How to Harden WordPress – Advanced Steps
In the previous article, we talked about the essential steps to harden WordPress. Today, we will present you with more advanced steps to further reduce the risks of attacks.
1. Block PHP execution in untrusted folders
This step includes blocking PHP files from being executed in folders that are not designed to run PHP code. This can be accomplished by adding a rule to the server’s .htaccess file that forbids PHP execution in specific directories, or by configuring the server’s PHP handler to disable PHP execution in untrusted folders. This helps to prevent malicious code from being executed and minimizes the risk of attacks.
2. Disable file editing
WordPress has a file editor that allows users to edit theme and plugin files directly from the WordPress dashboard. However, attackers can use this feature to inject malicious code into the website. To avoid this, disable the file editor by adding the following line of code to the wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
3. Change security keys
WordPress encrypts user passwords and other sensitive information with security keys. Changing these keys on a regular basis offers an extra layer of protection by making it more difficult for attackers to decrypt sensitive information. There are eight Security Keys located in your wp-config.php file just after the database credentials. They have a little section that looks like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
You may use the generator https://api.wordpress.org/secret-key/1.1/salt/ to help you generate a new set of unique keys and replace the existing keys in your wp-config.php file.
4. Disallow plugin installations
Allowing users to install plugins on a WordPress site can be risky since plugins might bring vulnerabilities and security problems. To prevent this, , only trusted users should be allowed to install plugins.
This can be done by adding the following line of code to the wp-config.php file:
This can be done by adding the following line of code to the wp-config.php file:
define('DISALLOW_FILE_MODS', true);
5. Secure your wp-config.php file
The wp-config.php file contains sensitive information such as database credentials, security keys, and other configuration settings. To protect this file, You can move the wp-config.php file to a directory outside of the web root. For example, if your WordPress files are in /home/username/public_html/, you can move the wp-config.php file to
Ensure that the file permissions for wp-config.php are set to read-only:
chmod 600 wp-config.php
6. Separating out databases
WordPress’s data is stored in a MySQL or MariaDB database. It is recommended to utilize a separate database for WordPress and to set up a unique user account with limited database access rights to enhance security. This minimizes the risk of attacks and limits the damage caused by a compromised WordPress installation.
7. Securing wp-admin
The wp-admin folder is the backend of a WordPress site, and it is a common target for attackers. Access to this folder should be restricted to trusted users only. Strong passwords should be required for login. Additionally, two-factor authentication and IP blocking can be used to further enhance security.
In conclusion, hardening your WordPress site is essential to ensure its security and protect it from potential attacks. By following the steps outlined in this article, you can significantly improve the security of your WordPress site, and reduce the risk of it being compromised. If you have any questions about our WordPress hosting services, feel free to contact our customer service by email at cs@dataplugs.com.