Easy to implement WordPress security steps
- Installation:
- Install WordPress in a separate directory (i.e., not directly in the web server’s root directory).
- Here is what my web server’s root directory looks like:
- Updates:
- Always (well, whenever an update is available) update WordPress core, themes, and plugins.
- Plugins:
- Only install plugins that are necessary, and only from trusted sources.
- Passwords:
- Use strong passwords for login/registration and change them frequently.
- Database prefix:
- Always change the database table prefix (from the standard wp_ to something obscure, e.g., 9102tob_).
- Using the security key features:
- In the wp-config.php file there are key values used to encrypt user cookies. These keys allow WordPress to protect the session information stored in user cookies. If you change any key value, logged-in users will be forced to log in again.
- Use SSL:
- If you have set up SSL for your site, you can force visitors and administrators to log in over SSL. Edit the wp-config.php file and add the following lines:
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
- Manage file permissions carefully:
- Use 644 for files and 755 for directories. Never give 777 permissions to any file or directory.
- Disabling directory views:
- via .htaccess: add the line “Options -Indexes” to your .htaccess file
- or simply add an index.php or index.html file to any directory whose contents you don’t want to be visible.
- Managing user roles:
- Understand WordPress roles before assigning them to any user account.
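The permission, directory-listing, table-prefix and SSL points above can be checked in one pass. The following audit script is an added example, not part of the original post: it builds a constructed throwaway install directory with the weak settings, reports each finding, and then applies the 644/755 rule and the Options -Indexes fix to show the findings drop. The function and file names are the example's own assumptions.

```shell
#!/bin/sh
# Hypothetical WordPress hardening audit (added example, not from the original post).
# Each check prints one line per finding: world-writable files or directories,
# the default wp_ table prefix, no "Options -Indexes" in .htaccess, and
# FORCE_SSL_ADMIN not defined as true in wp-config.php.

check_permissions() {          # $1 = install dir; anything writable by "other" is a finding
  find "$1" -perm -0002 \( -type f -o -type d \) | sed 's/^/world-writable: /'
}

check_table_prefix() {         # flags $table_prefix = 'wp_' in wp-config.php
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1/wp-config.php" 2>/dev/null; then
    echo "default table prefix wp_ in wp-config.php"
  fi
}

check_directory_listing() {    # .htaccess must carry Options -Indexes on its own line
  if ! grep -Eiq '^[[:space:]]*Options[[:space:]]+-Indexes' "$1/.htaccess" 2>/dev/null; then
    echo "directory listing not disabled in .htaccess"
  fi
}

check_force_ssl() {            # FORCE_SSL_ADMIN must be defined as true
  if ! grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$1/wp-config.php" 2>/dev/null; then
    echo "FORCE_SSL_ADMIN not enabled in wp-config.php"
  fi
}

audit() { check_permissions "$1"; check_table_prefix "$1"; check_directory_listing "$1"; check_force_ssl "$1"; }
count_findings() { audit "$1" | wc -l | tr -d ' '; }

harden() {                     # apply 755 to directories, 644 to files, and disable listings
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  echo "Options -Indexes" >> "$1/.htaccess"
}

make_sample_install() {        # constructed fixture mimicking a weakly configured install
  d=$(mktemp -d)
  printf '%s\n' "<?php" "\$table_prefix = 'wp_';" > "$d/wp-config.php"
  printf 'RewriteEngine On\n' > "$d/.htaccess"
  mkdir -p "$d/wp-content/uploads" && chmod 777 "$d/wp-content/uploads"
  echo x > "$d/wp-content/uploads/file.txt" && chmod 777 "$d/wp-content/uploads/file.txt"
  echo "$d"
}
```

Running `audit /path/to/wordpress` on a real install prints the same one-line findings; the prefix and SSL items are left for manual fixing because the prefix change also requires renaming the database tables.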
Other WordPress security measures:
- Using security plugins
- Anti-spam plugins
- Using a quiz in contact forms
- Using reCAPTCHA in contact forms