This rule block is generated by WordPress when it has write access to your server, most notably to make pretty permalinks work.
If it isn't already at the top of your file, place it at the top of your .htaccess file. Any other rules should go after the # BEGIN WordPress and # END WordPress statements, because WordPress may rewrite anything between them.
4.2 – WordPress Security Application Configurations
Move WP-Config outside the root folder
The wp-config.php file is a critical configuration file containing sensitive information about your WordPress site, including your database connection credentials.
If the wp-config.php file does not exist in the root folder, WordPress will automatically look for it one directory above the document root. Moving this file out of the web root prevents wp-config.php from being served or exposed over the Internet.
Setup Salts & Keys
The wp-config file includes a section dedicated to authentication salts and keys. These salts and keys improve the security of cookies and passwords that are in transit between your browser and the web server.
You can set up your keys by including or editing these lines after the other define statements in your wp-config.php file:
define('AUTH_KEY', 'include salt here');
define('SECURE_AUTH_KEY', 'include salt here');
define('LOGGED_IN_KEY', 'include salt here');
define('NONCE_KEY', 'include salt here');
You can easily generate your salts by navigating to the wordpress.org salt generator or using the reset salts + keys option in our WordPress Plugin.
Disable File Editing
By default, file changes can be made through Appearance > Editor from the WordPress dashboard.
You can increase your WordPress security by disabling file editing from the dashboard. This prevents an attacker who gains access to wp-admin from modifying your theme and plugin files through the backend. You will still be able to make changes via SFTP/SSH.
To disable file editing from the dashboard, include the following two lines of code at the end of your wp-config.php file:
## Disable Editing in Dashboard
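The three wp-config.php hardening steps in this section (file location, real salts instead of placeholders, dashboard editing disabled) can be checked automatically. The script below is an added example, not part of the original guide or of any Sucuri tool; it runs over a constructed wp-config.php excerpt, assumes the standard WordPress constant DISALLOW_FILE_EDIT for the editing switch, and uses a 32-character minimum salt length that is this example's own choice.

```python
import os
import re

# Constructed wp-config.php excerpt (not from any real site), deliberately
# half-hardened so the audit below has something to report.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY',        'include salt here');
define('SECURE_AUTH_KEY', 'include salt here');
define('LOGGED_IN_KEY',   'f3Kq#9zL!vR2@mX7$pW4%hN8^tD6&yB1*cG5(jS0)uE+aH=oI-eT_rY/nM,kU.lO');
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', false);
"""

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDERS = {"include salt here", "put your unique phrase here", ""}

# Matches define('NAME', 'string'); and define('NAME', true); one per line.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](?P<name>\w+)['"]\s*,\s*"""
    r"""(?:['"](?P<str>[^'"]*)['"]|(?P<bare>\w+))\s*\)\s*;""", re.M)

def parse_defines(php_source):
    """Return {CONSTANT: value} for every define() statement in the source."""
    return {m.group("name"): m.group("str") if m.group("str") is not None
            else m.group("bare") for m in DEFINE_RE.finditer(php_source)}

def audit_wp_config(php_source, min_salt_len=32):
    """List hardening gaps: placeholder, short or missing keys; editable files."""
    defines = parse_defines(php_source)
    findings = []
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif value.strip().lower() in PLACEHOLDERS:
            findings.append(f"{key}: still a placeholder value")
        elif len(value) < min_salt_len:  # length floor is this example's choice
            findings.append(f"{key}: shorter than {min_salt_len} characters")
    edit = defines.get("DISALLOW_FILE_EDIT")
    if edit is None or edit.lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not true, dashboard editing enabled")
    return findings

def config_outside_webroot(config_path, webroot):
    """True when wp-config.php sits above, not inside, the document root."""
    config_dir = os.path.dirname(os.path.abspath(config_path))
    root = os.path.abspath(webroot)
    return os.path.commonpath([config_dir, root]) != root
```

Running audit_wp_config on the sample reports the two placeholder keys, the missing NONCE_KEY and the file-editing switch left at false, while the 64-character LOGGED_IN_KEY passes.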
Virtual hardening is part of a defense-in-depth strategy that protects your web server and database from vulnerability exploitation: it adds multiple layers of protection in front of a website to reduce its attack surface.
If a security patch is released but you are unable to update your site, it becomes an easy target for hackers. One effective way to mitigate this risk is to employ a virtual patching service on your website.
Virtual patching can be accomplished through the use of a Web Application Firewall, where vulnerabilities are patched automatically to protect against known security threats.
5. WordPress Security Services
Protect WordPress with a Web Application Firewall (WAF)
One of the easiest ways to protect your WordPress website from hackers is to employ the use of a Web Application Firewall (WAF) like the Sucuri Firewall.
Website firewalls work to identify, filter, and block malicious traffic from reaching your site. All HTTP/HTTPS traffic is inspected. If a malicious bot or hacker tool attempts an attack, the website firewall blocks it automatically to protect your WordPress website before it even reaches your server.
There are a number of professional services that take care of your website security needs for you. Not all services are the same – some charge more to fix complex hacks, and others provide different tiered feature sets. You should choose the one that best fits your needs.
If your host provides security services, take some time to research exactly what features they include. They’re normally happy to advise you on ways you can complement their baseline feature sets with additional services.
The benefit to employing a cloud-based security service like Sucuri is that it provides complete end-to-end website security. This means protection, detection, and response services are included with an all-in-one platform and no hidden fees.
Our high availability Globally Distributed Anycast Network (GDAN) ensures that websites can efficiently service their global audiences while mitigating DDoS attacks.
SSL has become increasingly important to WordPress security in the past couple of years, not only for securely transmitting information to and from your website, but also to increase search visibility and lower the chances of being penalized by search engines and browsers.
SSL allows a website to be accessed over HTTPS, which encrypts the data sent between visitors and web servers. Since 2014, SSL has been a ranking signal for SEO and Google has now started to flag non-HTTPS websites that transmit password and credit card data.
We’ve put together a free guide on how to implement SSL on your website and a tutorial on how to move your WordPress site to https. If you need assistance, you can reach out to us and learn how we can help you activate SSL/HTTPS via our cloud-based WAF.
7. WordPress Security FAQs
How do I increase WordPress security?
WordPress website owners can increase their security by practicing strong password security and access control. You should keep all software and third-party components up to date with the latest security patches to prevent vulnerabilities, and employ proactive WordPress security principles for an effective defense strategy.
We also encourage website owners to prevent attacks and protect their WordPress websites from hackers with a web application firewall (WAF) that automatically blocks website attacks and hacks.
What WordPress plugins should I use?
The Sucuri Security WordPress plugin offers a variety of helpful security features, including activity auditing, file integrity monitoring, remote malware scanning, and blacklist monitoring to identify and protect your website from threats.
Other useful plugins include backup, auditing, and utility plugins which address a variety of security functions.
How can I protect my WordPress site from malware?
One of the easiest ways to protect your WordPress website from hackers is to employ a web application firewall (WAF), which can block malicious traffic before it ever reaches your server.
How do I remove malware from my WordPress site?
We’ve put together a helpful guide on how to clean a WordPress hack to help website owners walk through the process of identifying and cleaning up malware from a compromised website. This guide also includes post-hack instructions to help you protect your site from future infections.
If you need assistance, our security analysts are here to help. We remove malware from thousands of WordPress websites every week.
How do I secure my WordPress site with HTTPS?
SSL certificates do not protect your website itself from compromise, but they protect data in transit between the host (web server or firewall) and the client (web browser). SSL works as a barrier that prevents intruders from reading or modifying that data while it travels over the network.
To install an SSL certificate on a WordPress website, you’ll need to either purchase one from a certificate authority, such as GoDaddy, or use a free certificate from Let’s Encrypt.
WordPress website and encrypt its data with HTTPS.
Sucuri offers free SSL on the firewall to ensure that visitors reach your website via HTTPS by default.