Hardening WordPress

Secure an existing #WordPress site in easy steps / makes you sleep better

Most of the time, when it comes to hardening an existing #WordPress installation or site, we are all used to hearing the same old tunes.

  • run update to the latest version
  • remove unused PlugIns
  • run update on used PlugIns
  • check twice if you need the PlugIn for real (else get rid of it)
  • disable PlugIns that no longer receive updates, or plan to replace them
  • minimize user permissions (not all your users need to get admin privileges)
  • sort out users (users that no longer need access have to be removed)
  • use 2FA (Google Authenticator does the trick pretty well)
  • protect your login page
  • limit login attempts

But here come the new tunes ...

Disable PHP error display:
A simple edit of the site's wp-config.php file with this code should do the trick:

define( 'WP_DEBUG', false );

Disable PHP execution in untrusted folders:
This one is pretty new to me: you can guard against PHP being executed in untrusted folders with a simple access control file.
Just a little code is needed in .htaccess.
We have to test this well, because I think you can quickly overuse these restrictions, and most of WordPress involves PHP execution.

<FilesMatch "\.(php|php\.)$">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
Order Allow,Deny
Deny from all
</FilesMatch>
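
One way to act on the "test this well" caution before dropping the rule into a folder, as an added example that is not part of the original post: the script lists every file the FilesMatch pattern would block and reports whether a deny rule is already in place. The function names are made up for this sketch, and the folder to check is whatever path you pass in.

```shell
#!/bin/sh
# Added example: pre-deployment check for the FilesMatch rule from this post.
# PATTERN is copied from the .htaccess snippet; function names are hypothetical.
PATTERN='\.(php|php\.)$'

# List every file under DIR whose name the FilesMatch pattern matches.
# .htaccess rules also apply to subfolders, so the search is recursive.
blocked_files() {
    find "$1" -type f | grep -E "$PATTERN" | sort
}

# Succeed if DIR/.htaccess holds a FilesMatch block together with a deny
# directive (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
# This is a plain text check; it does not parse the Apache configuration.
has_deny_rule() {
    [ -f "$1/.htaccess" ] || return 1
    grep -q '<FilesMatch' "$1/.htaccess" &&
        grep -Eqi 'Deny from all|Require all denied' "$1/.htaccess"
}

# Print a short report for DIR: rule status, then the affected files.
audit() {
    if has_deny_rule "$1"; then
        echo "rule: present in $1/.htaccess"
    else
        echo "rule: missing in $1"
    fi
    count=$(blocked_files "$1" | grep -c . || true)
    echo "files the rule blocks: $count"
    blocked_files "$1" | sed 's/^/  /'
}

# Usage: sh check.sh /path/to/folder
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Any file in the report that the site still needs to run is a sign that the rule is too broad for that folder.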