By bitmap
Hi all,
I have a simple site based on Wordpress with Apache webserver. I’ve tried using Wordfence which is a security plugin, but it slows my site quite a bit and I was wondering if any one has any basic tops on how to secure Wordpress without having to add more plugins?
Note that I already have fail2ban enabled.
Thanks a lot!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
Hello,
I will try to focus purely on the Wordpress side of things, but of course, having a secure server is also extremely important.
Here are some of the things that I could suggest:
The basics:
-
Always update WordPress to the latest version Security is arguably the most important reason why you should keep your WordPress website up to date. You really do not have any excuses for not updating your WordPress version as this can be done with just a click of a button and it only takes a few seconds/minutes.
-
Keep an eye on your plugins I would strongly recommend to keep the plugin count to a minimum and always keep your plugins updated. More often than not attackers are able to gain access via an outdated plugin. I would also suggest deleting any plugins that you are not using
-
Delete any themes that you’re not using Quite often people would install a few themes and just leave them on the site disabled and outdated. This opens up a lot of vulnerabilities so I would suggest just deleting any themes that you do not use and just have your active theme installed.
The power of the .htaccess file - Here are some nice .htaccess rules that you could use in order to protect your site, this takes only a few minutes to copy and paste these rules into your .htaccess file so I strongly suggest that you add at least some of them.
- Protect your wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
- Secure your
wp-includesfolder:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
- Protect the
.htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
- Disable hotlinking Note: Change the yourdomain.com part.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
- Disable directory listing
Options -Indexes
- Disable all
phpfiles in your uploads folder. This one is a bit more specific as you should not add it to your main.htaccessfile. Upload a file called .htaccess to the root of wp-content/uploads with the following line:
<Files *.php>
deny from all
</Files>
Protect your wp-admin area
-
Use 2FA - For example, you could try using the Google authentication plugin.
-
Enable limit login attempts - This would protect you against brute force attacks.
-
Enable reCacptcha - Generally speaking, this would protect you against any kind of bots.
-
Last but not least - Use a complex unique password for your admin user.
I hope that this helps and if anyone has any other suggestions please feel free to add them below!
- Bobby
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.