Harden WordPress after Initial Setup for Security and Safety



Over the years, I have set up hundreds of WordPress installations. But every time I do that, I have to look around for guides and tips for making WordPress usable and secure. That takes up a lot of my time and repeating this step is always a pain in the butt.


This article documents the things I do after the initial WordPress setup. I’m writing it to keep tabs on those steps. The next time I set up a WordPress website, I’ll use this guide to get through the initial setup quickly, instead of spending hours searching and messing with stuff.

Add a basic robots.txt

The robots.txt file should be present in the root directory of your WordPress installation. This file lets search engines know what to index and what not to. Depending on what kind of content you have, you may want to modify this file, but not having a robots.txt at all isn’t something you should do. Here’s a basic version that I use for most sites that I set up.

You can learn some best practices from Google’s Robots.txt Specifications.
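A starting point for a WordPress site, written here as an added example rather than the author’s own file. example.com is a placeholder; the Sitemap line must point at whatever actually generates your sitemap (WordPress core serves one at /wp-sitemap.xml, SEO plugins use their own paths).

```txt
# Applies to every crawler that honours robots.txt
User-agent: *
# Keep crawlers out of the admin area, but let the AJAX endpoint through:
# themes and plugins call it from public pages
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
# Do not disallow /wp-includes/ or /wp-content/: Google needs the CSS and JS
# there to render your pages. Also remember that robots.txt is public, so
# listing a path you consider sensitive only advertises it. This file is a
# politeness signal to crawlers, not access control.
Sitemap: https://example.com/sitemap.xml
```

One check worth doing after a WordPress upgrade: if no physical robots.txt exists, WordPress serves a virtual one, and a physical file in the web root silently takes precedence over it.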

Canonical robots.txt

By convention, the robots.txt should be in the root directory of your website. Most bots follow this convention. This isn’t, however, a universal rule followed by everyone. Some badly coded bots and scripts scan your whole website to locate the robots.txt file. You can avoid this issue by telling every bot about your robots.txt location. Add the following code to the .htaccess file.

Canonical Sitemap.xml

In the same way, you can set up a canonical URL for your website’s sitemap.xml. Add this code to your .htaccess file.
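Added example covering both of the previous two sections (it is not the author’s snippet): any request whose path ends in robots.txt or sitemap.xml but is not at the root is redirected to the root copy. It assumes the sitemap really lives at /sitemap.xml; if a plugin serves it elsewhere, change the target accordingly.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On

# /some/dir/robots.txt -> 301 -> /robots.txt
# First condition prevents a redirect loop on the canonical path itself.
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{REQUEST_URI} /robots\.txt$ [NC]
RewriteRule .* /robots.txt [R=301,L]

# Same treatment for the sitemap
RewriteCond %{REQUEST_URI} !^/sitemap\.xml$ [NC]
RewriteCond %{REQUEST_URI} /sitemap\.xml$ [NC]
RewriteRule .* /sitemap.xml [R=301,L]
</IfModule>
```

Put these rules above WordPress’s own "# BEGIN WordPress" block: everything between BEGIN and END is rewritten by WordPress whenever permalink settings are saved.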

Enable Automatic updates for WordPress Core and Plugins

There is no point in worrying about security if you are running an outdated version of WordPress or plugins on your website. You can always try updating them manually, but that’s not always possible. You can automate this process by editing the wp-config.php and adding the following code to it.

You can add all three of these snippets to enable automatic updates for everything. Be warned, though. If some update breaks your site, you’ll have a hard time knowing which one did the deed.
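An added example of what the three pieces look like (not the author’s snippets). The core setting is a wp-config.php constant; the plugin and theme settings are filters, and add_filter() is not yet defined while wp-config.php is being read, so those belong in a must-use plugin (the path wp-content/mu-plugins/auto-updates.php is an assumed name) or in the theme’s functions.php. The allow-list variant is one way to keep the author’s "which update broke it" problem small.

```php
<?php
// --- wp-config.php, above the "That's all, stop editing!" line ---
// true  = all core releases (major and minor)
// 'minor' = security and maintenance releases only (the default behaviour)
// false = no core auto-updates at all
define( 'WP_AUTO_UPDATE_CORE', true );

// --- wp-content/mu-plugins/auto-updates.php (assumed filename; mu-plugins load on every request) ---
// Themes: blanket auto-update.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: either the blanket version ...
//   add_filter( 'auto_update_plugin', '__return_true' );
// ... or an allow list, so a misbehaving plugin can be pinned by removing it
// from the list instead of switching auto-updates off for everything.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Plugin basenames (directory/main-file.php); these are example values.
    $allow = array(
        'akismet/akismet.php',
    );
    return in_array( $item->plugin, $allow, true ) ? true : $update;
}, 10, 2 );
```

WordPress emails the admin address with the result of each automatic update, which is usually the quickest way to tell which update ran right before something broke. DISALLOW_FILE_MODS (see the file-editing section) switches the automatic updater off entirely, so the two settings cannot be combined.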

Disable Server Signature

Whenever your server encounters an error, it reveals the full server signature to the user. You don’t want that to be visible to anyone for security. To disable that, add the following code to your .htaccess.
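Added example (not the author’s snippet). ServerSignature is the footer on Apache-generated error pages and directory listings; the Server: header itself is controlled by ServerTokens, which Apache only accepts in the main server configuration, not in .htaccess, so that part has to be done by whoever administers the server.

```apache
# Remove the "Apache/2.x.y (OS) ... at host Port 80" footer from error pages
ServerSignature Off

# PHP advertises its version in an X-Powered-By header; strip it.
# (expose_php cannot be changed from .htaccess, so do it at the response level.)
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# Not valid here, only in httpd.conf: ServerTokens Prod
```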

Stop People from Browsing your server directories

Some servers let anyone list the files in a directory that has no index page. This is a security problem because visitors can see exactly what you have there. To stop that, add the following line to your .htaccess file.
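The weak setting beside the corrected one, as an added example (not the author’s line). On a WordPress install the directory that typically has no index file is wp-content/uploads, so that is where listings show up.

```apache
# Weak: a directory without index.php/index.html returns a file listing
# Options +Indexes

# Hardened: the same request returns 403 Forbidden instead
Options -Indexes
```

If the host’s AllowOverride does not permit Options in .htaccess, this line makes Apache answer every request with a 500; in that case drop an empty index.php into wp-content/uploads (the other wp-content directories already ship one) or ask the host to enable the override.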

Disable external access to wp-config.php

No one except you should access the wp-config.php. This file stores your authentication keys. It also stores the salts for these keys, so if someone can access them, this can prove to be a massive security hole. Disable access to your wp-config.php file by adding the following directives to your .htaccess file.

Block access to readme.html

A lot of WordPress blogs don’t block access to their readme.html file. Though not a big issue, this can cause your WordPress version to be publicly available. You don’t want that.

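One .htaccess block serving both this section and the wp-config.php one above it, as an added example (not the author’s directives). Besides the secrets and salts, wp-config.php also holds the database credentials, and a copy left behind by an editor (wp-config.php.bak, wp-config.php.save) is served as plain text because it has no .php extension, so the pattern covers those too. readme.html and license.txt are re-created by every core update, which is why blocking them beats deleting them.

```apache
# Deny direct web access to files that carry secrets or disclose the version.
# wp-config.php, any wp-config.php.<suffix> copy, readme.html and license.txt
<FilesMatch "^(wp-config\.php(\..*)?|readme\.html|license\.txt)$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (2.4 with mod_access_compat also understands this form)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Verify with a request for /wp-config.php.bak and /readme.html: both should return 403. WordPress itself still reads wp-config.php from disk; the rule only affects requests that come in over HTTP.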

Disable File Editing in the wp-admin Panel

If someone gets access to your wp-admin panel, they can mess around with your stuff, most certainly with the code in your .htaccess and robots.txt files. Some plugins also allow you to edit files without logging into your cPanel. You don’t want that. Add the following code snippet to the wp-config.php file to disable file editing.
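Added example (not the author’s snippet) with the two constants WordPress provides for this, including the interaction a practitioner needs to know about.

```php
<?php
// wp-config.php, above the "That's all, stop editing!" line.

// Removes the Theme File Editor and Plugin File Editor screens from wp-admin
// and strips the edit_themes / edit_plugins / edit_files capabilities, so a
// stolen administrator session cannot drop PHP into a theme from the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger, opt-in: also blocks installing, updating and deleting plugins and
// themes through the dashboard. This disables the automatic updater as well,
// so only use it when updates are deployed another way (a build pipeline,
// WP-CLI, version control).
// define( 'DISALLOW_FILE_MODS', true );
```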

Disable Display of PHP Errors

You shouldn’t publicly display PHP errors on your website. Disable them by adding the following directive to your .htaccess file.
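Added example (not the author’s directive). The point is to stop showing errors, not to stop recording them, so logging stays on with the log kept outside the web root; the path is a placeholder. These php_* directives only work when PHP runs as an Apache module; under PHP-FPM they are unknown directives and every request would fail with a 500, hence the IfModule guard (use php.ini or a .user.ini file there instead).

```apache
# Module name is mod_php.c for PHP 8 and mod_php7.c for PHP 7 under mod_php
<IfModule mod_php.c>
    # Never render errors, warnings or notices into the page
    php_flag display_errors Off
    php_flag display_startup_errors Off
    # Keep the detail for yourself: log to a file outside the document root
    # (placeholder path; pick one your PHP user can write to)
    php_flag log_errors On
    php_value error_log /var/log/php/wp-error.log
</IfModule>
```

On the WordPress side, if WP_DEBUG is ever switched on for a production site, pair it with WP_DEBUG_DISPLAY set to false and WP_DEBUG_LOG pointing at a path outside the web root: by default the debug log lands in wp-content/debug.log, which is web-accessible.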

Enable GZIP Compression for your website components

The Internet is becoming fatter. That’s not okay. There’s no excuse when you can use GZIP on your site to compress web pages before they reach your readers. Smaller pages mean shorter load times and a better user experience. Add this to your .htaccess to enable GZIP compression.
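Added example using mod_deflate (not the author’s snippet). Text types are compressed; formats that are already compressed (images, fonts, archives, PDFs) are excluded because deflating them again costs CPU and saves nothing.

```apache
<IfModule mod_deflate.c>
    # Compress text-like responses by MIME type
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/json application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml application/atom+xml image/svg+xml

    # Skip content that is already compressed
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|webp|ico|woff2?|zip|gz|pdf)$ no-gzip
</IfModule>
```

One security caveat: compressing a response that contains a secret (a nonce, a token) together with text reflected from the request makes that secret measurable through the response size (the BREACH class of attacks). Pages that echo user input to logged-in users deserve that thought before you compress everything.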

Add Expires Header to your website’s static components

The static content on your website, like CSS, JavaScript and images, doesn’t change often. You can use that to your advantage. Adding an Expires header to static components speeds things up because the browser caches them, which means fewer HTTP requests and shorter loading times. This is what "leveraging browser caching" means.

Don’t copy and paste this exact snippet to your .htaccess though. Adjust the values according to the kind of content you are serving. Use Expires Headers carefully.
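Added example with mod_expires (not the author’s snippet), with the values a practitioner would start from. The important line is the one for HTML: a page rendered for a logged-in user must not be cached for long, because a shared cache could hand it to the next visitor. Long lifetimes on CSS and JS rely on the ?ver= query string WordPress appends for cache-busting, which matters if you follow the "Remove Query Strings" step later.

```apache
<IfModule mod_expires.c>
    ExpiresActive On
    # Anything not listed below: revalidate after a day
    ExpiresDefault "access plus 1 day"

    # HTML and feeds: do not let browsers or proxies keep them
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/rss+xml "access plus 1 hour"

    # Versioned assets (WordPress adds ?ver= to enqueued CSS/JS) can live long
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Images and fonts change rarely and are usually renamed when they do
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>
```

mod_expires sets a matching Cache-Control: max-age alongside the Expires header, so both old and new caches honour it.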

Remove Query Strings

If you use a one-click WordPress installer, you’ll see that there is a .htaccess file already present in the directory of your installation. It will already have some directives defined. To remove the query strings from your URLs, add the following code between the RewriteBase / and RewriteRule directives.

Redirect to HTTPS

If you want to use HTTPS on your website (you probably should), add the following lines in your .htaccess. Put them between the RewriteBase / and RewriteRule directives.
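An added example covering both this section and the "Remove Query Strings" one (neither rule is the author’s). One caveat on placement: WordPress regenerates everything between "# BEGIN WordPress" and "# END WordPress" whenever permalink settings are saved, so rules inserted there are lost; the example puts the custom rules in their own block above it. The query-string rule is limited to CSS and JS so that search (?s=) and the admin keep working, and the HTTPS rule assumes TLS terminates on this server; behind a CDN or proxy %{HTTPS} stays "off" and the rule loops unless you test the forwarded-protocol header instead.

```apache
# Custom rules live outside the WordPress-managed block
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Force HTTPS. Behind a TLS-terminating proxy use this condition instead:
#    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

# 2. Strip ?ver=... from CSS/JS requests only. Any other parameters on the
#    same request are dropped as well, and the asset then has to be
#    cacheable without a version stamp (see the Expires section).
RewriteCond %{REQUEST_URI} \.(css|js)$ [NC]
RewriteCond %{QUERY_STRING} (^|&)ver= [NC]
RewriteRule ^ %{REQUEST_URI}? [R=301,L]
</IfModule>

# Once the whole site is on HTTPS, tell browsers to stop trying HTTP at all.
# Browsers ignore this header on plain-HTTP responses, so it is safe to set
# unconditionally, but only add it when every hostname you serve has a
# working certificate: it commits them to HTTPS for a year.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

After switching, set the Site Address and WordPress Address in Settings to the https:// form as well, otherwise WordPress keeps emitting http:// links that each take a redirect.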

Disable HTML in the comments section

There is no need for people to put HTML in their comments unless your blog specifically caters to that kind of audience. For most people, disabling HTML will be the best option. Add the following code to the functions.php of your WordPress theme.
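Added example (not the author’s snippet). WordPress already runs comments from ordinary visitors through KSES, which strips dangerous tags, so this is about presentation rather than patching an XSS hole: tags are escaped and shown literally instead of rendered. Note that a theme’s functions.php is replaced when you switch themes; a small must-use plugin in wp-content/mu-plugins/ keeps the behaviour regardless of theme.

```php
<?php
// Escape HTML in new comments at save time, so "<b>hi</b>" is stored and
// shown as text rather than rendered as bold. Existing comments are untouched.
add_filter( 'pre_comment_content', 'esc_html' );

// Optional: also render HTML in already-stored comments as plain text.
// Priority 1 runs before wpautop/make_clickable; esc_html does not
// double-encode entities that are already stored.
add_filter( 'comment_text', 'esc_html', 1 );
```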

Adjust Auto-save intervals

By default, WordPress auto-saves your posts every minute to avoid loss of your data. If you think that’s too frequent or too slow, then you can adjust this value. Add the following code to your wp-config.php and adjust the number to your liking.

Stop WordPress from Guessing URLs

Add the following line of code to your theme’s functions.php.
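What this changes, with an added example (not the author’s line): when a URL matches no post, WordPress by default redirects to the closest-matching permalink it can guess, which leaks which slugs exist and produces surprising redirects. The filter below turns that off; on WordPress versions before 5.5 the second filter achieves the same through the canonical-redirect hook.

```php
<?php
// WordPress 5.5 and later: disable the 404 "redirect guess" outright
add_filter( 'do_redirect_guess_404_permalink', '__return_false' );

// Older versions: returning false from redirect_canonical cancels the
// redirect. is_404() is valid here because redirect_canonical() runs on
// template_redirect, after the main query has resolved.
add_filter( 'redirect_canonical', function ( $redirect_url ) {
    return is_404() ? false : $redirect_url;
} );
```

With both in place, a request for a non-existent URL simply returns your theme’s 404 page, which is also what you want for any monitoring that counts 404s.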

Disable Login Hints

You don’t want your hacker buddies to get access to your blog by brute forcing their way in. When you enter a wrong username or password, or a combination of the two, WordPress tells you whether your username was wrong or the password. You should disable that. Add this code to the functions.php file.
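Added example (not the author’s snippet). The login_errors filter wraps every error wp-login.php prints, including the lost-password form’s "no account with that username" message, so one generic string covers both. It reduces what an attacker learns per attempt but does nothing to slow attempts down; pair it with a login rate-limit or lockout plugin and two-factor authentication, and keep in mind that author archives and the REST API can expose usernames through other routes.

```php
<?php
// Replace "The password you entered for the username X is incorrect" and
// "Unknown username" with one message that does not say which half failed.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid login credentials.';
} );
```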

Update WordPress Secret Keys

Your WordPress installation’s security keys exist to prevent unauthorized access to your blog. You can replace them with fresh ones. Go to this page and copy the keys. Then open the wp-config.php file from your WordPress installation and replace them one by one.

After doing that, all your session cookies will become expired. So, anyone logged into your website will be logged out.
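An added example (not the author’s procedure) that generates the eight constants locally with a CSPRNG, so nothing has to be fetched over the network and the values never leave the machine; run it with the PHP CLI and paste the output over the existing define() lines. The alphabet deliberately omits the single quote and backslash so the values drop into single-quoted PHP strings without escaping.

```php
<?php
// Generate replacement values for the eight wp-config.php keys and salts.
function wp_salt_block(): string {
    $names = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    // Printable ASCII minus ' and \ (and space), safe inside a single-quoted string
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $max      = strlen( $alphabet ) - 1;
    $out      = '';
    foreach ( $names as $name ) {
        $value = '';
        for ( $i = 0; $i < 64; $i++ ) {
            // random_int() is cryptographically secure; rand()/mt_rand() are not
            $value .= $alphabet[ random_int( 0, $max ) ];
        }
        $out .= sprintf( "define( '%s', '%s' );\n", $name, $value );
    }
    return $out;
}

echo wp_salt_block();
```

If WP-CLI is available, wp config shuffle-salts does the same in place. Either way, as the text says, every existing session cookie stops validating the moment the new values are saved.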

Remove WordPress Version

It’s unnecessary and potentially a security risk to show your WordPress installation version to the whole world. You can disable the display of WordPress version from everywhere by adding the following code to the functions.php of your theme.
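Added example (not the author’s snippet). The version shows up in three places: the generator meta tag in the page head, the generator element in feeds, and the ?ver= query string on core scripts and styles. The block below handles all three. It is still only obscurity (readme.html, covered earlier, and the contents of wp-includes give the version away to anyone determined), so treat it as a complement to the auto-update section, not a substitute.

```php
<?php
// 1. Head: drop the <meta name="generator" content="WordPress x.y.z">
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds (rss2_head, atom_head, ...) call the_generator(), which runs this
//    filter; returning an empty string removes the element everywhere.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Assets: core enqueues its own CSS/JS with ?ver=<WordPress version>.
//    Remove the parameter only when it equals the core version, so plugins
//    and themes keep their own cache-busting stamps.
function strip_core_version_from_src( $src ) {
    $core = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'strip_core_version_from_src' );
add_filter( 'script_loader_src', 'strip_core_version_from_src' );
```

Check the result by viewing the page source and the /feed/ output: neither should contain the version string any more.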

I guess this should be enough.
