Secure your WordPress installation

This article will walk you through how to secure your WordPress installation for ongoing protection

Whether you're setting up a new WordPress site or improving an existing installation, it's important to take initiative to secure your installation against various methods a hacker can penetrate and comprise your WordPress installation.

Keep in mind, applying the below recommendations does not mean you can disregard applying ongoing WordPress core, plugin or theme updates, you should also always run the latest available PHP version. Please visit our guide for recommendations regarding the ongoing management and security of WordPress.

1. Disable XML-RPC

XML-RPC is renowned for being exploited and used as means to gain access to your site via brute force attack methods. You don't need to disable this function completely, for example JetPack plugin is reliant on the use of XML-RPC, so if this function is crucial for your site operations, you can whitelist any IP address which still require access.

To disable XML-RPC, add the below entry to the .htaccess in your sites document root, ensure to add the entry below any rewrite entries, additionally take note of the 5th line in the entry, if you have a IP address which still requires access to XML-RPC please update xxx.xxx.xxx.xxx with the nominated IP address- if not, simply remove the 5th line.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>


2. Disable user registrations

Disable user registrations within WordPress administrator, go to Settings > General >> Uncheck the option "Anyone can register".

3. Encourage strong user passwords

Although you can install various plugins to force users to use only secure passwords, it would be recommended to avoid installing additional non crucial plugins on the website, and instead ensure all WordPress users are aware of the security risk created by weak passwords and only use high strength passwords.

4. File Permissions

The recommended, secure permissions for WordPress is 644 for files and 755 for directories, you can issue the below commands which recursively update the permissions to the recommended setting. Please issue each command from your websites document root.

To update directory permissions:

find . -type d -exec chmod 755 {} ;

To update file permissions:

find . -type f -exec chmod 644 {} ;

5. Disable theme/plugins editor

Within WordPress dashboard you have the ability to edit theme and plugin files directly, if your WordPress website was ever compromised the hacker could easy take advantage of this functionality to inject malicious code into your theme or plugin files.

You can disable the editor functions by adding the below code into the wp-config.php within the home directory of your website:

define( 'DISALLOW_FILE_EDIT', true );

If you require theme or plugin editor in the future, just update the entry to state "false" in replacement of "true".

6. Disable comments

The comment function on a website is often taken advantage of to send spam/fraud content, disabling comments is recommended however if you would like to retain comments you can always allow comments to be posted after moderation.

Either disable comments or set the requirement for comments to be moderated within WordPress Dashboard >> Settings >> Discussion >> Deselect Allow people to submit comments on new posts or enable Comment must be manually approved depending on your preference.

7. Configure CAPTCHA on all web forms

Prevent website generated spam by adding a CAPTCHA to any web form on your website, you can also install what's called a Honeypot, however we would recommend CAPTCHA due to the CPU overhead created by Honeypot services.

We recommend reCAPTCHA by BestWebSoft which utilizes the Google's v2 or v3 CAPTCHA tokens.

9. Install a Site Security plugin

Employ a Site Security plugin to configure and manage your application firewall to protect your website from brute force attack, block malicious IP addresses and identify vulnerabilities in your WordPress installation. We recommend installing WordFence and optimising the WordFence firewall and security settings.

10. Install a SSL certificate and force redirect all traffic to HTTPS

Install a SSL certificate so users can browse and enter data into your website securely and then implement a force redirect to HTTPS to ensure website visitors always access the website securely over HTTPS (rather than HTTP which is insecure).