WordPress Optimized!

More than just another WordPress site

Menu
Skip to content
  • Home
    • Privacy
    • Disclaimer
  • Index
  • Plugin
  • Errors
  • Troubleshooting
  • Security
  • Code Snippet
  • Performance
  • 2BearStudio
  • Posted on July 21, 2013September 30, 2013
  • by Jerry Wang

WordPress Security Tips: What Should Be Done after WordPress Installation

It takes only few clicks to install WordPress. But making your installation safer and securer needs further tweaks and checkups. Here a list of things I will go though when a WordPress installation is submitted to me for security enhancement. You should do this too.

1. No “admin” User

Default WordPress installation create a default administrator by the user name “admin” unless otherwise instructed. If you install WordPress by simply clicking through steps, you will get an “admin” user when finish installation for sure.

Having an “admin” doesn’t necessarily mean your website will be hacked. The famous WordPress Admin Brute Force Attack will try to crack into any site anyway. Leaving an “admin” user gives away 50% of login credential. If the password happen to be in the popular passwords list, such as “12345678”, the installation will be hacked within seconds.

2. No “wp_” Database Table Prefix

Same as how you get an “admin” user, you will get a “wp_” table prefix as default installation option. If so, the Change DB Prefix plugin can help you automatically fix this potential security concern. Apparently, the recommended solution is to change the “wp_” during setup, or change it right after setup.

* If your WordPress website has been up running for few years, with multiple plugins installed, applying this tip may break your website as I’ve encountered in a little percentage of sites among my management. Backup beforehand is not an option, but a must.

3. Update WordPress Security Keys

Open wp-config.php in your favorite text editor, also visit following page in web browser:

https://api.wordpress.org/secret-key/1.1/salt/

copy what you get (the security keys) in the browser, and paste them into place where you can find in wp-config.php like this:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

/**#@-*/

In a nutshell, the security keys refer to 4 authentication keys and 4 hashing salts. They work together to add an extra layer of security to cookies and passwords, and make your site harder to hack.

If your site is installed properly, the Keys and Sales should be in place without manual update. But there are many different ways to install WordPress, always make sure this part is not left blank.

4. Remove Unwanted, Unnecessary & Inactive

WordPress, including its themes and plugins, is a software package. There are instructional documents for developers that are not required for running the website. You can check this blog to find out what files to remove. (WordPress Security Tip: Delete ReadMe after Installation).

Same rule applies to themes and plugins. Even you are a developer, you don’t need the both of the default themes “Twenty Eleven” & “Twenty Twelve”. If you are not running a blog, the plugin “Akismet” is not required as well. The idea is, if the website doesn’t need it, it shouldn’t be there.

5. Lock Down File Access

There are certain important system files containing WordPress configuration and other sensitive information you would like to keep private. Unlike those unnecessary files mentioned in tip #3, these files are crucial to WordPress and website operation. It is recommended to add extra protection by locking down file access from server level. (WordPress Security Tip: Lock Down File Access)

6. Disable Directory Browsing

WordPress is recommended to hosted on Apache server in Linux environment. Some hosting companies will DISABLE directory browsing by default, while others leave this ENABLED. A quick test can unveil the truth by browsing a folder like this::

http://yourdomain/wp-content/themes/
options-indexes-enabled
If it is DISABLED, you can get a 404 Page Not Fund, or 403 Forbidden (depend on your site setup). If this is ENABLED, you can see the directory list and browse through each individual folder. This is dangerous.

Add following lines to the .htaccess file (in the root directory of the website).

# Disable directory browsing
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

If by any chance, “Options” is not allowed in .htaccess file by your hosting company, or this trick doesn’t work for you, create an empty index.php in every folder that you do not want user to browse.

