WordPress Security Checklist
Basic Checklist:
1. Rename the default "admin" user to something else (or create a new administrator and delete "admin"), so the username is not a free guess for brute-force attempts.
2. Change the ID field on the first user from 1 to something else. This is obscurity only: it defeats lazy scripts that hard-code user ID 1, nothing more.
3. Enforce strong password requirements for all system users.
4. Don't let anybody but admins see available WP updates.
5. Remove the ability for non-admins to modify theme and plugin files from the dashboard; better still, disable the file editor for everyone with define('DISALLOW_FILE_EDIT', true); in wp-config.php.
6. Tweak the database so tables aren't prefixed with wp_ (a minor hurdle for canned SQL injection payloads, not a real control).
7. Don't use the MySQL root user to access the database.
8. Limit the MySQL account used to the site database only.
9. Restrict the MySQL account so it can't perform destructive actions (i.e. DROP, etc.). Note that core and plugin updates still need CREATE, ALTER and INDEX, and some plugin uninstallers drop their own tables; keep a separate maintenance account for those jobs.
10. Give the MySQL account a very long, randomised password.
11. Don't allow the server's root user access via SSH. Use an account with sudo privileges instead.
12. Ensure all eight secret key and salt fields in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT values) are filled with long, unique random strings. They are not "16-bit SHA keys": WordPress uses them as key material when signing login cookies and nonces, so the stock placeholder or a short value weakens that protection. The generator at https://api.wordpress.org/secret-key/1.1/salt/ hands out suitable 64-character values.
13. Disallow directory indexes (listings) on all site folders (Options -Indexes in Apache).
14. Hide the admin area: restrict wp-admin and wp-login.php to known IP addresses or put them behind additional authentication.
15. Rename the wp-content directory to something else (WP_CONTENT_DIR and WP_CONTENT_URL in wp-config.php); be aware that plugins which hard-code the path will break.
16. Block bad hosts and user agents with blacklists.
17. Make any .htaccess files and wp-config.php non-writeable, in particular by the web server user.
18. Make the admin area inaccessible outside of work hours (handle this one with care: it also blocks legitimate out-of-hours maintenance and anything on the public site that relies on wp-admin/admin-ajax.php).
19. Schedule regular database backups, keep them off the server, and test a restore.
20. Restrict the length of allowed URLs to 255 characters or less.
21. Require SSL connections on the admin area (define('FORCE_SSL_ADMIN', true); in wp-config.php). This had an on-cost when certificates were paid for; with free certificate authorities there is little reason not to serve the whole site over HTTPS.
22. If possible, install and run server-side antivirus software such as ClamAV.
23. Consider restricting the server's FTP service to only accept connections from certain, whitelisted IP addresses (only applicable if you have at least one static IP). Prefer SFTP or SCP over plain FTP, which sends credentials in clear text.
24. When deployment is complete, consider stopping the server's FTP service completely. You can always temporarily switch it on again if required.
25. If your web server is allowing proxying (for example, if you're load-balancing), ensure it's not configured as an open HTTP proxy (in Apache, ProxyRequests Off).
26. Remove any open SMTP relays on your server (the usual term for what the original calls "SMTP proxies").
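The following shell script is an added example, not part of the original checklist, covering items 7 to 10 and 12: it generates the eight wp-config.php secret keys and salts at the 64-character length the official generator uses, audits an existing wp-config.php for placeholders or short values, and prints the SQL for a dedicated MySQL account that can only touch the site database and cannot DROP. The key names are WordPress's own; the database name, user name and host passed in are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original checklist): wp-config.php secrets and a
# least-privilege MySQL account. Key names are WordPress's own; the database
# and user names used at the bottom are demo assumptions.

# gen_secret LENGTH [CHARSET]: LENGTH random characters from /dev/urandom.
# Single quotes and backslashes are left out of the default set so the value
# is safe inside the single-quoted PHP strings wp-config.php uses.
gen_secret() {
    LC_ALL=C tr -dc "${2:-A-Za-z0-9!@#%^&*()_+=}" < /dev/urandom | head -c "$1"
}

# wp_salts: emit the eight define() lines WordPress expects, 64 chars each
# (the same length https://api.wordpress.org/secret-key/1.1/salt/ hands out).
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define( '%s', '%s' );\n" "$name" "$(gen_secret 64)"
    done
}

# wp_check_salts WP_CONFIG: return 1 if any key is missing, still the stock
# placeholder ("put your unique phrase here") or shorter than 32 characters.
wp_check_salts() {
    status=0
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(sed -n "s/^define( *'$name', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1)
        if [ -z "$value" ] || [ "$value" = "put your unique phrase here" ] \
           || [ "${#value}" -lt 32 ]; then
            echo "weak or missing $name" >&2
            status=1
        fi
    done
    return "$status"
}

# wp_db_sql DBNAME USER [HOST]: SQL for an account limited to one database with
# a 40-character random password and no DROP. Core and plugin updates still
# need CREATE, ALTER and INDEX; plugin uninstalls that drop tables should be
# run from a separate maintenance account.
wp_db_sql() {
    db=$1 user=$2 host=${3:-localhost}
    pass=$(gen_secret 40 'A-Za-z0-9')
    cat <<EOF
CREATE USER '${user}'@'${host}' IDENTIFIED BY '${pass}';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, LOCK TABLES
    ON \`${db}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Usage (demo names are assumptions):
#   wp_salts >> wp-config.php       # then delete the old placeholder lines
#   wp_check_salts wp-config.php
#   wp_db_sql blog_db blog_app | mysql -u root -p
```

Run wp_check_salts against any install you inherit: a wp-config.php copied from an old tarball often still carries the placeholder values, and nothing in WordPress itself warns about that.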
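The script below is a second added example, not part of the original checklist, for the Apache-side items 13, 14, 17, 18 and 20: it prints a hardening .htaccess for the site root (no directory listings, wp-config.php and .ht* never served, wp-login.php limited to one network, request paths over 255 characters refused, admin area closed outside an 08:00 to 17:59 window), then locks the two files that must not be writable and verifies the result. The office CIDR 203.0.113.0/24, the document root, the work-hours window and the file ownership model are assumptions for the demo; the vhost must allow the Options, AuthConfig and FileInfo override classes for these directives to take effect in .htaccess.

```shell
#!/bin/sh
# Added example (not from the original checklist): Apache 2.4 .htaccess for
# items 13, 14, 17, 18 and 20, plus file locking for item 17. CIDR, document
# root, work hours and ownership are demo assumptions.

# wp_htaccess ADMIN_CIDR: print the hardening .htaccess for the site root.
wp_htaccess() {
    cat <<EOF
# Item 13: no directory listings
Options -Indexes

# Item 17 (HTTP side): never serve wp-config.php or .ht* files
<FilesMatch "^(wp-config\.php|\.ht.*)\$">
    Require all denied
</FilesMatch>

# Item 14: login page reachable only from the allowed network
<Files "wp-login.php">
    Require ip ${1}
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Item 20: refuse request paths longer than 255 characters
    RewriteCond %{REQUEST_URI} ^.{256,}
    RewriteRule .* - [F]
    # Item 18: admin area only between 08:00 and 17:59 server time;
    # admin-ajax.php is exempt because the public site relies on it
    RewriteCond %{TIME_HOUR} !^(0[89]|1[0-7])\$
    RewriteCond %{REQUEST_URI} !admin-ajax\.php\$
    RewriteRule ^(wp-login\.php|wp-admin/) - [F]
</IfModule>
EOF
}

# wp_lock_files DOCROOT: wp-config.php readable only by its owner and the web
# server's group (440); .htaccess read-only for everyone (444). Assumes the
# files are owned by the deploy user with the web server's group.
wp_lock_files() {
    chmod 440 "$1/wp-config.php"
    [ -f "$1/.htaccess" ] && chmod 444 "$1/.htaccess"
    return 0
}

# wp_check_files DOCROOT: return 1 if either file is writable by group or others.
wp_check_files() {
    bad=$(find "$1" -maxdepth 1 \( -name wp-config.php -o -name .htaccess \) \
               \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] || { echo "writable: $bad" >&2; return 1; }
}

# Usage (paths and CIDR are assumptions):
#   wp_htaccess 203.0.113.0/24 > /var/www/html/.htaccess
#   wp_lock_files /var/www/html && wp_check_files /var/www/html
```

Re-run wp_check_files after every deployment or WordPress auto-update, because tooling that rewrites .htaccess (permalink changes, caching plugins) tends to leave it group-writable again.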