Hello WordPress developer, today I'm going to teach you how to secure your WordPress site without the use of any plugin. As there are lots of ways to secure secure your site from being hacked by anyone so I have divided this tutorial into several parts, so I'll urge you to go through each and every part of the tutorial and take the necessary steps. So let's begin.
1. Delete index.php
First of all delete all index.php from the following location.
/path/to/your/wordpress/install/wp-content/index.php
/path/to/your/wordpress/install/wp-content/themes/index.php
/path/to/your/wordpress/install/wp-content/plugins/index.php
/path/to/your/wordpress/install/wp-content/uploads/index.php
Now you may have questions as why to delete this files as they are the important files and also helps in protecting from director listing. Most of the malicious code or software target this index file and from there they get access to the full site, because everyone know the director structure of WordPress and where this index files are present.
In WordPress many index file controls this code only
<?php
// Silence is golden.Which is of no use.
So after deleting the file just add this line into your .htaccess file which will prevent from directory listing
Options -Indexes
2. File Permissions
Now one of the most important part is to give the correct file permission to the files and folders, I have listed some the important file and folder which are need to be taken a specials care.
| # | Name | File/Folder | Recommended Permissions |
|---|---|---|---|
| 1 | Root Directory | /path/to/your/wordpress/install/ | 0755 |
| 2 | wp-includes/ | /path/to/your/wordpress/install/wp-includes | 0755 |
| 3 | .htaccess | /path/to/your/wordpress/install/.htaccess | 0644 |
| 4 | wp-admin/index.php | /path/to/your/wordpress/install/wp-admin/index.php | 0644 |
| 5 | wp-admin/js/ | /path/to/your/wordpress/install/wp-admin/js/ | 0755 |
| 6 | wp-content/themes/ | /path/to/your/wordpress/install/wp-content/themes | 0755 |
| 7 | wp-content/plugins/ | /path/to/your/wordpress/install/wp-content/plugins | 0755 |
| 8 | wp-admin/ | /path/to/your/wordpress/install/wp-admin | 0755 |
| 9 | wp-content/ | /path/to/your/wordpress/install/wp-content | 0755 |
| 10 | wp-config.php | /path/to/your/wordpress/install/wp-config.php | 0644 |
You can also write the following code into your .htaccess file
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
3. Disable PHP File Editing via the dashboard
In many occasions the client by mistakenly edit the theme file and saves it, but if the code is not correct then the site does not opens. Moreover if the hacker get access to the admin panel then they add the malicious code on this files and saves it, so as the things are not altered so we can get any clue that the files has been edited. So it is the best practice to disable it. So to do that just add the following code into the function.php file of your active theme.
//disable file editing from admin dashboard
define('DISALLOW_FILE_EDIT', true);
4. Securing wp-config.php
wp-config.php is one of the most important file it host the database and and site configuration so it need to be secure and disallowed to be used by browser. So to do that just add the following code into your root .htaccess file
<files wp-config.php>
order allow,deny
deny from all
<files>
5. Don't use the "admin" username
In 12% occasion it has been found that the WordPress site has been hacked became of the common username for the Super Administrator role which is admin. So it is highly recommend after development and before site is been lived you should change the username and give some strong and unpredictable username.
6. Strengthen up the password
The above statistics is also valid for the this point as well, because as developer work at a multiple projects at the same time so it become difficult for them to remember the password for each project so they gives the common password, or same username and password. As WordPress have introduce and strong auto generator password from Version 4.3. So you should take this advantage and give a strong password for the admin.
7. Update all the things
You must always update the WordPress library as soon as they arrive never ignore any updates, because in every update WordPress fix security issues and changes some of the function work flow so it becomes difficult for the hacker or malicious code to effect your site. The same goes with wp themes and wp plugin, so you should also update them whenever there is a update.
What are some things you do to secure your WordPress sites? Did I miss any of them and you think it is detail here that you think is vital? Feel free to sound off in the comments below. In a mean while I'll come back with the second edition of this.
I’ve changed the prefix on new WP install for a while now as it is a quick change but I never bothered doing it on existing sites until I started using Defender recently. While it’s not all that important, every little bit helps.
Hi there, Thank you so much for this helpful article.
Cheers,
Jersey
I’ll surely cross check my WP site security, and will be waiting for upcoming editions.
You all have, Creative blog designers.
good!