Secure a WordPress site without using plugins — during your lunch break

Secure a WordPress site without using plugins

Keeping a WordPress site secure is paramount. Without using plugins—we’re going DIY—here are ways to secure a WordPress site during your lunch break.

The big, popular security plugins use many of these tactics and code, so why not implement them yourself? At least learn what they are.

If nothing else, one less plugin running in the background frees resources, leading to faster site load times.

Delete default admin user

WordPress powers roughly 30% of the websites on the Internet, and many of them still use the default usernames and settings. We want to lessen the account names used by bots or hackers to gain access to your site.

So, after the initial WordPress install:

  • Login to the admin account
  • Create a new user — for this example, let’s name it sparrow
  • Assign sparrow the Administrator role 
  • Log out of the admin account
  • Login to the new sparrow account and delete the default admin account. Make sure you choose the option to attribute all content — posts and pages — to the new sparrow account.
  • And you’re done. 

If you’re doing this long after you’ve had a WordPress site running, make sure you’re using any Administrator account and follow the steps above.

Change your WordPress table prefix

By default when you install and launch WordPress, the table prefix is wp_ which is well known and is easy to change. You’ll see it as a line in your wp-config.php file: $table_prefix = 'wp_'; 

I typically still use wp in the name, but i append it with two letters. I like being able to look at a table and see wp in it to know right away it’s for WordPress. Also, you don’t want to make the table name too long as there is a 64-character limit. And there’s no telling how many characters a plugin will use when creating their own tables with the prefix. For each site, i choose a different prefix, but usually it will look something like wpkr_ or two random letters like xi_ to keep the same default prefix length.

Make sure your web server is running at minimum PHP 7., but ideally 7.2+

Quickly check your site’s PHP version by going to Upgrade Your PHP. If you don’t have 7.1+, check with your web hosting provider regarding upgrading.

Ideally, you’ll have access to something like cPanel, which lets you easily find what PHP version you have and choose a newer version from there. 

If not that, maybe you’re running your own servers or your web host provided you with SSH access, which you then can do the command php -v to see what PHP version is running and upgrade if needed. 

Upgrading is beyond the scope of this article, since the upgrade process varies depending on the server. Comment below or send me an email if you need some help to get this updated.

Protect your wp-config.php file by denying direct access to it

The wp-config.php file is the most vital one for any WordPress installation. By default, it stores credentials for access to your database. 

Put the code below in the main .htaccess file — one inside the WordPress root directory.

# Protect wp-config.php from unauthorized access
<files wp-config.php>
order allow,deny
deny from all
</files>

Kill PHP Execution

This goes in an .htaccess file placed inside any directory you want to block .php files from running that shouldn’t allow it — e.g. the /wp-content/uploads directory.

# Kill PHP Execution
<Files ~ “.ph(?:p[345]?|t|tml)$”>
deny from all
</Files>

Protect .htaccess from unauthorized access

Being that the .htaccess file manages access to your files to the outside world; it’s imperative to shelter it from outside snoopers.

Funny enough, it goes in the main .htaccess file.

#Protect .htaccess from unauthorized access
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Block author scans

Prevents automated scans of the authors on your website.

Dormant but still active user accounts have an increased risk of having compromised passwords — look at the news for all the security breaches recently. 

This could lead to easy pickings for automated login with an account you’re not checking for. Finding out a site’s usernames is half the battle of getting into your WordPress back-end.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

Prevent code injection
Don’t want some random scripts uploaded to your site wrecking havoc. Add this to the main .htaccess file.

# Prevent code injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Disable directory listing
You don’t want people to type in the url of a directory on your site — macariojames.com/blog/wp-content/uploads — and get a full listing of files. 

Add this single line to your main .htaccess file.

Options -Indexes

Further Reading

I recommend that everyone read the WordPress Codex’s take on Hardening WordPress since, well, ya know, it’s the official guide. 

I know there’s a lot to take in with this blog post, even though i didn’t want some exhaustive guide since there are plenty of others out there. But these things i pointed out above are fairly quick and easy to implement that will drastically cut down your being compromised by run-of-the-mill exploits ran by automated bots.

I hope this helped you. Drop me a line about these tactics or if you’d like to employ my services to further harden/secure your WordPress site and server. 

Sharing is caring — let your friends know about securing WordPress without a plugin. 

Cheers and peace.

If you found this post useful ...

Buy Me a Coffee logo
Wondering why you keep seeing lower-cased 'i' in my posts? Read -> Why ‘i’ is not capitalized

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of