This document outlines 15 ways to improve WordPress security, including: 1. Choosing a hosting provider with strong security features rather than just price 2. Enabling automatic background updates for security releases in WordPress versions 3.7 and higher 3. Regularly updating plugins, deleting unused plugins, avoiding duplicate plugins, and checking compatibility before core updates

1. Top 15 Wordpress Security
Issues
By CodePappa.com

2. Choosing Hosting provider
Should consider the security features provided by hosting
company before we chose, i.e. Price should not be the only
reason while choosing a hosting provider.

3. Automatic Background Updates for Security Releases
Its good practise that when ever a security update available
for WordPress, just make sure to update. Starting with
version 3.7, WordPress introduced automated background
updates for all minor releases, such as 3.7.1 and 3.7.2. The
WordPress Security Team can identify, fix, and push out
automated security enhancements for WordPress without the
site owner needing to do anything on their end. Also make
sure not to download wp core updates from 3rd party website.

4. Plugins
1.Always update plugin.
2.Delete unused plugins.
3.Don’t use multiple plugins for same use.
4.Check compatibility of plugin before updating WordPress
core.

5. Security Theme
We should be cautious while purchasing premium themes or
purchasing from not genuine source, Sometimes saving few
bucks by purchasing a cheap theme may cost you more than what
you saved by purchase.

6. Regular checks
We should check our WordPress installation regularly. Also we
need to back up database and WordPress files daily. So that
in case of mishap we can able to up online as soon as
possible with out too much headache. There are lots of free
plugin for the same purpose.

7. Vulnerability on computer
Make sure operating system and softwares updated to latest.
Virus, malware , spyware , key logger etc are capable of
stealing your important data from your computer without any
visible problem.

8. Passwords
Use strong passwords and don’t used default user name
“admin”. Also enable two factor authentication, Lot of
plugins currently providing two factor authentication in
WordPress plugins. Enabling two factor authentication will
help you from Brute force attacks

9. How to choose a good password?
1.Don’t use your username.
2.Don’t use any meaningful words or sentence.
3.Don’t use small passwords.
4.Include special characters and alphanumeric with upper
and lowercase.

10. FTP and SFTP
FTP(file transfer protocol) and SFTP(secure file transfer
protocol) are two protocols used for file transfer. If your
hosting company provides SFTP use it rather than FTP.

11. File permissions
You should care about the file permissions also. Use command
line interface or ftp program to change file permissions as
follows.
/ (root directory) : Except .htaccess (if need WordPress
to write url rewriting rules for you )file all files should
only writable by you.
/wp-admin/ : Writing to this folder should only allowed
to your account.

12. /wp-includes/ : Only you allowed to write.
/wp-content/ : You and webserver allowed to write.
/wp-content/themes/ : If using built in theme editor
you and webserver allowded to write otherwise only you.
/wp-content/themes/ : Only you allowed to write.

13. MySql Security
If you are managing mysql, Don’t allow remote TCP connection
to mysql.
Edit mysql configuration file(my.cnf) and add following line
skip-networking
Location of Mysql Configuration File
mysql --help | grep Default -A 1

14. Minimum privilege for mysql User
WordPress only required CREATE,UPDATE,INSERT AND DELETE
permissions, So mysql user only required that permissions
only, But when you are updating WordPress or installing a
plugin you may need to give permissions (DROP, ALTER and
GRANT) temporarily. Without giving those permission don’t try
to update WordPress/plugins that may result in WordPress
errors. So make a backup before updates.

15. Securing wp-includes
Files under this folder is not intended to accessed by a
user. So we can modify .htaccess file in such a way that
access to those files are not allowed. Please note that this
code place only outside the # BEGIN WordPress and # END
WordPress tags in the .htaccess file, Other wise WordPress
will overwrite our changes to .htaccess file. Also this will
not work well in multisite setup.

16. # Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule> # BEGIN WordPress

17. Securing wp-config.php
Disable accessing wp-config.php by adding following rule to
.htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>

18. Don’t allow file edits from Wp Dashboard
Disable it by adding following code in wp-config.php
define('DISALLOW_FILE_EDIT', true);

19. Last not the least
1.Don’t use default admin username
2.Don’t use wp table prefix

20. Conclusion
These are the few things we can do from our side. Thanks for
reading. Like and subscribe now to get videos from
CodePappa.com