Two of my favorite sessions of WordCamp NYC 2009 were:
- Locking Down the Chastity Belt on WordPress Security by Brad Williams
- Writing Secure Plugins by Mark Jaquith [slides here]
There are real threats out there and real sites are being hacked. Sure, you could be the lucky guy who stays safe anyway. But instead of counting on pure luck, why not take a few minutes to apply these simple steps? They will bring your WordPress site to a higher security level and give you more peace of mind.
WordPress Security Tips
| Stage | Difficulty | Tip | What to do |
|---|---|---|---|
| Installation | Easy | “wp_” table prefix | Do NOT use the default “wp_” table prefix. Instead, choose something unique for your site. |
| Anytime | Easy | “admin” user | Create a new user with “administrator” privilege, then delete the “admin” user account. |
| Anytime | Medium (need FTP) | wp-config.php | Move “wp-config.php” one level above the WordPress folder. (Version 2.6 or later, and only when WordPress is installed in a subfolder under the web root, for example /public_html/blog/.) |
| Anytime | Medium | Folder (wp-content/upload) permission | Try 755 first; if that does not work, 775; if that still does not work, 777. |
| Anytime | Easy | Security Plugins | |
| Anytime | Medium | Authentication Unique Keys | Open “wp-config.php” and follow the instructions there to set up these keys: https://api.wordpress.org/secret-key/1.1/ |
| Anytime | Difficult | .htaccess lockdown | Modify .htaccess to allow access to wp-admin only from one IP address or a range of IP addresses. |
| Development | Difficult | Develop themes or plug-ins | Follow the instructions on: http://codex.wordpress.org/Data_Validation |
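To check a few of the table's tips from the server side, here is a small audit script. It is an added example written for this post, not code from the talks or from WordPress itself; the file paths and the two sample wp-config.php files are constructed for the demo, and the placeholder string it looks for is the one that ships in wp-config-sample.php for every key and salt.

```shell
#!/bin/sh
# Audit a wp-config.php and a directory against three tips from the table:
# non-default table prefix, real authentication keys, and no 777 folder.

# Returns 0 when the config passes, 1 when at least one finding is printed.
audit_wp_config() {
    cfg="$1"
    findings=0
    # Tip: the table prefix should not be the default "wp_"
    # (matches a line such as:  $table_prefix = 'wp_';  )
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "FINDING: default table prefix 'wp_' in $cfg"
        findings=1
    fi
    # Tip: authentication unique keys must be set; the sample config ships
    # every key and salt with this placeholder text.
    if grep -q "put your unique phrase here" "$cfg"; then
        echo "FINDING: placeholder authentication key/salt in $cfg"
        findings=1
    fi
    return $findings
}

# Returns 0 when the directory exists and is NOT world-writable (i.e. not 777).
# Tip: stop at the least permissive mode that works; 777 is the last resort.
dir_not_world_writable() {
    dir="$1"
    # -prune keeps find on the directory itself; -perm -002 is "others can write"
    [ -d "$dir" ] && [ -z "$(find "$dir" -prune -perm -002 -print)" ]
}

# Constructed sample configs (not real site configs) showing both outcomes.
tmp="${TMPDIR:-/tmp}/wpaudit.$$"
mkdir -p "$tmp"
printf '%s\n' "<?php" "\$table_prefix = 'wp_';" \
    "define('AUTH_KEY', 'put your unique phrase here');" > "$tmp/default.php"
printf '%s\n' "<?php" "\$table_prefix = 'k7x_';" \
    "define('AUTH_KEY', 'CONSTRUCTED-VALUE-NOT-A-REAL-KEY');" > "$tmp/hardened.php"

audit_wp_config "$tmp/default.php"  || echo "default.php: needs work"
audit_wp_config "$tmp/hardened.php" && echo "hardened.php: ok"
```

Run it against your own wp-config.php and wp-content folder after applying the tips; a clean run prints nothing but the final "ok" line.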
I’m impressed! You’ve managed the almost impossible.