Website security is a problem that many WordPress newcomers easily overlook, and many of them only turn to WordPress experts once they are already in trouble. This series of tutorials introduces, step by step, the measures needed to protect a WordPress website. Here are steps 23 to 27 of the 32-step WordPress website security ultimate checklist.
WordPress website security ultimate checklist Step 23 ~ 27
23. Prohibit execution of PHP code
If an attacker has gained a foothold on your site by some means (for example by uploading a file through a vulnerable form or plugin), one of the first things they will try is to run a PHP file they have placed in a directory the web server can write to. If PHP execution is disabled in that directory, the uploaded file cannot run, so a compromise of that directory does not automatically turn into code execution on the server.
This is an important hardening step, and it may affect plugins or themes that expect to run PHP from those locations, so test after applying it. At a minimum, restrict the two directories most likely to be abused: wp-content/uploads (writable by the web server) and wp-includes. One caveat for wp-includes: older multisite networks that still serve files through wp-includes/ms-files.php need that file to remain reachable.
Put the following code into the .htaccess file of each directory you want to restrict (for example wp-content/uploads and wp-includes). Do not put it in the site's root .htaccess: it applies to every PHP file beneath it, so at the root it would also block index.php and take the whole site down. This syntax is the Apache 2.2 form; on Apache 2.4 it only works while mod_access_compat is loaded, so use Require all denied there instead. It also requires AllowOverride to be enabled for the directory, and nginx ignores .htaccess entirely (the equivalent location rule goes in the server block):
<Files *.php>
order allow,deny
deny from all
</Files>
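As an added example (not part of the original checklist), the following shell script writes that rule into a directory's .htaccess in a form that works on both Apache 2.2 and 2.4, and checks the result by requesting a marker file over HTTP and expecting a 403. It goes slightly beyond the text by also denying common PHP variants (phtml, php5, phps). The paths and URL in the usage comment are placeholders; the script assumes Apache with AllowOverride enabled for the directory and curl available on the machine running the check.

```shell
#!/bin/sh
# Added example (not from the original tutorial): write a PHP-execution deny
# rule into a WordPress directory's .htaccess and verify it over HTTP.
# Assumes Apache with AllowOverride enabled for the directory.

# Write an .htaccess that refuses every request for a PHP file in DIR.
# Both the Apache 2.4 (Require) and the legacy 2.2 (Order/Deny) syntax are
# emitted, each guarded by IfModule, so the file works on either version.
write_php_deny_htaccess() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Refuse to serve or execute PHP (and common PHP variants) in this directory.
<FilesMatch "\.(php|phtml|php[3-7]|phps)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Return 0 if the .htaccess in DIR contains a deny rule for PHP files.
has_php_deny_rule() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q 'FilesMatch.*php' "$f" && grep -q 'Require all denied' "$f"
}

# Live check: drop a harmless marker file into DIR, request it through the
# web server and expect HTTP 403. BASE_URL is the URL that maps to DIR
# (e.g. https://example.com/wp-content/uploads). The marker is removed
# afterwards whatever the outcome. Requires curl.
verify_php_blocked() {
    dir="$1"; base_url="$2"
    marker="$dir/php-exec-check.php"
    printf '<?php echo "PHP executed";\n' > "$marker"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base_url/php-exec-check.php")
    rm -f "$marker"
    [ "$code" = "403" ]
}

# Usage (hypothetical paths):
#   write_php_deny_htaccess /var/www/html/wp-content/uploads
#   verify_php_blocked /var/www/html/wp-content/uploads \
#       https://example.com/wp-content/uploads && echo "PHP blocked in uploads"
```

If verify_php_blocked reports anything other than 403 (a 200 with "PHP executed" is the worst case, a 200 showing the raw source is almost as bad), AllowOverride is probably disabled for that path and the rule has to go into the virtual host configuration instead.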
24. Isolate the WordPress database
If you host several sites on the same server, you may be tempted to let them all share one database.
This weakens the security of every one of them. If a single site is compromised, the attacker obtains its database credentials from wp-config.php, and those same credentials can read and write the tables of every other site in the shared database.
When you set up a new WordPress installation, the first thing to do is create a new database for it. Give it its own name, its own database user and its own password, none of which should be shared with any other site. The separate user is what actually provides the isolation: a separate database name with a shared user account gains nothing, because the user's privileges still reach every database it has been granted on.
This way, even if one of your sites is compromised, the attacker cannot use its database credentials to reach the other sites on the same server.
25. Restrict permissions for database users
When you set up a WordPress site for the first time, you may, for lack of better information, give the database user far more privileges than it needs, for example ALL PRIVILEGES, or privileges on every database (*.*) rather than on the site's own database, and that excess becomes the attacker's privilege the moment wp-config.php is read.
For the vast majority of day-to-day operations WordPress needs only the data-level privileges on its own database: SELECT (read rows), INSERT (add rows), UPDATE (change rows) and DELETE (remove rows).
You can withhold the structural and administrative privileges: DROP (delete databases or tables), ALTER (change table structure), and GRANT OPTION (hand privileges to other accounts).
Note: installing WordPress, and some core, plugin and theme upgrades, do need structural privileges (CREATE, ALTER, INDEX and occasionally DROP) in order to create or modify tables, but routine operation does not. Grant them temporarily when such work is scheduled and revoke them again afterwards.
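The following added example (not part of the original checklist) covers steps 24 and 25 together: shell functions that emit the SQL for an isolated database and a least-privilege user per site, with a temporary "install/upgrade" privilege set and the day-to-day set to step back down to, plus a small audit helper for the output of SHOW GRANTS. The database, user and password names are placeholders. It assumes MySQL 5.7+ or MariaDB 10.1+ (for CREATE USER IF NOT EXISTS), that the password contains no single quotes, and that the statements are piped to the mysql client as an administrative user.

```shell
#!/bin/sh
# Added example (not from the original tutorial): SQL for an isolated
# database and a least-privilege user per WordPress site, generated by shell
# functions so the same statements can be reused for every site on a server.
# Names and passwords are placeholders. Pipe the output to the mysql client:
#   upgrade_grant_sql wp_site1 wp_site1_user 'S3cret' | mysql -u root -p
# Assumes MySQL 5.7+/MariaDB 10.1+ and a password without single quotes.

# Create the site's own database and user (connecting only from localhost)
# and grant what installing and upgrading WordPress needs: the day-to-day set
# plus CREATE, ALTER, INDEX and DROP, scoped to this one database.
upgrade_grant_sql() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Once the install or upgrade is done, step the user back down to the
# day-to-day set. Privileges stay scoped to the site's database, never *.*,
# and GRANT OPTION is never given.
daily_grant_sql() {
    db="$1"; user="$2"
    cat <<EOF
REVOKE CREATE, ALTER, INDEX, DROP ON \`$db\`.* FROM '$user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Audit helper: given the text printed by SHOW GRANTS FOR 'user'@'localhost',
# return 0 when the account holds nothing beyond the day-to-day set on its
# own database. The "GRANT USAGE ON *.*" line every account has is ignored.
grants_are_minimal() {
    bad=$(printf '%s\n' "$1" \
        | grep -E -i 'ALL PRIVILEGES|ON \*\.\*|DROP|ALTER|GRANT OPTION|FILE|SUPER' \
        | grep -v -i 'USAGE ON \*\.\*' || true)
    [ -n "$bad" ] && printf 'excess grant: %s\n' "$bad"
    [ -z "$bad" ]
}
```

A practical order of operations for a new site: run upgrade_grant_sql, install WordPress, then run daily_grant_sql; before a major core upgrade or a plugin that creates tables, run the GRANT line from upgrade_grant_sql again and follow it with daily_grant_sql when finished. Check the result with SHOW GRANTS and feed that output to grants_are_minimal.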
26. Prohibit File Editing
When you are just starting out, you may often tweak the theme or modify plugins, so you edit those files from the dashboard. Beyond that, there is generally no reason for a WordPress administrator to edit PHP files from the admin area.
So once your site's development is complete and it is up and running, you no longer need to edit files from the dashboard.
Leaving the editor enabled is also a security risk. An attacker who obtains an administrator login (through a stolen or guessed password, or a hijacked session) can use the built-in theme and plugin editor to write arbitrary PHP into your site immediately, planting a web shell or other malicious code without ever touching the server itself.
To stop administrators editing PHP files from the dashboard, add the following line to wp-config.php, above the line that loads wp-settings.php:
define('DISALLOW_FILE_EDIT', true);
Note that this only removes the editor. An attacker with an administrator account can still upload a plugin or theme archive containing PHP; the stronger setting DISALLOW_FILE_MODS disables plugin and theme installation and updates from the dashboard as well, and is appropriate when deployments are done from version control or the command line.
Alternatively, you can use the All In One WP Security & Firewall plugin to disable PHP file editing, under WP Security » Filesystem Security » PHP File Editing.
27. Protect wp-config.php file security
If you compare the files of WordPress to a human body, then wp-config.php is the heart.
We will not belabour the importance of wp-config.php here; we will come back to it later. For now, remember that wp-config.php stores the most sensitive information on the site: the database name, username and password, the authentication keys and salts, and a number of other important settings. Nobody other than the web server itself should be able to read it.
We strongly recommend hardening the protection of the WordPress core configuration file (wp-config.php). One option is to move the file one directory above the installation directory: when wp-config.php is missing from the site root, WordPress automatically looks for it in the parent directory (as long as the parent is not itself a WordPress installation). This only helps when that parent directory is outside the web root. Opinions differ on how much extra protection relocation adds, but everyone agrees that wp-config.php must be protected. At the very least, restrict its filesystem permissions (for example 640 or 440, owned by your deploy user and readable only by the web server's group) so that other accounts on a shared host cannot read it.
Whether or not you applied step 23, also add the following to the .htaccess file in the site root so the web server never serves wp-config.php directly:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Step 23 does not make this redundant: its rule only covers the directories you placed it in (uploads and wp-includes), not the site root where wp-config.php lives, and a blanket deny on *.php cannot go in the root .htaccess without blocking index.php and breaking the site. Normally a request for wp-config.php is executed as PHP and returns an empty page, so this rule is defence in depth: it protects the file if PHP handling is ever misconfigured (for example during a migration) and the server would otherwise send the file as plain text. As in step 23, the order/deny syntax is Apache 2.2; on Apache 2.4 use Require all denied.
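As an added example (not part of the original checklist), here is a shell script that applies the three protections above to a hypothetical installation: a deny stanza for wp-config.php appended to the root .htaccess (written in both Apache 2.2 and 2.4 syntax and kept outside the "# BEGIN WordPress" block so WordPress does not overwrite it), tight file permissions, and relocation one directory up with the safety checks WordPress itself relies on. The paths and the web server group name are placeholders; it assumes an Apache host where AllowOverride permits the stanza.

```shell
#!/bin/sh
# Added example (not from the original tutorial): harden wp-config.php on an
# Apache host. Paths are hypothetical. Assumes the web server process runs
# under the group passed as WEB_GROUP and that AllowOverride allows .htaccess.

# Append a stanza to ROOT/.htaccess that refuses HTTP requests for
# wp-config.php. Appended after any existing content (so outside the
# "# BEGIN WordPress" rewrite block). Idempotent: skipped if already present.
deny_wp_config_over_http() {
    root="$1"
    ht="$root/.htaccess"
    if [ -f "$ht" ] && grep -q '<Files "wp-config.php">' "$ht"; then
        return 0
    fi
    cat >> "$ht" <<'EOF'

# Never serve wp-config.php (defence in depth if PHP handling ever breaks)
<Files "wp-config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
}

# Return 0 if FILE is readable by "other" (the ls -l permission column 8).
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Restrict permissions: owner read/write, web server group read, nobody else.
# Works whether wp-config.php is in ROOT or already one level above it.
lock_wp_config_perms() {
    root="$1"; web_group="$2"
    for f in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$f" ]; then
            chgrp "$web_group" "$f"
            chmod 640 "$f"
            return 0
        fi
    done
    return 1
}

# Move wp-config.php one directory above the installation. WordPress looks
# there automatically when the file is absent from ROOT, provided the parent
# directory is not itself a WordPress install (no wp-settings.php there).
# Refuses to run if the source is missing or a copy already exists above.
relocate_wp_config() {
    root="$1"
    parent=$(dirname "$root")
    src="$root/wp-config.php"
    dst="$parent/wp-config.php"
    [ -f "$src" ] || return 1
    [ ! -e "$dst" ] || return 1
    [ ! -e "$parent/wp-settings.php" ] || return 1
    mv "$src" "$dst"
}

# Usage (hypothetical path and group):
#   deny_wp_config_over_http /var/www/example.com/htdocs
#   lock_wp_config_perms    /var/www/example.com/htdocs www-data
#   relocate_wp_config      /var/www/example.com/htdocs
```

Run lock_wp_config_perms after relocate_wp_config as well, since the moved file keeps its old mode. On a host where PHP runs as the same user that owns the files (PHP-FPM pools, suEXEC), 400 is tighter than 640 and still works.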
(To be continued…)