wordpress security

How to secure wordpress and ensure security to prevent wordpress from getting hacked?

WordPress site hacked? Are you worried with wordpress site security ?

WordPress site security checklist and hardening process.

  1. Remove the Readme.html and Licence.txt from the root directory and install.php file to prevent it from information leakage.

  2. Add this code in function.php to remove wordpress version.

you can also use this simple code to do that.

  1. Check in function.php for auto create user after the theme activation. If there any function exists and remove if you found any function like add_user().

  2. Check all file folder permission if there is any 777 and make those appropriate the suitable one also do not forget to change the permission to 444 for the wp-config.php and .htaccess.

  3. Check in .htaccess for redirection if you found any verification or redirection or rewrite make sure those are for your site and if any unnecessary anything found remove those.

  4. Hide the default backend for login wp-admin to desired one like security-wordpress.

  5. Scan for core wordpress files and check if it is modified or not, you make take help of many plugins for this like wordfrence and sucuri.

  6. Check every wordpress files for encoded texts  there or not if you found any base64 encoded text then remove those.

  7. Check for hidden input in the form and pages of your theme files.

  8. Check for strong password and enforece user to use strong password.

  9. Check for admin users in the database and take care if there is more than one admin user.

  10. Keep backup of files by hash like backup buddy or all in one wp migration.

  11. Connect the site with git like bitbucket or github for code repository.

  12. Scan automatically for malware in the files using any malware scanner or antivirus.

  13. Enable WAF like bliacklist ip, exploitation check, check for blacklisted IP address, bad bot access denied, backdoor location denied, DDoS attempt recognize, fake bot access, evasion access denied, spam request block, scanning tool block and many more.

  14. Change database default prefix wp_ to any desired one.

  15. Change default wp-content directory to any desired one.

  16. Change default uploads directory to any desired one folder.

  17. Change admin user with database index 1 to another but not less than 100 index.

  18. Disable file editing option in wordpress default editor.

  19. Enable auto update of plugin and core wordpress.

  20. Disable php execution on uploads directory.

  21. Limit login attempts and enable lock down options for IP’s.

  22. Enable white list ip for your one if needed.

  23. Password protect the admin page and third party authentication for login like two factor authentication.

  24. Enable google captcha in dashboard login  for robot verification.

  25. Disable directory listing and browsing in .htaccess.

  26. Disable XML-RPC in WordPress for API request.

  27. Automatically log out Idle Users in WordPress after a certain period.

  28. Add Security Questions to WordPress Login Screen to verify user.

  29. If hacked please replace all core wordpress files and then just keep only the uploads and theme folder also remove all plugins from the plugins directory and install the previous installed plugin also check the uploads directory for malware code.

  30. keep records of files and plugins and themes installed and also the active theme when and by whom.

  31. Edit  style.css to remove the theme info and version disclosure.

  32. Spam comment block.

  33. Add captcha in contaact form 7 and also in comments option and also in any form submission to prevent sending email and auto spamming.

  34. Find all css hidden properties and check for which reason this is added.

  35. Remove meta tag and wordpress version to detect the server and wordpress information.

  36. Option for wordpress heart bit enable disable.

  37. Disable wordpress username enumeration.

  38. Disables wordpress plugin enumeration.

  39. Change default hash salt in wp-config.php.

  40. Enforced transport layer encryption for administrative tasks.

  41. Email option for all alert to admin.

  42. Install a malware scanner to checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.

  43. Real-time malware signature updates via the Threat Defense Feed.

  44. Compares your core files, themes and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you by plugin.

  45. Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the wordpress interface.

  46. Check your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content.

  47. Check to see if your site or IP have been blacklisted for malicious activity, generating spam or other security issue.

  48. With Live Traffic, monitor visits and hack attempts not shown in other analytics packages in real time; including origin, their IP address, the time of day and time spent on your site use google analytics.

  49. Audit error log and notify user or admin.

  50. Audit Trail & User Activity Logging

  51. Import/Export of options across sites and backup the settings.