Security measures for WordPress
Critical security measures
The following security measures are considered critical for WordPress security and are applied automatically by WordPress Toolkit for any newly deployed WordPress instance. Detected, imported, or remote instances that do not have these measures applied are marked with the DANGER label.
- Configure security keys. WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) to ensure better encryption of the information stored in the user's cookies. A good security key should be long (60 characters or longer), random, and complex. The security check should verify that the security keys are set up and that they contain both alphabetic and numeric characters.
- Change default database table prefix. WordPress database tables have the same standard names on all WordPress installations. When the standard wp_ prefix is used for the database table names, the entire WordPress database structure is transparent, making it easy for malicious scripts to obtain data from it. This security measure changes the database table name prefix to something different than the default wp_ prefix.
- Change default administrator's username. During the installation, WordPress creates a user with administrative privileges and the username admin. Since usernames in WordPress cannot be changed, it is possible to try brute-forcing the password of this user to access WordPress as the administrator. This security measure creates a WordPress administrator account with a randomized username and ensures that there is no user with administrative privileges and the admin username. If the admin user is found, all content belonging to this user is reassigned to the new administrator account, and the admin user account is removed.
- Restrict access to files and directories. If access permissions for files and directories are not secure enough, these files can be accessed by hackers and used to compromise your website. This security measure sets the permissions for the wp-config.php file to 600 (read-write only for the owner), for other files to 644 (read-write for the owner, read-only for everyone else), and for directories to 755 (read, write, and execute for the owner; read and execute for everyone else).
- Block directory browsing (can be reverted). If directory browsing is turned on in the web server settings, hackers can obtain various information about your website that can potentially compromise its security. By default, directory browsing is turned off in Plesk, but when it is turned on, this security measure can block it. This measure modifies the server configuration file (Apache, nginx for Linux, or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.
- Block unauthorized access to wp-config.php (can be reverted). The wp-config.php file contains sensitive information like database access credentials, security keys, and so on. If, for some reason, processing of PHP files by the web server is turned off, hackers can access the content of the wp-config.php file. This security measure prevents unauthorized access to the wp-config.php file. This measure modifies the server configuration file (Apache, nginx for Linux, or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.
- Disable PHP execution in cache directories (can be reverted). If a compromised PHP file ends up in one of the cache directories of your website, executing it can compromise the entire website. This security measure disables execution of PHP files in cache directories, preventing such exploits from happening.
Note that some plugins or themes might ignore security recommendations from the WordPress Security Team and store valid PHP executables in their cache directory. You might have to disable this security measure if you need to make such plugins or themes work.
- Block access to sensitive files (can be reverted). This security measure prevents public access to certain files that can contain sensitive information, such as connection credentials or various information that can be used to determine which known exploits are applicable to your WordPress website.
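The first three critical measures above (security keys, table prefix, file permissions) are all things you can verify yourself. The following Python script is an added example, not part of WordPress Toolkit or of this page: it parses a constructed wp-config.php, applies the key rules stated above (each of AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY present, not the installer placeholder, at least 60 characters, containing both letters and digits), flags the default wp_ prefix, and compares file modes against the 600/644/755 targets. The sample configuration, the placeholder string and the function names are assumptions made for the example.

```python
import re
import stat

# Constructed sample wp-config.php (not from any real site). The values are
# deliberately flawed so that every check below has something to report:
# AUTH_KEY is the stock placeholder, LOGGED_IN_KEY has no digits, NONCE_KEY
# is missing entirely, and the table prefix is the default.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'k8Pq2ZvW1xL0mN7tR4cY9bH3dF6gJ5sA2eU8wQ1oI4pK7lM0nV3zX6cB9vT2yG5h' );
define( 'LOGGED_IN_KEY',   'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijkl' );
$table_prefix = 'wp_';
"""

REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
MIN_KEY_LENGTH = 60          # minimum length named in the measure description
PLACEHOLDER = "put your unique phrase here"   # assumed installer placeholder text

# Matches define('NAME', 'value') with either quote style. Values that contain a
# quote character are not handled by this simple pattern.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text):
    """Return (defines dict, table prefix or None) extracted from wp-config.php text."""
    defines = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def check_security_keys(defines):
    """Apply the key rules: present, not the placeholder, 60+ chars, letters and digits."""
    problems = []
    for name in REQUIRED_KEYS:
        value = defines.get(name)
        if value is None:
            problems.append(f"{name}: not defined")
            continue
        if value == PLACEHOLDER:
            problems.append(f"{name}: still the installer placeholder")
            continue
        if len(value) < MIN_KEY_LENGTH:
            problems.append(f"{name}: only {len(value)} characters (need {MIN_KEY_LENGTH}+)")
        if not (re.search(r"[A-Za-z]", value) and re.search(r"[0-9]", value)):
            problems.append(f"{name}: must contain both letters and digits")
    return problems


def check_table_prefix(prefix):
    """The default wp_ prefix makes the schema predictable; anything else passes."""
    if prefix is None:
        return ["$table_prefix: not set"]
    if prefix == "wp_":
        return ["$table_prefix: default 'wp_' is in use"]
    return []


def check_file_mode(path, is_dir, mode):
    """Compare a permission mode against the measure's targets: 600 / 644 / 755."""
    if is_dir:
        expected = 0o755
    elif path.endswith("wp-config.php"):
        expected = 0o600
    else:
        expected = 0o644
    mode = stat.S_IMODE(mode)   # drop any file-type bits the caller passed in
    if mode != expected:
        return [f"{path}: mode {oct(mode)} (expected {oct(expected)})"]
    return []


def audit_wp_config(text):
    """Run the wp-config.php checks and return the list of findings (empty = clean)."""
    defines, prefix = parse_wp_config(text)
    return check_security_keys(defines) + check_table_prefix(prefix)


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("DANGER:", finding)
    for finding in check_file_mode("wp-config.php", False, 0o644):
        print("DANGER:", finding)
```

To run it against a real installation, read wp-config.php into `audit_wp_config` and feed `os.lstat()` results (with `stat.S_ISDIR` for the directory flag) into `check_file_mode` while walking the document root. The checks deliberately stop at what the measure descriptions state; the toolkit's own implementation may apply additional rules.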
Recommended security measures
The security measures below are recommended, but are not considered critical for website security and are therefore not applied by default.
- Forbid execution of PHP scripts in the wp-includes directory (can be reverted). The ./wp-includes/ directory may contain insecure PHP files that can be executed to take over and exploit your website. This security measure prevents the execution of PHP files in the wp-includes directory. This measure modifies the server configuration file (Apache, nginx for Linux, or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.
- Forbid execution of PHP scripts in the wp-content/uploads directory (can be reverted). The ./wp-content/uploads/ directory may contain insecure PHP files that can be executed to take over and exploit your website. This security measure prevents the execution of PHP files in the ./wp-content/uploads/ directory. This measure modifies the server configuration file (Apache, nginx for Linux, or web.config for Windows). Note that custom directives in the .htaccess or web.config files might override this.
- Block access to potentially sensitive files (can be reverted). This security measure prevents public access to certain files (for example, log files, shell scripts, and other executables) that might exist on your WordPress website. Public access to these files could potentially compromise the security of your WordPress website.
- Block access to .htaccess and .htpasswd (can be reverted). Gaining access to the .htaccess and .htpasswd files allows attackers to subject your website to a variety of exploits and security breaches. This security measure modifies web server configuration to ensure that .htaccess and .htpasswd files cannot be accessed by abusers.
- Disable scripts concatenation for WordPress admin panel (can be reverted). This security measure turns off concatenation of scripts running in the WordPress Administrator panel, preventing your website from being affected by certain Denial-of-Service (DoS) attacks. Turning off concatenation of scripts might slightly affect the performance of the WordPress Administrator panel, but it should not affect your WordPress website from a visitor's point of view.
- Turn off pingbacks (can be reverted). Pingbacks allow other WordPress websites to automatically leave comments under your posts when these websites link to these posts. Pingbacks can be used to launch Distributed Denial-of-Service (DDoS) attacks on your website. This security measure turns off XML-RPC pingbacks for your entire website and also disables pingbacks for previously created posts with pingbacks enabled.
- Enable hotlink protection (can be reverted). Hotlink protection prevents other websites from displaying, linking, or embedding your images. This practice is called hotlinking, and it can quickly drain your bandwidth and make your website unavailable.
- Enable bot protection (can be reverted). This measure protects your website from useless, malicious, or otherwise harmful bots. It blocks bots that scan your website for vulnerabilities and overload your website with unwanted requests, causing resource overuse. Note that you might want to temporarily disable this measure if you're planning to use an online service to scan your website for vulnerabilities, since these services might also use such bots.
- Block author scans (can be reverted). Author scans are a form of user enumeration. The goal of these scans is to find the usernames of registered users (especially the WordPress admin) and then brute-force the login page of your website to gain access. This security measure prevents such scans from learning these usernames.
Note that depending on the permalink configuration on your website, this measure might prevent visitors from accessing pages that list all articles written by a particular author.
- Disable file editing in WordPress Dashboard (can be reverted). Disabling file editing in WordPress removes the ability to directly edit the plugin and theme file sources (i.e., their PHP files) in the WordPress interface. This measure adds an additional layer of protection for the WordPress website in case one of the WordPress admin accounts is compromised. In particular, it prevents compromised accounts from easily adding malicious executable code to plugins or themes.
- Disable unused scripting languages. This security measure turns off support for scripting languages not used by WordPress, such as Python and Perl. Turning them off ensures that your website cannot be compromised by exploiting vulnerabilities in these scripting languages.
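Several of the measures above (blocking wp-config.php, .htaccess and .htpasswd, PHP execution under wp-includes and wp-content/uploads, log files and shell scripts, and author scans) are web server rules, and the descriptions warn that custom .htaccess or web.config directives can override them. The following Python script is an added example, not the toolkit's own configuration: it encodes those measures as a request policy and compares it with what a site actually serves, so that an override is noticed. The rule list, the probe URLs, the choice of .log and .sh as the "potentially sensitive" extensions, and the fake response table are all assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# An added model of the request-blocking measures, not the toolkit's own web
# server configuration. Each rule is (measure name, predicate on (path, query));
# the first matching rule wins. The extensions for "potentially sensitive files"
# are an assumption drawn from the description (log files, shell scripts); a
# real ruleset would be longer and would carry exceptions.

def _php_under(prefix):
    return lambda path, query: path.lower().endswith(".php") and path.startswith(prefix)

RULES = [
    ("Block unauthorized access to wp-config.php",
     lambda path, query: path.endswith("/wp-config.php")),
    ("Block access to .htaccess and .htpasswd",
     lambda path, query: path.rsplit("/", 1)[-1] in (".htaccess", ".htpasswd")),
    ("Forbid execution of PHP scripts in wp-includes", _php_under("/wp-includes/")),
    ("Forbid execution of PHP scripts in wp-content/uploads", _php_under("/wp-content/uploads/")),
    ("Block access to potentially sensitive files",
     lambda path, query: path.lower().endswith((".log", ".sh"))),
    ("Block author scans", lambda path, query: "author" in query),
]


def expected_decision(url):
    """Return ("deny", measure) if a measure should block this URL, else ("allow", None)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    query = parse_qs(parts.query)
    for name, predicate in RULES:
        if predicate(path, query):
            return ("deny", name)
    return ("allow", None)


# Constructed probe URLs covering the path shapes each measure is meant to catch,
# plus two that must stay reachable (a static asset and an uploaded image).
PROBES = [
    "/wp-config.php",
    "/.htaccess",
    "/wp-includes/version.php",
    "/wp-content/uploads/2024/01/shell.php",     # constructed file name
    "/wp-content/uploads/2024/01/photo.jpg",
    "/wp-includes/js/jquery/jquery.min.js",
    "/wp-content/debug.log",
    "/?author=1",
]


def audit_site(fetch, probes=PROBES):
    """Compare a live site against the policy.

    `fetch(url)` returns the HTTP status code for a request to that URL; any
    4xx counts as blocked. The result lists probes the policy says must be
    blocked but the site served.
    """
    findings = []
    for url in probes:
        decision, rule = expected_decision(url)
        if decision != "deny":
            continue
        status = fetch(url)
        if not 400 <= status < 500:
            findings.append(f"{url}: expected block by '{rule}', got HTTP {status}")
    return findings


# Constructed responses standing in for a site where a custom .htaccess has
# re-enabled PHP under uploads; everything else is blocked as expected.
FAKE_RESPONSES = {
    "/wp-config.php": 403, "/.htaccess": 403, "/wp-includes/version.php": 403,
    "/wp-content/uploads/2024/01/shell.php": 200, "/wp-content/debug.log": 403,
    "/?author=1": 403,
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, 200)


if __name__ == "__main__":
    for finding in audit_site(fake_fetch):
        print("DANGER:", finding)
```

For a real check, replace `fake_fetch` with a function that issues the request against your own site (for example with `urllib.request` and the site's base URL prepended) and returns the status code. Run it after every change to .htaccess or web.config, since that is exactly where the overrides the descriptions warn about come from; a measure that the toolkit reports as applied can still be undone by a later directive in those files.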