How to Secure WordPress Part III

Let’s carry on where we left off last week (Part I and Part II).

II. Secure Important Components

16. WordPress Security Keys & Salts

WordPress developers introduced security keys starting from version 2.6. They exist to encrypt the cookie information stored on the end user’s computer.

You can find those keys in the wp-config.php file. The keys and salts are generated for you automatically during the automated installation.

Those keys add an extra layer of security to your site, as they encrypt vital information such as passwords.

If you install WordPress manually, you’ll need to generate them yourself and copy and paste them into the wp-config.php file. There’s a URL included in the wp-config-sample.php file that generates your unique keys and salts.

A WordPress salt is simply a random string of data that hashes the WordPress security keys in the wp-config.php file.

17. Disable XML-RPC

XML-RPC is a programming interface (API) that allows programmers and developers to talk to WordPress.

This function has been enabled by default since WordPress 3.5. The problem with it is that software can manipulate WordPress through XML-RPC. This makes it a possible security concern, as hackers can abuse it to retrieve sensitive information such as usernames and open internal ports.

The easy way to disable it is with a plugin named “Disable XML-RPC-API”.

18. Web Hosting

This is a threat that most people don’t think about. Consider the following when a hosting provider offers a cheap price:

  • Plenty of people who want cheap hosting will be signing up.
  • They likely cut a few corners. Security costs money, so it could be one of the weaker aspects of your host.
  • Check what version of PHP and MySQL or MariaDB the hosting provider uses; they should be kept up to date, as this minimizes the chance of security breaches.
  • They may accept any type of site, meaning your website may be on the same server as porn, gambling, and other undesirable topics. These may be more vulnerable to hacking attempts because of their content.
  • Ask your hosting provider what other security measures they take to protect customers’ sites. Do they regularly back their servers up? In the event of a disaster, would they restore your site for free and in a timely manner? How do they maintain their servers? Do they do anything specific to prevent hackers?

19. Wp-config.php

The wp-config.php file contains sensitive information, including security keys & salts, usernames, passwords, and database names.

If a hacker gets hold of this file, there’s a higher chance that your site will be compromised. Because of that, it’s important to protect this file.

One way to do this is to move this file to a folder above your WordPress installation directory.

Alternatively, you can add a few lines of code to the .htaccess file as follows:

# Deny all web requests for wp-config.php (Order/Deny is the Apache 2.2 access-control syntax)
<files wp-config.php>
order allow,deny
deny from all
</files>

20. File Permissions

The following are expected file permissions:

  • All directories should be 755
  • All files should be 644, including the wp-config.php, .htaccess, and wp-admin/index.php files
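
One way to check a site against these values, as an added example rather than code from the original article: the shell functions below list every directory that is not 755 and every file that is not 644 under a WordPress root, and reset them when called with --fix. The function names and the --fix flag are hypothetical, chosen for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit a WordPress tree against the
# modes listed above, directories 755 and files 644.

# wp_perm_findings ROOT
# Prints "DIR <path>" or "FILE <path>" for every entry whose mode differs.
wp_perm_findings() {
    # "! -perm 755" matches any mode other than exactly 755 (same for 644).
    # -type d / -type f do not match symlinks, so links are left alone.
    find "$1" -type d ! -perm 755 -exec printf 'DIR %s\n' {} \;
    find "$1" -type f ! -perm 644 -exec printf 'FILE %s\n' {} \;
}

# wp_perm_audit ROOT [--fix]
# Exit status: 0 = tree matches, 1 = deviations remain, 2 = bad input.
wp_perm_audit() {
    local root="$1" mode="${2:-}" findings
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    findings="$(wp_perm_findings "$root")"
    if [ -z "$findings" ]; then
        return 0
    fi
    # Report what deviates (in --fix mode this is the list being changed).
    printf '%s\n' "$findings"
    if [ "$mode" = "--fix" ]; then
        find "$root" -type d ! -perm 755 -exec chmod 755 {} +
        find "$root" -type f ! -perm 644 -exec chmod 644 {} +
        # Re-check so the status reflects whether the repair worked.
        findings="$(wp_perm_findings "$root")"
    fi
    if [ -n "$findings" ]; then
        return 1
    fi
    return 0
}

# When run as a script with arguments, audit the given path.
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$@"
fi
```

Run it as the account that owns the files; the non-zero status on deviations makes it usable from cron or a deployment check.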

This concludes our discussion for today. These 20 tips should secure your WordPress site against most of the threats discussed so far.

Thank you for your time, and we’ll see you soon!
