OSIFY

What to do to secure your wordpress on production

Security is a major concern for all kinds of software and applications.

WordPress is a free, open source blogging and CMS-like system. Because it is open source, its source code is public, so it is easy for hackers to read it and understand how it works.

But that doesn’t mean it’s easy to hack.

Here are some tips to help make your WordPress installation more secure:

1. Keep your WordPress / Plugins up to date

At least every 2 or 3 months, check whether an upgrade is available for WordPress Core.
And always update the plugins you are using as soon as updates are available.

2. Super Admin User & Other User login Management

WordPress comes with the default “admin” user, which a hacker will likely try first when guessing our login.

=> If you have already created it, rename it from your MySQL admin tool:

update tableprefix_users set user_login='newuser' where user_login='admin';

3. Your wp-config.php

You can move the wp-config.php file to the directory above your WordPress install.

Note that if you are on a shared server, the permissions on your wp-config.php should be 750.
That way no other user will be able to read your database username and password.

chmod 750 wp-config.php

Also deny web access to the file in your .htaccess:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

4. Database

table_prefix is “wp_” by default, so it is better to change it to something else.

5. Secure your wp-admin

Add this to wp-config.php:

define('FORCE_SSL_ADMIN', true);

(For details, read here: http://codex.wordpress.org/Administration_Over_SSL)
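Tips 3, 4 and 5 all come down to a few things you can check in wp-config.php and its permission bits. The script below is an added example (not part of this post and not WordPress’s own tooling) that reads a wp-config.php, pulls out the table prefix and the define()d constants, and reports the defaults this post warns about: a “wp_” prefix, FORCE_SSL_ADMIN not set, and a file that other users can read or that group/others can write. The two config samples are constructed, with placeholder credentials; the “osf7_” prefix is just an invented example value.

```python
import os
import re
import stat
import tempfile

# Constructed sample of a wp-config.php that still has the defaults this post
# warns about. The credentials are placeholders, not real values.
DEFAULT_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'placeholder-password');
$table_prefix = 'wp_';
"""

# The same file after applying tips 4 and 5 (custom prefix, SSL for wp-admin).
HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'placeholder-password');
$table_prefix = 'osf7_';
define('FORCE_SSL_ADMIN', true);
"""

# Single-line define('NAME', value) calls, as written in wp-config-sample.php.
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*([^)]+?)\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")


def parse_wp_config(text):
    """Pull the table prefix and define()d constants out of wp-config.php text.

    Only simple single-line define() calls are understood; a value containing
    a ')' (e.g. inside a password) would need a real PHP parser.
    """
    settings = {}
    m = PREFIX_RE.search(text)
    if m:
        settings["table_prefix"] = m.group(1)
    for name, value in DEFINE_RE.findall(text):
        settings[name] = value.strip().strip("'\"")
    return settings


def audit_wp_config(text, mode):
    """Return a list of findings for wp-config.php content plus its permission bits.

    `mode` is the permission part of the file mode, e.g. 0o644 (see stat.S_IMODE).
    """
    findings = []
    cfg = parse_wp_config(text)
    if cfg.get("table_prefix", "wp_") == "wp_":
        findings.append("table_prefix is the default 'wp_'")
    if cfg.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN is not defined as true")
    if mode & stat.S_IROTH:
        findings.append("file is readable by other users (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or other users (mode %o)" % mode)
    return findings


def audit_file(path):
    """Audit a real wp-config.php on disk: its contents and its permission bits."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_wp_config(text, mode)


if __name__ == "__main__":
    # Write the constructed default config to a temp file with 644 permissions and
    # audit it, then show that the hardened content with this post's chmod 750 is clean.
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as tmp:
        tmp.write(DEFAULT_WP_CONFIG)
    os.chmod(tmp.name, 0o644)
    for finding in audit_file(tmp.name):
        print("FINDING:", finding)
    os.unlink(tmp.name)
    print("hardened + 750:", audit_wp_config(HARDENED_WP_CONFIG, 0o750) or "no findings")
```

Run it against your real file with audit_file('/path/to/wp-config.php'); an empty list means the three tips above are in place.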

6. Keep spam comments out

7. Backup

8. More tips

Be careful on this part: some FTP clients can be infected by a virus while you are uploading files or accessing your site over FTP. I used to meet the same issues and help others with them in the past:

You can simply add this snippet to your theme’s functions.php file to stop WordPress printing its version in the page head:

<?php remove_action('wp_head', 'wp_generator'); ?>

Or use a plugin: Replace WP-Version, Secure WordPress, or WP-Secure Remove WordPress Version

You can also try a plugin called WP Security Scan.
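To confirm the snippet above actually worked, fetch your home page and look for the generator tag yourself. The checker below is an added example, not code from this post or from any of the plugins named above. It goes one step further than the snippet: it also looks at the RSS feed, because the feed’s own <generator> element is printed by WordPress’s the_generator() rather than by the wp_head hook, so removing wp_generator from wp_head does not cover it. The HTML and feed samples are constructed, with a made-up version number.

```python
import re

# Constructed page head from a site that still runs the default wp_generator hook.
LEAKING_HEAD = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<title>My blog</title>
</head><body></body></html>"""

# The same page after remove_action('wp_head', 'wp_generator') in functions.php.
CLEAN_HEAD = """<html><head>
<title>My blog</title>
</head><body></body></html>"""

# Constructed RSS feed fragment: the feed's generator element comes from
# the_generator(), which the wp_head removal above does not touch.
LEAKING_FEED = """<rss version="2.0"><channel>
<title>My blog</title>
<generator>http://wordpress.org/?v=3.5.1</generator>
</channel></rss>"""

# WordPress writes the meta tag with name first, then content.
META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']',
    re.IGNORECASE,
)
# Feed generator element: http(s)://wordpress.org/?v=<version>
FEED_RE = re.compile(
    r'<generator>\s*https?://wordpress\.org/\?v=([^<\s]+)\s*</generator>',
    re.IGNORECASE,
)


def leaked_wordpress_version(body):
    """Return the WordPress version disclosed by an HTML page or feed body, or None."""
    for pattern in (META_RE, FEED_RE):
        m = pattern.search(body)
        if m:
            return m.group(1).strip()
    return None


def check_site_pages(pages):
    """Given {label: body}, return {label: version} for the bodies that still leak."""
    leaks = {}
    for label, body in pages.items():
        version = leaked_wordpress_version(body)
        if version is not None:
            leaks[label] = version
    return leaks


if __name__ == "__main__":
    # In practice you would fill this dict with the bodies of GET / and GET /feed/.
    sample = {"home (before)": LEAKING_HEAD, "home (after)": CLEAN_HEAD, "feed": LEAKING_FEED}
    for label, version in check_site_pages(sample).items():
        print("%s still discloses WordPress %s" % (label, version))
```

If the feed still shows a version after the snippet, that is expected: you need a the_generator filter (or one of the plugins listed above) to cover feeds as well.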