Secure your WordPress

Securing your WordPress installation

Now that we have a functional WordPress installation, it may be a good time to look at some security-related settings. This is fairly basic in terms of implementation but it should provide security benefits. If you are not entirely sure of what you are doing, I suggest implementing the changes one at a time, or implementing those changes that make sense to you. If something breaks as a result, you can always revert to an earlier step in your configuration when things were still working.

Disable the Theme and Plugin Editor

In wp-config.php let’s disable the Theme and Plugin Editor. If a malicious user gains access to your WordPress dashboard with administrative privileges, they could use this editor to add malicious code to your site. By setting DISALLOW_FILE_EDIT to true, you’re disabling this editor and removing one potential avenue of attack.

define( 'DISALLOW_FILE_EDIT', true );

Disable PHP Error Reporting

While we are editing wp-config.php let’s also disable PHP error reporting:


Suppressing error display can be useful in a production environment because displaying errors can reveal sensitive information about your server, file paths, database details, etc. to potential attackers.

WordPress has its own debugging system. You can use define('WP_DEBUG', true); in wp-config.php to enable debugging mode in WordPress. When WP_DEBUG is set to true, WordPress will display all PHP errors, notices, and warnings. If you want to log those errors instead of displaying them, you can use define('WP_DEBUG_LOG', true);.

You may need to restart Apache after changes to the wp-config.php file:

sudo apache2ctl restart

Protect your .htaccess file

The .htaccess file at the root of your web folder is useful in other cases, but it may be a good idea to ensure it is also protected. Add this to the .htaccess file at the root of your web folder:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Block access to wp-config.php

This is always a good precaution. Add the following to the same .htaccess file as above:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Block access to xmlrpc.php

Edit your .htaccess file and add the following:

<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

Restrict admin access by IP

This goes in the same .htaccess file:

<Files wp-login.php>
order deny,allow
deny from all
allow from YOUR_IP_ADDRESS
</Files>

Restrict access to wp-admin folder by IP

This serves the same purpose as above and is perhaps overkill. You can create a new .htaccess file in the /wp-admin folder with the content below. If you have multiple IP addresses to whitelist, add each on a separate line.

Order Deny,Allow
Deny from all
Allow from IP_ADDRESS_1
Allow from IP_ADDRESS_2

Disable PHP Execution in Specific Directories

For directories like /wp-content/uploads/ where you typically don’t need PHP execution, you can create a .htaccess file inside the directory with:

<Files *.php>
deny from all
</Files>

Block username enumeration

It is relatively easy to discover the admin username of a WordPress site. A URL such as the one below will normally show you information about the admin user of a specific installation:

To protect against this, add the following to your .htaccess file at the root of the web folder:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-json/wp/v2/users.*$ - [R=404]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule (.*) about [L,R=301,QSD]
</IfModule>

You may also want to look at your WordPress templates to identify any places the author name appears and remove it manually by editing the appropriate template.

If you use any sitemaps, you may wish to disable the “author” sitemap.

Move wp-config.php out of the web folder

Whether this helps much is debatable, but presumably it would not hurt. You can rename your wp-config.php file and move it to a folder outside the web folder, for example /srv/www/outside/outside.php. Then, create a new file wp-config.php in the original location with this content (or equivalent) in it:


Ensure you limit access to the file with appropriate permissions. At this time, I have my doubts about the better choice but I suspect you can go with 640 or 440.

chmod 640 /srv/www/outside/outside.php
chmod 640 /srv/www/wordpress/wp-config.php
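
To confirm that the settings above are really in place, including that every <Files> block is closed and that wp-config.php is not readable by other users, an offline check like the following can be run against the web root. This is an added example, not part of the original post; the function names and the sample web root are constructed for illustration, and the check also accepts the Apache 2.4 form "Require all denied".

```shell
# Offline audit of a WordPress web root for settings described on this page.
# True if file $1 has a <Files $2> block that denies access and is closed.
has_files_block() {
    [ -f "$1" ] || return 1
    awk -v name="$2" '
        { line = tolower($0); gsub(/^[ \t]+|[ \t\r]+$|"/, "", line) }
        line ~ /^<files / { inb = (line == "<files " tolower(name) ">"); deny = 0; next }
        inb && (line == "deny from all" || line == "require all denied") { deny = 1 }
        inb && line == "</files>" { if (deny) ok = 1; inb = 0 }
        END { exit !ok }
    ' "$1"
}

# True if file $1 has an uncommented define( '$2', true ) at the start of a line.
has_define_true() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1" 2>/dev/null
}
# True if file $1 grants nothing to "other" users (modes such as 640 or 440).
no_other_access() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Run one check, print the result, and count failures in $fails.
check() {
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}

# Audit web root $1; the exit status is the number of failed checks.
audit_wp_hardening() {
    fails=0
    check "DISALLOW_FILE_EDIT is true" has_define_true "$1/wp-config.php" DISALLOW_FILE_EDIT
    for f in .htaccess wp-config.php xmlrpc.php wp-login.php; do
        check "<Files $f> denied and closed" has_files_block "$1/.htaccess" "$f"
    done
    check "PHP denied in uploads" has_files_block "$1/wp-content/uploads/.htaccess" '*.php'
    check "wp-config.php closed to other users" no_other_access "$1/wp-config.php"
    return "$fails"
}

# Constructed sample web root: hardened, except <Files xmlrpc.php> is never closed.
demo=$(mktemp -d) && mkdir -p "$demo/wp-content/uploads"
printf "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n" > "$demo/wp-config.php"
chmod 640 "$demo/wp-config.php"
printf '<Files %s>\norder allow,deny\ndeny from all\n</Files>\n' \
    .htaccess wp-config.php wp-login.php > "$demo/.htaccess"
printf '<Files xmlrpc.php>\norder allow,deny\ndeny from all\n' >> "$demo/.htaccess"
printf '<Files *.php>\ndeny from all\n</Files>\n' > "$demo/wp-content/uploads/.htaccess"
audit_wp_hardening "$demo" || echo "$? check(s) failed"
rm -rf "$demo"
```

Point audit_wp_hardening at your own web root (for example /srv/www/wordpress) after each change; it only reads files and does not contact the server.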

Enable 2FA for login

Consider looking around at various security plugins available for WordPress. Wordfence Security is an option. The free version provides various services, including 2FA for user authentication. You can also whitelist specific IP addresses to facilitate login.

