Strengthen WP without installing a plugin
WP security has been on my mind. As of v3.7.1, WP ships with automatic background updates for security and maintenance releases. That gives me peace of mind for many of my clients, who unfortunately don't update as often as they should.
I always take a few precautions up front that I know help strengthen the site:
- Never use the username "admin" (although creating a user named "admin" with the Subscriber role is a trick I heard once and have used a few times).
- While setting up the site in wp-config.php, I always change the DB prefix, usually to an abbreviation of the site name.
- Change the salts. Yup, go to the link, copy the new salts and paste them into your config.
Blocking web access to the wp-includes folder. Add this to the .htaccess file, just above the WP block (the `# BEGIN WordPress` section):

```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# wp-admin/includes/ is never meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# Anything outside wp-includes/ skips the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Top-level PHP files in wp-includes/ (dot escaped so it matches a literal ".")
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Deny direct web requests for wp-config.php.
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead.
<files wp-config.php>
order allow,deny
deny from all
</files>
```
The `<files wp-config.php>` block above is what blocks web access to the wp-config file. To disable the editor option under Appearance, add this line to wp-config.php:

```php
// Disable the theme and plugin file editor in the WordPress admin
define('DISALLOW_FILE_EDIT', true);
```
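To check that a site actually has these settings in place (I find clients' installs drift), here is a small POSIX shell audit as an added example; it is not code from the post or from WordPress. It greps a wp-config.php for the default `wp_` table prefix, the stock salt placeholder text, and an active `DISALLOW_FILE_EDIT`, and greps an .htaccess for the wp-includes rewrite rule and the wp-config.php `<files>` block. The two sample config pairs it builds in temp files are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the post): one WARN line per missing hardening
# item, followed by a final "findings: N" line.

audit_wp_config() {
    cfg="$1"
    findings=0
    # Default table prefix "wp_" (the post recommends a site-specific abbreviation)
    prefix_re="^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]"
    if grep -Eq "$prefix_re" "$cfg"; then
        echo "WARN: default table prefix 'wp_' in use"
        findings=$((findings + 1))
    fi
    # Salts never replaced: wp-config-sample.php ships with this placeholder text
    if grep -Fq "put your unique phrase here" "$cfg"; then
        echo "WARN: salts still contain the placeholder phrase"
        findings=$((findings + 1))
    fi
    # Editor still enabled: require an uncommented define(...) at line start
    edit_re="^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
    if ! grep -Eq "$edit_re" "$cfg"; then
        echo "WARN: DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

audit_htaccess() {
    ht="$1"
    findings=0
    if ! grep -Eq '^RewriteRule \^wp-includes/' "$ht"; then
        echo "WARN: no RewriteRule blocking wp-includes/ PHP files"
        findings=$((findings + 1))
    fi
    if ! grep -iq '<files wp-config.php>' "$ht"; then
        echo "WARN: no <files wp-config.php> deny block"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

# Constructed sample inputs: one untouched install, one hardened per the post.
weak_cfg=$(mktemp); weak_ht=$(mktemp)
hardened_cfg=$(mktemp); hardened_ht=$(mktemp)
trap 'rm -f "$weak_cfg" "$weak_ht" "$hardened_cfg" "$hardened_ht"' EXIT

cat > "$weak_cfg" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
// define('DISALLOW_FILE_EDIT', true);
EOF
: > "$weak_ht"   # empty .htaccess, nothing blocked

cat > "$hardened_cfg" <<'EOF'
<?php
$table_prefix = 'mysite_';
define('AUTH_KEY', 'constructed-random-salt-value-for-the-example');
define('DISALLOW_FILE_EDIT', true);
EOF
cat > "$hardened_ht" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
</IfModule>
<files wp-config.php>
order allow,deny
deny from all
</files>
EOF

echo "== weak install ==";     audit_wp_config "$weak_cfg";     audit_htaccess "$weak_ht"
echo "== hardened install =="; audit_wp_config "$hardened_cfg"; audit_htaccess "$hardened_ht"
```

Point it at a real install with `audit_wp_config /path/to/wp-config.php` and `audit_htaccess /path/to/.htaccess`; a commented-out `define` is deliberately counted as a finding, since that is the most common way I see the editor end up re-enabled.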