    Improve the security of your WordPress site

    Nowadays, WordPress represents 28% of the Internet.

    This popularity has many good points, like a huge community of developers and designers to turn to if you need help. On the other hand, it makes it very tempting for malicious users to build tools (bots) that scan the Internet looking for vulnerable WordPress installations.

    Security in general is complex: WordPress is safe, but 100% security does not exist. Here are some tips to reduce the risk of your WordPress being hacked.

    Basic protection all WordPress sites must have

    • Take full backups of your WordPress site periodically. They must include the database, the wp-content folder with its subfolders, and the customised files in the root folder (.htaccess, wp-config.php, robots.txt).
    • Install a Secure Sockets Layer (SSL) certificate. Since 2017 Google penalizes pages without SSL, and Let’s Encrypt can help you with it: it is a technology backed by large Internet companies and free with most Web hosting providers.
    • Use secure (robust) passwords, or double your security by enabling two-factor authentication.
    • Keep your WordPress updated to the latest version. This includes the core, themes, plugins and even translations.
    • Uninstall themes and plugins that you do not use, and limit the use of plugins: install only those you really need.
    • Avoid using the admin user and limit the number of failed login attempts.
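One server-side way to act on the last point, as an added example that is not code from the original post or from WordPress: scan Apache access-log lines for repeated failed logins against wp-login.php so the offending addresses can be rate-limited or blocked. It assumes the Apache combined log format and the constructed sample lines embedded below.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original post. Parses Apache "combined" log lines such as
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "UA"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """(ip, timestamp, method, path without query string, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def failed_login_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """ip -> total failed POSTs to wp-login.php, for ips with >= threshold failures inside
    some window. WordPress re-renders the login form with HTTP 200 on a bad password and
    answers a good one with a 302 redirect, so 200 on a POST is the failure signal."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0                                   # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one address hammers the form; a normal visitor mistypes once, then logs in.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "python-requests/2.31"'
    for i in range(6)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(failed_login_sources(SAMPLE_LOG))       # {'203.0.113.7': 6}
```

Feed it `tail -n 5000 access.log` on a real server and hand the flagged addresses to your firewall or to the login-limiting plugin you chose.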

    WordPress Secret Keys

    The Authentication Unique Keys and Salts are some lines that you can find in the file wp-config.php and that you can generate in the following URL: https://api.wordpress.org/secret-key/1.1/

    define('AUTH_KEY', 'V{rFQ.b`xBVT@hN=h>K,/}];Fs3S9.p)d _f4Wr?NxQ|y4=4^VPj8u${w9.~o8(J');
    define('SECURE_AUTH_KEY', '-w/RPn]MLK^kg:ey)x1yOCFD+u< Wk/Ixv;f.yIj1_l6 QXaT]qz?p nL)d|5!(=');
    define('LOGGED_IN_KEY', 'VguZnn4iZFh3}xr#KoD-^JH?lsQkW-n^HW1K?Gab#d3dzsX`Cp?KrjlAU:J>wi9y');
    define('NONCE_KEY', 'b(?=,UZH-AQZI*m~:7cr,#reg@!d|na&F/k:|=+cycSB)k4HH');
    


    These keys protect the active sessions, so you can, for example, force an immediate logout of all users simply by changing them.
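Rotating the keys without a round trip to api.wordpress.org, as an added example that is not code from the original post or from WordPress: it rewrites the define() lines in place and assumes the file uses the single-quoted form shown above (the *_SALT constants, when present, are rotated the same way).

```python
import re
import secrets

# Added example, not code from the original post or from WordPress: rotate the
# Authentication Unique Keys and Salts in place. Every session cookie is signed
# with them, so changing them logs every user out at once.
# Letters, digits and punctuation; like WordPress's own generator this alphabet
# leaves out the single quote and the backslash, so a value can sit inside the
# single-quoted PHP string without any escaping.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")
KEY_LENGTH = 64

# The four keys shown above plus their *_SALT companions, which wp-config.php also defines.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Matches define('NAME', 'value'); in the single-quoted form WordPress ships.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

def generate_key(length=KEY_LENGTH):
    """Fresh key from ALPHABET using the secrets module (CSPRNG-backed)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def salts_in(config_text):
    """Current value of every SALT_NAMES constant defined in config_text."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text) if m.group("name") in SALT_NAMES}

def rotate_salts(config_text):
    """Return (new_text, rotated_names). Only define() lines for SALT_NAMES are
    rewritten; DB_NAME and everything else in the file stay byte-for-byte."""
    rotated = []
    def replace(match):
        name = match.group("name")
        if name not in SALT_NAMES:
            return match.group(0)
        rotated.append(name)
        return f"define('{name}', '{generate_key()}');"   # callable repl: no backslash handling
    return DEFINE_RE.sub(replace, config_text), rotated

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    with open(path, encoding="utf-8") as fh:
        new_text, names = rotate_salts(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    print("rotated:", ", ".join(names))
```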

    Hide WordPress version

    Hiding the version of WordPress you are using makes it harder to identify your vulnerabilities if you are not updated to the latest version. Including the following line in the functions.php file of your theme hides this information:

    remove_action( 'wp_head', 'wp_generator' );

    Protect the wp-config.php file

    Much of the sensitive information, such as the database connection data, is stored in wp-config.php, so you should prevent unwanted access to it. This is easy to limit by adding the following lines to the .htaccess file:

    <files wp-config.php>
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 "Require all denied" does the same
    order allow,deny
    deny from all
    </files>

    Protect the .htaccess file

    Another equally important configuration file, as it contains security-relevant and project-relevant settings. Notably, it can protect itself by adding a few lines to its own content:

    <files .htaccess>
    order allow,deny
    deny from all
    </files>

    Secure access to the administration

    Force secure access to WordPress through SSL by simply adding these lines to your wp-config.php file:

    // FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN alone now covers both login and admin
    define( 'FORCE_SSL_LOGIN', true );
    define( 'FORCE_SSL_ADMIN', true );
    


    Once the changes are saved, the WordPress admin pages will use the secure https protocol.

    Disable file editor

    If there is a weakness in the user permission system, the plugin and theme editor included in WordPress can become a threat. It can be deactivated by adding this line to the wp-config.php file:

    define( 'DISALLOW_FILE_EDIT', true );
    

    Avoid all spam comments

    Although there are many plugins that do this, with a few lines in our .htaccess file we can reject comments from automated programs while allowing comments from normal visitors:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    # replace tublog.com with your own domain; the Referer header is sent by the client and can be faked
    RewriteCond %{HTTP_REFERER} !.*tublog\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
    </IfModule>

    Protection against SQL injections

    SQL injection attacks on the database are currently the most common method of attacking websites. You can protect your WordPress against this method by adding a few lines to the .htaccess file:

    
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
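An added check, written here and not part of the original post or of WordPress, that re-implements the spam-comment rules and the query-string rules from the last two sections so they can be tried offline against constructed requests (the site host tublog.com is the post's placeholder).

```python
import re

# Added example, not from the original post: the two .htaccess rule sets above,
# re-implemented in Python so their conditions can be exercised offline. mod_rewrite
# matches QUERY_STRING while it is still percent-encoded (hence both "<" and "%3C"
# in the pattern); for these patterns Python's re and Apache's PCRE agree.

SITE_HOST = "tublog.com"   # placeholder used by the post: replace with your own domain

def comment_post_blocked(method, uri, referer, user_agent):
    """'Avoid all spam comments': a POST to wp-comments-post.php is rejected when the
    Referer does not contain our own host OR the User-Agent is empty."""
    if method != "POST" or re.search(r"wp-comments-post\.php", uri) is None:
        return False
    foreign_referer = re.search(re.escape(SITE_HOST), referer or "") is None
    empty_user_agent = re.fullmatch(r"", user_agent or "") is not None
    return foreign_referer or empty_user_agent

# 'Protection against SQL injections': the three QUERY_STRING conditions, joined by [OR].
QUERY_STRING_RULES = (
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),   # [NC]
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
)

def query_string_blocked(query_string):
    """True when the request would get [F] (403 Forbidden) from the rules above."""
    return any(rule.search(query_string) for rule in QUERY_STRING_RULES)

def run_samples():
    """Constructed sample requests as (description, blocked) pairs."""
    post, own_site = "/wp-comments-post.php", f"http://{SITE_HOST}/hello-world/"
    return [
        ("comment POST, no Referer", comment_post_blocked("POST", post, None, "Mozilla/5.0")),
        ("comment POST, own Referer, empty UA", comment_post_blocked("POST", post, own_site, "")),
        ("comment POST from a normal visitor", comment_post_blocked("POST", post, own_site, "Mozilla/5.0")),
        ("query with encoded <script>", query_string_blocked("s=%3Cscript%3Ealert(1)%3C%2Fscript%3E")),
        ("query poking GLOBALS[]", query_string_blocked("GLOBALS[x]=1")),
        ("ordinary permalink query", query_string_blocked("p=42")),
        # Not caught: the rules only know the three patterns, not SQL syntax, and never see POST bodies.
        ("query with a quote and OR 1=1", query_string_blocked("id=1%27%20OR%201%3D1")),
    ]

if __name__ == "__main__":
    for description, blocked in run_samples():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {description}")
```

The last sample is the caveat: these rules cut noise from crude scanners but do not make the database safe from injection, which still depends on updated plugins and on WordPress's parameterised queries ($wpdb->prepare()).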
    

    Is my website now a secure site?

    Let’s say it is safer now than it was right after your installation. That does not mean that we cannot continue to reinforce it. With these tips, we help to block those who want to attack our website.

    Leave me your messages, and if you liked it, do not hesitate to share it.