Where to Start to Secure WordPress? Part 1

Secure WordPress is an everyday work. I’m not talking about WordPress core but the whole Website.

There is things you can do once, but sometimes check if this rules are still efficients.

The waves of attacks on WordPress Websites came sometimes, and it’s very hard or even impossible to predict.

4 easy rules to do once

Change the Database Prefix

You may already know, you shouldn’t use neither wp_ neither wordpress_ as a database prefix. But do you know why?

The explanation is relatively simple. When a SQL Injection vulnerability is exploited, the attacker needs to target your tables, for example he needs wp_users to read your informations. But what if the prefix wasn’t wp_ then he’ll got errors, only.

The security tip will be to use a long or random prefix. Remember that you won’t have to actually remember it, even if you’re a developper. Secure WordPress is also about securing your database!

Using SecuPress this fix is automatic:

Before the fix

After the fix

Avoid the Directory Listing

In most of installations it’s possible to access to the content of your folders. It might seems harmless but it’s strongly advised to not let this happen.

Let’s imagine to have some documents only accessible with a paid account, or some others containing private informations or even some PHP file with dev tests which should not be available to your visitors, also reachable by search engines? This is not appropriate for security reasons.

You have so secure WordPress thinking about the environment settings. You only need a few lines of code in a particular config file (depending of your installation) and this listing will be forbidden.

You have to add a .htaccess file (if you’re running under Apache) including this code:

<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

Using SecuPress this fix is done with only one click :

Before the fix

After the fix

Choose a Strong Password

We, humans, like simplicity, our brain doesn’t like complex things, on the contrary.

When we talk about passwords, the effort to make a complex choice is not easy to do.

But when we talk to secure WordPress, the users are also personaly in charge of this security level.

I recommand you to read this post about strong passwords, then you’ll quickly understand why your users should follow this example.

SecuPress can force your users to set a strong password to secure WordPress:

Force a strong password for your users with SecuPress

Deactivate the Plugins and Themes Tile Editor

File edition is usually done on your computer using a code editor. For CSS files or PHP files, you’ll then use a FTP software to upload these files on our Website.

But WordPress allows everyone to directly edit files from the administration screen. Talking about security, it’s very and too much dangerous. Let the possibility, even for an administrator, to edit a .php file if a huge danger and stop you to correctly secure WordPress.

This is not because someone is an administrator that he has the right to modify your files, this is absolutly two differents things!

This line of code deactivate the native file editor from WordPress, place this is your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

SecuPress checks and fixes for you this setting which depends on your wp-config.php

Before fix

After fix

With these 4 rules fixed, you’ll have succeed to secure WordPress a little more, do you know some others simple rules that requires only one step forever to share with us?

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.