Securing and hardening WordPress

This guide includes a number of WordPress post-installation steps to further improve the security of your site.

We are making some assumptions in this guide:

  • that before installing WordPress you enabled SSL on your domain (using Let's Encrypt) and then selected the https:// variant of your site's name when you performed the WordPress install.
  • that you installed WordPress using Softaculous or Installatron
  • that you have the LiteSpeed Cache plug-in installed - it is installed as standard if you used Softaculous or Installatron.

Suggested Plug-Ins

We generally recommend that you minimise the number of plug-ins you install, for a number of reasons:

  • the more plug-ins, the more code WordPress has to run to display each page - often resulting in a slower site.
  • every plug-in you add is more third-party code that could contain a bug or a security flaw that lets an attacker compromise your site.
  • Always check that any plug-ins you do use are well supported, regularly updated and have plenty of good reviews.

That said, the following plug-ins provide a layer of protection for your site that is well worth having.

  1. Install a Web Application Firewall (WAF) plug-in - we suggest either Wordfence or Sucuri.

    Both of these are well regarded and have a wealth of options built in that you can enable to enhance your site's security.
  2. Add Two-Factor Authentication (2FA) - this adds a second step to the WordPress login, so that anyone attempting to log in also needs a one-time code from an authenticator app on their phone (or, less securely, an SMS text message, which can be intercepted by SIM-swap attacks).

    Wordfence, mentioned above, has 2FA built in. An alternative is the Google Authenticator plug-in, which works with any TOTP app such as Google Authenticator or Authy.

Updates to .htaccess

These snippets - which you can pick and choose from - harden and protect access to your site and its files.

.htaccess files are special, for several reasons:

  • The full stop in front of the name makes the file hidden - so if you're using cPanel File Manager you'll need to make sure you have "Show Hidden Files" enabled.
  • They can be placed in any directory (just create a new file called .htaccess if one doesn't already exist) and apply to incoming requests for that directory and all of its sub-folders.
  • Access-control directives such as Deny from all apply to everything in that directory unless you scope them to particular files with a <Files> block - which is why the snippets below wrap them in one. A Deny from all on its own in the site root would lock everyone out.

But be warned: .htaccess files are fragile - one misplaced full stop or other character can break access to your whole site (the server answers every request with a 500 error until the file is fixed). Always take a backup of the file before making any changes, so you can revert easily if there is ever an issue, and check your site in a browser immediately after saving.

Protect your .htaccess file

    # Deny access to .htaccess
    <Files .htaccess>
    Order allow,deny
    Deny from all
    </Files>

Protect your wp-config.php file

    # Block access to wp-config.php
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

wp-config.php holds your database credentials and secret keys. It is only ever read by PHP on the server, so nothing legitimate needs to fetch it over HTTP. The Order/Deny form shown here is the Apache 2.2 syntax that LiteSpeed accepts (Apache 2.4 still honours it through mod_access_compat); on a pure Apache 2.4 server the equivalent is Require all denied.

Block access to your includes files

    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

These files are meant to be included by other PHP code, never requested directly, so requesting them returns a 403. Place this block above the # BEGIN WordPress block that WordPress writes into .htaccess itself, so it is evaluated before WordPress's own rules. The second rule is a skip: for any request outside wp-includes/ it jumps past the three wp-includes checks. On a Multisite install the rule ending [^/]+\.php$ also blocks wp-includes/ms-files.php, which serves uploaded media on older multisite setups - omit that one line there, at the cost of a little protection.
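To see exactly which requests this block refuses before you deploy it, here is a small dry-run evaluator. It is an added example, not code from this guide or from WordPress: it re-implements only the mod_rewrite behaviour the snippet relies on (matching the pattern against the site-relative path, the ! negation, [F] and [S=n]) and runs the five rules above over constructed sample paths. The paths in the sample lists are made up for illustration.

```python
import re

# The five rules from the snippet above, transcribed as (pattern, negated, flags).
# A leading '!' in the original becomes negated=True; [F,L] becomes {"F": True}.
INCLUDE_ONLY_RULES = [
    (r"^wp-admin/includes/",                   False, {"F": True}),
    (r"^wp-includes/",                         True,  {"S": 3}),
    (r"^wp-includes/[^/]+\.php$",              False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/",            False, {"F": True}),
]


def evaluate(path, rules=INCLUDE_ONLY_RULES):
    """Return 'forbidden' (HTTP 403) or 'allowed' for a site-relative request path.

    Mirrors how mod_rewrite walks a per-directory rule set: the pattern is tested
    against the path without its leading slash, [F] stops with a 403, and [S=n]
    skips the next n rules when the rule matches (the negated second rule uses
    this to jump past the wp-includes checks for anything outside wp-includes/).
    """
    path = path.lstrip("/")
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        matched = bool(re.search(pattern, path)) != negated  # '!' inverts the match
        if matched:
            if flags.get("F"):
                return "forbidden"
            i += flags.get("S", 0)
        i += 1
    return "allowed"


def report(paths, rules=INCLUDE_ONLY_RULES):
    """Evaluate several paths at once; handy for eyeballing a rule change."""
    return {p: evaluate(p, rules) for p in paths}


# Constructed sample requests: the first group should be refused, the second served.
EXPECT_FORBIDDEN = [
    "wp-admin/includes/file.php",
    "wp-includes/version.php",
    "wp-includes/js/tinymce/langs/en.php",
    "wp-includes/theme-compat/header.php",
]
EXPECT_ALLOWED = [
    "index.php",
    "wp-admin/admin-ajax.php",
    "wp-includes/js/jquery/jquery.js",
    "wp-includes/css/dashicons.css",
    "wp-content/uploads/photo.png",
]

if __name__ == "__main__":
    for path, verdict in report(EXPECT_FORBIDDEN + EXPECT_ALLOWED).items():
        print(f"{verdict:9s} /{path}")
    # Multisite caveat: the third rule also catches ms-files.php, which serves uploads.
    print("multisite ms-files.php:", evaluate("wp-includes/ms-files.php"))
```

Edit the rule list and re-run the report whenever you add a rule of your own; the evaluator only models the subset of flags used here, so anything using [R], [NC] or back-references needs to be checked against the real server.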

Disable directory browsing

    # Disable directory browsing
    Options All -Indexes

Without this, a request for a folder that has no index file (for example wp-content/uploads/) lists its contents, handing an attacker your plug-in and theme names and versions. If your host's AllowOverride setting does not permit Options in .htaccess, this line will cause a 500 error - remove it and ask your host to disable directory indexes for you instead.

Block XML-RPC requests

    # Block any attempted XML-RPC requests
    <Files xmlrpc.php>
    Order deny,allow
    Deny from all
    </Files>

xmlrpc.php is the endpoint used for pingbacks and remote publishing, and it is a favourite target for password-guessing: its system.multicall method lets an attacker try many username/password pairs in a single request, bypassing per-request login rate limits. Blocking it stops that, but also breaks the Jetpack plug-in, the WordPress mobile apps and any other client that publishes over XML-RPC, so leave it open if you rely on those and let your WAF plug-in rate-limit it instead.
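The two checks below are an added example, not code from this guide or from WordPress. The linter catches the mistakes that most often turn a copied snippet into a site-wide lockout (an access rule left outside a <Files> container, a container that is never closed, a RewriteRule with no RewriteEngine On) and is run over the snippets from this section and over a constructed broken copy. The optional probe requests the protected paths from a live site and expects HTTP 403; it needs network access, and the https://example.com in the usage comment is a placeholder for your own site.

```python
import re
import sys
import urllib.error
import urllib.request

# Containers whose scope matters. Only <Files>/<FilesMatch> limit an access
# rule to particular files; <IfModule> and <Limit> do not narrow *which* files.
CONTAINER_OPEN = re.compile(r"^<(Files|FilesMatch|IfModule|Limit|LimitExcept)\b[^>]*>$", re.I)
CONTAINER_CLOSE = re.compile(r"^</(Files|FilesMatch|IfModule|Limit|LimitExcept)>$", re.I)
DENY_ALL = re.compile(r"^(Deny\s+from\s+all|Require\s+all\s+denied)$", re.I)
REWRITE_ON = re.compile(r"^RewriteEngine\s+On$", re.I)
REWRITE_RULE = re.compile(r"^RewriteRule\b", re.I)


def lint_htaccess(text):
    """Return [(line_no, message), ...]; an empty list means nothing suspicious."""
    problems, stack, rewrite_on = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTAINER_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), n))
            continue
        m = CONTAINER_CLOSE.match(line)
        if m:
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            else:
                problems.append((n, f"unexpected </{m.group(1)}> (nothing open to close)"))
            continue
        if DENY_ALL.match(line) and not any(c in ("files", "filesmatch") for c, _ in stack):
            problems.append((n, f"'{line}' is not inside <Files>/<FilesMatch>: "
                                "it would deny every request to the whole site"))
        if REWRITE_ON.match(line):
            rewrite_on = True
        elif REWRITE_RULE.match(line) and not rewrite_on:
            problems.append((n, "RewriteRule with no earlier 'RewriteEngine On': the rule is ignored"))
    for name, n in stack:
        problems.append((n, f"<{name}> opened here is never closed: the server answers 500 to everything"))
    return problems


# Paths the snippets above should make the server refuse with HTTP 403.
SHOULD_BE_FORBIDDEN = ["/.htaccess", "/wp-config.php", "/xmlrpc.php",
                       "/wp-includes/version.php", "/wp-admin/includes/file.php"]


def probe(base_url, paths=SHOULD_BE_FORBIDDEN, timeout=10):
    """HEAD each path and return {path: status}. Needs network access to your site."""
    results = {}
    for p in paths:
        req = urllib.request.Request(base_url.rstrip("/") + p, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[p] = resp.status
        except urllib.error.HTTPError as err:
            results[p] = err.code  # 403 is the answer we want here
    return results


# Constructed sample: the snippets from this section assembled into one file.
GOOD = """\
# Deny access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]

# Disable directory browsing
Options All -Indexes

# Block any attempted XML-RPC requests
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
"""

# Constructed broken copy: the <Files> lines around the wp-config.php rule were
# dropped, RewriteEngine On is missing, and the last container is never closed.
BAD = """\
# Block access to wp-config.php
Order allow,deny
Deny from all

RewriteRule ^wp-admin/includes/ - [F,L]

<Files xmlrpc.php>
Order deny,allow
Deny from all
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        for line_no, msg in lint_htaccess(text) or [(0, "no problems found")]:
            print(f"{label}: line {line_no}: {msg}")
    if len(sys.argv) > 1:  # e.g. python3 check_htaccess.py https://example.com
        for path, status in probe(sys.argv[1]).items():
            print("OK " if status == 403 else "BAD", status, path)
```

Run the linter on the file you are about to upload, then the probe against the live site once it is in place. A path that still comes back 200 means the snippet is not being applied (wrong directory, AllowOverride disabled, or a cached copy being served); a 500 on every path means the file is malformed and the backup you took should go straight back.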


© Krystal Hosting Ltd 2003–2019