Checklist to Improve Your WordPress Security
Security tooling is unforgiving. It does not care who you are: if it sees a request that looks like an attack, it locks the client out. That can be troublesome on sites with existing errors, particularly missing assets such as images, because every broken link produces a 404 that lockout rules may count against a legitimate visitor.
Here are the crucial points to consider while you are working on WordPress security. Each one is phrased as a question; a "yes" means there is something to fix:
- Does a user with ID 1 still exist? The account created at installation has ID 1 and is almost always an administrator, so brute-force tools target it directly. Create a new administrator, reassign the old account's content to it, and delete the original.
- Is your website unprotected against bots scanning for known vulnerabilities? Vulnerability scanners request hundreds of plugin and theme paths that do not exist on your site. Consider turning on 404 protection, which locks out a host that produces too many 404s in a short time; fix broken image links first, or real visitors will trip it too.
- Is your WordPress dashboard reachable 24 hours a day? If nobody updates the site at 3 a.m., consider Away Mode, which makes the dashboard unavailable outside the hours you choose.
- Is your login area only partially protected against brute-force attacks? Our team recommends both local blocking (lockouts based on failed logins seen on your own site) and network blocking (a shared list of hosts already caught attacking other sites) for full protection.
- Is your website not checking for changed files? Consider turning on file change detection. A new or modified file in core, a theme or a plugin that you did not deploy yourself is the most direct sign of a compromise.
- Is your dashboard still at the default addresses (/wp-admin/ and wp-login.php)? Default paths let brute-force scripts find the login form without any reconnaissance. Moving them raises the bar for untargeted scanners, but it is not a substitute for strong passwords and lockouts.
- Are common WordPress files such as readme.html, license.txt and wp-config.php reachable from the web? They reveal the installed version or contain credentials, and no visitor needs them.
- Is your site not blocking suspicious-looking strings in the URL, such as script tags or SQL fragments typical of injection attempts?
- Does your installation accept comments from clients that send no User-Agent header? Every real browser sends one; crude spam bots often do not.
- Is XML-RPC enabled? Its system.multicall method lets an attacker test many passwords in a single request, and pingbacks can be abused to make your server attack others. Disable it unless a mobile app or a service such as Jetpack needs it.
- Can users execute PHP from the uploads folder? If an upload filter is ever bypassed, a PHP file in wp-content/uploads becomes a web shell; the web server should refuse to execute scripts anywhere under uploads.
- Is your site not performing scheduled database backups? A backup is what you restore from after a compromise or a failed update; schedule it and store copies off the server.
- Are you not blocking hosts and user agents that are known to be a problem for your website? Consider turning on the Ban Users feature.
- Have your WordPress keys and salts never been changed? The values in wp-config.php protect authentication cookies. If they are still the placeholder strings, or you suspect they leaked, regenerate them now; note that doing so logs every user out.
- Are you not requiring a secure connection (HTTPS) for the dashboard? Without it, session cookies and passwords cross the network in clear text; set FORCE_SSL_ADMIN.
- Are you enforcing strong passwords, but not for all users? A weak password on a low-privilege account is still a valid login, which an attacker can pair with a privilege-escalation bug in a plugin. Enforce the policy for every role.
- Have you not disabled directory browsing? A listing of wp-content/plugins tells an attacker exactly which plugins and versions to look up.
- Are you not blocking HTTP request methods you do not need? WordPress normally needs only GET, POST and HEAD; block the others (TRACE, PUT, DELETE and so on), and retest the REST API and any integrations afterwards.
- Is your site not blocking non-English characters in the URL? Only do this if your site has no non-ASCII slugs or content, or you will break legitimate links.
- Does your installation accept long (over 255 character) URLs? Overlong URLs are typical of injection and overflow probes and have no legitimate use on most sites.
- Are your wp-config.php and .htaccess files writable? If the web server user can write them, any compromised plugin can rewrite them; make them read-only and block direct HTTP access to them.
- Is your installation publishing the Really Simple Discovery (RSD) link? It advertises the XML-RPC endpoint to anyone reading the page source.
- Can users edit plugin and theme files directly from the dashboard? With the editor enabled, any administrator session, including one hijacked through XSS, is arbitrary PHP execution on your server. Set DISALLOW_FILE_EDIT.
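Several of the items above (user ID 1, comments without a User-Agent, XML-RPC, HTTPS for the dashboard, passwords for every role, unneeded HTTP methods, non-ASCII and overlong URLs, the RSD link, the file editor) can be enforced from WordPress itself. The must-use plugin below is an added example written for this page; it is not code from the original post or from any security plugin. It assumes it is saved as wp-content/mu-plugins/hardening-checklist.php, and the minimum password length (12), the allowed method list and the printable-ASCII rule for URLs are assumptions to adjust for your site.

```php
<?php
/**
 * Plugin Name: Hardening checklist (added example)
 * Description: Application-level items from the checklist above, as a must-use plugin.
 *
 * Added example, not code from the original post. Save as
 * wp-content/mu-plugins/hardening-checklist.php: must-use plugins load before
 * regular plugins and cannot be deactivated from the dashboard.
 */

defined( 'ABSPATH' ) || exit;

// File editor / HTTPS: these constants normally live in wp-config.php; the
// defined() guard lets either location win. DISALLOW_FILE_EDIT removes the
// theme and plugin editor, FORCE_SSL_ADMIN forces HTTPS for wp-login.php and /wp-admin/.
defined( 'DISALLOW_FILE_EDIT' ) || define( 'DISALLOW_FILE_EDIT', true );
defined( 'FORCE_SSL_ADMIN' )    || define( 'FORCE_SSL_ADMIN', true );

// XML-RPC: once this filter returns false, core answers every method with a fault.
add_filter( 'xmlrpc_enabled', '__return_false' );

// RSD: stop advertising the XML-RPC endpoint through <link rel="EditURI"> in <head>.
remove_action( 'wp_head', 'rsd_link' );

// HTTP methods, long URLs, non-ASCII URLs: reject these before WordPress routes
// the request. Priority 0 on init runs ahead of other plugins' init handlers.
add_action( 'init', function () {
	// Assumption: no client needs PUT/DELETE/TRACE. Add 'OPTIONS' if a
	// cross-origin client needs CORS preflight against the REST API.
	$allowed = array( 'GET', 'HEAD', 'POST' );
	$method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
	// Decode so %3Cscript%3E and percent-encoded UTF-8 are seen as what they are.
	$uri     = rawurldecode( $_SERVER['REQUEST_URI'] ?? '/' );

	if ( ! in_array( $method, $allowed, true ) ) {
		status_header( 405 );
		exit;
	}
	if ( strlen( $uri ) > 255 ) {
		status_header( 414 );
		exit;
	}
	// Printable ASCII only. Remove this check on sites with non-ASCII slugs.
	if ( preg_match( '/[^\x20-\x7E]/', $uri ) ) {
		status_header( 400 );
		exit;
	}
}, 0 );

// Comments: refuse submissions from clients that send no User-Agent header.
add_action( 'pre_comment_on_post', function () {
	if ( empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
		wp_die( 'Comments must be submitted by a client that sends a User-Agent header.',
			'Comment rejected', array( 'response' => 403 ) );
	}
} );

// Passwords for every role: WordPress only shows a strength meter client-side;
// this is the server-side check, applied on profile edits and password resets.
$hc_min_len = 12; // assumption
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) use ( $hc_min_len ) {
	if ( ! empty( $user->user_pass ) && strlen( $user->user_pass ) < $hc_min_len ) {
		$errors->add( 'hc_pass_short', sprintf( 'Passwords must be at least %d characters.', $hc_min_len ) );
	}
}, 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) use ( $hc_min_len ) {
	$pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
	if ( '' !== $pass && strlen( $pass ) < $hc_min_len ) {
		$errors->add( 'hc_pass_short', sprintf( 'Passwords must be at least %d characters.', $hc_min_len ) );
	}
}, 10, 2 );

// User ID 1: nag administrators while the installation account is still an administrator.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$first = get_user_by( 'id', 1 );
	if ( $first && in_array( 'administrator', (array) $first->roles, true ) ) {
		printf(
			'<div class="notice notice-warning"><p>%s</p></div>',
			esc_html( sprintf( 'User ID 1 (%s) is still an administrator. Create a new administrator, reassign its content and delete it.', $first->user_login ) )
		);
	}
} );
```

The length rule is only a stand-in for "strong passwords"; a real policy would also reject passwords known from breaches. The method and URL checks run after WordPress has already loaded, so they cost a full bootstrap per rejected request; the same rules in the web server configuration are cheaper and also cover requests that never reach PHP. Lockouts, 404 protection, Away Mode, file change detection, backups and the ban list are plugin or host features with no equivalent here.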
These questions cover the points you most need to consider while working on WordPress security. We hope this helps.
Comments and queries are welcome!
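The remaining server-level items (directory browsing, direct access to wp-config.php and .htaccess, HTTP methods, overlong URLs, and PHP execution under uploads) belong in the web server configuration rather than in WordPress. The fragments below are an added example for this page, not rules from the original post. They assume Apache 2.4 with mod_rewrite and mod_authz_core loaded, and an AllowOverride setting that includes FileInfo, Limit and Options; nginx ignores .htaccess entirely, so the same rules would go in its server block.

```apache
# Added example, not from the original post. Apache 2.4 syntax.

# ---- WordPress root: .htaccess ------------------------------------------

# Directory browsing: never list the contents of wp-content/plugins and friends.
Options -Indexes

# Common files: keep wp-config.php and .htaccess unreachable over HTTP even if
# PHP handling ever fails. They should also be read-only on disk (e.g. mode 0444).
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# HTTP methods: WordPress needs GET, POST and HEAD; refuse everything else
# (TRACE, PUT, DELETE, ...). Add OPTIONS if a cross-origin client uses the REST API.
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# Long URLs: answer 403 to request paths longer than 255 characters.
# (%{REQUEST_URI} excludes the query string; extend the condition if needed.)
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.{256,}$
RewriteRule .* - [F,L]

# ---- wp-content/uploads/.htaccess ---------------------------------------

# PHP in uploads: even if an upload filter is bypassed, nothing under uploads
# may be served as a script. Denying the request is portable across mod_php and
# PHP-FPM, unlike "php_flag engine off". Broaden the pattern to match every
# extension your server hands to PHP.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
```

After adding the LimitExcept block, exercise the dashboard, the block editor and any integration that talks to the REST API; the core clients send POST with a method-override header, but third-party clients may issue PUT or DELETE directly and will receive 403 until you add those methods.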
2 Comments
Nicol
Very small & important points. Really a very good observation. Thanks for sharing.
Mark J
Important point collection. Everyone must consider this while developing a WordPress website.