8 Tips to Improve WordPress Security

I will share with you some tips for increasing WordPress security. There is a tendency to underestimate security, and this can have serious consequences, such as a malicious intrusion (malware, spam, defacement) followed by the disappearance of our site from Google's search results.

Here are 8 tips to improve WordPress security:

1. .htaccess – Improve WordPress security with proper configuration

The .htaccess configuration file, besides setting up caching, gzip and mod_rewrite (to name the best-known uses), can also raise the security level of your WordPress site:

We can add the following lines to the .htaccess file, after making a backup copy of it:

This first block denies access to the .htaccess file itself, so that only the server can read it.

# Protect the .htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

The wp-config.php file must not be reachable from the web either; to protect it:

# Protect wp-config.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

To prevent directory listing of the site's folders (much faster than manually placing an empty index.html in every folder):

# Disable directory listing
Options -Indexes
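Rules in .htaccess only help if the server actually honours them (AllowOverride may be off, or a later rule may undo them), so it is worth testing from the outside. The following script is an added example, not code from the original post: it requests the three protected paths and reports whether each rule is in effect. The paths assume a standard layout at the site root, and the fetch function is injectable so the decision logic can be exercised offline with canned responses.

```python
"""Check that the three .htaccess rules from tip 1 are actually enforced.

Added example (not part of the original post): it requests the protected
paths and reports whether the server refuses them.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# What each rule should achieve. Paths are assumed to be at the site root;
# /wp-content/uploads/ is a folder that normally has no index file.
EXPECTATIONS: Dict[str, str] = {
    "/.htaccess": "forbidden",
    "/wp-config.php": "forbidden",
    "/wp-content/uploads/": "no_listing",
}

Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(url: str) -> Tuple[int, str]:
    """GET a URL and return (status, first 4 KiB of body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def rule_holds(kind: str, status: int, body: str) -> bool:
    """Decide whether one response shows the corresponding rule in effect."""
    if kind == "forbidden":
        # "Deny from all" yields 403; a 404 also means the file is not served.
        return status in (403, 404)
    if kind == "no_listing":
        # mod_autoindex listings carry "Index of /..." in the title;
        # with "Options -Indexes" the request gets a 403 instead.
        return status != 200 or "Index of" not in body
    raise ValueError(f"unknown expectation {kind!r}")


def check_site(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Return {path: True if protected} for every path in EXPECTATIONS."""
    base = base_url.rstrip("/")
    return {
        path: rule_holds(kind, *fetch(base + path))
        for path, kind in EXPECTATIONS.items()
    }


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    for path, ok in check_site(site).items():
        print(f"{'OK  ' if ok else 'FAIL'} {path}")
```

Run it as `python check_htaccess.py https://your-site.example` after deploying the rules; a FAIL on /wp-config.php usually means AllowOverride does not include Limit for that directory, so the Files block is being ignored.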

2. Create custom secret keys

The secret keys are used to encrypt the WordPress data stored in cookies; by editing the wp-config.php file you can replace the defaults with your own.

– Edit the file wp-config.php; at line 53 you will find the beginning of the following block:

define('AUTH_KEY',         'put your unique phrase here');
...
define('SECURE_AUTH_SALT', 'put your unique phrase here');

– Replace the block above with the code you can get from the online generator at https://api.wordpress.org/secret-key/1.1/salt/ ; every refresh creates a new set.
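If you would rather not paste keys from a website into the configuration of a production site, they can be generated locally. The script below is an added example, neither the post's code nor WordPress's own generator: it emits the eight define() lines that wp-config.php expects, drawing 64 characters per key from the operating system's CSPRNG, and it can also scan an existing wp-config.php for keys still left at the stock placeholder or suspiciously short. The character set (printable ASCII without space, quote and backslash) is my choice so that values drop into a single-quoted PHP string without escaping.

```python
"""Generate a fresh set of WordPress secret keys and salts offline.

Added example, not the original post's code and not WordPress's own generator.
"""
import re
import secrets

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII without space, the single quote and the backslash, so the
# value can sit inside a single-quoted PHP string without escaping.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

# Default value shipped in wp-config-sample.php; a key still equal to it is a finding.
DEFAULT_PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', 'value') with optional whitespace; the value may not
# contain an unescaped single quote.
DEFINE_RE = re.compile(r"""define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)""")


def random_key(length: int = 64) -> str:
    """Return a key of `length` characters drawn uniformly from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def salt_block(length: int = 64) -> str:
    """Return the eight define() lines, one per key, ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{random_key(length)}');" for name in KEY_NAMES)


def weak_keys(wp_config_text: str) -> list:
    """Names of secret keys that are missing from the given wp-config.php text,
    still set to the placeholder, or shorter than 32 characters."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(wp_config_text)}
    return [
        name for name in KEY_NAMES
        if name not in found
        or found[name] == DEFAULT_PLACEHOLDER
        or len(found[name]) < 32
    ]


if __name__ == "__main__":
    print(salt_block())
```

Changing any of these keys invalidates every existing login cookie, so do it at a quiet moment; that is also what makes rotating them useful after a suspected compromise.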

3. Change the prefix of the database tables

The wp_ prefix in front of the database tables is most of the time left at its default value, which makes your web site an easier target for an attacker, especially when SQL injection techniques are used. During installation it is important to specify a custom prefix; if your site is already online, here are the two key steps to change it:

You are about to make changes to your site's database: always run a backup before making changes.

– Edit the file wp-config.php, look for the line $table_prefix = 'wp_'; and replace wp_ with a prefix of your choice (you can use upper/lower case letters, numbers and underscores).

– Using phpMyAdmin, rename the database tables, replacing the old prefix with the new one. You can do it table by table, or use this SQL query, which simplifies the job (check afterwards that all tables have been renamed correctly):

RENAME TABLE `wp_commentmeta` TO `wp_nicolabavaro_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_nicolabavaro_comments`;
RENAME TABLE `wp_links` TO `wp_nicolabavaro_links`;
RENAME TABLE `wp_options` TO `wp_nicolabavaro_options`;
RENAME TABLE `wp_postmeta` TO `wp_nicolabavaro_postmeta`;
RENAME TABLE `wp_posts` TO `wp_nicolabavaro_posts`;
RENAME TABLE `wp_terms` TO `wp_nicolabavaro_terms`;
RENAME TABLE `wp_term_relationships` TO `wp_nicolabavaro_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_nicolabavaro_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_nicolabavaro_usermeta`;
RENAME TABLE `wp_users` TO `wp_nicolabavaro_users`;

The syntax is as follows:

RENAME TABLE `nome_vecchia_tabella` TO `nome_nuova_tabella`;
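Renaming the tables is not the whole job: WordPress also stores the prefix inside row names, notably the option wp_user_roles in the options table and the meta keys wp_capabilities and wp_user_level in usermeta. If those are left alone, the administrator has no capabilities after the change. The script below is an added example, not part of the original post: it builds the complete MySQL/MariaDB statement list for a prefix change, the eleven RENAME TABLE statements above plus the two UPDATEs that fix those row names, and validates the new prefix first. Note the escaping of _ in the LIKE pattern, since _ is a single-character wildcard in LIKE.

```python
"""Build the full SQL for changing the WordPress table prefix (tip 3).

Added example, not part of the original post. Output is MySQL/MariaDB syntax.
"""
import re
from typing import List, Sequence

CORE_TABLES: Sequence[str] = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
)

# Letters, digits and underscores only, ending in an underscore like wp_.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")


def like_prefix(prefix: str) -> str:
    """Escape `_` (a single-character wildcard in LIKE) so it matches literally,
    then append % to match any remainder. PREFIX_RE guarantees no other
    special characters are present."""
    return prefix.replace("_", "\\_") + "%"


def prefix_change_sql(old: str, new: str, tables: Sequence[str] = CORE_TABLES) -> List[str]:
    """Return the ordered statements to move from prefix `old` to prefix `new`."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"invalid prefix {p!r}: letters, digits, underscores, ending in '_'")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # Rows whose names embed the prefix: strip the old one (SUBSTRING is
    # 1-based, so start at len(old)+1) and prepend the new one. The tables
    # have already been renamed at this point, hence the new names.
    start = len(old) + 1
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {start})) "
        f"WHERE option_name LIKE '{like_prefix(old)}';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {start})) "
        f"WHERE meta_key LIKE '{like_prefix(old)}';"
    )
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_change_sql("wp_", "wp_nicolabavaro_")))
```

Plugins that create their own tables are not in CORE_TABLES; list the database with SHOW TABLES LIKE 'wp\_%' first and pass the full set as `tables`, and run everything inside one transaction or on a backup copy so a partial rename cannot leave the site half-migrated.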

4. Block bots and user agents with .htaccess

Very often those who want to take control of your site use bots, programs that scour the Internet for sites with certain exploitable security holes. What follows illustrates a preventive measure: another change to the .htaccess file that blocks such bots and thus keeps our site out of their attacks.

Edit the .htaccess file and insert the following code:

# Block bots and bogus user agents
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|devil|DotBot) keep_out
SetEnvIfNoCase User-Agent (Flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (purebot|comfortable|feedfinder|Planetwork) keep_out
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from env=keep_out
</Limit>
</IfModule>
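Before deploying a block list it helps to replay it against your own access log and see what it would have denied, including any legitimate visitors caught by a pattern. The script below is an added example, not code from the original post: it applies the same four patterns (case-insensitive and unanchored, the way SetEnvIfNoCase applies them) to Apache combined-format log lines. The log lines are constructed for the example, with addresses from the documentation range 203.0.113.0/24. Two caveats worth keeping in mind: the User-Agent header is chosen by the client, so this rule reduces scanner noise rather than providing access control; and Apache's documentation advises keeping access-control directives outside <Limit>, which only covers the listed methods (on Apache 2.4, Order/Allow/Deny also require mod_access_compat, the modern form being Require).

```python
"""Replay the User-Agent block list from tip 4 against web-server log lines.

Added example, not part of the original post. Apache logs a missing
User-Agent as "-", and this script treats that as the empty UA that ^$ targets.
"""
import re
from typing import Dict, List, Optional

UA_BLOCK_PATTERNS = (
    r"^$",
    r"(pycurl|casper|cmsworldmap|devil|DotBot)",
    r"(Flicky|ia_archiver|jakarta|kmccrew)",
    r"(purebot|comfortable|feedfinder|Planetwork)",
)
_COMPILED = [re.compile(p, re.IGNORECASE) for p in UA_BLOCK_PATTERNS]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_blocked_ua(user_agent: str) -> bool:
    """True if any block pattern matches; "-" (header absent in the log) counts as empty."""
    ua = "" if user_agent == "-" else user_agent
    return any(p.search(ua) for p in _COMPILED)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not fit."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one record per parseable line with a 'verdict' of 'deny' or 'allow'."""
    out = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        rec["verdict"] = "deny" if is_blocked_ua(rec["ua"]) else "allow"
        out.append(rec)
    return out


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /feed/ HTTP/1.1" 200 3102 "-" "PycURL/7.45.2 libcurl/7.88.1"
203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 9120 "-" "-"
203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (compatible; DotBot/1.2)"
203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['verdict']:5} {rec['ip']:14} {rec['ua']}")
```

Feed it a real log with `triage(open("access.log").read())` and review the deny list before enabling the rule; a short unanchored word such as "devil" or "comfortable" can match inside an unrelated product name.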

5. Customize the administrator's username (default: admin)

When you install WordPress you are asked for the administrator's username; it is recommended to change it from the default in order to make any brute-force login attempt harder. If your site is already online, do not worry, I have a solution for that too:

  1. Back up the SQL database (always, whenever you are about to touch the database).
  2. Open phpMyAdmin.
  3. In the SQL section, run the following query:

UPDATE wp_users SET user_login = 'Specify here the new name' WHERE user_login = 'admin';

6. Restrict wp-admin access to a fixed IP

Unfortunately this is only practical in a business setting (companies often have a static IP), whereas private connections usually have a dynamic IP. If you do have a static IP (an online "what is my IP" tool will show it), you only need to create a .htaccess file inside the /wp-admin folder:

# Restrict access to a single static IP
Order Deny,Allow
Deny from all
# Enter your static IP on the next line
Allow from XXX.XXX.XXX.XXX

7. Use the HTTPS protocol to administer the site

If your hosting has an SSL certificate you can access wp-admin via https://, which means that the connection between you and the server hosting your site is encrypted and therefore secure.

To access the WordPress administration interface via HTTPS, just change the URL you use from “http://tuo_sito/wp-admin” to “https://tuo_sito/wp-admin”; if you are lazy, you can force it through a change to the wp-config.php file.

Edit the file wp-config.php by adding the following entry:

define('FORCE_SSL_ADMIN', true);

8. Remove the “Meta Tag Generator”

This meta tag displays the WordPress version, so it can tell an attacker which known holes may apply to your site. To remove it, add the following line to the functions.php file in your theme folder (create the file if it does not exist), before the closing “?>”:

remove_action('wp_head', 'wp_generator');

In my opinion the most effective improvements come from the .htaccess changes, so I recommend at least applying the modifications described in points 1 and 4.

I invite you to comment and share your experiences, so that together we can tackle a topic that is very important for our WordPress sites.
