Strengthen WP without installing a plugin

WP Security

This has been on my mind. As of version 3.7, WP ships with automatic background updates for minor (security and maintenance) releases. That gives me some peace of mind for the clients who, unfortunately, don't update as often as they should. Note that the default covers minor core releases only: major versions, themes and plugins still have to be updated by hand.

I always take a few precautions up front that I know strengthen a site:

  • Never use the username "admin". (A trick I heard once, and have used a few times, is to create a decoy user named "admin" with the Subscriber role, so the real administrator account never carries that name. Give the decoy a long random password: it is exactly the account that brute-force scripts will hammer.)
  • While setting up the site, change the database table prefix (`$table_prefix` in wp-config.php), usually to an abbreviation of the site name. Only letters, digits and underscores are allowed, and it has to be done before the install runs; afterwards every table and the prefixed option and usermeta keys would need renaming. This is a speed bump for automated SQL injection scripts that assume `wp_`, not a real defence on its own.
  • Change the salts. Yup, fetch a fresh set from https://api.wordpress.org/secret-key/1.1/salt/ and paste them into wp-config.php in place of the `put your unique phrase here` placeholders. Changing them on a live site signs out every logged-in user, which is also a handy way to force everyone out after an incident.
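As an added example (not code from the original post), the POSIX shell functions below do the wp-config.php part of those steps without visiting the salt page: they validate a table prefix against WordPress's own rule (letters, digits and underscores only), generate the eight secrets locally from /dev/urandom, and swap them into a config file just before the "That's all, stop editing" marker. The path in the usage comment is made up, and the functions assume a standard wp-config.php that still contains that marker line.

```shell
#!/bin/sh
# Added example, not from the original post: local helpers for the
# wp-config.php steps above (table prefix and salts). Assumes a POSIX shell,
# /dev/urandom, awk and sed; the path in the usage comment is made up.

# WordPress refuses to start if $table_prefix contains anything other than
# letters, digits and underscores, so reject such values before writing them.
valid_prefix() {
    case "$1" in
        '' | *[!A-Za-z0-9_]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Rewrite the $table_prefix line. Only safe before the install runs: afterwards
# every table and the prefixed option/usermeta keys would need renaming too.
set_prefix() {
    cfg=$1
    prefix=$2
    if ! valid_prefix "$prefix"; then
        echo "set_prefix: invalid prefix '$prefix'" >&2
        return 1
    fi
    sed -i.bak "s/^\$table_prefix *=.*/\$table_prefix = '$prefix';/" "$cfg" && rm -f "$cfg.bak"
}

# One 64-character secret from the kernel CSPRNG. The alphabet leaves out the
# quote and backslash characters that would break a single-quoted PHP string.
gen_secret() {
    head -c 1024 </dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=~' | head -c 64
}

# The eight define() lines wp-config.php expects, same names as the salt page.
render_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(gen_secret)"
    done
}

# Drop any existing salt definitions and insert a fresh set just before the
# "stop editing" marker (salts must be defined before wp-settings.php loads).
# Rotating the salts signs out every logged-in user.
rotate_salts() {
    cfg=$1
    salts=$(render_salts)
    if ! grep -q 'stop editing' "$cfg"; then
        echo "rotate_salts: no 'stop editing' marker in $cfg" >&2
        return 1
    fi
    awk -v salts="$salts" '
        /^define\(.(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)./ { next }
        /stop editing/ && !done { print salts; done = 1 }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Usage, with a made-up path:
#   set_prefix /var/www/example/wp-config.php mysite_
#   rotate_salts /var/www/example/wp-config.php
```

Run `rotate_salts` against a copy first and diff the result; the only lines that should change are the eight `define(...)` salt lines, and once it is on the live config every session cookie becomes invalid.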

Block web access to the include-only files. Add this to the site's .htaccess, just above the `# BEGIN WordPress` block, so the rules run before WordPress's own rewrite to index.php. These are the rules from the WordPress Codex "Hardening WordPress" page; on a Multisite install drop the `^wp-includes/[^/]+\.php$` line, because ms-files.php has to stay reachable (with less protection as a result).

```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Anything outside wp-includes/ skips the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Multisite: remove this line, ms-files.php must remain reachable.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Deny direct requests for wp-config.php. "Order/Deny" is the Apache 2.2
# syntax (2.4 still honours it through mod_access_compat); "Require all
# denied" is the native 2.4 directive.
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
```

The `<Files>` block above denies web requests for wp-config.php. Normally PHP executes the file and prints nothing, but if PHP handling ever breaks the server would hand out the file, database credentials included, as plain text, so the deny rule is cheap insurance. Next, disable the theme and plugin editors (Appearance > Editor and Plugins > Editor) by adding this to wp-config.php, above the `/* That's all, stop editing! */` line:

```php
// Disable the theme/plugin file editors in the WordPress admin. Anyone who
// gets into wp-admin could otherwise write PHP straight into the active theme.
define('DISALLOW_FILE_EDIT', true);
```