Categories:> Blog, Website Design

Website Security through WordPress Hardening

WordPress Hardening is a must for ensuring website security and prevent hacks or unauthorized access

It is extremely important to fortify your website against security threats. If you have a WordPress website, certain easy website security measures listed here can help you protect your website. These measures are collectively termed as WordPress Hardening. You can read more about it here.

At Appycodes, we offer WordPress Hardening as a value-added service for clients looking for that additional layer of security.

Based on our experience in website security, following easy-to-implement measures work well.

1.      Update WordPress and Plugins

One should always keep the latest version of WordPress and installed plugins since newer versions have taken care of the security breaches identified in the previous versions.

But take care to back-up your website before making any update, as some updates might cause the website to stop functioning properly.

2.      Set appropriate File Permissions

This is probably the most important hardening measure after point number 1.

Most hacks take place by gaining access to WordPress system files. To prevent unauthorized access, here’s what you need to do:

  • Set all folder permissions to 755
  • Set all file permissions to 644
  • For files that one might need to edit in WordPress admin, set permission to 666 (example css for custom CSS styling, .htaccess to allow re-write rules)

3.      Admin Username

Can you guess what the default WordPress admin username is? You’re right, it’s admin.

Since you could guess that so easily, others can as well. This is a potential loop-hole in your website security. So, always use an admin username other than the default one.

4.      Hide WordPress Version

Knowledge of WordPress version gives added advantage to hackers to break through your website security. To prevent displaying the version publicly, add the following line to the functions.php file in your theme directory

<?php remove_action(‘ wp_head’ , ‘ wp_generator’ ) ; ?>

5. Limit full website searches

Go to your theme folder and find the following lines of code

<?php echo $_SERVER [ ‘ PHP_SELF’ ] ; ?>

You will mostly find them in a file called search.php. Replace the above lines with the following:

<?php bloginfo (‘ home’ ) ; ?>

5.      Disallow system files from being indexed by search engines

Add the following line to the robots.txt

Disallow: /wp‐*

6.      Restrict File Access to WordPress Content Directory

Create a blank .htaccess file in the wp-content directory and include the following lines. This will prevent access to system files (e.g. PHP) which should not be accessed from outsiders

Oder Allow, Deny
Deny From all
<Files ~ “\. (css| jpeg| png| gif| js) $”>
Allow from all

7.      Stop SQL / Script Injections

Script injections are one of the most classical ways to bypass your website security. You should include the following lines in .htaccess within wp-­content (We created a .htaccess file remember?)

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\| %3E) [ NC, OR] RewriteCond %{QUERY_STRING} GLOBALS(=| \[ | \%[ 0
‐9A‐Z] {0, 2}) [ OR] RewriteCond %{QUERY_STRING} _REQUEST(=| \[ | \%[ 0‐9A‐Z] {0, 2})
RewriteRule ^(. *) $ index. php [ F, L]


To know more about WordPress hardening and website security, visit this link or feel free to get in touch with us

Your comment

2 − 1 =