Best practices for maintaining a secure WordPress site at IU

If you are running a WordPress installation at Indiana University, the following guidelines can help you substantially improve the security of your site, especially if you are setting up a fresh installation:

  • Keep your WordPress installation and plug-ins updated: It is critical to apply all core, plug-in, and theme updates issued by WordPress. Many of them include important security improvements. You'll see a message at the top of your Dashboard whenever a new update is available. If you seldom log into your WordPress administrator account, consider installing the WP Updates Notifier plug-in, which monitors your installation for updates, and emails you when they are available. For more, see Updating WordPress.
  • Perform backups of your database: MySQL for Sitehost maintains automatic backups for service-wide data recovery purposes only. You should make manual backups before performing any system maintenance or database work. For more, see About the MySQL for Sitehost data backup and restoration policy.
  • Be careful when assigning a database administrator to your WordPress site: Having a WordPress account with "root" permissions on your databases is a security risk. Only MySQL users with reduced privileges granted should be allowed to connect to your database from your WordPress site.
  • Request frequent vulnerability scans from UISO: The University Information Security Office (UISO) provides a Web Application Vulnerability Scanner to help you discover any vulnerabilities affecting your site. How often you request scans depends on several factors, such as site traffic and the sensitivity of your data. For more, see About vulnerability scanners.
  • Give people only the Capabilities they need: WordPress has multiple Roles, each with its own set of Capabilities. To keep people from making unwanted changes to your site's content and settings, you should be careful to assign Roles that grant only the Capabilities people need to do their jobs. Before assigning Roles, see Roles and Capabilities.
  • Use your administrator account only when you need to perform administrative tasks: When you create a new WordPress site, an Administrator account with all Capabilities is automatically generated. Using this account to perform common, non-administrative tasks leaves you vulnerable to security risks and exploits. Practice the principle of least privilege by creating and using an alternate account with a Role, such as Editor, that has fewer Capabilities. Consequently, if a hacker ever cracks your account, that person won't be able to do much damage, because the Editor Role cannot edit any settings. For more, see Roles and Capabilities in the WordPress Codex.
  • Move your configuration settings file: The configuration settings file (wp-config.php) contains the information WordPress needs to access your database; it is stored by default in your site's root directory. Moving this file up one level from its default location helps prevent hackers from finding and accessing it. You can move this file up one directory from the root level, and WordPress will still be able to find it.
  • Change the WordPress table prefix: By default, WordPress adds the wp_ prefix to all of your database table names when you set up your site. Changing this prefix makes it difficult to guess your database table names, and consequently can help stop a hacker from damaging your site with an SQL injection attack. To change the table prefix during setup, in your wp_config.php file, below the database information, change the $table_prefix variable. For example:
    $table_prefix= 'iub_'; // Only numbers, letters, and underscores please!
  • Use secret keys: Setting up secret keys will greatly enhance the security of your site by adding random elements to passwords, making them much stronger and nearly impossible to guess. To set up secret keys, go to the WordPress secret key generator, copy the resulting four lines of text, and then paste it into your wp-config.php file, below the database information. Implementing these on your site will invalidate all current WordPress cookies, so anyone logged into your site will need to log in again afterward.
  • Lock down your Dashboard: You can use an .htaccess file to create an "allowlist" that specifies which IP addresses are allowed to access your Administration Dashboard. Use the following code to create the .htaccess file, and then save it to your site's root directory (replace with a trusted IP address):
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    #IP address to allowlist
    allow from

    You can add multiple allow from lines to accommodate additional trusted IP addresses.

Following these recommendations should substantially improve the security of your WordPress site. Additionally, you should make sure your users know they should not share their usernames and passwords. Also, encourage your users to change their passwords frequently.

For more about securing your WordPress site, see Hardening WordPress on the WordPress Codex. For more about computer security in general, see Tips for staying safe online.

Some of these tips were derived from Top 5 WordPress Security Tips You Most Likely Don't Follow.

This is document bdbb in the Knowledge Base.
Last modified on 2024-06-06 14:19:40.