In this article, tick the checkboxes for the tweaks that are already done on your WordPress website and get your result score at the end.
Choose a non-obvious name for the WordPress administrator user. If WordPress is already installed, you can change the default "admin" username with the following SQL query in phpMyAdmin (note that the user_nicename column, which appears in the author archive URL, may still contain "admin" and should be changed as well):
UPDATE wp_users SET user_login = 'your-new-login' WHERE user_login = 'admin';
If WordPress is already installed, rename the existing tables from the "wp_" prefix to the new prefix using phpMyAdmin and change the table prefix value in the file 'wp-config.php' (the option 'wp_user_roles' in the options table and the usermeta keys 'wp_capabilities' and 'wp_user_level' also carry the prefix and must be renamed, otherwise no user keeps a role):
$table_prefix = 'wp_hb13x_';
Your password has to meet ALL of the following minimum criteria:
At least 8 characters; the more characters, the better.
A mixture of both uppercase and lowercase letters.
A mixture of letters and numbers.
Inclusion of at least one special character, e.g., ! @ # ? ]
Note: do not use < or > in your password, as both can cause problems in Web browsers.
SSL encrypts sensitive information and provides trust and authentication. Use at least a free Let's Encrypt SSL certificate.
The following files contain sensitive information (such as the WordPress version) and should be removed from the WordPress root:
/readme.html
/license.txt
/wp-config-sample.php
Install the WPS Limit Login plugin to limit the rate of login attempts for each IP address.
Install the Login No Captcha reCAPTCHA plugin to add reCAPTCHA to the login, registration and forgot-password forms, thwarting automated hacking attempts.
Install the WPS Hide Login plugin to change the URL of the login page. Only you will know the correct URL to log in to your website.
Install the Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin. The plugin is free to use and provides the website owner the best activity auditing, SiteCheck remote malware scanning, effective security hardening and post-hack features.
Deactivate and delete all unused themes and plugins right after installing and setting up WordPress.
Add the code below to the functions.php of your active theme. It suppresses the login error message, so a failed login no longer reveals whether the username or the password was wrong (create_function() was removed in PHP 8, so a closure is used instead):
add_filter('login_errors', function ($error) { return null; });
Add the code below to the functions.php of your active theme. It stops WordPress from printing its version in the generator META tag, so an attacker cannot read the version from the page source if for some reason your site is not up to date:
remove_action('wp_head', 'wp_generator');
Add the following lines to wp-config.php. They turn off error display and debug output, force HTTPS for the admin area and logins, and disable the theme and plugin file editor in the dashboard:
error_reporting(0);
@ini_set( 'display_errors', 0);
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'SCRIPT_DEBUG', false );
define( 'FORCE_SSL_ADMIN', true );
define( 'DISALLOW_FILE_EDIT', true );
Important: These lines need to be added before the line:
/* That's all, stop editing! Happy blogging. */
Filter abusive user-agents (this and the following blocks are Apache directives for the .htaccess file in the WordPress root; Order/Deny is Apache 2.2 syntax and requires mod_access_compat on Apache 2.4):
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
deny from env=stayout
Block access to wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
Block WordPress xmlrpc.php requests:
<files xmlrpc.php>
order allow,deny
deny from all
</files>
Block common XSS and SQL-injection patterns in the query string (note the [OR] flag on every condition except the last: a RewriteCond without [OR] closes an OR-group and mod_rewrite ANDs the groups together, so a missing flag would make the rule fire only when a pattern from each group matched):
Options +FollowSymLinks -Indexes
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select [NC]
RewriteRule ^(.*)$ - [F,L]
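Because a RewriteCond without [OR] closes an OR-group and mod_rewrite ANDs the groups, the [OR] on the _REQUEST condition decides whether this chain blocks anything on its own. The following Python script is an added example, not part of the original article: it is a simplified model of mod_rewrite's OR/AND evaluation (not Apache itself) applied to the page's query-string patterns, and compares the chain with and without that flag on constructed sample query strings.

```python
import re

# Query-string conditions from the .htaccess block above, in order, as
# (pattern, flags). Flags follow mod_rewrite: NC = case-insensitive match,
# OR = chain with the next condition. A condition without OR closes the
# current OR-group, and all groups must match for the RewriteRule to fire.
RULES_FIXED = [
    (r"base64_encode[^(]*\([^)]*\)", {"OR"}),
    (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", {"NC", "OR"}),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", {"OR"}),  # the [OR] under discussion
    (r"concat.*\(", {"NC", "OR"}),
    (r"union.*select.*\(", {"NC", "OR"}),
    (r"union.*all.*select", {"NC"}),
]
# The same chain with no [OR] on the _REQUEST condition, which splits it into
# two groups that must BOTH match.
RULES_WITHOUT_OR = [(p, f - {"OR"}) if p.startswith("_REQUEST") else (p, f)
                    for p, f in RULES_FIXED]

# Constructed sample query strings, raw as %{QUERY_STRING} sees them.
SAMPLES = ["page=home", "id=1%20union%20all%20select%201,2",
           "q=%3Cscript%3Ealert(1)%3C/script%3E", "p=GLOBALS[x]=1"]


def rule_fires(rules, query_string):
    """Simplified model of mod_rewrite's RewriteCond evaluation:
    consecutive [OR] conditions form a group; every group must match."""
    group_matched = False
    for pattern, flags in rules:
        re_flags = re.IGNORECASE if "NC" in flags else 0
        if re.search(pattern, query_string, re_flags):
            group_matched = True
        if "OR" not in flags:  # this condition closes the current group
            if not group_matched:
                return False  # one group failed: the rule does not fire
            group_matched = False  # start the next group
    return True


def compare(samples=SAMPLES):
    """Return {query: (fires without the [OR], fires with it)}."""
    return {q: (rule_fires(RULES_WITHOUT_OR, q), rule_fires(RULES_FIXED, q))
            for q in samples}


if __name__ == "__main__":
    for q, (without_or, with_or) in compare().items():
        print(f"{q:40} without [OR]={without_or!s:5} with [OR]={with_or}")
```

Python's re module is not Apache's PCRE, so confirm the real rules on a staging server as well; a pattern blocklist like this is a coarse extra layer, not a replacement for output escaping and parameterized queries in the application.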
Redirect all HTTP requests to HTTPS (this checks the server port, so behind a TLS-terminating proxy or load balancer the condition must be based on the forwarded protocol header instead, or the redirect will loop):
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Check all security items above that apply to your WordPress-powered website to see your score.