Today we are adding some advanced security techniques to your defensive arsenal. Many of these solutions are specific to WordPress websites, but there are some that apply more globally. Some of these ideas may require some outside professional help to implement, but if your business relies on your website, they are probably worth the extra expense.
- Google Search Console – Formerly known as Google Webmaster Tools, this is a free Google service that you may already be subscribed to. If SEO and page rank are important to you, or if you are using AdSense or AdWords, you should be using the Search Console too. Log on to your Google account, navigate to Search Console, and update your site information. Create a new listing if necessary. Among other things, Google will notify you if they detect malicious activity on your website.
- WordPress security keys – You can use a plugin like Salt Shaker to change your WordPress security keys, or generate your own keys at WordPress.org. Make sure to modify your wp-config.php file with the new key information.
- Use .htaccess – Create your own .htaccess file or use a plugin, making sure to protect the WP admin area, password protect the WP admin folder, disable directory browsing, disable PHP execution in certain directories, and protect your wp-config.php file.
- Disable XML-RPC – Delete the xmlrpc.php file to remove an avenue for password-guessing attacks.
- Disable PHP error reporting – PHP error reporting is used by developers for debugging, but showing PHP errors to site visitors can reveal version information and possibly exploitable code. Turn it off by changing the php.ini or wp-config.php file.
- Use HTTPS – By July Google will begin telling Chrome web browser users that HTTP sites are insecure. Adding a security certificate to your site to encrypt communications between your site and your site visitors is becoming an industry standard. Costs have dropped, and free certificates are available from Let’s Encrypt.
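The .htaccess protections listed above could look like the following. This is an added example, not taken from the original post or the linked guides; it assumes Apache 2.4 with `AllowOverride` enabled for these directives, and the `AuthUserFile` path is a placeholder. The xmlrpc.php rule goes slightly beyond the list as an alternative to deleting the file.

```apache
# --- .htaccess in the WordPress root directory ---

# Disable directory browsing: folders without an index file return 403
# instead of a file listing.
Options -Indexes

# Protect wp-config.php: it holds database credentials and the security
# keys, and never needs to be requested over the web.
<Files "wp-config.php">
    Require all denied
</Files>

# Alternative to deleting xmlrpc.php: a deny rule keeps working even if
# the file is restored later (for example by an update).
<Files "xmlrpc.php">
    Require all denied
</Files>

# --- wp-content/uploads/.htaccess ---

# Disable PHP execution where only media files belong, so an uploaded
# script cannot be run by requesting its URL.
<FilesMatch "(?i)\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>

# --- wp-admin/.htaccess ---

# Password protect the admin folder with HTTP Basic authentication, in
# addition to the normal WordPress login. Create the password file with
# the htpasswd utility and store it outside the web root.
AuthType Basic
AuthName "Restricted area"
# Placeholder path (assumption): adjust to your hosting account.
AuthUserFile /home/example/.htpasswd
Require valid-user

# Some themes and plugins call admin-ajax.php from public pages; exempt
# it so visitors are not shown a password prompt.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

In the root file, keep these rules outside the `# BEGIN WordPress` / `# END WordPress` markers, because WordPress rewrites everything between them. Basic authentication sends the password with every request, so use it together with HTTPS.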
Many of these items have lengthy and detailed procedures, and I have included links to the details below. Our next post looks at how to clean a site that has been infected or compromised, and wraps up this series.
- WordPress Security Learning Center
- How To Secure WordPress
- WordPress Security Wizard: Lock Down Your WordPress Site From Hackers by Rolland Dhar
- WordPress Security: An Introduction to Hardening WordPress
- Google Search Console
- How to use .htaccess
- 9 Most Useful htaccess Tricks for WordPress
- Editing wp-config.php
- Change WP security keys
- Disable PHP error reporting