Boost WordPress Security:
13 Simple Tweaks to Keep Hackers Away
Protecting your WordPress site from hackers doesn't have to be complicated. In this post, we’ll explore 13 essential security settings that can dramatically reduce vulnerabilities and keep your website safe from common threats.
Keeping your website safe is more important than ever, especially if you’re using WordPress, which is a favorite target for hackers. While WordPress is great out of the box, its default settings can leave your site open to a lot of different security risks. The good news? You don’t need to be a tech expert to lock things down. With a few simple tweaks, you can make your WordPress site much more secure. In this post, we’ll cover 13 easy security settings you can use to protect your site from common threats. Whether you're new to WordPress or already have some experience, these tips will help you keep your website safe and sound.
Change Default Administrator's Username (CRITICAL)
Older WordPress installs and many one-click installers create the first administrator as 'admin', and every login brute-force tool tries that username first, so half of the credential is already known. WordPress will not let you rename a user from the dashboard: create a new administrator with a non-obvious username, log in as it, then delete the old 'admin' account and attribute its posts to the new user (or change user_login directly in the users table). Keep in mind that the new username is still discoverable through author archives and the REST API, so this removes the free guess; it does not replace rate limiting on the login page.
Restrict Access to Files and Directories (CRITICAL)
Loose file permissions let anyone who gets a foothold on the server (a neighbouring account on shared hosting, a compromised plugin running as the web server user) read wp-config.php or drop files into the site. The usual scheme is:
wp-config.php: 0600
Other files: 0644
Directories: 0755
This assumes PHP runs as the user that owns the files. If the web server runs as a different user than the owner (for example www-data), 0600 on wp-config.php makes it unreadable and takes the site down; use 0640 with the web server's group as the file's group instead. Files should never be owned by the web server user itself. If you're not confident doing this, ask your web host's support, or get a developer who knows Linux administration to help you out.
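As an added example (not from the original post), the following POSIX shell script applies that scheme to a site root and then lists anything still out of line. The path argument is yours, the function names are this example's own, and it assumes PHP runs as the file owner as described above:

```shell
#!/bin/sh
# Apply the permission scheme from this post to a WordPress tree and report
# anything that still deviates. Assumes PHP runs as the user that owns the
# files (the usual PHP-FPM pool setup); if PHP runs as a different user, e.g.
# www-data, 0600 on wp-config.php makes it unreadable and the site dies, so use
# 0640 with the web server's group as the file's group instead. Ownership is
# not touched here; fix that separately (chown -R deployuser:www-data).
set -eu

harden_wp_perms() {
    root=$1
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php under $root" >&2; return 1; }
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    chmod 0600 "$root/wp-config.php"
}

# Lists world-writable entries and a wp-config.php readable by "other";
# empty output means the tree matches the scheme.
find_bad_perms() {
    root=$1
    find "$root" -perm -0002
    find "$root/wp-config.php" -perm -0004
}

if [ $# -eq 1 ]; then
    harden_wp_perms "$1"
    find_bad_perms "$1"
fi
```

Run it as ./harden-perms.sh /var/www/example.com; anything it prints afterwards is a file or directory that still needs attention.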
Block Unauthorized Access to xmlrpc.php
xmlrpc.php is the legacy remote-publishing API. It lets an attacker test hundreds of passwords in a single request through system.multicall and is the entry point for pingback abuse, so unless you use Jetpack, the WordPress mobile app or another XML-RPC client, deny access to it at the web server. Note: custom .htaccess directives, especially rewrite rules placed earlier in the file, may override this.
Block Access to .htaccess and .htpasswd
These files hold your rewrite rules and, with HTTP authentication, password hashes; reading them tells an attacker exactly how the site is protected and what to crack. Apache's stock configuration already denies requests for any file whose name starts with .ht, but a hosting panel may have loosened that, so add the rule to .htaccess yourself or enable the equivalent option at your web host. On nginx, .htaccess files are ignored entirely and the deny rule has to go in the server configuration.
Turn Off Pingbacks
A pingback makes your site fetch the page that linked to it and then add a comment under your post. Because anyone can ask your server to fetch any URL through the pingback.ping XML-RPC method, thousands of WordPress sites can be pointed at one victim for a DDoS, and the same fetch can be used to probe hosts behind your firewall. Untick 'Allow link notifications from other blogs' under Settings > Discussion; that only affects new posts, so bulk-edit previously created posts and set their ping status to closed as well. The XML-RPC method itself stays reachable until xmlrpc.php is blocked.
Disable File Editing in WordPress Dashboard
The dashboard's theme and plugin editors let any administrator write arbitrary PHP to the server from a browser, which is exactly what an attacker holding a stolen admin password needs to drop a backdoor. Turn them off by defining the DISALLOW_FILE_EDIT constant as true in wp-config.php; legitimate changes to theme and plugin files then go through your deployment process instead of the browser.
Block Author Scans
Requesting /?author=1, /?author=2 and so on makes WordPress redirect to /author/username/, which hands an attacker the list of accounts, usually the administrator first, to aim a brute-force attack at the login page. Block requests whose query string carries an author parameter (the REST route /wp-json/wp/v2/users leaks the same data and needs separate treatment). Note: with plain (non-pretty) permalinks the author archive is itself /?author=N, so this rule also stops legitimate visitors reaching author archive pages.
Block Directory Browsing (CRITICAL)
With directory listings enabled, a request for a folder without an index file (an upload year folder or a plugin directory) returns every filename in it, giving an attacker your plugin versions, backups and upload paths for free. Disable listings with the Options -Indexes directive in the site's .htaccess or, better, server-wide. This isn't just good WordPress security, it matters for everything your web server hosts!
Forbid Execution of PHP Scripts in wp-includes Directory
Files under wp-includes are meant to be loaded by WordPress, never requested directly; denying direct requests to them removes a whole class of targets for attackers hunting for an include-only file with a known bug. A few files there (TinyMCE language files, theme-compat) are still fetched by browsers, so use the rule set from the WordPress hardening guide rather than a blanket deny. Note: custom .htaccess directives may override this setting and should be adjusted.
Forbid Execution of PHP Scripts in wp-content/uploads Directory
The uploads directory is the one place an attacker can usually get a file onto the server, through an upload form or a vulnerable plugin. If the web server refuses to execute PHP from there, an uploaded web shell is just a dead file. Note: custom .htaccess directives may override this setting and should be adjusted.
This item and the previous one (wp-includes) are both solved with .htaccess rules: rewrite rules in the site root .htaccess for wp-includes, and for uploads a .htaccess file placed inside wp-content/uploads itself containing:
# Block PHP execution in wp-content/uploads (Apache 2.4 syntax)
<FilesMatch "\.(php|phtml|phar|php[0-9])(\.|$)">
Require all denied
</FilesMatch>
On Apache 2.2 the equivalent is Order allow,deny followed by Deny from all; Apache 2.4 only accepts that legacy form when mod_access_compat is loaded and answers with a 500 otherwise. The trailing (\.|$) also catches names like shell.php.jpg, which servers that map PHP with AddHandler would otherwise execute.
Be sure you know what you're doing and where you're placing this file! It goes
Disable Script Concatenation for WordPress Admin Panel
By default the admin panel loads its JavaScript and CSS through load-scripts.php and load-styles.php, which take a list of registered script handles and concatenate all of them on every request. Those endpoints can be fed very long lists of heavy scripts to burn CPU and memory. Turning concatenation off makes admin pages load each file directly, which costs a few extra requests per admin page but changes nothing for visitors. Keep in mind the endpoints still answer requests from anyone; this setting only stops your own dashboard relying on them, so pair it with the rate limiting under bot protection.
Simply add
define('CONCATENATE_SCRIPTS', false);
to your wp-config.php file, above the 'That's all, stop editing!' line.
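Both this setting and the DISALLOW_FILE_EDIT constant from the file-editing item go into wp-config.php the same way, and hand-editing that file on every deploy is how stray duplicate defines creep in. The following shell function, an added example rather than the post's own code, adds or updates a define without duplicating it, keeps it above the stop-editing marker, overwrites the file in place so its 0600 mode survives, and fails loudly if the file has no usable insertion point. The function names are this example's own:

```shell
#!/bin/sh
# Add or update a define() in wp-config.php without duplicating it, keeping it
# above the "That's all, stop editing!" marker (or, failing that, above the
# wp-settings.php require) so it is set before WordPress boots. $3 is a PHP
# literal exactly as it should appear in the file, e.g. true, false or 'text'.
set -eu

wp_config_define() {
    cfg=$1; name=$2; value=$3; tmp="$cfg.tmp.$$"
    awk -v n="$name" -v v="$value" -v q="'" '
        function emit() { print "define( " q n q ", " v " );"; done = 1 }
        # an existing define for this constant: rewrite it here, or drop it if a
        # copy was already emitted above the marker (stale one placed after it)
        $0 ~ /^[[:space:]]*define[[:space:]]*\(/ && index($0, q n q) { if (!done) emit(); next }
        !done && (/stop editing/ || /wp-settings\.php/) { emit() }
        { print }
        END { if (!done) exit 1 }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; echo "$cfg: no insertion point found" >&2; return 1; }
    # copy back over the original rather than mv, so mode and owner are kept
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# The two dashboard tweaks from this post
harden_wp_config() {
    cfg=$1
    wp_config_define "$cfg" DISALLOW_FILE_EDIT true      # removes the theme/plugin file editors
    wp_config_define "$cfg" CONCATENATE_SCRIPTS false    # admin loads scripts one by one
}

if [ $# -eq 1 ]; then harden_wp_config "$1"; fi
```

Re-running it is safe: an existing define for the same constant is rewritten rather than appended, and one that somebody left below the marker is moved above it.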
Block Access to Sensitive Files (CRITICAL)
Some files in a WordPress tree should never be served to a browser: wp-config.php holds the database credentials and salts, readme.html and license.txt reveal the WordPress version, and leftovers such as .bak, .sql or .log files can hold a full database dump or error traces that tell an attacker which exploit applies. Normally PHP executes wp-config.php rather than serving it, but a broken PHP handler, a disabled module or a backup copy named wp-config.php.bak exposes it as plain text.
You'll typically do this by editing your .htaccess file and adding lines such as:
# Block access to wp-config.php (Apache 2.4 syntax)
<Files wp-config.php>
Require all denied
</Files>
The above only covers wp-config.php; add rules (or one FilesMatch pattern) for every sensitive file. On Apache 2.2 the equivalent is Order allow,deny followed by Deny from all, which Apache 2.4 only accepts with mod_access_compat loaded.
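The rules for xmlrpc.php, the .htaccess and .htpasswd files, directory browsing, author scans, PHP execution in wp-includes and wp-content/uploads, and the sensitive files above all live in .htaccess, so here is one script that installs all of them at once and can be re-run on every deploy. It is an added example, not code from the original post or from WordPress: the 'wp-hardening' marker comments and the function names are this example's own, the wp-includes rewrite rules follow the WordPress hardening guide, and it assumes Apache with AllowOverride enabled for the document root:

```shell
#!/bin/sh
# Installs the .htaccess rules from this post into a WordPress tree. Apache only:
# nginx ignores .htaccess entirely, and Apache needs AllowOverride with FileInfo,
# Limit and Options for the docroot, or these directives either 500 the site or
# are silently skipped.
set -eu

START='# BEGIN wp-hardening'
END='# END wp-hardening'

# Site-root rules. Apache 2.4 (mod_authz_core) and 2.2 (mod_access_compat) syntax
# are both emitted so the same file works on either.
root_rules() {
cat <<'EOF'
# BEGIN wp-hardening
Options -Indexes
# Config, Apache auth files, version-revealing files, dumps, backups, logs.
# Drop xmlrpc.php from this list if you rely on Jetpack or the mobile app.
<FilesMatch "^(wp-config\.php|wp-config-sample\.php|xmlrpc\.php|readme\.html|license\.txt|\.htaccess|\.htpasswd|.*\.(sql|bak|log|old|orig|swp))$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Dot-directories such as .git, but keep /.well-known/ for ACME challenges
    RewriteRule (^|/)\.(?!well-known/) - [F]
    # Username enumeration via ?author=N (the REST route /wp-json/wp/v2/users is a separate leak)
    RewriteCond %{QUERY_STRING} (^|&)author=\d+
    RewriteRule ^ - [F]
    # Direct hits on include-only PHP; the exceptions follow the WordPress hardening guide
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
</IfModule>
# END wp-hardening
EOF
}

# wp-content/uploads: nothing here may run as PHP. The trailing (\.|$) also catches
# shell.php.jpg, which AddHandler-based PHP setups would otherwise execute.
uploads_rules() {
cat <<'EOF'
# BEGIN wp-hardening
<FilesMatch "\.(php|phtml|phar|php[0-9])(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# END wp-hardening
EOF
}

# Put the managed block at the top of $file (above "# BEGIN WordPress", whose
# RewriteRule ... [L] would otherwise swallow our rules), replacing any earlier copy.
install_block() {
    file=$1; rules=$2; tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        awk -v s="$START" -v e="$END" '$0 == s { skip = 1; next } $0 == e { skip = 0; next } !skip { print }' "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    { $rules; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

harden_htaccess() {
    wp=$1
    [ -f "$wp/wp-config.php" ] || { echo "$wp does not look like a WordPress root" >&2; return 1; }
    install_block "$wp/.htaccess" root_rules
    mkdir -p "$wp/wp-content/uploads"
    install_block "$wp/wp-content/uploads/.htaccess" uploads_rules
}

if [ $# -eq 1 ]; then harden_htaccess "$1"; fi
```

After running it, request /wp-config.php, /readme.html, /?author=1 and a test.php dropped into uploads from outside; each should come back 403. On a multisite install check the multisite variant of the wp-includes rules in the WordPress hardening guide before using this block.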
Enable Bot Protection
Automated clients generate most of the noise against a WordPress site: login brute-forcing, comment spam, vulnerability scanners and scrapers that overload it with unwanted requests. You may need to temporarily disable this protection while using an online service to scan for vulnerabilities, since those scanners are bots too. Plugins such as Wordfence, Sucuri and iThemes Security bundle the controls below.
Add CAPTCHA to your forms: login, comment and registration forms!
Build out your .htaccess file with rules that block known bad bots by User-Agent, bearing in mind that a determined attacker simply sends a browser's User-Agent. If you're not familiar with editing your .htaccess file, please seek out the assistance of a quality developer!
Rate limit your login attempts. A handful of failed logins per IP within a minute is the one signal that reliably separates a person from a brute-force tool; WordPress plugins can do this for you, or a security-minded developer can implement it with web server rules or fail2ban rather quickly.
Block IP address ranges from regions you never expect visitors from (Ukraine and Pakistan are frequently named), but treat geo-blocking as a coarse filter rather than a defence: attackers rent servers and proxies everywhere, including in your own country, and a country block also locks out legitimate users and crawlers. The CAPTCHAs and rate limiting above do the real work.
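As an added example of the rate-limiting logic above (not code from the post or from any plugin), here is a shell/awk detector that reads a combined-format access log and flags any IP that POSTs to wp-login.php or xmlrpc.php more than N times within a sliding window of W seconds. The sample log lines are constructed for this example, the IPs are documentation addresses, and the function names are this example's own:

```shell
#!/bin/sh
# Flag IPs that POST to wp-login.php or xmlrpc.php more than $2 times within any
# $3-second sliding window, reading a combined-format (Apache/nginx) access log.
# Example usage: login_abusers /var/log/apache2/access.log 10 60
set -eu

login_abusers() {
    log=$1; limit=${2:-10}; window=${3:-60}
    awk -v limit="$limit" -v window="$window" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " "); for (i in mn) mon[mn[i]] = i }
        # combined format: IP - - [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status size ...
        $6 == "\"POST" && $7 ~ /^\/(wp-login\.php|xmlrpc\.php)(\?|$)/ {
            ip = $1
            split(substr($4, 2), t, "[/:]")   # t[1]=dd t[2]=Mon t[3]=yyyy t[4]=HH t[5]=MM t[6]=SS
            # monotonic "seconds" using 31-day months: exact within a month, only
            # bursts straddling a month boundary can be undercounted
            now = (((t[3] * 12 + mon[t[2]]) * 31 + t[1]) * 86400) + t[4] * 3600 + t[5] * 60 + t[6]
            n[ip]++; ts[ip, n[ip]] = now
            if (!(ip in head)) head[ip] = 1
            while (ts[ip, head[ip]] < now - window) head[ip]++   # drop events older than the window
            if (n[ip] - head[ip] + 1 > limit && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }
    ' "$log"
}

# Constructed sample log for the example: one burst attacker, one slow attacker
# pacing requests to stay under per-minute limits, and one ordinary user.
sample_log() {
    out=$1; : > "$out"
    i=0
    while [ $i -lt 12 ]; do   # 203.0.113.7: 12 POSTs in 24 seconds
        printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"\n' $((30 + i * 2)) >> "$out"
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 12 ]; do   # 192.0.2.9: 12 POSTs to xmlrpc.php, one every two minutes
        printf '192.0.2.9 - - [10/Oct/2023:14:%02d:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"\n' $((i * 2)) >> "$out"
        i=$((i + 1))
    done
    printf '198.51.100.4 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.4 - - [10/Oct/2023:13:57:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.4 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
}

if [ $# -ge 1 ]; then login_abusers "$@"; fi
```

With a limit of 10 in 60 seconds only the burst attacker is reported; the slow one only shows up once the window is widened to half an hour, which is why a good threshold pairs a short window with a tight limit and a long window with a looser one. Feed the output to whatever enforces the block (a temporary firewall rule, fail2ban, or a Require not ip line), and prefer a timed ban over a permanent one since the addresses are mostly rented.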
These options help to strengthen your WordPress installation against common threats, improving the security posture of your website.