HOW-TO: To improve the security in WordPress without plugins

The security in WordPress is one of those subjects to which we do not give too much importance, at least until we underwent an attack or somebody brings back to consciousness to us as attempt to do I with you;). Today I want to show a few ways to you to make of your Web a place more surely so that you can live calmer and, as I like, without using plugins of third parties.

Some of the points that I want to treat you already I commented them in the article 28 essential adjustments after installing WordPress, so although I will make mention to them I will try not to extend too much. You will see that some are very basic questions but that often we let escape. With this article I do not mean that you must include all the suggestions that I do to you, but assures to you to fulfill a pair at least. Kind!

Mant©n WordPress, plugins and up-to-date groups

When WordPress is updated and it offers a new version to you generally does not do it by whim. Day to day they come new vulnerabilities to the light and they are corrected by means of these patches. Ten in account that is a CMS of most popular and for that reason victim of an army of ready whom they try to make things that are not well.

Certainly you ask yourself: and why they were going to want to enter my Web if I do not have traffic nor important information. Probably they do not look for anything of that, not even they are bothered in erasing your work in which as much persistence you put¦ what perhaps they want is to use your servant to send emails or to generate any type of Spam, and that you can generate problems in the long run as being blacklisteado of many ISPs.

And this not only extends Core of WordPress, always updates plugins who you use as well as the groups. Recently by Yoast arose a vulnerability in famous plugin WordPress SEO, and all the plugins do not enjoy the same support, so taken care of with them.

Only password surely is the one that never you are able to remember

It uses a strong password, in serious, you do it. Accustom to you. I am going to give the trick to you that I use to remember a strong password without problems and later you do what you love¦ I already I warned to you.

Now in serious, it is a very problematic subject. It is shelp that it must have a minimum of 6 characters, to combine capital letters and small letters, etc. Another will tell you that they do not have to be words of the dictionary, that you invent a random chain of letters or symbols¦ it is not either necessary to obsess itself in this way.

What you must do is to use password different in each service or Web, you must try that it is difficult and this only you will obtain increasing it to the number of characters, adding symbols and numbers. Later assure once in a while to change it to you and of being able to remember it!

Desinstala plugins and subjects that you do not use

If there is something hatred more than plugin is plugin that is not updated. And if it existed something worse still would be plugin that no longer receives support, and there are them. They are time bombs, a perfect hollow so that anyone is strained less in your Web at the thought moment, and you do not want that, hey?

Plugins eliminates these and all those that do not contribute something to you essential and that you cannot do without them. With templates it is the same history, flock all and only leaves your parent theme and child theme that I hope that you are using, already I told you how so you do not have excuses.

It changes keys that comes by defect when installing WordPress

This also you I commented it in the mega guide of adjustments, that certainly you have read and you even have the pdf that I did and I send you when subscribing you to the blog.

In your wp-config.php you will find a text similar to the following one, you will only have to replace it with which you will see when entering the generator of keys of WordPress. Here the text that you must replace:

it defines (˜AUTH_KEY™, ˜putt your unique phrase here™);
it defines (˜SECURE_AUTH_KEY™, ˜putt your unique phrase here™);
it defines (˜LOGGED_IN_KEY™, ˜putt your unique phrase here™);
it defines (˜NONCE_KEY™, ˜putt your unique phrase here™);
it defines (˜AUTH_SALT™, ˜putt your unique phrase here™);
it defines (˜SECURE_AUTH_SALT™, ˜putt your unique phrase here™);
it defines (˜LOGGED_IN_SALT™, ˜putt your unique phrase here™);
it defines (˜NONCE_SALT™, ˜putt your unique phrase here™);

At least privileges have a user better

If you have several editors in your blog or the Web of your easiest and comfortable company are to give powers of administrator all. It is a very common and bad practice that can generate many problems, since they will have access to installation, update and edition of plugins, as well as to changes in the aspect of the Web or content.

WordPress puts easy limiting to you the privileges, so it tries to always use the most suitable profile when you create a user. In addition, in case some user does not have a suitable password and they seize of his account¦ will be a lightening it to have done.

But not only I talk about to WordPress. If it is possible, a user in MySQL with the right permissions uses to execute SELECT, INSERT, DELETE and UPDATE; the majority of time you will not need more privileges, only when you want to install or to update. It is a form to limit the damages in case somebody is strained in our data base!

It changes to the user admin and deshabilita the publisher of archives

This also I commented it to you in the other article but it comes well to remember it. By WordPress defect it calls to the installation user œadmin, assure to change it to you although always you will be in time through the data base and putting one to him that you remember. Later it modifies the user profile so that is to the alias or the name publicly with the purpose of to avoid to show the user that you use to initiate session.

