
22/11/2016

WordPress Security Complete 17 Step Guide


WordPress Security Complete 17 Step Guide


Brian Jackson | Updated: August 17, 2016

WordPress is the most popular CMS on the web and is now powering over 26.5% of all websites
(http://w3techs.com/technologies/details/cm-wordpress/all/all). Since it holds such a large piece of the market share, it attracts
additional security concerns and increases your risk of attack when vulnerabilities are discovered. Follow our complete guide below on
what you can do to harden your WordPress security and help prevent yourself from getting hacked or becoming a victim of the next
brute-force attack.

WordPress Vulnerabilities
Where are you at risk the most when it comes to WordPress? Well, according to WP Scan (http://wpscan.org/), a black box WordPress
vulnerability scanner, there have been 4,618 vulnerabilities (2,355 unique) reported to date. 52% of the vulnerabilities reported
were in WordPress plugins. WordPress core accounts for 37% and WordPress themes account for 11%. This has also been confirmed by
Wordfence findings, where they discovered that 55.9% of vulnerabilities came from plugins
(https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/).


Src: WP Scan Vulnerabilities by Component (https://wpvulndb.com/statistics)

What types of vulnerabilities are they? According to WP Scan, 39% of WordPress vulnerabilities are cross-site scripting (XSS
(https://en.wikipedia.org/wiki/Cross-site_scripting)). Here is the breakdown of the rest in order:
SQLI: 15%
Upload: 11%
CSRF: 7%
Multi: 6%
Unknown: 6%
LFI: 3%
RCE: 3%
FPD: 2%
Auth bypass: 2%
RFI: 2%
Bypass: 2%
Redirect: < 1%
XXE: < 1%
DOS: < 1%
SSRF: < 1%
And below are the top WordPress versions with the most vulnerabilities. As you can see, WordPress 3.8.1 and 3.7.1 have the most
security vulnerabilities.


Src: WP Scan WordPress Versions with Vulnerabilities (https://wpvulndb.com/statistics)

Here are some recommended sites to stay on top of all of the WordPress security vulnerabilities.
WP Security Bloggers (http://www.wpsecuritybloggers.com/blog): an aggregate feed of over 15 security sources
WP Scan Vulnerability Database (https://wpvulndb.com/)
Sucuri WordPress Security Blog (https://blog.sucuri.net/category/wordpress-security)
CVE Details (http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/)

WordPress Security 2016
As you can see, there are probably a lot more security vulnerabilities than you even thought! They are constantly popping up, which
means you are always at risk of being attacked or hacked. You can never prevent these things from happening 100% of the time; the
best thing you can do is implement the best security practices to protect yourself. Follow the recommendations below to harden your
WordPress security.

WordPress Security Index


1. Keep WordPress and Plugins Up to Date
2. Smart Usernames and Passwords
3. Two Factor Authentication
4. WordPress Security Plugins
5. Block Bad Bots
6. Secure Connections
7. File Permissions
8. Database Security
9. Lock Down WordPress Login
10. Securing wp-config.php
11. Disable Includes Browsing and File Editing
12. SSL Certificate
13. Disable XML-RPC
14. Disable JSON REST API
15. Disable File Editing in the Dashboard
16. Harden HTTP Security Headers
17. Hide WordPress Version

1. Keep WordPress and Plugins Up to Date


You should always keep your version of WordPress up to date (http://codex.wordpress.org/Updating_WordPress) as well as all of
your plugins. Developers patch these for a reason, and if you fall too far behind you will open yourself up to a lot of vulnerabilities,
as hackers generally target older versions. You can always download the latest version of WordPress from wordpress.org
(https://wordpress.org/). Since WordPress 3.7, WordPress has added automatic updates, which means you will most likely see the update
in your dashboard and you can simply click to update.

It is also recommended to only use trusted WordPress plugins and themes. Get your plugins and themes from the WordPress
repository or from well-known companies. This will cause fewer problems for you in the future.
Always back up your website! If you maintain regular backups (http://codex.wordpress.org/WordPress_Backups), you can easily roll
back and restore your website if you are attacked. We also recommend running backups before you update your WordPress version and
plugins. If you happen to be on a managed WordPress host, many of them now offer one-click staging areas which are perfect for
testing updates before you touch your production site.
There are also many backup plugins available which you can use to back up your WordPress site and database. Here are some popular
ones:
VaultPress (https://wordpress.org/plugins/vaultpress/)
UpdraftPlus Backup and Restoration (https://wordpress.org/plugins/updraftplus/)
blogVault (https://wordpress.org/plugins/blogvault-real-time-backup/)
BackWPup Free (https://wordpress.org/plugins/backwpup/)

2. Use Smart Usernames and Passwords


Be smart with your usernames and passwords in WordPress. Don't use admin as your username, and choose a complex password.
This is probably one of the best ways to harden your WordPress security, and ironically it is one of the easiest. However, many
people use something they can easily remember, such as 1234567, and end up regretting it later when they are caught by a brute-force
attack. Remember there are bots constantly crawling the internet, and as your site grows they will always be trying to spoof your
login. See this guide on how to choose a strong password (http://www.bu.edu/infosec/howtos/how-to-choose-a-password/) and this
guide on how to change your WordPress admin username (https://premium.wpmudev.org/blog/change-admin-username/).

"Around 8% of hacked WordPress websites are down to weak passwords." WP Template
(http://www.wptemplate.com/features/safetyandsecurityofwordpressbloginfographic.html)

We recommend using a free program like KeePass (http://keepass.info/) or KeePassX (https://www.keepassx.org/) which allow you to
generate secure passwords and store them in a database locally on your computer.

3. Two Factor Authentication


You can also enable two-factor authentication on your WordPress install to further prevent someone from getting access to your
site. We highly recommend the free Google Authenticator (https://wordpress.org/plugins/google-authenticator/) plugin. It is free for an
unlimited number of users. Simply install the plugin and click into a user account. You can then set up two-factor authentication by
creating a new secret key or by simply scanning the QR code. Then make sure to mark it Active.


(https://blog.keycdn.com/blog/wp-content/uploads/2015/12/wordpress-two-factor-authentication.webp)
Your login page will then have an additional option for your Google Authenticator code.

(https://blog.keycdn.com/blog/wp-content/uploads/2015/12/two-factor-login-wordpress.webp)
Here are some additional plugins that feature two-factor auth.
Clef Two-Factor Authentication (https://wordpress.org/plugins/wpclef/)
Wordfence Security (https://wordpress.org/plugins/wordfence/)
Two-Factor Authentication (Google Authenticator) (https://wordpress.org/plugins/miniorange-2-factor-authentication/)
Simple Security Firewall (https://wordpress.org/plugins/wp-simple-firewall/)

4. Use WordPress Security Plugins


There are a lot of good WordPress security plugins which will lock down your site and help protect you from brute-force attacks. These
plugins allow you to block malicious networks, view WHOIS reports on visitors, rate limit or block security threats, enforce strong
passwords, scan for vulnerabilities, see which files have changed, implement a firewall to block common security threats, monitor DNS
changes, view real-time traffic and much more.

Src: Wordfence Real-Time Traffic (https://www.wordfence.com)

Here are some popular WordPress security plugins:


Sucuri Security (https://wordpress.org/plugins/sucuri-scanner/)
iThemes Security (https://wordpress.org/plugins/better-wp-security/)
Wordfence Security (https://wordpress.org/plugins/wordfence/)
Simple Security Firewall (https://wordpress.org/plugins/wp-simple-firewall/)
We highly recommend the free WP fail2ban (https://wordpress.org/plugins/wp-fail2ban/) plugin. fail2ban is one of the simplest and
most effective security measures you can implement to prevent brute-force password-guessing attacks. This plugin is very lightweight.
Note: you must have fail2ban installed and configured (https://www.linode.com/docs/security/using-fail2ban-for-security) on your
server to use this plugin.
There is also another great WordPress security log plugin which we personally recommend: WP Security Audit Log
(https://wordpress.org/plugins/wp-security-audit-log/). This is especially useful for multiple-author sites and being able to quickly
see what pages and posts were last changed.


5. Block Bad Bots


There are always bad bots, scrapers, and crawlers hitting your WordPress sites and stealing your bandwidth. See a comprehensive list of
bots at botreports.com (http://www.botreports.com/). Many of the security plugins mentioned above work great to block bad bots,
but sometimes you might need to do this at the server level. If you wanted to block multiple User-Agent strings at once, you could add
the following to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|CatallSpider).*$ [NC]
RewriteRule .* - [F,L]

Or you can also use the BrowserMatchNoCase directive like this:

BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "CatallSpider" bots
Order Allow,Deny
Allow from ALL
Deny from env=bots

And here is an example on Nginx.

if ($http_user_agent ~ "(agent1|Wget|CatallSpider)") {
    return 403;
}

KeyCDN also now has a feature which you can enable to block bad bots (https://www.keycdn.com/blog/block-bad-bots/) on the CDN side
to save money on bandwidth.
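The three snippets above share one User-Agent list but not quite one rule: the Apache RewriteCond carries [NC] (case-insensitive), while the nginx "~" operator is case-sensitive ("~*" is the case-insensitive form). The following Python script is an added example, not code from the original post: it replays constructed access-log lines (made-up requests from documentation IP addresses) against both interpretations so you can see which requests each would have blocked.

```python
import re

# The User-Agent pattern used in the page's .htaccess and nginx snippets.
BOT_PATTERN = r"(agent1|Wget|CatallSpider)"

# Apache: RewriteCond %{HTTP_USER_AGENT} ^.*(...).*$ [NC]  -> [NC] makes it case-insensitive.
APACHE_RULE = re.compile(r"^.*" + BOT_PATTERN + r".*$", re.IGNORECASE)
# Nginx: if ($http_user_agent ~ "(...)")  -> "~" is case-sensitive ("~*" would not be).
NGINX_RULE = re.compile(BOT_PATTERN)

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (203.0.113.0/24 is a documentation range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [22/Nov/2016:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/54.0 Safari/537.36"',
    '203.0.113.11 - - [22/Nov/2016:10:00:02 +0000] "GET /readme.html HTTP/1.1" 200 7345 "-" '
    '"Wget/1.18 (linux-gnu)"',
    '203.0.113.12 - - [22/Nov/2016:10:00:03 +0000] "GET /wp-includes/ HTTP/1.1" 403 199 "-" '
    '"wget/1.12 (linux-gnu)"',
    '203.0.113.13 - - [22/Nov/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 15000 "-" '
    '"Mozilla/5.0 (compatible; catallspider/1.0)"',
    '203.0.113.14 - - [22/Nov/2016:10:00:05 +0000] "GET /feed/ HTTP/1.1" 200 4000 "-" '
    '"CatallSpider"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(user_agent):
    """Return (blocked_by_apache_rule, blocked_by_nginx_rule) for one User-Agent string."""
    return (APACHE_RULE.match(user_agent) is not None,
            NGINX_RULE.search(user_agent) is not None)


def audit(lines):
    """Replay log lines against both rule sets; each result records what each would block."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: not in the combined format
        apache, nginx = classify(entry["ua"])
        results.append({"ip": entry["ip"], "ua": entry["ua"],
                        "apache": apache, "nginx": nginx})
    return results


def disagreements(lines):
    """User-Agents that one rule set blocks and the other lets through."""
    return [r for r in audit(lines) if r["apache"] != r["nginx"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f'{r["ip"]:<14} apache={r["apache"]!s:<5} nginx={r["nginx"]!s:<5} {r["ua"]}')
```

Run it against a real access log with the same SAMPLE_LOG shape (one combined-format line per entry) to find User-Agents that the nginx form would let through; switching the operator to "~*" closes that gap.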

6. Always Use Secure Connections


No matter where you are, you should always try to ensure the connections you are using are secure. You should use SFTP encryption
if your web host provides it, or SSH. If you are using an FTP client, the default port for SFTP is usually 22.

Note: Some FTP clients store passwords encoded or in plain text on your computer. Even some encoded passwords can be converted
back to the original. We recommend not saving FTP passwords in the client, or setting up what some call a master password
(https://winscp.net/eng/docs/master_password).
It is also important to make sure your firewall rules (http://www.techworld.com/tutorial/security/home-router-security-2015-9-settingsthat-will-keep-bad-guys-out-3609122/) are set up properly on your home router. And remember, whenever you work from a public place
like an internet cafe or Starbucks, these are not trusted networks.
Your web host where your website resides should also be running secured hosting. This means they should be running up to date and
supported versions of PHP, MySQL, account isolation, web application firewalls, etc. Be careful with cheap shared hosts, as you can run
into issues if they are overcrowding servers and sharing IPs.

7. Check File Permissions


To protect your website you want to make sure you use the correct file permissions. Each directory and file has different permissions
which allow people to read, write and modify them. If your permissions are too loose this could open up a door for an intruder, and if
they are too restrictive this could break your WordPress install, as plugins and WP core need to be able to write to certain directories.
Below is an example of a possible permission scheme. All files should be owned by your user account, and should be writable by you. Any
file that needs write access from WordPress should be writable by the web server.
/ : All files in the root WordPress directory should be writable only by your user account, except .htaccess if you want WordPress to
automatically generate rewrite rules for you.
/wp-admin/ : All files in the WordPress administration area should be writable only by your user account.
/wp-includes/ : All files in the wp-includes folder should be writable only by your user account.
/wp-content/ : The content in the wp-content folder is usually user supplied and is intended to be writable by your user account and the
web server process.
/wp-content/themes/ : If you want to use the built-in theme editor, all files in the themes folder need to be writable by the web server
process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
/wp-content/plugins/ : All files in the plugins folder should be writable only by your user account.
Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them.
Permissions may vary. To reset the default file permissions on your WordPress installation, you may use the following commands within a
CLI.

find /path/to/site/ -type f -exec chmod 664 {} \;
find /path/to/site/ -type d -exec chmod 775 {} \;
chgrp -R www-data /path/to/site/

Additionally, the WordPress Codex has an in-depth guide on changing file permissions
(https://codex.wordpress.org/Changing_File_Permissions) and recommendations for what they should be set to.
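To check an install against the scheme above before (or after) running those commands, here is an added Python audit script that is not from the original post: it walks a tree, reports every file or directory whose mode differs from 664/775, singles out world-writable entries, and can apply the same chmod changes; chgrp is left out because it needs the web server's group. demo_tree() builds a constructed sample install in a temporary directory.

```python
import os
import stat
import tempfile

# The scheme the page applies with find/chmod: regular files 664, directories 775.
FILE_MODE = 0o664
DIR_MODE = 0o775


def _mode(path):
    """Permission bits of path (symlinks are never followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def _entries(root):
    """Yield (path, expected_mode) for root and everything below it."""
    yield root, DIR_MODE
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            yield os.path.join(dirpath, name), DIR_MODE
        for name in filenames:
            yield os.path.join(dirpath, name), FILE_MODE


def audit_permissions(root):
    """Return (relative_path, actual, expected, reason) for every entry off the scheme.
    World-writable entries get their own reason because they are the dangerous case."""
    findings = []
    for path, expected in _entries(root):
        if os.path.islink(path):
            continue  # a symlink's bits are meaningless; its target is audited on its own
        actual = _mode(path)
        if actual == expected:
            continue
        reason = "world-writable" if actual & stat.S_IWOTH else "mode mismatch"
        findings.append((os.path.relpath(path, root), oct(actual), oct(expected), reason))
    return findings


def apply_permissions(root):
    """The two find/chmod commands from the page, as Python. chgrp is left to the
    administrator because it needs the web server's group and usually root."""
    for path, expected in _entries(root):
        if not os.path.islink(path):
            os.chmod(path, expected)


def demo_tree():
    """Constructed sample install with two deliberate mistakes: a world-writable
    wp-config.php and a world-writable uploads directory. Returns its path."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    os.chmod(root, DIR_MODE)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.makedirs(os.path.join(root, "wp-includes"))
    for rel in ("wp-config.php", "index.php", "wp-includes/version.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    site = demo_tree()
    for finding in audit_permissions(site):
        print("%-30s is %s, expected %s (%s)" % finding)
    apply_permissions(site)
    print("after fix:", audit_permissions(site))
```

Point audit_permissions() at a real document root first and read the world-writable findings before letting apply_permissions() touch anything; a plugin that documents a different mode for its own directory (see the scheme above) will show up as a mode mismatch, which is expected.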

8. Database Security
Not only do you need to check permissions on your files, but there are also things you can do to harden the security of your WordPress
database. The first thing we recommend is using a different table prefix. By default WordPress uses wp_. If you change this to something
like x3sdf_ it will make it much harder for an intruder to guess.
You can change your table prefix on the setup screen when you are installing WordPress.

Src: WP Site Building (http://wpsitebuilding.com/wordpress-installation)

If you already have WordPress installed, you can use one of the popular WordPress plugins below to change the prefix, or change the
database prefix via phpMyAdmin (http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improvesecurity/).
Sucuri Security (https://wordpress.org/plugins/sucuri-scanner/)
iThemes Security (https://wordpress.org/plugins/better-wp-security/)
Change DB Prefix (https://wordpress.org/plugins/db-prefix-change/)
The second recommendation would be to change your database name (https://premium.wpmudev.org/blog/change-database-name/) to
make it harder to guess.

9. Lock Down WordPress Login Page


Locking down your /wp-admin login page is by far the easiest security precaution you can implement. On most websites there are
thousands of failed login attempts per day that you probably never even realized. With many of the security plugins we mentioned above
you can actually see a log of how many attempts there are.

Src: Small Biz Geek WordFence (http://www.smallbizgeek.co.uk/tools/wordfence/)

And if you are using admin as your username, which you shouldn't be, don't be surprised to see a very high number! What can you do?
Well, there are a couple of things. One is that many of the security plugins allow you to limit the login attempts allowed in their
configuration pages.

The second thing you could do is actually change your login URL. There is a great little free WordPress plugin called WPS Hide Login
(https://wordpress.org/plugins/wps-hide-login/) which will do just that. Feel free to get creative and make your login URL something hard
to guess. You will instantly see the number of login attempts drop dramatically after doing this.

Using the security plugins you can also limit access to your login URL by restricting it to an IP address in your .htaccess file, or even
password protect your login page (http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admindirectory/).

10. Securing wp-config.php


Your wp-config.php contains all the necessary information for an intruder to gain access to your database. This is the most important
file in your entire WordPress install. There are a couple of things you can do to protect it.
1. You can prevent the file from being accessed by adding a snippet to your .htaccess file.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

2. You can also move your wp-config.php file to a non-www accessible directory. Some have argued about the benefits of this, but
here is a good explanation (http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-reallybeneficial/74972#74972).
To move your wp-config.php file, simply copy everything out of it into a different file. Then in your wp-config.php file you can place the
following snippet to simply include your other file. Note: the directory path will differ based on your web host and setup.

<?php
include('/home/yourname/config.php');

3. WordPress Security Keys handle the encryption of information stored in users' cookies. By default these are generated randomly for
each WordPress install. But if your WP site has gone through a couple of migrations or changed hands, it can be good to regenerate
fresh encryption keys. WordPress actually provides a Salt Key Generator (https://api.wordpress.org/secret-key/1.1/salt/) which you
can use to obtain a fresh random set of keys.

(https://blog.keycdn.com/blog/wp-content/uploads/2015/12/secret-keys-wp-config-file.webp)
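The key rotation in step 3 can also be done offline. The following Python script is an added example and not the page's or WordPress's own code: it generates the eight constants WordPress expects (the constant names are WordPress core's; the character set is our own choice, not necessarily the api.wordpress.org generator's) and swaps them into a wp-config.php body, inserting any that are missing before $table_prefix. SAMPLE_CONFIG is a constructed fragment with the stock placeholder values.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php (names are WordPress core's).
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
KEY_LENGTH = 64
# Assumption (ours): printable ASCII minus the two characters that would need escaping
# inside a single-quoted PHP string. Not necessarily the alphabet api.wordpress.org uses.
ALPHABET = string.ascii_letters + string.digits + "".join(
    c for c in string.punctuation if c not in "'\\")

# Constructed sample wp-config.php fragment with the stock placeholder values.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
$table_prefix = 'wp_';
"""

_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\);")


def generate_key(length=KEY_LENGTH, alphabet=ALPHABET):
    """One key from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_salts():
    """Fresh value for each of the eight constants, in WordPress's order."""
    return {name: generate_key() for name in KEY_NAMES}


def render_defines(salts):
    """The define() lines in the form the page's salt generator prints."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in salts.items())


def parse_defines(config_text):
    """All define('NAME', 'value') pairs found in a wp-config.php body."""
    return dict(_DEFINE_RE.findall(config_text))


def rotate_keys(config_text, salts):
    """Replace the existing key/salt defines in config_text with salts. Constants that are
    absent are inserted before $table_prefix (wp-settings.php must see them), else appended."""
    missing = []
    for name in KEY_NAMES:
        pat = re.compile(r"define\(\s*'" + name + r"'\s*,\s*'(?:[^'\\]|\\.)*'\s*\);")
        new_line = f"define('{name}', '{salts[name]}');"
        if pat.search(config_text):
            config_text = pat.sub(lambda _m: new_line, config_text, count=1)
        else:
            missing.append(new_line)
    if missing:
        block = "\n".join(missing) + "\n"
        lines = config_text.splitlines(keepends=True)
        idx = next((i for i, l in enumerate(lines)
                    if l.lstrip().startswith("$table_prefix")), None)
        if idx is None:
            config_text = config_text.rstrip("\n") + "\n" + block
        else:
            lines.insert(idx, block)
            config_text = "".join(lines)
    return config_text


if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG, generate_salts()))
```

Rotating the keys invalidates every existing login cookie, so all users are signed out once the new file is in place.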

11. Disable Includes Browsing and File Editing


Another common security issue is that people leave their http://www.domain.com/wp-includes/ directory wide open for browsing.
Hackers can easily find potential exploits by sniffing through those files, or even determine the version of WordPress you might be
running based on the included files. If set up correctly, this directory should return a 403 Forbidden error.
To prevent access, simply add the following snippet to your .htaccess file.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

And if you're on Nginx, use this.

location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*.php { deny all; }
location /wp-includes/ { internal; }


12. SSL Certificate


It always comes back around to moving to the secure web. For eCommerce sites, the reason you need an SSL certificate is that they are
processing sensitive data. For other sites the biggest reason for this is your WordPress login page. If you aren't running over an HTTPS
connection, your username and password are sent in clear text over the internet. You can see an example in this article on how to
actually sniff and capture WordPress logins (http://www.wpwhitesecurity.com/wordpress-security/hacking-wordpress-login-capturingusernames-passwords/) over unsecured connections using free tools. Many people will argue that blogs and informational sites
don't need to be running on HTTPS, but how important are your login credentials? Also, many sites have multiple authors logging in from
all sorts of different networks, so running over a secured connection can only help harden your WordPress security.

We wrote a guide on how to migrate from HTTP to HTTPS (https://www.keycdn.com/blog/http-to-https/). Once you are running on HTTPS,
it is recommended to force SSL usage by adding the following to your wp-config.php file.

define('FORCE_SSL_ADMIN', true);

With the SEO advantages of HTTPS and the performance benefits of HTTP/2 (https://www.keycdn.com/support/http2/) there is no reason
not to be using an SSL certificate. And with the Let's Encrypt project moving forward, web hosts and CDNs are already starting to offer
free certs.

13. Disable XML-RPC


A while back there were a number of brute force attacks exploiting XML-RPC (https://blog.sucuri.net/2014/07/new-brute-force-attacksexploiting-xmlrpc-in-wordpress.html) in WordPress, as reported by Sucuri. 99% of people most likely don't use this function anyway and
can disable it. There is a great article from Jesse Nickles on how (and why) to disable WordPress XML-RPC
(https://www.littlebizzy.com/blog/disable-xml-rpc).
You can install the free WordPress plugin Disable XML-RPC (https://wordpress.org/plugins/disable-xml-rpc/) from the WordPress
repository. Basically, this plugin disables the XML-RPC API on a WordPress site running 3.5 or above. You can also block access to this
file (in the Apache example, replace 123.123.123.123 with an address that still needs access, or drop the allow line entirely):

Block XML-RPC in Apache

## block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Block XML-RPC in Nginx

## block any attempted XML-RPC requests
location = /xmlrpc.php {
    deny all;
}

You can test to see if XML-RPC is successfully blocked by running it through the WordPress XML-RPC validation service
(http://xmlrpc.eritreo.it/).


14. Disable JSON REST API


Included in WordPress since version 4.4 is the JSON REST API. This is used by a lot of plugin developers to retrieve data using GET
requests. But it could also open up your site to DDoS attacks and other things. You can easily disable it by adding the following code to
your functions.php file. Note: This may break certain plugins if they are using the JSON REST API. Usually they will warn you if they are.

add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');

Alternatively, you can also download and install the free Disable JSON API (https://wordpress.org/plugins/disable-json-api/) plugin if you
aren't comfortable with editing your code. Note: The plugin only uses the filters built into the official WordPress REST API meant for
disabling its functionality. So long as your other REST API does not also use those filters to allow itself to be disabled (and it
shouldn't), you should be safe.

15. Disable File Editing in the Dashboard


One last thing that is recommended is to disable file editing from within the dashboard. We are referring to the files you can
normally edit directly from Editor under the Appearance menu in your dashboard. If you really need to make changes to those files, do
it over SFTP.

To disable this method of file editing, simply add the following snippet to your wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

16. Harden HTTP Security Headers


HTTP security headers provide yet another layer of security for your WordPress site by helping to mitigate attacks and security
vulnerabilities. They usually only require a small configuration change on your web server. These headers tell your browser how to
behave when handling your site's content. Below are six common HTTP security headers we recommend implementing and/or updating.

(https://blog.keycdn.com/blog/wp-content/uploads/2015/12/wordpress-security-headers.webp)
Content-Security-Policy (https://www.keycdn.com/support/content-security-policy/)
X-XSS-Protection (https://www.keycdn.com/blog/http-security-headers/)
Strict-Transport-Security (https://www.keycdn.com/support/http-strict-transport-security/)
X-Frame-Options (https://www.keycdn.com/blog/http-security-headers/)
Public-Key-Pins (https://scotthelme.co.uk/hpkp-http-public-key-pinning/)
X-Content-Type-Options (https://www.keycdn.com/blog/http-security-headers/)
Make sure to check out our in-depth post on HTTP security headers (https://www.keycdn.com/blog/http-security-headers/).
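To verify what a server actually sends after the change, here is an added Python checker, not code from the original post: it parses a response head as curl -I prints it and grades the six headers above as missing, weak or ok. The per-header value checks and the HSTS max-age threshold of one year are our own assumptions; WEAK_RESPONSE and HARDENED_RESPONSE are constructed samples.

```python
import re

# Assumption (ours, not the page's): an HSTS max-age below one year is reported as weak.
HSTS_MIN_AGE = 31536000

# Constructed sample response heads, as "curl -I https://example.test/" would print them.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOW-FROM https://example.test
Strict-Transport-Security: max-age=3600
X-XSS-Protection: 0
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.test; object-src 'none'
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""


def parse_raw_headers(raw):
    """Header dict from a response head. The status line is skipped; a repeated header
    keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def _check_csp(value):
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "weak: neither script-src nor default-src is set"
    if "'unsafe-inline'" in script or "*" in script:
        return "weak: scripts allowed inline or from any origin"
    return "ok"


def _check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if m is None:
        return "weak: no max-age"
    if int(m.group(1)) < HSTS_MIN_AGE:
        return "weak: max-age below %d" % HSTS_MIN_AGE
    if "includesubdomains" not in value.lower():
        return "weak: includeSubDomains not set"
    return "ok"


CHECKS = {
    "Content-Security-Policy": _check_csp,
    "X-XSS-Protection": lambda v: "ok" if v.replace(" ", "").lower() == "1;mode=block"
    else "weak: expected '1; mode=block'",
    "Strict-Transport-Security": _check_hsts,
    "X-Frame-Options": lambda v: "ok" if v.strip().upper() in ("DENY", "SAMEORIGIN")
    else "weak: expected DENY or SAMEORIGIN",
    # Listed on the page; browsers have since removed HPKP support, so only presence
    # is recorded here and its absence is informational.
    "Public-Key-Pins": lambda v: "ok",
    "X-Content-Type-Options": lambda v: "ok" if v.strip().lower() == "nosniff"
    else "weak: expected nosniff",
}


def check_security_headers(headers):
    """{header: 'ok' | 'missing' | 'weak: reason'} for the six headers on the page.
    Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        value = lower.get(name.lower())
        report[name] = "missing" if value is None else check(value)
    return report


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for name, verdict in check_security_headers(parse_raw_headers(raw)).items():
            print("  %-26s %s" % (name, verdict))
```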

17. Hide WordPress Version


Another good suggestion is to hide your WordPress version. Anyone that looks at the source code of your site can easily tell what version
of WordPress you are running, and if you aren't good at keeping up with the latest updates this can be a welcome sign for hackers.

(https://blog.keycdn.com/blog/wp-content/uploads/2015/12/wordpress-security-remove-version-number.webp)
WPBeginner (http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/) came up with a good
solution. Simply add this to your functions.php file.

function wpversion_remove_version() {
    return '';
}
add_filter('the_generator', 'wpversion_remove_version');

Also, you need to delete the readme.html file located in the root of your WordPress install, because this also contains the WordPress
version.

(https://blog.keycdn.com/blog/wp-content/uploads/2015/12/wordpress-readme-file.webp)
Simply log in via FTP and delete it.

domain.com/readme.html

Summary
As you can see, there are many ways you can harden your WordPress security: keeping WordPress and plugins up to date, being
smart with usernames and passwords, using security plugins, secure connections, database security tricks, locking down your WordPress
login page, securing your wp-config.php file, using an SSL certificate and more. Many of these recommendations can be implemented
within a matter of minutes, and you can rest easy knowing your WordPress site is a little more secure from intruders and hackers.
Have any other good WordPress security tips that you think we missed? If so, let us know below in the comments!

Related Articles
Complete Guide: How to Migrate from HTTP to HTTPS (https://www.keycdn.com/blog/http-to-https/)
Complete Guide: How to Speed Up WordPress (https://www.keycdn.com/blog/speed-up-wordpress/)


10 Comments

LiewCF, 4 months ago

Thanks for the WP plugin recommendations. WP fail2ban + WPS Hide Login make a good security combo!

Brian Jackson > LiewCF, 4 months ago

Definitely agree, that is a great combo.

Et Veritas Liberabit Vos, a month ago

For hide wp version there is also:
remove_action('wp_head', 'wp_generator');

Et Veritas Liberabit Vos, a month ago

Thanks for the post. About readme.html, maybe it is better to hide it like xmlrpc.php, because after an upgrade I suppose this is added again.
<Files readme.html>
Order allow,deny
Deny from all
</Files>

Tyrohn White, 3 months ago

Article with good infographics and which explained every detail. Keep posting articles to spread more information about WordPress.

Lucy Barret, 3 months ago

Security of your WordPress website is the prime concern for every site or blog owner. Such articles do help in great deal for those who are new to
WordPress.

Vlada Smitka, 4 months ago

I have just translated my slides about WP security from WordCamp Prague 2016, hope it can be helpful http://www.slideshare.net/vsmi...

Kaspar Lavik, 5 months ago

Outstanding post! Thanks for sharing your great experience through these effective and helpful tips.

Tony Perez, 5 months ago

Nice article @BrianJackson
Thanks for referencing Sucuri, because you reference stats I thought you might also want to take a look at our Q1 Trend report:
https://sucuri.net/websitesec... it might provide better insights into the impacts vulnerabilities are having in the community.
Also, as I'm sure you know, not all vulnerabilities are equal. So saying there have been a lot of vulnerabilities would be seen different if differentiating
between low and high level issues. XSS is a perfect example of that, half of those disclosures are low level severity issues and not exploitable at
scale. Food for thought.. :)
Thanks for the share, and nice to see KeyCDN sharing these insights.
Tony

charles, 5 months ago

Hello, this is a very good post on security.
I like especially the part on moving wp-config files,
however, it seems that I have encountered some problem of getting it to work as per the above stated settings and methods:
"To move your wp-config.php file simply copy everything out of it into a different file. Then in your wp-config.php file you can place the following
snippet to simply include your other file. Note: the directory path will differ based on your web host and setup."
