Before you deploy a WordPress site to production, you should follow an action checklist that ensures the security of your site. We put together a checklist to help you get started with your WordPress security.
Install Security Plugins
Several types of security plugins can help stop attacks such as XSS, brute-force password guessing, file (path) traversal, and malicious uploads. Even with these plugins installed, it is still important to monitor your WordPress site so that you can identify attacks.
Install an SSL/HTTPS Certificate
An SSL/TLS certificate enables HTTPS, which encrypts user connections and prevents eavesdropping on data in transit. HTTPS is also a factor in search engine ranking, so installing a certificate should be a priority before you deploy the WordPress site to a production server.
Disable PHP Script Execution
By default, WordPress makes specific directories writable so that users can upload images, plugins, and themes. An attacker who exploits a vulnerability in this upload functionality could use the site to host malware or inject PHP scripts into the codebase. To avoid becoming a host for malicious scripts and code, configure the WordPress site so that PHP scripts in those writable directories are never executed.
Disable Directory Indexing and Browsing
When directory listing is enabled, search engines can index the list of readable files, and attackers can view any readable file to learn how the site is configured and set up.
Scan WordPress for Malware Frequently
Although the above steps reduce risk, they do not eliminate it completely. To keep your website safe, you must scan it for threats and monitor activity. A monitoring system detects unusual traffic patterns and activity so that malware can be found and removed, and when malicious code is introduced to the system, a good monitoring system will detect and remediate it automatically.
Create Backups
Backups are a key component of disaster recovery. If you cannot recover from an outage by other means, a backup restores the system to a previous point in time. Backups are also essential if your WordPress site falls victim to a ransomware attack. Store them in a safe location and test them to ensure that they are not corrupted.
Disable XML-RPC in WordPress
The XML-RPC interface in WordPress allows content to be published remotely from a third-party client. Unless you absolutely need remote publishing, disable this functionality to reduce the risk of compromise. You can disable XML-RPC easily with a plugin that lets you control remote access.
Use a Web Application Firewall (WAF)
A WAF can stop many of the attacks that exploit vulnerabilities in plugin and theme code. Imunify360's WAF blocks XSS, malicious PHP scripts, brute-force password attacks, and SQL injection. To address vulnerabilities in outdated software, Imunify360 also patches your WordPress software and monitors for unauthorized activity.
Modify the WordPress Database Table Prefix
When attackers craft SQL injection scripts, they usually assume that the targeted site uses the default wp_ prefix on all WordPress tables. This prefix can be changed during installation. Changing it does not eliminate any SQL injection vulnerability, but it breaks any script that assumes WordPress tables carry the default prefix.
Disable File Editing
WordPress includes a built-in file editor that lets users modify site content, including theme files, from the dashboard. If an attacker exploits a vulnerability, the content of your site could be compromised with hidden malware, redirects, or third-party links. Lock down editing so that only the administrator can edit files and theme configurations.
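The following audit script is an added example, not code from the original article or from Imunify360. It checks a WordPress document root for four of the items above: stray PHP files in the uploads directory and an uploads/.htaccess that denies PHP execution (Disable PHP Script Execution), `Options -Indexes` in the root .htaccess (Disable Directory Indexing and Browsing), and `DISALLOW_FILE_EDIT` set in wp-config.php (Disable File Editing). It assumes Apache with .htaccess honored; the function names and the uploads path wp-content/uploads are this example's own choices.

```shell
#!/bin/sh
# Added audit script, not part of the original article. It checks a WordPress
# document root (path given as $1) for four checklist items: stray PHP files in
# the uploads directory, an uploads/.htaccess that denies PHP execution,
# directory indexing disabled in the root .htaccess, and the file editor
# disabled in wp-config.php. Assumes Apache with .htaccess honored; the
# function names and paths are this example's own.

# 0 if no PHP-like files exist under wp-content/uploads, non-zero otherwise.
uploads_clean() {
    n=$(find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null \
        | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# 0 if wp-content/uploads/.htaccess both matches php files and denies access.
uploads_exec_blocked() {
    f="$1/wp-content/uploads/.htaccess"
    grep -qi 'php' "$f" 2>/dev/null && grep -Eq 'Require all denied|Deny from all' "$f"
}

# 0 if the root .htaccess turns off directory listings.
indexing_disabled() {
    grep -Eq 'Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# 0 if wp-config.php defines DISALLOW_FILE_EDIT as true.
file_editor_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Runs every check, prints findings, and returns the number of failed checks.
audit_wordpress() {
    root="$1"; failures=0
    uploads_clean "$root"        || { echo "FAIL: PHP files found under wp-content/uploads"; failures=$((failures+1)); }
    uploads_exec_blocked "$root" || { echo "FAIL: uploads/.htaccess does not deny PHP execution"; failures=$((failures+1)); }
    indexing_disabled "$root"    || { echo "FAIL: root .htaccess lacks 'Options -Indexes'"; failures=$((failures+1)); }
    file_editor_disabled "$root" || { echo "FAIL: DISALLOW_FILE_EDIT is not set to true in wp-config.php"; failures=$((failures+1)); }
    echo "audit of $root complete: $failures finding(s)"
    return "$failures"
}

# Usage: audit_wordpress /var/www/html
```

Run it against the document root before deployment; a non-zero exit status equals the number of checklist items still open.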