Best practices for maintaining a secure WordPress site at IU

If you are running a WordPress installation at Indiana University, the following guidelines can help you substantially improve the security of your site, especially if you are setting up a fresh installation:

• Keep your WordPress installation and plug-ins updated: It is critical to apply all core, plug-in, and theme updates issued by WordPress. Many of them include important security improvements. You'll see a message at the top of your Dashboard whenever a new update is available. If you seldom log into your WordPress administrator account, consider installing the WP Updates Notifier plug-in, which monitors your installation for updates, and emails you when they are available. For tips about the update process, see Updating WordPress in the WordPress Codex.
• Perform backups of your database: MySQL for Sitehost maintains automatic backups for service-wide data recovery purposes only. You should make manual backups before performing any system maintenance or database work. For more, see About the MySQL for Sitehost data backup and restoration policy.
• Be careful when assigning a database administrator to your WordPress site: Having a WordPress account with "root" permissions on your databases is a security risk. Only MySQL users with reduced privileges granted should be allowed to connect to your database from your WordPress site.
• Request frequent vulnerability scans from UISO: The University Information Security Office (UISO) provides a Web Application Vulnerability Scanner to help you discover any vulnerabilities affecting your site. How often you request scans depends on several factors, such as site traffic and the sensitivity of your data. For more, see Vulnerability Scanners.
• Give users only the Capabilities they need: WordPress has multiple user Roles, each with its own set of Capabilities. To keep user accounts from making unwanted changes to your site's content and settings, you should be careful to assign Roles that grant only the Capabilities users need to do their jobs. Before assigning Roles, see Roles and Capabilities.
• Use your administrator account only when you need to perform administrative tasks: When you create a new WordPress site, an Administrator account with all Capabilities is automatically generated. Using this account to perform common, non-administrative tasks leaves you vulnerable to security risks and exploits. Practice the principle of least privilege by creating and using an alternate account with a Role, such as Editor, that has fewer Capabilities. Consequently, if a hacker ever cracks your account, that person won't be able to do much damage, because the Editor Role does not allow the user to edit any settings. For more, see Roles and Capabilities in the WordPress Codex.
• Move your configuration settings file: The configuration settings file (wp-config.php) contains the information WordPress needs to access your database; it is stored by default in your site's root directory. Moving this file up one level from its default location helps prevent hackers from finding and accessing it. You can move this file up one directory from the root level, and WordPress will still be able to find it.
• Change the WordPress table prefix: By default, WordPress adds the wp_ prefix to all of your database table names when you set up your site. Changing this prefix makes it difficult to guess your database table names, and consequently can help stop a hacker from damaging your site with an SQL injection attack. To change the table prefix during setup, in your wp_config.php file, below the database information, change the $table_prefix variable. For example:

  $table_prefix= 'iub_'; // Only numbers, letters, and underscores please!

• Use secret keys: Setting up secret keys will greatly enhance the security of your site by adding random elements to passwords, making them much stronger and nearly impossible to guess. To set up secret keys, go to the WordPress secret key generator, copy the resulting four lines of text, and then paste it into your wp-config.php file, below the database information. Implementing these on your site will invalidate all current WordPress cookies, so any users on your site will need to log in again afterward.
• Lock down your Dashboard: You can use a .htaccess file to create an "allowlist" that specifies which IP addresses are allowed to access your Administration Dashboard. Use the following code to create the .htaccess file, and then save it to your site's root directory (replace xxx.xxx.xxx.xxx with a trusted IP address):

  AuthUserFile /dev/null
  AuthGroupFile /dev/null
  AuthName "Access Control"
  AuthType Basic
  order deny,allow
  deny from all
  #IP address to allowlist
  allow from xxx.xxx.xxx.xxx

  You can add multiple allow from lines to accommodate additional trusted IP addresses.

Following these recommendations should substantially improve the security of your WordPress site. Additionally, you should make sure your users know they should not share their usernames and passwords. Also, encourage your users to change their passwords frequently.

For more about securing your WordPress site, see Hardening WordPress on the WordPress Codex. For more about computer security in general, see Tips for staying safe online.