Securing and hardening Wordpress
This guide includes a number of WordPress post-installation steps to further improve the security of your site.
We are making some assumptions in this guide:
- that before installing WordPress you enabled SSL on your domain (using LetsEncrypt) and then you selected the https: variant of your sites name when you performed the WordPress install.
- that you installed WordPress using Softaculous or Installatron
- that you have the LiteSpeed caching plug-in installed - it is installed as standard if you used Softaculous or Installatron.
We generally recommend that you minimise the number of plug-ins you install - for a number of reason.
- the more plug-ins, the more WordPress has to process to actually display your site - often resulting in a slower site.
- the more plug-ins you use, the more likely you are to be exposed to an issue with a plug-in being badly coded or have an issue that may result in your site being hacked
- Always check that any plug-ins you do use are well supported and regularly updated and have plenty of good reviews
That said, the following plug-ins provide a layer of protection for your site that is well worth having.
- Install a WordPress Application Firewall (WAF) - we suggest either WordFence or Sucuri.
Both of these are well regarded and have a wealth of options built in that you can enable to enhance your site's security.
- Add Two-Factor Authentication (2FA) - this adds security to the WordPress login - so that anyone attempting to login requires either a SMS text message authentication or a code from an app on their mobile phone.
WordFence, mentioned above has 2FA options built in. An alternative would be Google Authenticator - which works alongside Authy.
Updates to .htaccess
These snippets - which you can pick and choose from - harden and protect access to your site and it's files.
.htaccess files are special, for several reasons:
- The full stop in front of their names makes them hidden - so if you're using cPanel File Manager you'll need to make sure you have view hidden files enabled.
- They can be placed in any directory (just create a new file called
.htaccessif it doesn't already exist) to perform actions on incoming requests to that and any sub-folders
But, be warned -
.htaccess files are super-fragile - one misplaced full stop or other character could break access to your whole site. Make sure you always take a backup of the file before making any changes, so you can revert easily if there is ever and issue.