any case, if you have another WordPress install that you're not using, delete it.

Finally, if you have any other applications such as Joomla, Drupal, or Moodle installed under your user that you're not using, make sure to remove those as well.

The bottom line is that if you're not using the software installed under your user, it's best to remove it. Only keep what you need.

Protect your site with an .htaccess file

You can use an .htaccess file to further protect your site. For example, the wp-config.php should never be publicly accessible. To protect this file, add the following to an .htaccess file in your site's directory where all other WordPress files are located:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

There are several other things you can do with an .htaccess file to protect your site. View the following article for details:

What can I do with an .htaccess file?

Overview

Add a named WordPress admin user

Use the HTTPS protocol for your site

Removing old software

Protect your site with an .htaccess file

See also

Still not finding what you're looking for?

Status Updates

ARTICLES & TUTORIALS

COMPANY ANNOUNCEMENTS