1)WP prefix for DB tables should be something other than “wp_” and should be a strong prefix like a password, preferably alphanumeric characters.
It is a good practice to change the prefix at the time of installation.
We can change the prefix anytime after the installation as well by:
a) changing the prefix value in wp-config.php file and
b) renaming all the tables present in the database with that prefix and
c) we need to change the values for certain columns present in ‘wp_options’ table and in ‘wp_usermeta table’ :
i) in ‘wp_options’ table under the column ‘option_name’ we need to change any references starting with ‘wp_’ (or whatever the old and weak prefix was) needs to be updated by the new prefix.
ii) in ‘wp_usermeta’ under the column ‘meta_key’ any references starting with ‘wp_’ (or whatever the old/weak prefix was) needs to be updated by the new prefix.
SPECIAL CARE HAS TO BE TAKEN WHILE UPDATING wp_options & wp_usermeta tables, ANY NEGLIGENCE CAN CAUSE BREAKING OF THE ENTIRE SITE.
2) Disabling display of login errors for admin logins –
Generally hackers extract a lot of information even with the error messages. Its a good practise to disable them.
The procedure to implement it is:
CREATE A WP HOOK :: place the following code in the functions.php file
* hide_anything :: This method returns blank, useful in security through obscurity.
REMOVING THE RED NOTIFICATION BAR ::
In the file : wp-login.php (present in root of WP installation)
find the line:
and replace ‘login_error’ with ‘login_error_old’
This will remove the red notification block, for all the users (both admin and normal users).
3) WordPress versions should not be displayed on the websites, this will ensure that even if your are using old wordpress versions it’ll be not known to hackers.
Hackers generally use loopholes in previous/out dated versions to get an entry into your site.
THE PROCEDURE ::
add the following hook in functions.php present in your theme :
we have already defined hide_anything() method in step #2
This will prevent WP version from getting displayed both on site as well as in Feeds.
4) wp-admin directory should be password protected from server side by using htaccess.
5) Generally all the files & folder permissions sholud be 644 & 755 respectively (may vary for a few files, which needs to be determined).
6) Always use updated WP versions and also update plugins periodically. Dont use beta Plugins, they might act as a gateway for hackers.
7) Use forced ssl for logins.
THE PROCEDURE ::
in wp-config.php file , search for
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
just above these lines add the following::
This will enable ssl for logins.
(SSL should be enabled for the site as well)
8) wp-config.php file can be moved to a directory above the WordPress install directory. This means for a site installed in the root of a webspace, wp-config.php can be stored outside the web-root folder.
755 is what the permission should be otherwise it wont work.
Keeping the wp-config.php above the web-root folder ensures that it is inaccessible from the web and all the DB credentials and other data present in it is safe from illegal access. wp-load.php checks for wp-config.php in current directory i.e. the WP install directory, if it is not found there then it checks for it one level above it and tries to load it from there, so it should be present ideally at one of the two locations.
9) Another good practise is not to use admin/administrator or similar words as username. Using some other words instead, preferably alphanumeric words, will be an added advantage towards improving WP security.
If admin has admin/administrator or any other similar words as username then a new user can be created with admin privileges and using that account the previous admin account can be deleted.
10) Regularly take backups of your WP site.