| # | Item | Description |
|---|---|---|
| 1 | Change the table prefix for all WordPress tables | Change the table prefix from `wp_` to something else. You can do this either during setup or later in the `wp-config.php` file. |
| 2 | Are the WordPress core and plugin versions up to date? | Always make sure you are running the latest WordPress and plugin versions. |
| 3 | Delete any themes or plugins that are not active | Remove inactive themes and plugins that are not in use. |
| 4 | Keep only one theme as a backup and remove the rest | Keep one of the default themes as a fallback and remove the other unused themes. |
| 5 | Make sure a 404 page is created | Make sure that a 404 error page is created. |
| 6 | Do not use root/admin user accounts; every user should have their own account | Avoid using root/admin user accounts: they are generic accounts and are easily recognized. |
| 7 | Create an editor-role user account specifically for publishing content | To separate content updates and keep track of them, have an editor account for publishing content, so that no other settings are changed. |
| 8 | Update the admin email address | Update the admin email address to the client's email. |
| 9 | Enable the site to be crawled | Uncheck the discourage-indexing checkbox for the live site. |
| 10 | Change the security keys (use the generator provided by WordPress.org) | Change the security keys/salts to values generated for this site. |
| 11 | Delete `wp-config-sample.php` | Remove the config sample file. |
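As an added example that is not part of the checklist, the script below covers rows 1 and 10 for a fresh install: it fills every placeholder security key/salt in a `wp-config.php` with a fresh value from PHP's CSPRNG and flags a table prefix that is still `wp_`. The function names and the sample config text are constructed for this example.

```php
<?php
// Added example (not from the checklist): replace placeholder security keys
// and salts with CSPRNG values and flag the default "wp_" table prefix.
// The config text is passed in as a string; the sample below is constructed.

const WP_SALT_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 printable characters, excluding quotes and backslashes so the value can
// sit inside a single-quoted define() without escaping.
function generate_salt(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Replace every define('NAME', 'put your unique phrase here') with a new
// value; constants that already hold a custom value are left untouched.
function replace_placeholder_salts(string $config): string
{
    foreach (WP_SALT_CONSTANTS as $name) {
        $pattern = '/define\s*\(\s*\'' . $name . '\'\s*,\s*\'put your unique phrase here\'\s*\)\s*;/';
        $config = preg_replace_callback($pattern, function () use ($name) {
            return "define( '" . $name . "', '" . generate_salt() . "' );";
        }, $config);
    }
    return $config;
}

// True when $table_prefix is still the default "wp_" (row 1).
function uses_default_prefix(string $config): bool
{
    return (bool) preg_match('/^\s*\$table_prefix\s*=\s*\'wp_\'\s*;/m', $config);
}

// Salt constants that are missing, still the placeholder, or suspiciously short.
function placeholder_salts(string $config): array
{
    $bad = [];
    foreach (WP_SALT_CONSTANTS as $name) {
        $pattern = '/define\s*\(\s*\'' . $name . '\'\s*,\s*\'([^\']*)\'\s*\)/';
        if (!preg_match($pattern, $config, $m)
            || $m[1] === 'put your unique phrase here'
            || strlen($m[1]) < 32) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample resembling the shipped wp-config-sample.php.
$sample = <<<'CFG'
$table_prefix = 'wp_';
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
CFG;

$fixed = replace_placeholder_salts($sample);
echo $fixed, PHP_EOL;
echo 'Salts still weak: ', implode(', ', placeholder_salts($fixed)) ?: 'none', PHP_EOL;
echo uses_default_prefix($fixed)
    ? "Table prefix is still 'wp_': change it before the install runs"
    : 'Table prefix changed', PHP_EOL;
```

The prefix is only reported, not rewritten: editing `$table_prefix` on a site that is already installed leaves the existing `wp_*` tables orphaned, so the change belongs at setup time, as row 1 says. Rotating the salts on a live site simply logs every user out, which is harmless.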
<mark style={{display: 'block', padding: 'inherit', background: '#ffeb3b52' }}>Security guidelines</mark>
| # | Item | Description |
|---|---|---|
| 12 | Change the login slug | Change the login slug. To verify this, open the domain with `/login` appended (for example `https://lorem.com/login`); the request should redirect to the 404 page. If it opens the login page, your site is not secure. |
| 13 | Enable two-factor authentication | Enable two-factor authentication to strengthen security for users logging in. |
| 14 | Use strong passwords for login | Set strong passwords for the users created. This prevents attackers from guessing the password easily. |
| 15 | Hide login error messages | Login error messages can expose your website by telling an attacker whether the username they tried was correct or not. It is wise to hide them from unauthorized logins. To hide login error messages, put the following code in `functions.php`: `function wrong_login() { return 'Wrong username or password.'; } add_filter('login_errors', 'wrong_login');` |
| 16 | Limit login attempts | Limit login attempts to protect your site from brute-force attacks. |
| 17 | Block the REST API | Block the REST API if it is not in use. |
| 18 | Manage 301 redirects | Add 301 redirects for the links requested by the client. |
| 19 | Test for responsiveness | Ensure that your website is responsive and mobile ready by running Google's Mobile-Friendly Test: https://search.google.com/test/mobile-friendly |
| 20 | Limit meta titles | Make sure all pages and posts have a unique title of fewer than 70 characters. |
| 21 | Limit meta descriptions | Make sure all pages and posts have a unique meta description of fewer than 156 characters. |
| 22 | Create a `robots.txt` file | Allow indexing only for the folders you want tracked for SEO. Deny indexing for files with sensitive data. Note that `robots.txt` only steers well-behaved crawlers; it is not an access control. |
| 23 | Protect your `wp-config.php` file | The `wp-config.php` file contains all the confidential details of your site, so it is important to protect it at all costs. |
| 24 | The following files should not be accessible and should redirect to the 404 page: `/readme.html`, `/license.txt`, `/wp-admin/install.php` | Prevent users from accessing these files. Add the redirection rule to `.htaccess`. |
| 25 | Disable the theme and plugin editor | Disable file editing via `wp-config.php` by adding the following line: `define('DISALLOW_FILE_EDIT', true);` |
| 26 | Compress images | Reduce all image sizes by compressing the files with the WP Smush plugin. |
| 27 | Site speed optimization | Make sure the necessary steps are taken to optimize site speed. |
| 28 | Set correct permissions on files and folders | For security, all folders should have `755` permissions and all files `644`. |
| 29 | Set up a weekly database backup | Make sure a database backup is set up on a weekly basis. |
| 30 | Disable comments if they are not in use | Disable the commenting options if they are not used. |
| 31 | Prevent directory access | Prevent your directories from being browsed. To accomplish this, add the following to the `.htaccess` file: `# Prevent folder browsing` followed by `Options All -Indexes` |
| 32 | Scan the website for viruses, malware and security breaches | Scan for viruses, malware and security breaches; resolve anything you find. |
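Rows 15, 16 and 17 all land in PHP hooks. The must-use plugin below is an added example, not code from the checklist or from any plugin: it counts failed logins per client address in a transient and refuses further attempts after a limit, returns one generic error text whatever the cause, and rejects unauthenticated REST requests. The `lh_` prefix, the two limit constants and the lockout wording are assumptions; place the file in `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Added example, not part of the checklist or any plugin it names.
 * The limits below are assumptions; tune them for the site.
 */

const LH_MAX_ATTEMPTS    = 5;
const LH_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// One transient per client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy itself; only swap in a forwarded header if that proxy is trusted.
function lh_attempt_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lh_failed_' . md5($ip);
}

// Row 16: count a failed login. The transient expiry is refreshed on every
// failure, so the lockout runs LH_LOCKOUT_SECONDS from the last attempt.
function lh_record_failure(string $username): void
{
    $key   = lh_attempt_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LH_LOCKOUT_SECONDS);
    if ($count >= LH_MAX_ATTEMPTS) {
        error_log(sprintf('login lockout for %s after %d failures (user %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, sanitize_user($username)));
    }
}
add_action('wp_login_failed', 'lh_record_failure');

// Refuse authentication while locked out. Priority 30 runs after the core
// password check (priority 20), so a correct password is rejected as well.
// An empty username means the login form is just being displayed, not
// submitted, so that case is passed through untouched.
function lh_check_lockout($user, $username, $password)
{
    if ($username === '' || $username === null) {
        return $user;
    }
    if ((int) get_transient(lh_attempt_key()) >= LH_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts', 'Too many failed logins. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lh_check_lockout', 30, 3);

// A successful login clears the counter for that address.
function lh_clear_on_success(string $user_login, WP_User $user): void
{
    delete_transient(lh_attempt_key());
}
add_action('wp_login', 'lh_clear_on_success', 10, 2);

// Row 15: one generic message, so the response does not reveal whether the
// username exists. The lockout text above is replaced by this as well.
function lh_generic_login_error(string $error): string
{
    return 'Wrong username or password.';
}
add_filter('login_errors', 'lh_generic_login_error');

// Row 17: require a logged-in user for every REST route. Errors raised by an
// earlier authentication handler are passed through unchanged.
function lh_require_auth_for_rest($result)
{
    if (true === $result || is_wp_error($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }
    return $result;
}
add_filter('rest_authentication_errors', 'lh_require_auth_for_rest');
```

The REST block still lets the block editor work, because editors are logged in; it does break front-end features that call `/wp-json/` anonymously (contact-form and search plugins are the usual cases), which is why row 17 says to block the API only when it is not in use. Transients are shared across the whole site, so the counter also works with an object cache in front of the database.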
<mark style={{display: 'block', padding: 'inherit', background: '#ffeb3b52' }}>Additional Security pointers</mark>
| # | Item | Description |
|---|---|---|
| 33 | Remove the wlwmanifest link | The wlwmanifest tag is another meta tag that shows up on every WordPress website. It is used by Windows Live Writer, an almost obsolete app for publishing directly to WordPress. Removing this line marginally improves load time, reduces the DOM size and helps the Googlebot crawl (one less link to follow). Add to the theme's `functions.php`: `remove_action('wp_head', 'wlwmanifest_link');` (WordPress 6.3 and later no longer output this tag, so the line only matters on older versions.) |
| 34 | Disable XML-RPC | `add_filter( 'xmlrpc_enabled', '__return_false' );` Note that this filter disables only the XML-RPC methods that require authentication; `xmlrpc.php` itself still responds to requests such as pingbacks. |
| 35 | Disable the RSD service | RSD is a discovery service that helps discover pingbacks and XML-RPC on WordPress blogs. Once XML-RPC and pingbacks are disabled, RSD can safely be disabled as well. To disable it, add this line to the theme's `functions.php`: `remove_action( 'wp_head', 'rsd_link' );` |
| 36 | Limit post revisions | `define( 'WP_POST_REVISIONS', 3 );` |
| 37 | Unload the code for blog functionality (if blogs are not used on the site) | |
| 38 | Disable pingbacks and trackbacks (if blogs/default posts are not in use) | Note: the dashboard setting disables pingbacks only on new posts; pingbacks on older posts remain enabled. To disable pingbacks on older posts: go to Posts > All Posts; bulk-select all posts; in the Bulk Actions drop-down choose Edit, then Apply; in the Pings drop-down choose "Do not allow"; click Update. |
| 39 | Make sure the site does not have any unsafe cross-origin links | If any external link is added to the site, make sure the anchor tag has the attribute `rel="noopener noreferrer"` set. |
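Rows 33, 34, 35 and 38 are each a single hook, and the caveat on row 34 is that `xmlrpc_enabled` leaves the unauthenticated pingback method in place. The must-use plugin below is an added example, not code from the checklist: it combines the checklist's own lines with the extra filters that remove the pingback method, drop the `X-Pingback` header, default new posts to pings closed and close pings on existing posts in one query (the equivalent of the bulk edit in row 38). The `xh_` prefix is an assumption.

```php
<?php
/**
 * Plugin Name: XML-RPC, pingback and discovery cleanup (added example)
 *
 * Added example, not part of the checklist. Put in wp-content/mu-plugins/.
 */

// Row 34: authenticated XML-RPC methods off.
add_filter('xmlrpc_enabled', '__return_false');

// The pingback methods need no authentication and keep answering after
// xmlrpc_enabled is false, so remove them from the method table as well.
function xh_remove_pingback_methods(array $methods): array
{
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
}
add_filter('xmlrpc_methods', 'xh_remove_pingback_methods');

// Stop advertising the endpoint in the X-Pingback response header.
function xh_remove_pingback_header(array $headers): array
{
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'xh_remove_pingback_header');

// Rows 33 and 35: discovery links in <head>. Removing an action that a newer
// WordPress no longer registers is harmless.
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

// Row 38, new posts: force the "default_ping_status" option to closed.
add_filter('pre_option_default_ping_status', function () {
    return 'closed';
});

// Row 38, existing posts: close pings on every post in one statement instead
// of the bulk edit in the dashboard. Returns the number of rows changed.
// Call it once, for example from WP-CLI: wp eval 'echo xh_close_pings_on_existing_posts();'
function xh_close_pings_on_existing_posts(): int
{
    global $wpdb;
    return (int) $wpdb->query(
        "UPDATE {$wpdb->posts} SET ping_status = 'closed'
         WHERE post_type = 'post' AND ping_status <> 'closed'"
    );
}
```

Because pings are a per-post column, a plugin that imports or programmatically creates posts can still open them; the option filter only covers posts created through the normal defaults, so re-run the query after a large import.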
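Row 39 asks for `rel="noopener noreferrer"` on every off-site anchor. Rather than checking links by hand, the added example below (not code from the checklist) filters `the_content` and adds the two tokens to every anchor whose host differs from the site's own host, leaving relative links and existing `rel` values intact. It uses only PHP's bundled `DOMDocument`, so the function also runs stand-alone on the constructed snippet at the bottom; `lorem.com` is the checklist's own placeholder domain.

```php
<?php
// Added example, not from the checklist: add rel="noopener noreferrer" to
// external anchors in post content.

function add_noopener_to_external_links(string $html, string $site_host): string
{
    if (trim($html) === '' || stripos($html, '<a') === false) {
        return $html;
    }

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // post content is a fragment, not a full document
    // The XML declaration fixes the encoding; the wrapper <div> gives the
    // fragment a single root so NOIMPLIED/NODEFDTD skip <html><body> and the DTD.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('a') as $a) {
        $host = parse_url($a->getAttribute('href'), PHP_URL_HOST);
        // No host means a relative, anchor, mailto: or similar link.
        if (!$host || strcasecmp($host, $site_host) === 0) {
            continue;
        }
        $rel = preg_split('/\s+/', trim($a->getAttribute('rel')), -1, PREG_SPLIT_NO_EMPTY);
        foreach (['noopener', 'noreferrer'] as $token) {
            if (!in_array($token, $rel, true)) {
                $rel[] = $token;
            }
        }
        $a->setAttribute('rel', implode(' ', $rel));
    }

    // The first <div> in document order is the wrapper; emit its children only.
    $wrap = $doc->getElementsByTagName('div')->item(0);
    $out  = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Hook into WordPress when loaded as a plugin; priority 20 runs after wpautop.
if (function_exists('add_filter')) {
    add_filter('the_content', function (string $content): string {
        $host = (string) wp_parse_url(home_url(), PHP_URL_HOST);
        return add_noopener_to_external_links($content, $host);
    }, 20);
}

// Constructed sample for a stand-alone run: one external, one relative,
// one external link that already carries a rel value.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $sample = '<p>See <a href="https://example.org/docs">the docs</a>, '
            . '<a href="/about">about us</a> and '
            . '<a href="https://example.org/x" rel="nofollow">more</a>.</p>';
    echo add_noopener_to_external_links($sample, 'lorem.com'), PHP_EOL;
}
```

A subdomain such as `www.lorem.com` is treated as external when the site host is `lorem.com`; extend the host comparison if the site serves both. Since WordPress 5.1 the editor already adds `noopener` to links saved with `target="_blank"`, so this filter mainly covers links without a target and content that arrives through imports or other plugins.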