WordPress Hardening

According to statistics I found on the internet (lol) WordPress is 34% of all websites on the web. This translates to millions and millions of sites. As a professional working in the hosting industry I can vouch for the meteoric rise of WordPress. Over the years we decommissioned many Windows Servers (the old de facto standard) and built new cPanel servers to host WordPress sites.

Since WordPress is such a huge industry force it is also a massive target. Each theme, or plugin represents a unique attack vector for hackers. A neglected WordPress install is very likely to eventually get hacked. 

WordPress professionals need to prioritize hardening the install through some of these passive techniques. Active security can often be handled with a Web Application Firewall. (WAF) I recommend WordFence.

1. MOVE wp-config.php one folder above wordpress root directory

The wp-config.php file is critical to the operation of WordPress and often hackers may try to edit or read the file in       order to get access to the database. The MySQL credentials are stored in plaintext in the file. (danger!)

2. Set WordPress to auto update by editing wp-config.php add below wp-debug on line 80

 /** Automatic Updates */
define( 'WP_AUTO_UPDATE_CORE', true );

3. Lock access to index browsing and wp-login by adding to the end of the /public_html/.htaccess file.

Put your IP instead of For each new IP add a new allow line.

ErrorDocument 404 default
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from
Options All -Indexes

4. Create .htaccess file inside wp-content/uploads

WordFence now has an option to restrict file execution within the uploads folder which will do the same thing as step 4.

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
    deny from all

5. Delete readme.html  & install.php from wordpress root directory.

Step 5 is legacy as you often may not find these files, and WordPress sometimes adds it back when a new version is installed.