Securing and hardening Wordpress
This guide includes a number of WordPress post-installation steps to further improve the security of your site.
We are making some assumptions in this guide:
- That before installing WordPress you enabled SSL on your domain (using LetsEncrypt) and then you selected the HTTPS variant of your sites name when you performed the WordPress install.
- That you have installed WordPress using Softaculous or Installatron
- That you have the LiteSpeed caching plugin installed - it is installed as standard if you used Softaculous or Installatron.
We generally recommend that you minimise the number of plugins you install - for a number of reasons:
- The more plugins, the more WordPress has to process to actually display your site - often resulting in a slower site.
- The more plugins you use, the more likely you are to be exposed to an issue with a plugin being poorly coded and having a "soft target" that can be easily exploited resulting in your site being compromised.
- Always check that any plugins you do use are well supported and regularly updated - Good reviews are a great indicator!
That said, the following plugins provide a layer of protection for your site that is well worth having.
- Install a WordPress Application Firewall (WAF) - we suggest either WordFence (external link opens in a new window) or Sucuri (external link opens in a new window).
Both of these are well regarded and have a wealth of options built in that you can enable to enhance your site's security. They also have paid versions with additional features.
- Add Two-Factor Authentication (2FA) - this adds security to the WordPress login - so that anyone attempting to login requires either a SMS text message authentication or a code from an app on their mobile phone.
WordFence (external link opens in a new window), mentioned above has 2FA options built in. An alternative would be Google Authenticator (external link opens in a new window) - which works alongside Authy (external link opens in a new window).
Updates to .htaccess
These snippets - which you can pick and choose from - harden and protect access to your site and it's files.
.htaccess files are special, for several reasons:
- The full stop in front of their names makes them hidden - so if you're using cPanel File Manager you'll need to make sure you have view hidden files enabled.
- They can be placed in any directory (just create a new file called
.htaccessif it doesn't already exist) to perform actions on incoming requests to that directory and any sub-folders
But, be warned -
.htaccess files are super-fragile - one misplaced full stop or other character could break access to your whole site. Make sure you always take a backup of the file before making any changes, so you can revert easily if there is ever an issue.
To use these snippets simply copy and paste the code blocks for those you'd like to implement into your
.htaccess file. The
.htaccess file for your site is found in the sites docroot (usually
/public_html if you've setup WordPress in your primary domain). You can access and edit your
.htaccess file using the cPanel File Manager.
#are comments to explain what the following lines do.
# Deny access to .htaccess
Deny from all
Protect your wp-config.php file
# Block access to wp-config.php
deny from all
Block access to your includes files
# Block the include-only files.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
Disable directory browsing
# Disable directory browsing
Options All -Indexes
Block XML-RPC requests
# Block any attempted XML-RPC requests
deny from all