Here is a to-do list to secure your WordPress site!
WordPress is already relatively secure, but being the most used CMS, it is also the one hackers target first! So it is necessary to add extra layers of security.
The first thing to do is to archive backups (on a server other than the one hosting the web site) to make sure you can recover your data in case of a serious incident. Most web hosts back up your web site (files and databases) regularly (generally at least daily); alternatively you may add a backup plugin.
You must perform the tasks you would do for any system:
- update components: WordPress, plugins and the theme in use (don't forget to use a child theme)
- choose complex passwords: at least 8 characters, mixing digits and uppercase/lowercase letters.
- do not use the default admin account but create another one!
- Delete the version number (that hackers could use to find exploits ... in case security updates were not performed), by adding to the
- In the same line of thought, delete the readme.html file (in the website root), which includes the WordPress version number.
WATCH OUT: this must be done again after each WordPress update.
- Deny access to directories and to the .htaccess files, by adding the following lines to
(It's possible to do more by following WP Marmite's instructions, in French)
deny from all
deny from all
Options All -Indexes
- Rename the login page (wp-login) by using the plugin Move Login (which is included in the SecuPress plugin ... see last chapter) or WPS Hide Login.
- Limit brute-force login attempts by capping login errors with the plugin Limit Login Attempts Reloaded (SecuPress includes this function as well).
- Block bad HTTP queries by installing the plugin Block Bad Queries.
- Rename the MySQL tables by following Informatique DIY's instructions (easy renaming in phpMyAdmin) and also WP Channel's instructions.
- You may also install one of the following security plugins: Acunetix WP Security, BulletProof Security, iThemes Security, Wordfence Security or Sucuri Security.
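The version-number item above does not show the code itself; here is an added example (my own, not the post's snippet) of a child-theme functions.php fragment that removes the WordPress version from the page head, the feeds and the enqueued asset URLs. It assumes a child theme is in use, as the post advises, and the function name myprefix_remove_version_query is my own choice.

```php
<?php
/**
 * Added example (not from the original post): child-theme functions.php
 * snippet that strips the WordPress version number from the places
 * where it is normally exposed. Assumes a child theme is in use.
 */

// 1. Remove the <meta name="generator" content="WordPress x.y"> tag
//    that wp_generator() prints in <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Return an empty generator string everywhere else WordPress prints
//    it (RSS and Atom feeds carry it too).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip the "?ver=x.y" query string from enqueued scripts and styles;
//    for core assets that value is the WordPress version itself.
//    (Hypothetical helper name, chosen for this example.)
function myprefix_remove_version_query( $src ) {
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'myprefix_remove_version_query', 9999 );
add_filter( 'script_loader_src', 'myprefix_remove_version_query', 9999 );
```

Caveat: step 3 also removes the cache-busting parameter from plugin and theme assets, so visitors may keep stale cached files after an update; if that matters, limit the filter to core assets (URLs under wp-includes/) or skip step 3.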
To test web site security, one may:
- test the site with WordPress Security Scan.
- install WPScan, to run tests from your computer.
- install the SecuPress plugin, which will perform a security analysis and also add extra functions to secure the web site: probably the best security tool for WordPress!
Move to HTTPS
From a security standpoint, it is not necessary to move your web site to HTTPS. It is mandatory only if you handle confidential information (passwords, credit cards, etc.): HTTPS will encrypt the data typed in (as well as everything else) thanks to SSL ... so a hacker who "listens" on the network to capture your information will only see encrypted data.
Read in another article the operations to perform to move a site from HTTP to HTTPS.
Happy securing of your web site!