Most websites today run on the WordPress CMS (content management system), so the security of a WordPress site deserves extra care. In this post I explain how to improve the WordPress security of your website. This is Part 2; if you have not read it yet, see WordPress security Part 1.
WordPress allows various files to be writable by the web server. On shared hosting this is dangerous, because anything that runs as the web server user (a vulnerable plugin on your own site, or another account that shares the same web server user) can then modify your code.
You can lock this down from the hosting control panel. Whenever you need write access (for example during an update), grant it from the control panel for that task and remove it again afterwards.
The file permission scheme is listed below (directory names follow the standard WordPress layout):
- / (the site root): all files writable only by your site user account, except .htaccess if you want WordPress to write rewrite rules for you.
- /wp-admin/: all files writable only by your site user account.
- /wp-includes/: all files writable only by your site user account.
- /wp-content/: user-supplied content, so writable by your user account and by the web server.
- /wp-content/themes/: if you use the built-in theme editor, the web server needs write access to the theme files; if you install themes by uploading them, only your user account needs write access.
- /wp-content/plugins/: all files writable only by your user account.
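As an added example (not code from the original post), the shell functions below apply the scheme above on a Linux host with GNU coreutils and find, and then audit the tree for anything the web server could still write. The site user and web server group are placeholders you pass in; wp-config.php is set to 640 so other accounts on a shared host cannot read the database password.

```shell
#!/bin/sh
# Added example, not from the original post: apply and audit the WordPress
# permission scheme. Assumes Linux with GNU find/chmod/chown; the site user
# and web server group names are placeholders supplied by the caller.

# Directories 755, files 644: the owner (site user) writes, the web server
# group reads. Only wp-content/uploads gets group write so PHP can store
# media; wp-config.php is 640 so "other" users on a shared host cannot read
# the database credentials.
apply_wp_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
  if [ -d "$root/wp-content/uploads" ]; then
    find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
    find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
  fi
}

# Ownership: the site's shell account owns everything and the web server's
# group is set on the whole tree, so the group bits are exactly what the web
# server may do. Needs root, hence kept separate from the mode changes.
# Usage: apply_wp_ownership /var/www/example site_user www-data
apply_wp_ownership() {
  chown -R "$2:$3" "$1"
}

# Audit: print every path outside uploads that the web server group (020) or
# any other user (002) could write. Empty output means the scheme holds. A hit
# under wp-content/themes is expected only if you rely on the built-in theme
# editor, which the post recommends disabling anyway.
audit_writable() {
  root="$1"
  find "$root" -path "$root/wp-content/uploads" -prune -o \
       \( -perm -020 -o -perm -002 \) -print
}

# Usage (run as the site user for modes, as root for ownership):
#   apply_wp_permissions /var/www/example
#   audit_writable /var/www/example
```

Run the audit before and after an update: a plugin installed through the dashboard while the web server had write access will show up as group-writable and can then be reset with apply_wp_permissions.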
Protect your database as well. Avoid using one database for several blogs: give each blog on your server its own database and its own database user, so that someone who gets into one database cannot reach the other blogs on the same server.
Also keep the database user's privileges minimal. Normal operation only needs data read and write (SELECT, INSERT, UPDATE, DELETE); privileges that change the table structure are needed only for core upgrades or for plugins that create their own tables. And do not let normal registered users install plugins or themes or change the site structure; keep those jobs for the administrator account.
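As an added example (not code from the original post), the shell snippet below prints the statements that create a dedicated, data-only MySQL user for one site and audits a user's existing grants. The audit reads the text that SHOW GRANTS FOR 'user'@'host' prints and flags global grants, ALL PRIVILEGES, or any privilege beyond SELECT, INSERT, UPDATE and DELETE. The database, user and host names are placeholders, and the three grant listings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: create a data-only database user
# for one site and audit a user's existing grants for least privilege.
# Database, user and host names are placeholders; the three GRANT listings
# are constructed samples in the format that SHOW GRANTS FOR 'u'@'h' prints.

# What a WordPress site needs day to day: data read and write only. Schema
# privileges (CREATE, ALTER, DROP, INDEX) are needed only during a core
# upgrade or when a plugin creates its own tables, and can be granted for
# that window and revoked afterwards.
ALLOWED_PRIVS='SELECT, INSERT, UPDATE, DELETE'

# Print the statements for a dedicated database plus a dedicated user, so a
# break-in through one blog does not reach the databases of the others.
# Usage: wp_db_grant_sql wp_blog1 wp_blog1_user localhost 'long-random-pw'
wp_db_grant_sql() {
  db="$1"; user="$2"; host="$3"; pw="$4"
  printf "CREATE DATABASE IF NOT EXISTS \`%s\`;\n" "$db"
  printf "CREATE USER IF NOT EXISTS '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pw"
  printf "GRANT %s ON \`%s\`.* TO '%s'@'%s';\n" "$ALLOWED_PRIVS" "$db" "$user" "$host"
}

# Read SHOW GRANTS output on stdin. Prints each offending grant and returns 1
# if the user holds anything beyond data read/write or a grant that is not
# limited to one database; returns 0 when the grants match the scheme.
audit_db_grants() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *"GRANT USAGE ON"*) continue ;;                    # login only, harmless
      *"ON *.*"*)          echo "global grant: $line"; bad=1 ;;
      *"ALL PRIVILEGES"*)  echo "too broad: $line";    bad=1 ;;
      *" ON "*)
        # the privilege list sits between "GRANT " and " ON "; check item by item
        privs=${line#GRANT }; privs=${privs%% ON *}
        extra=$(printf '%s\n' "$privs" | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
                | grep -Ev '^(SELECT|INSERT|UPDATE|DELETE)$' || true)
        if [ -n "$extra" ]; then
          echo "extra privileges: $line"; bad=1
        fi ;;
    esac
  done
  return "$bad"
}

# Constructed sample listings for the usage below.
GOOD_GRANTS="GRANT USAGE ON *.* TO 'wp_blog1_user'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON \`wp_blog1\`.* TO 'wp_blog1_user'@'localhost'"
BAD_GRANTS="GRANT USAGE ON *.* TO 'wp_admin'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'wp_admin'@'localhost' WITH GRANT OPTION"
SCHEMA_GRANTS="GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, DROP ON \`wp_blog1\`.* TO 'wp_blog1_user'@'localhost'"

wp_db_grant_sql wp_blog1 wp_blog1_user localhost 'change-me'
printf '%s\n' "$GOOD_GRANTS"   | audit_db_grants && echo "wp_blog1_user: ok"
printf '%s\n' "$SCHEMA_GRANTS" | audit_db_grants || echo "wp_blog1_user: needs fixing"
```

On a real server, feed the audit with the live listing, for example `mysql -e "SHOW GRANTS FOR 'wp_blog1_user'@'localhost'" | audit_db_grants`, and check every database user that a WordPress site on the host uses.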
The wp-includes folder is an important area of your WordPress site, and the PHP files in it are not meant to be requested directly by a browser. Add the following rules to your .htaccess file, outside the # BEGIN WordPress and # END WordPress markers, because WordPress rewrites everything between those markers whenever permalinks are saved. The `!^wp-includes/ - [S=3]` line skips the next three rules for any request that is not under wp-includes. Note that on a Multisite install the `^wp-includes/[^/]+\.php$` rule also blocks ms-files.php, which serves uploaded images, so that line has to be removed there.
```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
```
Move your wp-config.php file one directory above the web root; WordPress looks for it there automatically. If you have to keep it in the web root, put the following in .htaccess so the web server refuses to serve it if someone requests it directly (on Apache 2.4 without mod_access_compat, use `Require all denied` in place of the two order/deny lines):
```apache
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```
Disable File Editing
Anyone with WordPress administrator access can open the theme and plugin file editor in the dashboard. If an attacker manages to log in to the dashboard, that editor lets them put arbitrary PHP into your site without any further exploit. WordPress has a constant, DISALLOW_FILE_EDIT, that removes the editor for every logged-in user when you set it to true in wp-config.php; it is a single line.
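As an added example (not code from the original post), the shell functions below check and apply the wp-config.php protections from the two sections above and verify that the include-only rules sit outside the WordPress markers in .htaccess. They assume Linux with GNU sed and grep; the paths are placeholders for your own install.

```shell
#!/bin/sh
# Added example, not from the original post: check and apply the wp-config.php
# and .htaccess protections described above. Assumes Linux with GNU sed and
# grep; the paths passed in are placeholders for your own install.

# Returns 0 when wp-config.php already defines DISALLOW_FILE_EDIT as true.
file_edit_disabled() {
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Adds the constant if it is missing. Constants only take effect when defined
# before wp-settings.php is loaded, so the line goes in ahead of the require
# of wp-settings.php (or at the end of the file if that line is not found).
disable_file_edit() {
  cfg="$1"
  file_edit_disabled "$cfg" && return 0
  line="define('DISALLOW_FILE_EDIT', true);"
  if grep -q 'wp-settings\.php' "$cfg"; then
    sed -i "/wp-settings\.php/i $line" "$cfg"
  else
    printf '%s\n' "$line" >> "$cfg"
  fi
}

# Returns 0 when wp-config.php is not inside the web root (WordPress also
# looks one directory up) or when .htaccess carries a <Files wp-config.php>
# block; returns 1 when it sits in the web root with no deny rule.
wp_config_protected() {
  webroot="$1"
  [ -f "$webroot/wp-config.php" ] || return 0
  grep -Eiq '<Files[[:space:]]+"?wp-config\.php"?>' "$webroot/.htaccess" 2>/dev/null
}

# WordPress rewrites everything between "# BEGIN WordPress" and
# "# END WordPress" whenever permalinks are saved, so the include-only rules
# must sit outside those markers. Returns 0 if the wp-includes rule is
# present and outside the markers, 1 if it is missing or inside them.
include_block_outside_markers() {
  ht="$1"
  rule=$(grep -nF 'RewriteRule ^wp-includes/[^/]+\.php$' "$ht" | head -1 | cut -d: -f1)
  [ -n "$rule" ] || return 1
  begin=$(grep -nF '# BEGIN WordPress' "$ht" | head -1 | cut -d: -f1)
  [ -n "$begin" ] || return 0
  end=$(grep -nF '# END WordPress' "$ht" | head -1 | cut -d: -f1)
  [ "$rule" -lt "$begin" ] || [ "$rule" -gt "${end:-999999}" ]
}

# Usage against a real install (paths are examples):
#   disable_file_edit /var/www/example/wp-config.php
#   wp_config_protected /var/www/example || echo "wp-config.php is reachable over HTTP"
#   include_block_outside_markers /var/www/example/.htaccess || echo "include rules will be overwritten"
```

The insertion point matters: a define added after the require of wp-settings.php is silently ignored, which is why the function looks for that line rather than appending blindly.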
Make sure WordPress itself, your theme and every plugin are kept updated, and consider a security plugin as well. iThemes Security and All In One WP Security are two examples; they alter .htaccess and add restrictions at the Apache level, which takes the security of your website to the next level. Remember that a security plugin is code running on your site too, so keep it updated like any other plugin.
WordPress security matters for your online presence, because most websites start their online journey with WordPress.
Follow these security guidelines and apply the tips above; they will improve the security of your website.
If you have any doubts about WordPress security, ask your questions in the comments section below. I will help whenever I can.