7. Disable PHP Execution in Certain Directories

WordPress is a PHP based web application, by default, PHP execution is enabled globally. For security purpose, you should disable this in certain directories, such as

  • http://yourdomain/wp-content/uploads/
  • http://yourdomain/wp-includes/

To do so, create a blank file in your favorite text editor, and paste the following code in:

# Disable PHP execution
<Files *.php>
  Deny from all
</Files>

Save it as .htaccess, and upload it to /wp-content/uploads/ folder. Upload another one to /wp-includes/.

8. A Backup Plan

It doesn’t matter the installation is for development or live website, a scheduled backup plan is REQUIRED to prepare yourself for any unexpected event. In any extreme case, disaster can be easily recovered from the backup. To make sure the backup serves its purpose, the backup files should be stored on a secure and remote location that not on the same server where the website is hosted.

For WordPress backup, I recommend free plugin BackWPup. Or you can go for paid plug like Backup Buddy.

 

When installing WordPress via cPanel, some of the security measures have become a standard practice and been applied to every installation. It won’t hurt to check on every point that could possibly become a security bleach.

There are more things you can do to protect your WordPress installation and strengthen website security. While some of them aren’t really effective, and others will change the way users interact with the website. For example, limit login attempts & add 2-step authentication. You can keep on exploring the possibilities as you meet the new challenges.

 

Plugin:

  • Change DB Prefix
  • BACKWPup free
  • Backup Buddy
WordPress Security Tips: What Should Be Done after WordPress Installation was last modified: September 30th, 2013 by Jerry Wang

Share this:

  • Click to share on Facebook (Opens in new window)
  • Click to share on Twitter (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Tumblr (Opens in new window)
  • Click to share on Pocket (Opens in new window)
  • Click to share on WhatsApp (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to print (Opens in new window)

Related posts:

  1. WordPress Security Tip – Avoid using these usernames
  2. Password Protect WordPress Admin Directory (wp-admin) for Enhanced Security
  3. WordPress Security Tip: Disable Theme and Plugin Editors in Admin Panel
  4. WordPress Security Tip: Lock Down File Access
  5. WordPress Security Tip: Delete ReadMe after Installation
Posted in Plugin, SecurityTagged .htaccess, Backup, Keys, Login, Prefix, Security, WP-CONFIG.PHP

Post navigation

Prev Seriously! How to Remove WordPress Version Number
Next WordPress Security Tip: Disable Theme and Plugin Editors in Admin Panel

Recent Posts

  • Make Uncode theme working on your DreamHost shared hosting account
  • Remove /?doing_wp_cron from URL
  • My New iMac Setup Troubleshooting
  • How to Replace Huge Image with Optimized Version the Easy Way
  • How to disable Guternberg Editor – the new Block Editor in WordPress 5
  • How to increase Max Input Vars on DreamHost shared hosting account
  • How to Upgrade to WordPress 5.0 without losing Classic Editor
  • WordPress Security Tip – Avoid using these usernames
The Ultimate Managed Hosting Platform

Recommended WordPress Hosting

Web Hosting  Fastest WordPress Hosting

Coupon & Promotion

  • 10% saving on S2Member Pro (Single-site)
  • 10% saving on S2Member Pro (Unlimited-site)
  • Hostgator 25% off coupon: 25offhosing

WordPress Themes & Plugins

 

Tags

.htaccess 404 500 add_filter() Admin Backup BackWPup Block Editor Coda Custom Post Type Debug DreamHost Email Error file Guternberg Hack IfModule Image Login Membership Memory Menu mobile pagination password Performance PHP Plugin Prefix redirect Revision S2Member Search Security Settings SSH Theme Troubleshooting Update Upgrade WooCommerce WP-CONFIG.PHP wp-login.php WSOD

Recommended Plugins

  Gravity Forms Plugin for WordPress   s2Member® (WordPress Membership Plugin)

Categories

  • Code Snippet (30)
  • General (17)
  • Mobile (3)
  • Performance (9)
  • Plugin (23)
  • Security (17)
  • Troubleshooting (29)

Archives

© Copyright 2021 – WordPress Optimized!
Retina Theme by WPAisle ⋅ Powered by WordPress