WordPress Security

Last Revised: October 2, 2021

Here you will find different elements related to WordPress security. Some are general and apply to everyone; others require technical or systems-administration knowledge.

General

Learn the general, basic elements of WordPress security, together with the obligations you have as the person responsible for a WordPress website.

Getting Started with WordPress Security
WordPress is a secure, open-source, community-maintained system, which means that fixes are published and can be applied quickly as soon as a problem is detected.

Apply Common Sense to your WordPress site
They say that common sense is the least common of the senses, which is why I am asking you for a little of it.

Types of attack on WordPress
There are countless possible attacks on your site because there are countless possible entry points: WordPress itself, but also the server, user accounts, comments, scripts and so on.

Strong passwords for WordPress
What counts as a strong password today? Probably one of at least 24 characters mixing letters, digits and symbols, randomly generated rather than chosen by hand. From there, as long as you like.

GDPR (General Data Protection Regulation) and WordPress
Among other things, this regulation requires you to account for the personal data that WordPress collects on your site, such as user registrations, comments, contact details from forms, analytics data, etc.

Special

Here are some special materials on WordPress security that, in principle, combine many of the other elements.

Clean up a hack
You may have been infected, hacked, attacked... any of these is possible if your site has a security hole caused by an outdated core, theme or plugin.

Hosting

Web hosting servers for WordPress allow some WordPress-specific security measures, in addition to the general security systems of the platform.

WordPress Web Hosting Security
When we talk about security, web hosting and WordPress, there is only one conclusion: your hosting provider has to offer you a secure platform.

Minimum versions for WordPress to work
What are the minimum versions required for WordPress to work properly?

Install a TLS/SSL certificate on WordPress
When we browse the Internet we want to do it safely, which means visiting trusted sites over HTTPS, shown by the padlock in the address bar (the green bar in older browsers).

PHP compatibility in WordPress
If WordPress has one critical dependency it is PHP, and keeping the PHP version current is what has been promoted the most lately (if not always).

File permissions in WordPress
When performing a new installation of WordPress, one thing to keep in mind is which user owns the system files and what read and write permissions they have.

Block PHP on uploads in WordPress
In principle, when you upload files through the Media panel, only items such as images, text files and the like are allowed, while PHP files (the language WordPress is written in), among others, are rejected. The web server should nevertheless refuse to execute anything under /wp-content/uploads/, in case a plugin or a weak check lets a script through.

External mail service
Junk mail (spam), that scourge of the Internet that many of us suffer every day in our inboxes, is something we must prevent our website from generating or relaying.

Disable HTTP TRACE/TRACK
TRACE (and Microsoft's TRACK) are diagnostic HTTP methods that echo the request back to the client. Left enabled on a WordPress server they can be abused for cross-site tracing, exposing cookies and headers, so they should be disabled.

.htaccess for Apache and LiteSpeed
If you use Apache HTTPD or LiteSpeed, harden the .htaccess file at the root of your WordPress installation well beyond the default that WordPress writes.

.conf for nginx
If you use nginx, harden the .conf file of your WordPress site well beyond the default.

Database

A few small changes to the default WordPress database settings make it harder for an attacker to reach the information.

Limit access to WordPress database
As far as the database (MySQL, MariaDB...) is concerned there is little to do on the WordPress side, but you can put some obstacles in the way of anyone who tries to access it.

Avoid user numbering in WordPress
When the WordPress tables are created, every auto-increment column starts at 1, so the first user, normally the administrator created by the installer, always has ID 1.

Delete old copies of posts in WordPress
Once again we return to something that mainly affects performance: in this case, clearing old revisions of posts and pages out of the database.

WordPress

Although WordPress is very secure in itself, there are settings that can be applied directly in WordPress to harden it further.

WP-Config: WordPress settings
The WordPress configuration file [wp-config.php] hides many features that improve the security and performance of the system. Do you know all the possibilities it offers?

WordPress Security Keys
Since WordPress 2.6 the configuration includes a set of secret keys and salts that are used to sign (hash) the data stored in authentication cookies, so that learning who you are, or forging a cookie to get into your account, becomes much harder.
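As an added illustration (this is not WordPress core code), the following stand-alone PHP models what the security keys do: a cookie is the login name, an expiry and a session token, plus an HMAC computed with the secret key, so nobody who lacks the key can alter or forge it. WordPress itself additionally derives a per-user key from a fragment of the password hash and checks the token against a session table; here a single constant standing in for AUTH_KEY and AUTH_SALT is an assumption that keeps the example short.

```php
<?php
// Added illustration, not WordPress core: a simplified model of the signed auth cookie.
// AUTH_KEY and AUTH_SALT are placeholders; a real site uses the random values from
// https://api.wordpress.org/secret-key/1.1/salt/ in wp-config.php. wp_salt('auth')
// concatenates key and salt exactly as done below.
const AUTH_KEY  = 'example-only-key-replace-me';
const AUTH_SALT = 'example-only-salt-replace-me';

function sign_cookie(string $user, int $expiration, string $token): string
{
    $data = $user . '|' . $expiration . '|' . $token;
    $hmac = hash_hmac('sha256', $data, AUTH_KEY . AUTH_SALT);
    return $data . '|' . $hmac;
}

// Returns the user name if the cookie is authentic and unexpired, null otherwise.
function verify_cookie(string $cookie, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;                                   // malformed
    }
    [$user, $expiration, $token, $hmac] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null;                                   // expired or garbage expiry
    }
    $expected = hash_hmac('sha256', "$user|$expiration|$token", AUTH_KEY . AUTH_SALT);
    // hash_equals() is constant-time; a plain === would leak timing about the HMAC.
    return hash_equals($expected, $hmac) ? $user : null;
}

$now    = time();
$cookie = sign_cookie('editor', $now + 2 * 86400, bin2hex(random_bytes(16)));
var_dump(verify_cookie($cookie, $now));                // string "editor"

// Tampering: promote the cookie to the administrator account without the key.
$forged = preg_replace('/^editor\|/', 'admin|', $cookie);
var_dump(verify_cookie($forged, $now));                // NULL, the HMAC no longer matches

// Expiry is enforced as well, even when the signature is valid.
var_dump(verify_cookie($cookie, $now + 3 * 86400));    // NULL
```

The practical consequence is the one the section's later advice relies on: rotating the keys in wp-config.php invalidates every existing cookie, which is the quickest way to log out all sessions after a compromise.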

Security in WordPress cookies
In a simple WordPress installation we can explicitly define the domain and paths that cookies are scoped to, so they are not sent to places where they are not needed.

Remove WordPress headers and meta tags
Like most content management systems, WordPress clearly identifies itself in HTTP headers and meta tags, and advertises certain services that we may or may not use later.

Unify CSS and JavaScript in WordPress
In general, stylesheets (CSS) and scripts (JavaScript) carry information such as version numbers, either in the file name, in the URL query string, or in comments inside the file...

Hide WordPress version
The WordPress version is easy to find, since it appears in several places in the site's code, so it has to be hidden in several different ways.

Set up cache in WordPress
Again, something that is a general and very useful recommendation, turning on WordPress caching, also helps the security of your site, since cached pages absorb request floods that would otherwise reach PHP and the database.

Change WordPress default folders
When talking about WordPress it is a classic to mention wp-content [/wp-content/], the default folder where themes, plugins, uploads and so on live.

After WordPress installation
Once WordPress is installed, you can disable a series of URLs that no longer need to be reachable, neither by you nor by anyone else.

Block file editing in WordPress
People are curious by nature, and if something can be touched from the administration panel, we will touch it.

Force WordPress site URL
One of the most common mistakes an admin user makes in the WordPress dashboard is changing the URLs shown on the first settings screen.

Prevent access to external servers from WordPress
WordPress is a content manager with countless options, including reading external resources or downloading others, such as themes and plugins.

Block XML-RPC in WordPress
One of the advantages of WordPress is its flexibility for use by third-party applications, many of which use the XML-RPC standard to interact with the core of the CMS.
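As an added example (not code from the page), this must-use plugin disables XML-RPC from the WordPress side. The important caveat is in the comments: the xmlrpc_enabled filter only refuses methods that log in, while pingback.ping needs no login, so the pingback and multicall methods must be removed separately. The plugin file name and location under wp-content/mu-plugins/ are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, assumed file wp-content/mu-plugins/disable-xmlrpc.php)
 */

// Refuses every method that authenticates: xmlrpc.php answers
// "XML-RPC services are disabled on this site." to login attempts.
add_filter('xmlrpc_enabled', '__return_false');

// xmlrpc_enabled is checked inside login(), so methods that never log in still run.
// pingback.ping is used for reflected DDoS against third parties, and
// system.multicall lets one request try hundreds of passwords; drop both.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
});

// Stop advertising the endpoint: the X-Pingback response header on every page
// and the Really Simple Discovery <link> in <head> both point at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

If you rely on Jetpack or the WordPress mobile apps, which talk XML-RPC, keep the endpoint and only apply the xmlrpc_methods part; blocking xmlrpc.php at the web server, as the section suggests, remains the cheaper option because the request never reaches PHP.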

Limit access to WordPress wp-admin
Although we can change the default system folders, the administration folder [/wp-admin/] cannot be changed.
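The section is about restricting /wp-admin/ at the web server; as an added example that is not from the page, the following must-use plugin is the PHP-side complement: an IPv4 allow-list with CIDR matching applied to the dashboard and the login form. The networks, the plugin file name and the use of REMOTE_ADDR are assumptions; note it only runs once WordPress has bootstrapped, so it does not protect files that skip plugin loading, which is why the web-server rule is still preferred.

```php
<?php
/**
 * Plugin Name: Restrict wp-admin by IP (added example, assumed wp-content/mu-plugins/wpadmin-ip.php)
 */

// Example networks (RFC 5737 documentation ranges); replace with your own.
const WPADMIN_ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.7/32', '127.0.0.1/32'];

// IPv4 only: ip2long() returns false for IPv6, which is then treated as not allowed.
function wpadmin_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = max(0, min(32, (int) $bits));
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function wpadmin_ip_allowed(string $ip): bool
{
    foreach (WPADMIN_ALLOWED_CIDRS as $cidr) {
        if (wpadmin_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

function wpadmin_client_ip(): string
{
    // REMOTE_ADDR is set by the web server. X-Forwarded-For is attacker-controlled
    // unless a trusted proxy overwrites it; if you sit behind one, make the web server
    // (mod_remoteip, nginx real_ip) fix up REMOTE_ADDR rather than trusting headers here.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function wpadmin_gate(): void
{
    // admin-ajax.php and admin-post.php are legitimately hit by anonymous visitors
    // (front-end AJAX, form handlers), and WP-CLI has no client address at all.
    if (wp_doing_ajax() || (defined('WP_CLI') && WP_CLI)) {
        return;
    }
    if (($GLOBALS['pagenow'] ?? '') === 'admin-post.php') {
        return;
    }
    if (!wpadmin_ip_allowed(wpadmin_client_ip())) {
        status_header(403);
        nocache_headers();
        exit('Forbidden');
    }
}
add_action('admin_init', 'wpadmin_gate');   // every dashboard page
add_action('login_init', 'wpadmin_gate');   // wp-login.php, including password resets
```

Test the matcher before enabling it on a live site: wpadmin_ip_in_cidr('203.0.113.45', '203.0.113.0/24') is true and wpadmin_ip_in_cidr('203.0.114.1', '203.0.113.0/24') is false, and an IPv6 client is rejected rather than silently allowed.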

Automatic WordPress Updates
Keeping WordPress up to date is the key to avoiding security problems. WordPress is a secure system at its core; it is plugins and themes that most often cause trouble.
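Several of the sections above (WP-Config, cookies, changing default folders, blocking file editing, forcing the site URL, blocking access to external servers, automatic updates) come down to constants in wp-config.php. As an added example that is not the page's own file, here is a hardening excerpt that collects them; every value is an assumption to be adapted, and it goes above the line that reads "That's all, stop editing!".

```php
<?php
// Added example: hardening constants for wp-config.php. All values are assumptions.

// Block file editing: removes the theme/plugin editor from the dashboard.
define('DISALLOW_FILE_EDIT', true);
// Stricter: no plugin/theme installs or updates from the dashboard at all.
// Only enable if you deploy with git/composer/wp-cli, since it also hides update buttons.
// define('DISALLOW_FILE_MODS', true);

// Force WordPress site URL: a mistaken change in Settings > General can no longer lock you out.
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');

// Login and dashboard over HTTPS only; auth cookies are then set with the Secure flag.
define('FORCE_SSL_ADMIN', true);

// Security in WordPress cookies: scope cookies to this host and to the paths that need them.
define('COOKIE_DOMAIN',       'example.com');
define('COOKIEPATH',          '/');
define('SITECOOKIEPATH',      '/');
define('ADMIN_COOKIE_PATH',   '/wp-admin');
define('PLUGINS_COOKIE_PATH', '/wp-content/plugins');

// Prevent access to external servers: default-deny outbound HTTP from PHP,
// with an allow-list so core updates and plugin downloads keep working.
define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.wordpress.org,downloads.wordpress.org');

// Automatic WordPress updates: 'minor' (the default) installs security/maintenance
// releases only; true also installs major releases; false turns them off.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Change WordPress default folders: both constants must agree, no trailing slash.
// define('WP_CONTENT_DIR', __DIR__ . '/assets');
// define('WP_CONTENT_URL', 'https://example.com/assets');

// Debug output must never reach visitors in production.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
```

After changing WP_HTTP_BLOCK_EXTERNAL, check the Site Health screen and run a plugin update: any plugin that phones home to a host missing from WP_ACCESSIBLE_HOSTS will fail there first, which is the point.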

User Security in WordPress
In WordPress, users carry a lot of weight in the system. Whether the dashboard is completely closed and only you access it, or a hundred people work in it, the important thing is that whoever should not have access does not get it.

Cleaning media in WordPress
Upload images, edit them, crop them and start over. Undoubtedly one of the biggest efforts across many versions of WordPress has been improving the media editing system, mainly for images.

Configure WordPress robots.txt
This text file tells search-engine bots (GoogleBot, BingBot, YandexBot, Slurp...) what they should and should not crawl on your site.

Set up a default template in WordPress
Although it does not usually happen, your theme may fail for some reason (an incompatibility, deleted files...).

Turn off WordPress Emoji
WordPress has shipped Emoji support for many versions, turning text icons into images. But the script that does this is loaded with the core version in its URL, which makes version detection easier.
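The four fingerprinting sections above (headers and meta tags, version strings in CSS and JavaScript URLs, hiding the WordPress version, and the Emoji script) are all handled by the same hooks, so here is one added must-use plugin covering them; it is example code, not from the page, and the plugin file name and the choice of wp_salt('nonce') as the hashing secret are assumptions.

```php
<?php
/**
 * Plugin Name: Remove WordPress fingerprints (added example, assumed wp-content/mu-plugins/no-fingerprint.php)
 */

// 1. Hide WordPress version: the <meta name="generator"> tag and the generator in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Remove headers and meta tags: discovery links that name the platform and its endpoints.
remove_action('wp_head', 'rsd_link');                          // xmlrpc.php discovery
remove_action('wp_head', 'wlwmanifest_link');                  // Windows Live Writer manifest
remove_action('wp_head', 'wp_shortlink_wp_head');              // ?p=123 shortlink
remove_action('wp_head', 'rest_output_link_wp_head');          // REST API <link>
remove_action('template_redirect', 'rest_output_link_header', 11); // REST API Link: header
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. Turn off WordPress Emoji: the detection script URL carries ?ver=<core version>
//    and the SVG fallback adds a DNS prefetch to s.w.org.
remove_action('wp_head', 'print_emoji_detection_script', 7);
remove_action('wp_print_styles', 'print_emoji_styles');
remove_action('admin_print_scripts', 'print_emoji_detection_script');
remove_action('admin_print_styles', 'print_emoji_styles');
add_filter('emoji_svg_url', '__return_false');

// 4. Unify CSS and JavaScript: every core asset is enqueued with ?ver=<core version>.
//    Dropping ?ver entirely would break cache busting after updates, so replace the
//    core version with a keyed hash. Keyed, because a plain hash could be reversed by
//    hashing the few hundred known WordPress releases.
function nofp_hide_core_ver($src)
{
    global $wp_version;
    if (!is_string($src) || strpos($src, 'ver=') === false) {
        return $src;
    }
    parse_str((string) parse_url($src, PHP_URL_QUERY), $args);
    if (($args['ver'] ?? null) !== $wp_version) {
        return $src;                                   // a plugin or theme version: leave it
    }
    $opaque = substr(hash_hmac('sha256', $wp_version, wp_salt('nonce')), 0, 8);
    return add_query_arg('ver', $opaque, $src);
}
add_filter('script_loader_src', 'nofp_hide_core_ver');
add_filter('style_loader_src', 'nofp_hide_core_ver');
```

Check the result with curl -sI against the home page (no X-Pingback or Link headers) and by grepping the HTML for "generator" and "ver=". Keep in mind this is cosmetic: readme.html, the checksums of static files and the behaviour of known endpoints still reveal the version to a determined scanner, so it never replaces updating.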

Upload files of any kind to WordPress
When we talk about uploading media through the administration panel we usually mean images, documents and other well-known file types.
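Both this section and "Block PHP on uploads" turn on the same two hooks: upload_mimes decides which types the media library accepts, and wp_handle_upload_prefilter can veto a file by name before it is written. As an added example (not the page's code), this must-use plugin tightens both: it reduces the MIME allow-list to an explicit set and rejects double extensions such as shell.php.jpg, which some Apache configurations will execute. The allowed set, the blocked extensions and the plugin file name are assumptions.

```php
<?php
/**
 * Plugin Name: Harden uploads (added example, assumed wp-content/mu-plugins/harden-uploads.php)
 */

// Extensions that must never land in wp-content/uploads, whatever MIME type the upload claims.
const HARDEN_UPLOADS_BLOCKED = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'phtml', 'phar', 'pht',
    'cgi', 'pl', 'py', 'sh', 'htaccess', 'htm', 'html', 'svg',
];

// True when any dot-separated part after the base name is a blocked extension:
// "shell.php.jpg" and "image.phtml" are both rejected, "report.2021.pdf" is not.
function harden_uploads_is_dangerous(string $filename): bool
{
    $parts = array_map('strtolower', explode('.', $filename));
    array_shift($parts);
    foreach ($parts as $ext) {
        if (in_array($ext, HARDEN_UPLOADS_BLOCKED, true)) {
            return true;
        }
    }
    return false;
}

// Runs before wp_handle_upload() moves the file; a non-numeric 'error' aborts the upload
// and shows the message in the media uploader.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    if (harden_uploads_is_dangerous($file['name'] ?? '')) {
        $file['error'] = 'This file type is not allowed in the media library.';
    }
    return $file;
});

// Allow-list instead of the default list: keys are WordPress's own extension groups.
// Adding types here (the "any kind" use case) widens the attack surface; SVG in
// particular can carry scripts, which is why it is blocked above as well.
add_filter('upload_mimes', function (array $mimes): array {
    $allowed = ['jpg|jpeg|jpe', 'png', 'gif', 'webp', 'pdf'];
    return array_intersect_key($mimes, array_flip($allowed));
});
```

Remember that administrators with the unfiltered_upload capability (enabled on some single-site setups via ALLOW_UNFILTERED_UPLOADS) bypass the MIME check, so the prefilter and the web-server rule that refuses to execute PHP under uploads are the layers that actually hold.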

Active Security

Apart from the improvements that can be made to WordPress itself, we can also apply proactive security measures.

Install an Anti Spam in WordPress
A common attack on WordPress sites (mainly those focused on publishing blog posts) is comment spam.

Analyze your WordPress links
Links often stop working or end up redirected to sites of, let's say, dubious quality.

Backups in WordPress
If we talk about security we have to talk about backups. It makes no sense to put in place measures that protect your site if you do not have a copy of it that lets you restore a failed configuration.

Set up a Firewall or WAF in WordPress
We can enable active security tools that try, in real time, to block attacks or unwanted changes as far as possible.

Check WordPress checksum
One of the fastest ways to check whether a WordPress site has been compromised is a tool that validates the core files against the official checksums, which is cheap to run.
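As an added example (not one of the tools the page refers to), the following command-line PHP script does that check by hand: it reads the installed version, fetches the MD5 list that WordPress.org publishes for it, and reports modified, missing and unexpected files. It needs outbound HTTPS to api.wordpress.org; the site path argument and the en_US locale are assumptions. WP-CLI's wp core verify-checksums does the same job if you have it.

```php
<?php
// Added example: verify WordPress core files against the official checksums.
// Usage: php verify-core.php /var/www/html   (defaults to the current directory)

$root = rtrim($argv[1] ?? getcwd(), '/');
require $root . '/wp-includes/version.php';          // defines $wp_version
$locale = 'en_US';                                    // assumption; localized cores use their own list

$url  = "https://api.wordpress.org/core/checksums/1.0/?version={$wp_version}&locale={$locale}";
$body = @file_get_contents($url);
$json = $body === false ? null : json_decode($body, true);
if (empty($json['checksums'])) {
    fwrite(STDERR, "No checksums available for WordPress {$wp_version} ({$locale})\n");
    exit(2);
}

$modified = $missing = [];
foreach ($json['checksums'] as $file => $md5) {
    $path = "$root/$file";
    if (!is_file($path)) {
        $missing[] = $file;
    } elseif (md5_file($path) !== $md5) {
        $modified[] = $file;
    }
}

// Files inside wp-admin/ or wp-includes/ that core does not ship are a classic place
// for backdoors. wp-content/ is not covered by core checksums: plugins and themes need
// their own comparison (wp plugin verify-checksums, or a diff against a clean copy).
$extra = [];
foreach (['wp-admin', 'wp-includes'] as $dir) {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator("$root/$dir", FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $rel = substr($f->getPathname(), strlen($root) + 1);
        if (!isset($json['checksums'][$rel])) {
            $extra[] = $rel;
        }
    }
}

foreach (['modified' => $modified, 'missing' => $missing, 'unexpected' => $extra] as $label => $list) {
    echo strtoupper($label), ': ', count($list), "\n";
    foreach ($list as $f) {
        echo "  $f\n";
    }
}
exit(($modified || $extra) ? 1 : 0);   // non-zero exit makes it usable from cron or CI
```

A non-empty "modified" list usually means either a legitimate local edit (wp-config-sample.php, .htaccess are not in the list, but index.php sometimes is) or injected code; in the second case the cleanup section applies, and a clean copy of that version from WordPress.org is the reference to restore from.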

Set up webmaster tools in WordPress
Having a WordPress site means having a website, and that makes you a webmaster. On the Internet you will find many tools you can use to analyze your site.

WordPress and CDN
When it comes to scaling, caching and absorbing attacks there is never an ideal situation, but there are Internet services, such as CDNs, that help you protect yourself in a more or less simple way.

Set up licenses in WordPress
There are paid services that require a license to operate and usually these licenses are added from the administration panel.

How to audit your WordPress
When we talk about security you need a prevention plan so that the data can be recovered, but you also need to know what happened to get to that point.

Developers

There are some features in plugins and themes that help improve the security of the components added to WordPress.

Minimum PHP version for WordPress
Since a few versions ago, plugin developers can declare the minimum PHP version their plugin needs to work (the "Requires PHP" header), and WordPress refuses to activate it on an older PHP.
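As an added example (not the page's code), here is how a plugin's main file declares that minimum and, because cores older than 5.2 ignore the header, also guards at runtime so that an unsupported PHP produces an admin notice instead of a fatal error that takes the site down. The plugin name, the 7.4 threshold and the includes/bootstrap.php file are assumptions.

```php
<?php
/**
 * Plugin Name: Example Plugin (added example, not from the page)
 * Description: Declares a minimum PHP version and guards it at runtime.
 * Version:     1.0.0
 * Requires at least: 5.2
 * Requires PHP: 7.4
 */

// WordPress 5.2 and later read "Requires PHP" and block activation on older PHP.
// Older cores do not, so check before any file using newer syntax is parsed:
// a parse error in an included file cannot be caught and would white-screen the site.
if (version_compare(PHP_VERSION, '7.4', '<')) {
    add_action('admin_notices', function () {
        echo '<div class="notice notice-error"><p>'
            . esc_html(sprintf(
                'Example Plugin requires PHP 7.4 or newer; it is inactive on PHP %s.',
                PHP_VERSION
            ))
            . '</p></div>';
    });
    return;   // returning from the main plugin file stops loading it, without a fatal error
}

// Everything that uses PHP 7.4 syntax lives in files loaded only past the guard.
require __DIR__ . '/includes/bootstrap.php';
```

Themes use the same header in style.css ("Requires PHP: 7.4"), and the matching "Requires at least" header keeps the plugin from being activated on a WordPress core that lacks the APIs it calls.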

Vulnerabilities

There are some security issues in WordPress that, while perhaps classified as not problematic, may still need a small fix.

Mitigate WordPress CVE-2018-6389
Although it is not common, from time to time vulnerabilities appear in WordPress itself, such as CVE-2018-6389, a denial of service through wp-admin/load-scripts.php that is mitigated by restricting unauthenticated access to that file at the web server.