  • November 8, 2017

Security for Corporate WordPress Sites

Update!

The most important aspect of WordPress security is also the easiest: keep WordPress core, your themes, and your plugins updated. Delete plugins and themes you no longer use rather than merely deactivating them: a deactivated plugin's PHP files stay on the server and remain reachable by URL, so a vulnerability in one of them is still exposed.

Lock down things you are not using:

Once your site is rolled out, you probably do not need the plugin and theme editor. It lets anyone holding an administrator session write arbitrary PHP to the server, which turns a stolen admin session into remote code execution. Disable it by adding this line to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

You might also want to disable installing and updating plugins and themes from the dashboard. This constant also blocks core updates and implies DISALLOW_FILE_EDIT, so it only makes sense if updates are applied another way (WP-CLI, or your deployment pipeline), and you will still have to run them:

define( 'DISALLOW_FILE_MODS', true );

Restrict how users can log in:

  • Limit login attempts (plenty of plugins do this; throttle by source IP and by username, so a distributed attack against one account is caught as well)
  • Use long, unique passwords; the generator built into the user profile page is fine
  • Two-factor authentication for every account that can publish or administer
  • Force HTTPS for the login page and admin area: set the FORCE_SSL_ADMIN constant in wp-config.php, and arrange the certificate on the hosting side (behind a TLS-terminating proxy, WordPress must also be told the request arrived over HTTPS, otherwise the redirect loops)
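As an added example (not code from the original article, nor from any of the plugins it alludes to), here is a minimal must-use plugin that throttles failed logins per source IP using WordPress transients. The thresholds, the slt_ prefix and the file name are assumptions. It is placed in wp-content/mu-plugins/ so that it cannot be deactivated from the dashboard.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (illustrative)
 * Description: Lock a source IP out of login after repeated failures.
 *
 * Added example, not from the original article. Install as
 * wp-content/mu-plugins/simple-login-throttle.php. The thresholds and
 * the slt_ prefix are assumptions, not WordPress conventions.
 */

defined( 'ABSPATH' ) || exit;

define( 'SLT_MAX_ATTEMPTS', 5 );                          // failures allowed per window
define( 'SLT_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );  // lockout and counting window

/**
 * Transient key for the current client. Only REMOTE_ADDR is trusted:
 * X-Forwarded-For is attacker-controlled unless your proxy overwrites it,
 * in which case have the web server set REMOTE_ADDR from it (mod_remoteip,
 * ngx_http_realip_module) rather than reading the header here.
 */
function slt_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'slt_fail_' . md5( $ip );
}

function slt_failures() {
    return (int) get_transient( slt_client_key() );
}

// wp_login_failed fires after every rejected attempt (wrong password,
// unknown user, or our own lockout error below). Re-setting the transient
// restarts the window, so hammering a locked account only prolongs the lockout.
add_action( 'wp_login_failed', function () {
    set_transient( slt_client_key(), slt_failures() + 1, SLT_LOCKOUT_SECONDS );
} );

// Priority 30 runs after core's username/password check (priority 20), so a
// correct password during a lockout is refused too and the response looks the
// same either way. wp_authenticate() is also what XML-RPC uses, so this filter
// covers that entry point as well.
add_filter( 'authenticate', function ( $user ) {
    if ( slt_failures() >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'slt_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30 );

// A successful login clears the counter, so a user who mistyped once or
// twice is not locked out later by their own history.
add_action( 'wp_login', function () {
    delete_transient( slt_client_key() );
} );
```

Two caveats a practitioner should keep in mind. IP-based lockouts penalise users behind a shared NAT and are trivially spread across many source addresses by a botnet, so this complements two-factor authentication rather than replacing it. Without a persistent object cache, transients live in the options table, which is fine at this volume but is one more reason to keep the window short.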

Protect wp-config.php:

  • Move wp-config.php up one folder. If WordPress does not find wp-config.php in its own directory it looks in the parent directory (as long as that parent does not contain a wp-settings.php, i.e. is not itself a WordPress install), so the file can sit outside the web root where a misconfigured server or a path-traversal bug cannot serve it. Keep it readable only by the web-server user.
  • Don’t use the default table prefix wp_. This does not hide the fact that the site runs WordPress; what it does is break canned SQL injection payloads that assume table names such as wp_users and wp_usermeta. Set the prefix at install time, since changing it later means renaming every table and the prefixed option and user-meta keys.
  • Move the wp-content directory so that bots probing the default /wp-content/plugins/ paths to fingerprint installed plugins come up empty. The new path is still visible in every page’s HTML source, and plugins that hardcode wp-content will break, so treat this as a speed bump rather than protection. The URL must point at the same directory as the path (and if you also moved wp-config.php up a folder, dirname(__FILE__) is no longer the web root; use ABSPATH instead):
    define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/blog/wp-content' );
    define( 'WP_CONTENT_URL', 'https://example.com/blog/wp-content' );
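The settings from the sections above, collected into one wp-config.php fragment as an added example rather than the article's own configuration; the prefix, host name and paths are placeholders. It also shows the FORCE_SSL_ADMIN constant referred to under login restrictions, and uses ABSPATH so the content path stays correct after wp-config.php has been moved above the web root.

```php
<?php
// Hardening fragment for wp-config.php. Added example, not from the original
// article; the prefix, host name and paths are placeholders. wp-config.php is
// included by wp-load.php, which has already defined ABSPATH (the WordPress
// root), so ABSPATH is safe to use here even if this file lives one level up.

// Non-default table prefix: does not hide WordPress, but defeats canned SQL
// injection payloads that assume wp_users / wp_usermeta. Set at install time.
$table_prefix = 'k7q_';

// No plugin/theme editor in the dashboard (admin session != code execution).
define( 'DISALLOW_FILE_EDIT', true );

// No plugin, theme or core installs/updates from the dashboard either.
// Implies DISALLOW_FILE_EDIT. Only set this if updates are applied another
// way (WP-CLI or a deployment pipeline), otherwise you will stop patching.
define( 'DISALLOW_FILE_MODS', true );

// Redirect wp-login.php and wp-admin to HTTPS. Needs a valid certificate on
// the host. Behind a TLS-terminating proxy, is_ssl() must still see HTTPS
// (e.g. set $_SERVER['HTTPS'] from a trusted X-Forwarded-Proto) or the
// redirect loops.
define( 'FORCE_SSL_ADMIN', true );

// Relocated wp-content. Path and URL must point at the same directory; the
// URL uses the site's own scheme and host. Assumed layout: the WordPress
// root is the web root and content lives at /blog/wp-content beneath it.
define( 'WP_CONTENT_DIR', ABSPATH . 'blog/wp-content' );
define( 'WP_CONTENT_URL', 'https://example.com/blog/wp-content' );
```

After changing WP_CONTENT_DIR, check that wp-content/uploads and wp-content/mu-plugins moved with it: both default to paths under WP_CONTENT_DIR, so a must-use plugin left in the old location silently stops loading.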

Do not back up locally using a plugin

Yes, do back up your site, and keep the copies off the server. A good hosting service offers this. Avoid backup plugins: they typically write a full-site archive, including wp-config.php (database credentials and authentication salts) and a database dump, into a directory under wp-content that the web server happily serves. If the file name is predictable or directory listing is enabled, anyone can download your entire site. If you must use one, make sure it stores archives outside the web root or ships them straight to off-site storage.

Be obscure:

  • Do not name the administrator account “admin”. Brute-force tools try it first. Bear in mind that WordPress exposes usernames anyway (author archives, the REST API users endpoint), so treat the login name as non-secret and rely on strong passwords, login throttling and two-factor authentication.
  • Remove the WordPress version from the page header. This does not stop the site being identified as WordPress (the /wp-content/ and /wp-includes/ paths give that away), but it denies scanners the exact release, so they cannot match it against known-vulnerable versions. readme.html in the web root also states the version; delete it or block it at the web server.
  • Avoid putting HTTP basic authentication in front of wp-admin. It breaks front-end requests to wp-admin/admin-ajax.php, which themes and plugins use for logged-out visitors too, and it adds little on top of proper login protection.
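An added example, not code from the original article: a must-use plugin that strips the version from the places WordPress prints it, i.e. the generator meta tag in the page head, the generator string in feeds, and the ?ver= query string that core appends to scripts and styles enqueued without their own version. The file and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (illustrative)
 * Description: Remove the core version from the head, feeds and asset URLs.
 *
 * Added example, not from the original article. Install as
 * wp-content/mu-plugins/hide-wp-version.php so it cannot be deactivated
 * from the dashboard. The hwv_ prefix is an assumption.
 */

defined( 'ABSPATH' ) || exit;

// <meta name="generator" content="WordPress x.y.z"> in the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// The same generator string in RSS/Atom feeds and other contexts.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core appends ?ver=<WordPress version> to any script or style enqueued
 * without an explicit version. Strip only that value, so plugin and theme
 * assets that carry their own version keep working as cache-busters.
 */
function hwv_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

This hides the exact release, not the platform: the site is still obviously WordPress, and readme.html in the web root still prints the version until you remove it or deny it at the web server. Verify by fetching the home page and a feed and grepping for "generator" and for the version string.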

Top it off with security plugins:

Most of the work of securing a website is server-side: keep the software current, restrict who can log in, and protect the files and database as described above. A security plugin is a worthwhile extra layer, but it runs inside the same PHP process as everything else, so it cannot defend a server that is already compromised, and every plugin is more code exposed to the internet. Pick one well-maintained plugin rather than stacking several.

This article is a composite of several external sources. Full credit to the following for providing excellent advice on keeping WordPress secure:

  • http://www.wpbeginner.com/wordpress-security/
  • https://www.codeinwp.com/blog/secure-your-wordpress-website/
  • https://premium.wpmudev.org/blog/wordpress-security-tips/
  • Presentation by Marko Heijnen at WordCamp Tokyo 2016
