Readers of my blog know that I am serious about protecting the websites of my clients. Most of the websites I create use WordPress as the content management system. WordPress provides a strong foundation for getting a website up and running. I always install the Wordfence security plugin to help secure the website. In addition to Wordfence, there are several other steps I take to further secure WordPress.
Remove editor access
Out of the box, WordPress permits logged-in users (with the correct user role) to directly edit the core WordPress files, themes and plugins from the dashboard. While the online editor makes quick changes possible, an attacker who gains access to an account on your website can use it to modify those files and take over the website. To disable the editor, add this line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
Next, check the membership setting in your dashboard. Sometimes, a WordPress website permits visitors to register as a subscriber. If you don’t need to allow visitor registrations, you should disable memberships. To turn off membership registration, clear the ‘Anyone can register’ checkbox as per the image below.
If you must have memberships enabled, ensure that new members receive only the lowest role they actually need. For example, never permit new members to have the Administrator role.
Use salt keys
Ensure that you have added the WordPress salt keys to your wp-config.php file. WordPress uses the salt keys to keep user passwords secure: the salt is combined with the password before it is run through a one-way hash function, and only the resulting hash (not the password itself) is saved to the database. Without the salts, an attacker who obtains the database cannot simply use the stored hashes to recover your password. The salt keys are also used to protect the login cookies generated by your website.
Visit the WordPress salt key generator to get your unique set of salt keys. To add the keys to your website, copy and paste the generated lines into your wp-config.php file. Here is a sample set of salt keys generated by the WordPress salt key generator.
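A quick way to verify both of the wp-config.php settings above (the editor switched off, and all eight salt constants present and not left at the generator's "put your unique phrase here" placeholder) is a small audit script. This is an added example, not code from the original post; the sample config files and their values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a wp-config.php for the two settings discussed above.
# Not from the original post; file contents and sample values are constructed.
SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Returns 0 only if the file disables the editor and defines all eight salts
# with a value other than the stock "put your unique phrase here" placeholder.
audit_wp_config() {
    cfg="$1"; rc=0
    if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FAIL: DISALLOW_FILE_EDIT is not set to true"; rc=1
    fi
    for key in $SALT_KEYS; do
        line=$(grep -E "define\([[:space:]]*['\"]$key['\"]" "$cfg" || true)
        if [ -z "$line" ]; then
            echo "FAIL: $key is not defined"; rc=1
        elif echo "$line" | grep -q "put your unique phrase here"; then
            echo "FAIL: $key still uses the default placeholder"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $cfg passes both checks"
    return "$rc"
}

# Constructed sample 1: editor left enabled, two salts at the placeholder, six missing.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
<?php
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
EOF

# Constructed sample 2: editor disabled and every salt set (demo values, not real secrets).
GOOD_CFG=$(mktemp)
{
    echo "<?php"
    echo "define( 'DISALLOW_FILE_EDIT', true );"
    for key in $SALT_KEYS; do
        echo "define( '$key', 'constructed-demo-value-for-$key' );"
    done
} > "$GOOD_CFG"

audit_wp_config "$WEAK_CFG"   # prints nine FAIL lines, returns 1
audit_wp_config "$GOOD_CFG"   # prints OK, returns 0
```

On a real site, run the function against the live wp-config.php path instead of the constructed samples.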
Implementing these three items will help lock down your WordPress website. Although technical in nature, I believe that all WordPress websites should take steps to keep hackers at bay. As WordPress becomes more popular, taking extra steps to harden the core files becomes increasingly important.
Need help with securing your WordPress website?