WordPress Security Tips & Tricks

WordPress Security Tips & Tricks


Chetan Prajapati

December 28, 2019


  1. WORDPRESS SECURITY TIPS & TRICKS Chetan Prajapati Freelance WordPress Developer

    WordPress Core Contributor T/F/I: iamchetanp chetanprajapati.com

  3. Common Types of WordPress Vulnerabilities Outdated WordPress Files Backdoor Exploits

    Pharma Hacks Weak Passwords Malicious Redirects Vulnerabilities In The Hosting Platform Denial Of Service Attacks
  4. Better Hosting Security Features DDOS Protection Latest Server – PHP/MYSql

    Better Support Firewall Scanner
  5. Checklist to choose a Theme or Plugin Changelog Last Update

    Security Updates Reviews Support Compatibility Child Theme Ready
  6. Use Better Usernames Avoid use of common usernames like –

    admin, administrator etc Use better username to prevent from guessing Weak usernames will be a reason for brute force attack
  7. Use Strong Passwords Mix Uppercase – Lowercase Numbers Special Characters

    Generate Passwords Passphrase
  8. Harden Admin Area Rename Login URL Limit failed login attempts

    Disable XML-RPC Use Two-Factor Authentication Log Out Idle Users
  9. Harden Your .htaccess and wp-config.php Files <files wp-config.php> order allow,deny

    deny from all </files> <Files .htaccess> order allow,deny deny from all </Files> <Files wp-login.php> order deny,allow Deny from all # allow access from my IP address allow from </Files>
  10. Disable theme and plugin editing through your WordPress dashboard //

  11. Check and Change the File Permissions All directories should be

    755 or 750 All files should be 644 or 640 wp-config.php should be 600
  12. Keep Files Up to Date Update WordPress Update Theme Update

    Plugins Remove unnecessary themes or plugins Don’t miss to update security releases Don’t use nulled plugins or themes
  13. Change Your Database Prefix Avoid to use `wp_` database prefix

    Use strong database prefix You can change by Plugin or PHPMyAdmin
  14. Coding Standards Use WordPress Escape Functions Use WordPress Sanitization Functions

    Use WordPress Validation Functions
  15. Use HTTPS and SSL Let’s Encrypt Don’t use mixed content

    HTTPs force redirection
  16. Change Your WordPress Security Keys define('AUTH_KEY', 'put your unique phrase

    here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
  17. Disable Error Reporting You can disable this by adding the

    code below to your wp-config.php file: error_reporting(0); @ini_set(‘display_errors’, 0);
  18. Remove Generator Meta Tags Remove WordPress version meta tag Other

    Plugin or Theme version meta tag
  19. Use Security Headers You can add them yourself by modifying

    your theme’s functions.php file. Cross-scripting attacks header('Content-Security-Policy: default-src https:’); X-XSS-Protection and X-Content-Type-Options header('X-XSS-Protection: 1; mode=block'); header('X-Content-Type-Options: nosniff');
  20. How to Recover From a Hack Confirm The Hack and

    Change Your Password Get In Touch With Your Hosting Company Use a Backup to Restore Your Site Scan Your Site For Malware Check Your Site Users Change Your Secret Keys Hire a Professional
  21. Security Plugins which I use WordFence Shield WP Cerber Security

  22. Wrapping Up WordPress is a powerful and popular CMS that

    makes it easy for anyone to create a website. But because it’s so popular, it’s also a favourite target for hackers.
  23. Thank you!