By A Web Design
This assumes that WordPress is hosted on a Linux server (which it should be anyway).
Ensure that all WordPress directories have their permissions set to 755.
Ensure that all WordPress files have their permissions set to 644.
To learn about Linux file permissions, visit this link.
The wp-config.php file contains a section that invites you to define a set of so-called secret keys. Giving your site its own unique set of keys makes it more secure.
You can generate these keys automatically by visiting https://api.wordpress.org/secret-key/1.1/ .
When first installing WordPress, you are prompted to change the prefix for all the database tables that your WordPress installation creates and uses.
By default, the WordPress database prefix is set to “wp_”.
Hackers know that “wp_” is the default and will look out for it. If you change “wp_” to something more unique, such as your site name or something else, your WordPress tables will be that much tougher to find and your blog that much more secure.
NOTE: To move the wp-config.php file outside the public_html folder, i.e. outside your website root directory, please refer to Moving The WordPress configuration file outside The public_html Folder.
You can force the browser and web server to use SSL when logging in to WordPress. Here’s how you can force SSL on login.
Add the two following lines to your wp-config.php file:
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
The user name admin is not safe to use. Hackers know that most WordPress installs have an “admin” account and will try to break in using brute force.
Change the admin account to something else immediately, something less obvious to guess.
You can do this manually by creating a new account with super administrator privileges.
Then log in with this account and delete the admin account.
OR
Change the admin username with a MySQL query using phpMyAdmin:
E.g.: UPDATE wp_users SET user_login='newuser' WHERE user_login='admin';
NOTE: Do remember to replace the word newuser with a word of your choice, OR you will have to log in as newuser to become the administrator of your WordPress blog.
Move the wp-content folder
To keep hackers away from the wp-content folder, move it and/or rename it.
Just add these two lines to your wp-config.php, pointing to the correct URL:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content' );
NOTE: If you use the above lines exactly as they are, the folder to which you are moving wp-content is a folder named blog in the root folder of your WordPress install.
Keeping the default WordPress generator tag in your HTML code is a clear indicator to hackers that the website is being delivered by WordPress. This can and should be removed.
Add the following line to your functions.php file:
<?php remove_action('wp_head', 'wp_generator'); ?>
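As an added example (not part of the original article), the following read-only shell script checks a WordPress tree for the 755/644 permissions, the default table prefix, unreplaced secret keys and FORCE_SSL_ADMIN described above. The function names and the sample tree built by make_sample_tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree against the settings above.
# Function names and the sample tree are constructed for this example.

# List directories that are not 755 and files that are not 644.
wp_perm_findings() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  not 755: /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/FILE not 644: /'
}

# Flag wp-config.php settings that are still at their defaults.
wp_config_findings() {
    cfg=$1
    # $table_prefix left at the default 'wp_'
    grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$cfg" \
        && echo "CONFIG default table prefix wp_"
    # placeholder text from wp-config-sample.php never replaced with generated keys
    grep -q 'put your unique phrase here' "$cfg" \
        && echo "CONFIG placeholder secret keys"
    # FORCE_SSL_ADMIN not defined as true
    grep -Eq 'define[[:space:]]*\([[:space:]]*.FORCE_SSL_ADMIN.[[:space:]]*,[[:space:]]*true' "$cfg" \
        || echo "CONFIG FORCE_SSL_ADMIN not enabled"
    return 0
}

# Run both checks; wp-config.php is expected directly under the given root.
wp_audit() {
    wp_perm_findings "$1"
    [ -f "$1/wp-config.php" ] && wp_config_findings "$1/wp-config.php"
    return 0
}

# Build a small constructed tree with deliberate problems, for a dry run.
make_sample_tree() {
    t=$(mktemp -d) && chmod 755 "$t"
    mkdir -p "$t/wp-content/uploads"
    chmod 755 "$t/wp-content"; chmod 777 "$t/wp-content/uploads"
    printf '%s\n' "<?php" "define('AUTH_KEY', 'put your unique phrase here');" \
        "\$table_prefix = 'wp_';" > "$t/wp-config.php"
    chmod 666 "$t/wp-config.php"
    echo "$t"
}

# Usage: sh wp_audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then wp_audit "$1"; fi
```

An empty result means every check passed; the script only reads the tree and changes nothing.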