WordPress: securing your website
Posted on May 17, 2020 by Trevor Smith
The first thing to do is install the backup plugin "UpdraftPlus" and create a backup of your site.
Then:
- Update all plugins
- Remove unused plugins
- Remove unused themes (leave the active one + one other)
- Update WordPress
Check the functionality of your site and then do another backup.
Disallow file editing
You can easily do this by adding the following lines to your wp-config.php file:
/** Disallow file edit: removes the theme and plugin code editors from the dashboard */
define( 'DISALLOW_FILE_EDIT', true );
Disable PHP File Execution in Certain WordPress Directories
You can do this by opening a text editor like Notepad and pasting this code:
<Files *.php>
deny from all
</Files>
Save this file as .htaccess.
Then upload a copy of it to both the /wp-includes/ and /wp-content/uploads/ folders.
Edits to the root .htaccess file
Paste the following after the block WordPress generates (the lines between # BEGIN WordPress and # END WordPress):
# BEGIN security edits by BeanBox Web
# (Order/Allow/Deny are Apache 2.2-style directives; on Apache 2.4 they require mod_access_compat)
# Deny access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
# Protect the config file. Under "order allow,deny" the deny is evaluated last and wins,
# so the file stays blocked for everyone, including the address on the allow line.
<Files wp-config.php>
order allow,deny
deny from all
allow from 100.200.300.400
</Files>
# Block WordPress xmlrpc.php requests from everywhere except your own address.
# 100.200.300.400 is a placeholder (not a valid IP); replace it with your public IP.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 100.200.300.400
</Files>
# END security edits by BeanBox Web
Add the following as the last line in the .htaccess file to disable directory listing:
Options ALL -Indexes
Protect the wp-admin directory with a password
A good idea for a non-membership site: you will have to enter two passwords to get to the backend (admin) of your site, but that is a small price to pay for the added security. I have done this in two ways, through cPanel and manually with .htaccess; both work equally well.
Cpanel method
cPanel > Directory Privacy
Manual method
# This is the .htaccess file added to the wp-admin directory (change the AuthUserFile path and the user name)
AuthName "Admins Only"
AuthUserFile /home/your_directory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType Basic
Require user your_user
You will also need to generate a password hash and add it to the file called passwd (see the path above). I use the following site and choose Apache MD5:
https://hostingcanada.org/htpasswd-generator/
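The passwd entry can also be produced locally, so the admin password never has to be typed into a third-party web page. The following is an added example, not part of the original post, that implements the Apache MD5 ("$apr1$") scheme the post selects using only the Python standard library; it produces the same kind of entry as "htpasswd -m". The user name and password in the demo are constructed.

```python
import hashlib
import secrets

# Alphabet Apache uses for both the salt and the encoded hash.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def to64(value, count):
    """Encode the low 6*count bits of value, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt=None):
    """Apache's $apr1$ variant of md5crypt: up to 8 salt chars, 1000 rounds."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")
    # Main context: password, magic string, salt.
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    # Alternate sum of password + salt + password, mixed in one byte per password byte.
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # Bit-by-bit quirk from the original algorithm: a NUL or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with the round-dependent ordering of the inputs.
    for i in range(1000):
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(sb)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    f = final
    encoded = (to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + to64(f[11], 2))
    return "$apr1$" + salt + "$" + encoded


def htpasswd_line(user, password):
    """One line for the passwd file, in the user:hash form Apache reads."""
    return user + ":" + apr1_md5(password)


def verify(password, hashed):
    """Recompute with the stored salt and compare in constant time."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5(password, parts[2]), hashed)


if __name__ == "__main__":
    # Constructed demo credentials; paste the printed line into the passwd file.
    print(htpasswd_line("your_user", "correct horse battery staple"))
```

Apache's htpasswd tool can also write bcrypt entries (htpasswd -B), which are stronger than MD5 where the server supports them; the .htaccess directives in the post work unchanged with either format.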
Whichever method you use, also edit the root .htaccess file:
# Add this as the top line of the root .htaccess so the directory protection works
ErrorDocument 401 default
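Once all of the above is in place, it is worth checking the files on disk rather than trusting memory. The script below is an added example, not part of the original post: it walks a WordPress document root and reports whether each step described here (DISALLOW_FILE_EDIT, the PHP-blocking .htaccess files, the root .htaccess protections, directory listing, the 401 line and the wp-admin Basic auth) is present. It also flags an "allow from" line that still carries a dotted placeholder rather than a real address. Run without an argument it builds and audits a small constructed sample tree; the sample layout and its example IP are stubs, not a real install.

```python
"""Offline audit of this post's WordPress hardening steps.
Usage: python wp_hardening_audit.py /path/to/public_html  (no argument: constructed sample)
Added example; the sample tree written by write_sample_site() is a stub, not a real install."""
import ipaddress
import os
import re
import sys
import tempfile

# Directories where the post drops a .htaccess that blocks PHP execution.
PHP_BLOCKED_DIRS = ("wp-includes", os.path.join("wp-content", "uploads"))


def read_text(path):
    """Return a file's text, or '' when it is missing (a missing file fails the check)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def files_block(htaccess, name):
    """Body of the first <Files NAME> ... </Files> container, or '' if there is none."""
    m = re.search(r"<Files\s+" + re.escape(name) + r"\s*>(.*?)</Files>", htaccess, re.I | re.S)
    return m.group(1) if m else ""


def denies_all(block):
    return re.search(r"^\s*deny\s+from\s+all\s*$", block, re.I | re.M) is not None


def plausible_address(value):
    """Accept 'all', an IP, a CIDR range or a hostname; reject dotted numbers that do not
    parse as an IP (e.g. a placeholder such as 100.200.300.400 left in by mistake).
    Heuristic: Apache's partial forms such as 10.1 are flagged as well."""
    if value.lower() == "all":
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return re.fullmatch(r"[\d.]+", value) is None


def audit(root):
    """Map each hardening step from the post to True (in place) or False (missing)."""
    r = {}
    cfg = read_text(os.path.join(root, "wp-config.php"))
    r["disallow_file_edit"] = re.search(
        r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg, re.I) is not None
    for sub in PHP_BLOCKED_DIRS:
        ht = read_text(os.path.join(root, sub, ".htaccess"))
        r["php_blocked:" + sub] = denies_all(files_block(ht, "*.php"))
    root_ht = read_text(os.path.join(root, ".htaccess"))
    r["htaccess_protected"] = denies_all(files_block(root_ht, ".htaccess"))
    r["wp_config_protected"] = denies_all(files_block(root_ht, "wp-config.php"))
    r["xmlrpc_blocked"] = denies_all(files_block(root_ht, "xmlrpc.php"))
    r["indexes_disabled"] = re.search(r"^\s*Options\b[^\n]*-Indexes", root_ht, re.I | re.M) is not None
    r["error_401_first_line"] = re.match(r"\s*ErrorDocument\s+401\s+default", root_ht, re.I) is not None
    allows = re.findall(r"^\s*allow\s+from\s+(\S+)", root_ht, re.I | re.M)
    r["no_placeholder_ips"] = all(plausible_address(a) for a in allows)
    admin_ht = read_text(os.path.join(root, "wp-admin", ".htaccess"))
    r["wp_admin_basic_auth"] = (
        re.search(r"^\s*AuthType\s+Basic\b", admin_ht, re.I | re.M) is not None
        and re.search(r"^\s*Require\s+user\s+\S+", admin_ht, re.I | re.M) is not None)
    return r


def write_sample_site(root, hardened=True):
    """Write a constructed, minimal WordPress-like layout for the demo (not a real install)."""
    for d in ("wp-admin",) + PHP_BLOCKED_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    files = {"wp-config.php": "<?php\n/* constructed stub */\n"}
    if hardened:
        files["wp-config.php"] += "define( 'DISALLOW_FILE_EDIT', true );\n"
        for d in PHP_BLOCKED_DIRS:
            files[os.path.join(d, ".htaccess")] = "<Files *.php>\ndeny from all\n</Files>\n"
        files[".htaccess"] = (
            "ErrorDocument 401 default\n# BEGIN WordPress\n# END WordPress\n"
            "<Files .htaccess>\nOrder allow,deny\nDeny from all\n</Files>\n"
            "<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n"
            "<Files xmlrpc.php>\norder deny,allow\ndeny from all\nallow from 192.0.2.10\n</Files>\n"
            "Options ALL -Indexes\n")  # 192.0.2.10 is a documentation address, constructed
        files[os.path.join("wp-admin", ".htaccess")] = (
            'AuthName "Admins Only"\nAuthUserFile /home/example/.htpasswds/public_html/wp-admin/passwd\n'
            "AuthGroupFile /dev/null\nAuthType Basic\nRequire user example_admin\n")
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)


def demo(hardened=True):
    """Audit a freshly written sample tree and return the result dict."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    write_sample_site(root, hardened)
    return audit(root)


if __name__ == "__main__":
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, ok in results.items():
        print(("OK      " if ok else "MISSING ") + name)
```

The checks are textual, so they confirm the directives are written, not that Apache honours them; a final curl against wp-config.php, xmlrpc.php and an uploaded .php file from an outside address (expecting 403) and against /wp-admin/ (expecting 401) is still the proof that the server applies them.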