Hacking the WordPress Core can make it very difficult to upgrade to the latest version of WordPress. Keeping WordPress current is an important step in overall web site security. If any security vulnerability is discovered a patch is typically released very quickly.
Suppose you’ve made the decision to start a photography blog, and you’ve decided that WordPress is the right tool for you. Before you go any further, you must need to take some time to evaluate your security goals so you can set your blog up for success from the start.
The most important file in any WordPress installation is the wp-config.php file. This files stores all database connection settings, including the database name, username, and password to access your database. This file also stores additional database, security, and other advanced settings.
You may also decide to change some basic configuration options, such as the database prefix name or some security keys located in wp-config.php file that are used to provide stronger security for browser cookies.
The wp-config.php file is typically stored in the root directory of WordPress. Alternatively, you can move the wp-config file outside of WordPress one directory. So if your WordPress directory is located here:
Options in WordPress are stored as constants and these can be seen in the wp-config.php file. The constraints all have the same format:
WordPress security can be strengthened by setting secret keys in your wp-config.php file. A secret key is a hashing salt, which makes your site harder to hack by adding random elements (the salt) to the password you set. These keys aren’t required for WordPress to function, but they add an extra layer of security on your web site.
To have secret keys auto-generated for you, visit the link to WordPress.org for secret key generation in your wp-config.php file.
Protect WordPress Admin Directory with HTTP Authentication
The very first step is to create a .htpasswd file in your server which contains your username and password. Htpasswd files are used when password protecting a website or a directory using HTTP Authentication and Apache’s htaccess files.
This file generally contains the username in plain text and the password in hashed(encrypted) format and is separated by a colon (:).
With the help of htaccesstools.com you can easily generate a .htpasswd file which contains your sensitive username and password of your choice.
As soon as you press “Create .htpasswd file” button, it will show some code, simply copy the below code and paste in .htpasswd file. All you need is a good text editor such as Notepad++ or Sublime.
Now fireup Filezilla or any other FTP Client and log into your server. Create any folder outside of your home directory i.e. (public_html) and upload your generated .htpasswd file as shown below.
In below screenshot, you can see that, we’ve created a folder named as “secret” and uploaded .htpasswd file which we generated from first step.
Now next and final step is to edit your .htaccess file and paste the following code in the end of the file.
# To prevent loops
ErrorDocument 401 default
# Protect wp-login
AuthName “Private access”
Allow from all
Here, in above code, you need to change one thing: Change the location of your .htpasswd file which is in our case it is /home/username/secret/.htpasswd.
With the help of below code, you can also find out your full server path address:
<?php echo $_SERVER[“SCRIPT_FILENAME”]; ?>
Using .htaccess allows you to restrict access to your web site by IP address, essentially locking it down from anonymous visitors.
Now save your .htaccess file but don’t forget to take a backup first of your .htaccess file before doing any changes. Now access your wp-login.php or wp-admin page.
Be sure to test it to ensure that it’s working and that you can access the login area after entering your username and password.
And here is the list of top 3 plugins which you can use for security of your WordPress website and do update your plugins/themes/version on regular basis to protect your site further.
- All In One WP Security
- IThemes Security
- Wordfence Security
At Server level security, you should take a look at your php.ini file and disable all the below extensions if you are not using. PHP has prospered by having so much built-in functionality that it lowers the barriers of entry and empowers developers to just get the task done. This has been the boon and the bane for PHP.
Also take this opportunity to secure your PHP execution container and help it run faster. Here are some simple settings. There probably are more depending on your setup, which you can likely turn off to improve security and performance:
;Hide PHP for security
expose_php = Off
;Turn off for performance
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off