: What's the best way to secure wordpress site? What steps have you taken? Would love to get some useful insight.

@Hamaas447

WordPress makes a very nice getting started guide over at the WordPress Codex

I'll highlight a few I use on all of my sites:


File permissions

For Directories

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;

For Files

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;
Move wp-config.php up 1 directory than the default, chmod 400 wp-config.php


<files wp-config.php>
order allow,deny
deny from all
</files>



Securing wp-includes
#Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

disable file editing in builtin editor define('DISALLOW_FILE_EDIT', true); add that to your wp-config.php
install plugin like Wordfence to help out with security
turn automatic updates on
check and double check file permissions
if running centos enable selinux and set correct permissions on files and directories
read the Codex for a full list of recommended settings

Vote Up Vote Down