How to secure WordPress website

WordPress is a free, open source blogging platform written in PHP, with powerful features and ease of use. It is favored by many bloggers and has become the most widely used blogging system. Although WordPress does a good job on security, we still need to strengthen its security settings, because vulnerabilities certainly exist that simply have not been found yet. Therefore, we must further harden WordPress to avoid unnecessary losses when such a vulnerability is discovered.

WordPress 5.0

Use the latest WordPress version

Every WordPress update comes with patches for program vulnerabilities and security issues. Therefore, it is necessary to update to the latest version promptly, so that attackers cannot exploit vulnerabilities that were found in the old version to attack your website.

Set complex passwords for Admin account

Raising your security awareness avoids many potential risks; password selection is one example. Choose a strong password for the WordPress admin dashboard so that it cannot be cracked.

Use SFTP instead of FTP

SFTP transfers files over an encrypted channel, which prevents attackers from stealing sensitive files. Ordinary FTP transmits in plain text: once an attacker intercepts a packet, the file contents are exposed as-is. SFTP is a subsystem of the SSH daemon (sshd), so if you have SSH access to manage your hosting space, you can also use SFTP to transfer files.
File permission settings

WordPress file permission settings involve several directories:

Root directory (/), wp-admin, wp-includes: all files should be writable only by your own user account; everyone else should have read permission only.

wp-content: the user content directory, which can be set writable by all users.

wp-content/themes: the theme directory; if you need to use the theme editor in the dashboard, set it writable.

wp-content/plugins: the plugin directory; set it writable only by your user account.
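The following script is an added example, not part of the original article, that audits and applies the scheme above: it lists every entry in the root tree, wp-admin, wp-includes and wp-content/plugins that is writable by group or others (anyone but the owning account), skipping the rest of wp-content, and can then reset those paths to 755 for directories and 644 for files. It assumes the standard WordPress layout under the directory passed as the first argument.

```shell
#!/bin/sh
# Added example (not the article's own script). Audits and optionally fixes
# the permission scheme: root tree, wp-admin, wp-includes and
# wp-content/plugins are writable only by the owner; the rest of wp-content
# (uploads, themes) is left alone because the article allows it to be writable.

# Run find with the given expression over the "owner-only writable" set:
# the whole root tree minus wp-content, plus wp-content/plugins.
wp_owner_only_find() {
    root=${1%/}   # strip a trailing slash so -path matches wp-content exactly
    shift
    find "$root" -path "$root/wp-content" -prune -o "$@"
    if [ -d "$root/wp-content/plugins" ]; then
        find "$root/wp-content/plugins" "$@"
    fi
}

# Report: print one path per line for every file or directory in that set
# whose group-write or other-write bit is set (-perm -g+w / -perm -o+w is
# POSIX find syntax). No output means the scheme is respected.
wp_loose_perms() {
    wp_owner_only_find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Fix: directories 755 (owner rwx, others rx), files 644 (owner rw, others r).
# wp-content/themes is intentionally not touched: the article says to make it
# writable only when the dashboard theme editor is needed.
wp_apply_perms() {
    wp_owner_only_find "$1" -type d -exec chmod 755 {} +
    wp_owner_only_find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use: sh wp_perms.sh /path/to/wordpress [--fix]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then wp_apply_perms "$1"; fi
    wp_loose_perms "$1"
fi
```

Run it without `--fix` first and review the list; a file that legitimately needs to be writable by the web server (for example under wp-content) will not appear because that directory is skipped.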

Database security

If the server hosts multiple websites that use the MySQL database, it is recommended to create a separate low-privileged user for each database. A database user needs these permissions: Alter, Delete, Create, Drop, Execute, Select, Update.

The specific command to create that MySQL database user is:

grant Alter,Delete,Create,Drop,Execute,Select,Update on dbname.* to 'username'@'localhost' identified by 'password';

Configure wp-admin page

  • Use a captcha and a complex password
  • Use SSL (serve the page over HTTPS)
  • Only allow logins to the wp-admin page from specified IP addresses

Other

  • Hide the WordPress version
  • Rename the WordPress admin account
  • Change table_prefix: changing the default table name prefix wp_ makes SQL injection attacks that assume the default table names harder.
  • Back up the WordPress website