Once, after the publication of my article about the iThemes Security plugin, a user replied to my claim that, once it was set up properly, you could rest assured, saying that in this field you can never rest assured. Experience then showed me how true that comment was. Even if you install a plugin dedicated to WordPress security, it is always good to monitor the site, keep the core and plugins updated and implement other small measures that raise the level of security.
THE FIRST LEVEL OF SECURITY IS SET AT THE BEGINNING
The first measures for the security of a site built with WordPress are put in place during installation: choose an administrator username other than the default one (admin), set a strong password that is long enough and mixes uppercase and lowercase letters, numbers and special characters, choose something other than the usual wp_ as the prefix of the database tables (for example xy_12), and insert the encryption keys into the wp-config.php file, which we can copy and paste from this link.
If we didn't do all of this at the beginning, we'll explain later how to do it on a site that is already in production.
DELETE USER ADMIN
By default WordPress gives the administrator the username "admin". It is a good idea to replace this user with a name of our choice: leaving the administrator with the username "admin" hands another small advantage to hackers and to the automated tools used to run brute-force attacks against the site, since they no longer have to guess the username. To change the admin user you do not need to write any code; just work in the Users section of the WordPress dashboard (WordPress does not let you rename an existing user, so create a new administrator account, log in with it and delete admin, assigning its content to the new account).
USE A STRONG PASSWORD
Every increase in the complexity of the password increases the time it takes to break it. Use passwords that are long enough and mix uppercase and lowercase letters, numbers and special characters.
CHANGE THE PREFIX OF THE TABLES
WordPress needs a MySQL database to work. The database tables are created automatically during the WordPress installation and have the prefix wp_. Changing this prefix for security reasons is a wise choice. But how do you change the prefix of the WordPress MySQL tables? First, make a backup of the database. Then open the wp-config.php file and correct the table prefix, changing
$table_prefix = 'wp_';
into
$table_prefix = 'xy_12';
(instead of xy_12 you can put a prefix of your choice)
Then go to phpMyAdmin and follow this simple guide (the tables themselves, and the options and usermeta rows whose names start with the old prefix, also have to be renamed, otherwise the site will no longer find its data). That's it.
INSERT THE ENCRYPTION KEYS
At this point open the wp-config.php file. Using the link mentioned in the paragraph "The first level of security is set at the beginning", copy the encryption keys and paste them over the default ones in the file (which initially hold only placeholders, as you see below):
define('AUTH_KEY', 'here the key');
define('SECURE_AUTH_KEY', 'here the key');
define('LOGGED_IN_KEY', 'here the key');
define('NONCE_KEY', 'here the key');
define('AUTH_SALT', 'here the key');
define('SECURE_AUTH_SALT', 'here the key');
define('LOGGED_IN_SALT', 'here the key');
define('NONCE_SALT', 'here the key');
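If you prefer not to depend on the online link, the eight keys and salts can be generated locally. This is an added example, not code from the article or from WordPress; it assumes /dev/urandom and the coreutils base64 command are available.

```bash
#!/bin/sh
# Generate the eight wp-config.php keys and salts locally instead of copying
# them from the online link. Assumes /dev/urandom and base64 are available.

# Print one define() line for the constant named in $1, with a fresh
# 48-byte random secret encoded as 64 base64 characters. The base64
# alphabet contains no quotes or backslashes, so the value is safe inside
# the single-quoted PHP string.
wp_key_line() {
    secret=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
    printf "define('%s', '%s');\n" "$1" "$secret"
}

# Emit all eight defines in the order wp-config.php lists them, each with
# its own independent secret.
wp_all_keys() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        wp_key_line "$name"
    done
}

# Paste the output over the placeholder defines in wp-config.php.
wp_all_keys
```

Changing the keys invalidates every existing login cookie, so all users (including you) will have to log in again.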
DISABLE THE FILE EDITOR IN THE DASHBOARD
If a hacker manages to get into your dashboard, he will find the built-in editor that lets him modify the code of your theme and plugin files. This can be remedied by removing the editor from the dashboard, inserting the following line into your wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Don't worry: the files are still there. If you later want to edit the theme or plugin files, use your FTP client to download and edit them.
HIDE THE WORDPRESS VERSION
A hacker who knows which version of WordPress is running can save time and use attacks specific to that version. The version of WP can be read from the source code of the site with any browser, in the generator meta tag. To hide the WordPress version, write the following line in the header.php file, before the call to wp_head() (keep in mind that the version is also exposed by the ?ver= parameter on enqueued scripts and styles and in the RSS feeds, so this removes only the most visible copy):
<?php remove_action('wp_head', 'wp_generator'); ?>
DISABLE THE DISPLAY OF ERRORS
When there is a problem with a theme or plugin, error messages appear on the site. These messages help to understand where the problem lies in order to solve it, but the bad guys could use them to find entry points into the site, since they contain paths on the server. It is therefore a good idea to disable the display of error messages. To do this, add the following code to the wp-config.php file:
error_reporting(0);
@ini_set('display_errors', 0);
CHANGE THE LOGIN URL
Everyone knows that to access a WordPress site you start from the login page at mysite.xx/wp-admin. To remove this convenience we can replace the last part of the URL, /wp-admin, with a word of our choice, making it for example mysite.xx/myword. To do this you need to edit 3 different files as follows:
In wp-config.php enter:
define('WP_ADMIN_DIR', 'myword');
define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
Then edit the theme's functions.php by adding these lines:
add_filter('site_url', 'wpadmin_filter', 10, 3);
function wpadmin_filter($url, $path, $orig_scheme) {
    $old = array('/(wp-admin)/');
    $admin_dir = WP_ADMIN_DIR;
    $new = array($admin_dir);
    return preg_replace($old, $new, $url, 1);
}
And finally add this rule to the .htaccess file (mod_rewrite must be enabled). Note that this only changes the links WordPress generates: none of these rules blocks direct requests to /wp-admin or wp-login.php, so it is obscurity rather than access control.
RewriteRule ^myword/(.*) wp-admin/$1?%{QUERY_STRING} [L]
HIDE THE WP-CONFIG FILE
The wp-config.php file is perhaps the most important file in all of WordPress: it contains the address of the database and the credentials to access it. In short, if an attacker got hold of the contents of this file it would be a disaster. Fortunately, we can block direct requests for it with a few simple directives in the .htaccess file. Outside the block between # BEGIN WordPress and # END WordPress insert:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
(This is the Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, the native form being the Require all denied directive.)
SET THE WP-CONFIG AND .HTACCESS FILES TO READ-ONLY
As mentioned, the most important WordPress files are wp-config.php and .htaccess. Protecting them from changes is a necessary security step. How? It can be done directly in FileZilla: right-click on the file and choose "File permissions", then set them to 644, which means that everyone can read the files but only the owner can also write to them (the web server still needs read access, so don't go below that).
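To check that the wp-config.php steps above (table prefix, encryption keys, file editor, error display and file permissions) were actually applied, here is an added shell audit that is not part of the original article or of WordPress. The function names and the two sample files are constructed for the example; the stat call assumes GNU or BSD stat.

```bash
#!/bin/sh
# Audit a wp-config.php for the settings this guide recommends (prefix, keys,
# file editor, error display, file mode). Names and samples are constructed.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one line per finding for the wp-config.php at $1; nothing if all pass.
wp_config_findings() {
    f="$1"
    grep -Eq "^\\\$table_prefix *= *'wp_'" "$f" \
        && echo "table prefix is still the default wp_"
    for k in $WP_KEYS; do
        # Extract the quoted value of define('KEY', '...'); empty when absent.
        val=$(sed -n "s/^define *( *'$k' *, *'\\([^']*\\)' *) *;.*/\\1/p" "$f")
        case "$val" in
            ''|*'put your unique phrase here'*|*'here the key'*)
                echo "$k is missing or still holds a placeholder" ;;
            *) [ ${#val} -ge 32 ] || echo "$k is shorter than 32 characters" ;;
        esac
    done
    grep -Eq "define *\\( *'DISALLOW_FILE_EDIT' *, *true *\\)" "$f" \
        || echo "DISALLOW_FILE_EDIT is not set to true"
    grep -Eq "ini_set *\\( *'display_errors' *, *(0|'0'|false) *\\)" "$f" \
        || echo "display_errors is not switched off"
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
    case "$mode" in
        644|640|600|444|440|400) ;;
        *) echo "file mode is $mode, expected 644 or stricter" ;;
    esac
}

# Constructed sample 1: a fresh install left at the defaults, mode 666.
write_default_sample() {
    printf "<?php\n\$table_prefix = 'wp_';\n" > "$1"
    for k in $WP_KEYS; do
        printf "define('%s', 'put your unique phrase here');\n" "$k" >> "$1"
    done
    chmod 666 "$1"
}

# Constructed sample 2: the same file after applying every step in this guide
# (the fixed key value is a stand-in; real keys are distinct random strings).
write_hardened_sample() {
    printf "<?php\n\$table_prefix = 'xy_12';\n" > "$1"
    for k in $WP_KEYS; do
        printf "define('%s', 'sample-%s-Kf3m9vLq2ZpN8tRw7YbH4cJx6sDa1Ge5UoIy0VnT');\n" "$k" "$k" >> "$1"
    done
    printf "define('DISALLOW_FILE_EDIT', true);\nerror_reporting(0);\n@ini_set('display_errors', 0);\n" >> "$1"
    chmod 644 "$1"
}
```

Run wp_config_findings against your real wp-config.php; the two sample writers exist only to show a failing and a passing file.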
BACKUP, BACKUP, BACKUP
You never know: even if we have put every precaution in the world into practice, our WordPress site could still be hacked. In that case a backup of the files and of the database will be essential. A backup is also handy when a plugin conflicts with another plugin or with WordPress itself and the site shows only a white screen. A great help for all this is the UpdraftPlus - Backup and Restore plugin. It lets you back up both the files and the database and store them in a specific path on our site or in a service such as Dropbox and the like (a copy kept off the server also survives if the server itself is compromised). Just set it up at the beginning and run the first backup. After that we can also decide whether to make backups automatically on a daily, weekly, fortnightly or monthly basis. The plugin also lets you decide how many backups to keep. I usually keep two: when the third backup starts, the oldest is deleted. Once a backup exists, the site can be restored with the simple Restore button. In addition to backup and restore, this plugin can also make a clone copy. The plugin is downloadable from the WordPress plugin repository and is free.
For extra safety, I usually also make a local copy of the files and folders and export the database locally via phpMyAdmin.