Strengthen WP without installing a plugin
This has been on my mind. As of v 3.7.1, WP ships with auto-updates for security and maintenance. This gives me peace of mind for many of my clients, who unfortunately don’t update as much as they should.
I always take a few precautions upfront that I know help strengthen the site:
- Never use the username “admin” (although creating a user with the name “admin” and role of “subscriber” is a trick I heard once and have done a few times.)
- While setting up my WP site in the config file, I always change the DB prefix. Usually an abbreviation of the site name.
- Change the salts. Yup, go to the link, copy the new salts, and paste them into your config.
Block web access to the wp-includes folder. Add this to the .htaccess file, just above the WP block.

```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Deny all web access to wp-config.php.
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied".
<files wp-config.php>
order allow,deny
deny from all
</files>
```
Block web access to the wp-config file (the `<files>` section at the end of the .htaccess snippet above) and disable the editor option under Appearance by adding this to wp-config.php:

```php
// Disable file editing in the WordPress admin
define('DISALLOW_FILE_EDIT', true);
```
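The wp-config.php items from this post (DB prefix, salts, `DISALLOW_FILE_EDIT`) can be checked across client sites with a small audit script. This is an added example, not part of the original post: the function names, finding strings and both sample configs are constructed for illustration.

```python
import re

# Placeholder value shipped in wp-config-sample.php for every key and salt.
PLACEHOLDER = "put your unique phrase here"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

def _active_code(php):
    """Drop block comments that start a line and //, # comment lines,
    so a commented-out define() is not counted as set."""
    php = re.sub(r"^\s*/\*.*?\*/", "", php, flags=re.S | re.M)
    return "\n".join(l for l in php.splitlines() if not re.match(r"\s*(//|#)", l))

def _define(php, name):
    """Value of define('NAME', ...): quoted string contents or a bare word, else None."""
    m = re.search(r"define\(\s*['\"]" + name +
                  r"['\"]\s*,\s*(?:'([^']*)'|\"([^\"]*)\"|(\w+))\s*\)", php)
    return next((g for g in m.groups() if g is not None), None) if m else None

def audit_wp_config(php):
    """Return a list of findings for the settings this post recommends."""
    php, findings = _active_code(php), []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", php)
    if m is None or m.group(1) == "wp_":
        findings.append("table_prefix: default or missing")
    salts = {k: _define(php, k) for k in SALT_KEYS}
    for key, value in salts.items():
        if not value or value == PLACEHOLDER:
            findings.append(key + ": missing or placeholder")
    real = [v for v in salts.values() if v and v != PLACEHOLDER]
    if len(set(real)) != len(real):
        findings.append("salts: same value reused for several keys")
    if (_define(php, "DISALLOW_FILE_EDIT") or "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not set to true")
    return findings

# Constructed sample configs (not real sites, not real salts).
WEAK = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
// define('DISALLOW_FILE_EDIT', true);
"""
HARDENED = "<?php\n$table_prefix = 'acme_';\n" + "".join(
    "define('%s', 'constructed-%d-not-a-real-salt');\n" % (k, i)
    for i, k in enumerate(SALT_KEYS)) + "define('DISALLOW_FILE_EDIT', true);\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_wp_config(cfg) or "no findings")
```

To audit a real site, pass the contents of its wp-config.php to `audit_wp_config()`; the salt values are compared but never printed.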