The second recommendation of this point is to deshabilitar the publisher of archives who comes integrated with WordPress. The reason as already I commented to you is to avoid that it touches it who does not have, since this in your wp-config.php can ruin the Web to you only with looking it 😉 to deactivate it pon:

it defines (˜DISALLOW_FILE_EDIT™, true);

It changes the area code that uses WordPress in the data base

By defect all the tables you will know that they have the area code œwp_ œ. Why it is important to change it? Because at the moment that exists a vulnerability, by means of injection SQL, they will be able to modify any table in the best one of the cases and much more. You are going to be able to avoid that this happens if you put a random area code? Good, he is safer, although there are forms to be able to find out it.

You do it, who do not cost anything and never the sluggish thing is known that they can be some villains. If you have not done it you do not worry, there are forms to do it once either is installed WordPress, or I will tell you how in another article.

Correct permissions for folders and archives in WordPress

Although it is a discussed subject and of that you can find information anywhere does not cost anything to dedicate to him to two minutes 😉 In summary, your files and folders must have the following permissions:

  • Folders: 775 or 755
  • Archives: 664 or 644
  • Wp-config.php: 600

For any doubt or special configurations in some type of certain servant always it is good for throwing a look to him to codex. Ah! And nothing to much less put recursivos permissions to the folder of Plugins or Uploads and things thus, permissions 777!

It protects WordPress by means of .htaccess

Several methods exist to increase the security in WordPress through htaccess. It seems to take it to me to an extreme level but you think that it can be necessary you do not doubt in doing it.

If before we have modified the permissions of wp-config.php, now we are going to more still restrict it. You can modify it as they indicate to you in stackoverflow or to do something that probably you did not know without htaccess: to raise to the file wp-config.php a directory. Yes, WordPress looks for in the directory superior immediately, you test!

Also you can restrict the access to certain IPs if it is what you prefer, in that case you will only have to add a line of code so that it is thus (replacing the IP):

Order Allow, Deny Allow from 127.0.0.1 Deny from all

For the case of wp-login.php he is the same. And, finally, you can through cPanel or the same htaccess restrict the access to complete directories as /wp-admin, but that I leave you you investigate it 😉

It eliminates unnecessary information

We are finishing and I want to end something easy. In your main directory probably still you have the readme.html file, is not that it is reason to at the top take the hands but is information that you put in tray, as the version that you are using. That yes, that can also be known of other ways¦ but it is to put it difficult, no? Then b³rralo.

And if still you are generating it puts them of that I spoke you in the article on the essential adjustments also eliminates them.

Beam backup copies once in a while

For it they exist plugins that already I recommended to you, although I prefer to do it manually. If beams backups of the data base assures to you that the archives *.sql are not accessible for anybody, you do not want that they have all the information of your users although it is encriptada!

Hosting specialized in WordPress chooses good

Although you do not create it exist suppliers of hosting that worry about the security of their clients. It can sound rare if you come from WanAnWan, but there are them take care of to which they give them to eat. A few as Hostgator, Webempresa, Hosteurope could appoint you¦ but I am going to speak to you of which it is doing it very well lately.

Webempresa is a supplier specialized in this CMS and that offers a suitable range of hostings for each necessity. A look throws to him to its Web and you do not doubt in contacting with them because they will help you in which it is necessary, to migrate your blog or even to optimize it. And yes, I leave my link you of affiliate with which you will be inviting to me to a coffee if you use it 😉 In serious, could leave the link you to Hostgator, Raiola Networks or other that they pay the more, but then would not be a recommendation!

Good hosting will be the one that offers in addition to quality a good attention to you, with workers qualified and trained constantly. If they are specialized in WordPress far better, since constantly there are changes to which to adapt.

Twitter as safety measure uses

It follows some accounts in Twitter, in addition to the official, with whom you will be abreast of the risks which you can be faced. There is nothing no better than to prevent the evils¦ sometimes to procrastinar it can be disastrous. I propose to you that you follow to me and promise to warn to you of everything what 😉 finds out

* * *

In the end I have extended more of the account and still I have left at least five points in the inkpot. Next I will make another article to increase the security in login. I again invite to you to subscribe to you not to lose to you what is about to come 😉 At the moment yet what I have to you counted you must to entertain to more than one with bad intentions!

I hope that it serves to you and you decide to implement two or three sections at least. But either you obsessions, the subject of the security cannot get to be sickly and it is not to arrive until certain ends. You would have added something more? It leaves to a commentary giving me your opinion!

It lets a commentary

To subscribe to me!

No, thanks.