32 steps to WordPress website security ultimate checklist: Step 23 ~ 27

Website security is an important problem that many WordPress newcomers easily overlook, and many only contact WordPress experts about it once they face problems. This series of tutorials walks you through the steps to protect your WordPress website. This part of the 32-step WordPress website security ultimate checklist covers steps 23 to 27.

23. Prohibit execution of PHP code

Suppose a hacker has broken into your site by some means. The first thing he or she will probably do is execute PHP code inside a certain folder. If you disable PHP execution, then even if your site is compromised, the consequences for your site will not be serious.

This is an important step in securing a WordPress site, although it may affect the running of certain plugins and themes. At the very least, you should restrict the two directories most likely to have problems: wp-includes and uploads.

You can put the following code into the .htaccess file. Or you can limit it to specific directories (such as the wp-includes and uploads directories mentioned above):

<files *.php>
order allow,deny
deny from all
</files>

24. Isolate the WordPress database

If you have multiple sites on the same server, you might be tempted to let all the sites share the same database.

This will affect the security of the WordPress site. If one of the sites is hacked, other WordPress sites that use the same database may also be hacked.

When you set up a WordPress installation, the first thing you should do is create a new database. Give the database its own name, its own database username, and its own password, none of which should be the same as the database information of your other sites.

This way, even if one of your sites is hacked, the attacker cannot get into the other sites on the same server through the database.

25. Restrict permissions for database users

When you set up a WordPress site for the first time, you may, for lack of information, give the database user improper permissions and introduce risk.

Typically, the database user needs only the following permissions: for the vast majority of daily WordPress operations, read and write access to the database through SELECT, INSERT, UPDATE, and DELETE is enough.

You can remove the DROP (delete a database or data table), ALTER (change a data table), and GRANT (assign database or data table permissions) permissions.

Note: Some of the WordPress major version upgrades may require these permissions (such as to modify a data table), but most of the daily work does not need these permissions. You can change the settings temporarily when needed.
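The check below is an added example, not code from this article: a shell function that reads the output of MySQL's SHOW GRANTS and flags accounts that break step 24 (one account reaching several databases) or step 25 (privileges beyond SELECT, INSERT, UPDATE and DELETE). The account and database names wp_shop and wp_blog and the sample grants are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit SHOW GRANTS output for steps 24-25.

# sample_grants: constructed output, as if SHOW GRANTS had been run for two
# hypothetical accounts, wp_shop and wp_blog.
sample_grants() {
    cat <<'EOF'
GRANT USAGE ON *.* TO `wp_shop`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_shop`.* TO `wp_shop`@`localhost`
GRANT USAGE ON *.* TO `wp_blog`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, ALTER ON `wp_blog`.* TO `wp_blog`@`localhost` WITH GRANT OPTION
GRANT ALL PRIVILEGES ON `wp_shop`.* TO `wp_blog`@`localhost`
EOF
}

# audit_grants: read GRANT statements on stdin, print one finding per line.
#   EXCESS   privileges beyond SELECT/INSERT/UPDATE/DELETE (step 25)
#   GRANTOPT account may hand its privileges to others (step 25)
#   GLOBAL   privileges on *.*, i.e. every database (step 24)
#   SHARED   one account reaches more than one database (step 24)
audit_grants() {
    tr -d "\`'" | awk -v allowed="SELECT INSERT UPDATE DELETE" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^GRANT .* ON .* TO / {
        privs = $0; sub(/^GRANT /, "", privs); sub(/ ON .*/, "", privs)
        scope = $0; sub(/^.* ON /, "", scope); sub(/ TO .*/, "", scope)
        user  = $0; sub(/^.* TO /, "", user);  sub(/ .*/, "", user)
        if (privs == "USAGE") next          # USAGE means "no privileges"
        if (scope == "*.*") print "GLOBAL " user
        extra = ""; m = split(privs, p, /, */)
        for (i = 1; i <= m; i++)
            if (!(p[i] in ok)) extra = extra (extra == "" ? "" : ",") p[i]
        if (extra != "") print "EXCESS " user " " scope " " extra
        if ($0 ~ / WITH GRANT OPTION/) print "GRANTOPT " user " " scope
        if (!seen[user, scope]++) { dbs[user] = dbs[user] " " scope; cnt[user]++ }
    }
    END { for (u in cnt) if (cnt[u] > 1) print "SHARED " u dbs[u] }'
}

sample_grants | audit_grants
```

On a real server, pipe the SHOW GRANTS output for each WordPress database account into audit_grants instead of the sample.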

26. Prohibit File Editing

When you are just starting out, you may often want to tweak the theme or modify plugins, so you need to edit these files. Apart from that, WordPress administrators generally have no need to edit PHP files.

Therefore, once development is complete and your website is up and running, you no longer have to edit the files.

At the same time, allowing administrators to edit these files can open security holes. Once hackers manage to log into your site, they can immediately modify your PHP files and plant Trojans, viruses, or other malicious code in them.

To prevent administrators from editing these PHP files, just put the following code into your wp-config.php file:

define ('DISALLOW_FILE_EDIT', true);

Or you can use the All In One WP Security & Firewall plugin to disable PHP file editing by going to WP Security » FileSystem Security » PHP File Editing.

27. Protect wp-config.php file security

If you compare WordPress files to someone’s body, then the wp-config.php file is the human heart.

We will not explain the importance of the wp-config.php file in detail here; we will cover it later. Just remember that the wp-config.php file stores a lot of important information, including the WordPress site's database name, username, password, authentication keys, and some other important settings. This file is therefore very important, and nobody else should be able to access it.

We strongly recommend strengthening the protection of the WordPress core configuration file (wp-config.php). You may want to move wp-config.php up to a higher-level directory. There is some controversy about the security of PHP files on the web, but everyone agrees that wp-config.php should be protected.

If you have not applied the security measure described in step 23 above (prohibiting execution of PHP code), you can add the following code to the .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

Of course, if you have strictly enforced step 23, then there is no need to carry out this step.
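As an added example (not part of the original article), this shell script statically checks a WordPress directory for the controls from steps 23, 26 and 27. It assumes Apache reads .htaccess files, and besides the article's deny from all it also accepts Require all denied, the Apache 2.4 spelling of the same rule; the function names and the sample tree are made up for the example.

```shell
#!/bin/sh
# Added example (not from the article): static audit for steps 23, 26 and 27.

# has_deny_block FILE TARGET: true if FILE holds a *closed* <Files TARGET>
# section that denies everyone. Accepts the article's Apache 2.2 form
# ("deny from all") and the Apache 2.4 form ("Require all denied").
has_deny_block() {
    [ -f "$1" ] || return 1
    awk -v target="$2" '
        { line = tolower($0); gsub(/[ \t"]+/, " ", line); sub(/^ /, "", line) }
        line ~ /^<files / {
            name = line; sub(/^<files /, "", name); sub(/ ?>.*/, "", name)
            inblk = (name == tolower(target)); deny = 0; next
        }
        line ~ /^<\/files>/ { if (inblk && deny) found = 1; inblk = 0; next }
        inblk && line ~ /^(deny from all|require all denied)/ { deny = 1 }
        END { exit !found }' "$1"
}

# audit_wp ROOT: print one finding per missing control; return 1 if any.
audit_wp() {
    root=$1; rc=0
    for d in wp-includes wp-content/uploads; do
        has_deny_block "$root/$d/.htaccess" '*.php' ||
            { echo "step23: PHP execution not blocked in $d"; rc=1; }
    done
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$root/wp-config.php" 2>/dev/null ||
        { echo "step26: DISALLOW_FILE_EDIT is not set to true"; rc=1; }
    has_deny_block "$root/.htaccess" 'wp-config.php' ||
        { echo "step27: wp-config.php not denied in root .htaccess"; rc=1; }
    return $rc
}

# make_sample ROOT: constructed test tree with steps 26 and 27 done, and
# step 23 done for uploads only (the wp-includes block is left unclosed).
make_sample() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
    printf '<Files *.php>\norder allow,deny\ndeny from all\n</Files>\n' > "$1/wp-content/uploads/.htaccess"
    printf '<files *.php>\norder allow,deny\ndeny from all\n' > "$1/wp-includes/.htaccess"
    printf '<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n' > "$1/.htaccess"
    printf "<?php\ndefine ('DISALLOW_FILE_EDIT', true);\n" > "$1/wp-config.php"
}

if [ -n "${1:-}" ]; then audit_wp "$1"; fi
```

Run it with the WordPress root directory as the only argument; a commented-out define or a Files section without its closing tag is reported as missing.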

(Unfinished, continue reading…)

About the Author: WPC Staff

WPCrons staff have long-term experience with WordPress and like to constantly spot problems and plot how to solve them. We believe you don't need to be a nerd or a programmer or a network engineer to make a difference.
