Making your wordpress blog more secure

You find the individual steps easily in a web search. Most critical is the change of SQL table prefixes. I did it manually using phpMyAdmin. When finished, no link was working any longer. Reason: permalinks were set to %postname%. After switching first to default and then back to %postname% everything was fine.

I also struggled with the password protection. Inportant: add the line ErrorDocument 401 default, otherwise you might always get the “page not found” message.

Steps to do:

  • Move config.php file one directory above wordpress installation directory
  • Remove admin user
    (create new user with full rights and delete old user)
  • Protect wp-admin and wp-includes directories
    (read for owner and group only = 751)
  • Hide wordpress version and login error messages
    Add in functions.php (in your ChildTheme directory):
    <?php remove_action(‘wp_head’, ‘wp_generator’);
    add_filter(‘login_errors’,create_function(‘$a’,”return null;”)); ?>
  • Delete readme.html file from web root directory
  • Password protect wp-admin directory (I used CPanel to create .htaccess).
    Modify .htaccess file in wp-admin – add:
    ErrorDocument 401 default
  • Modify .htaccess file in web root:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
  • SQL: change prefixes of database tables from
    “wp_”  to “new_prefix_”
Rate this post
;