You can easily find many people talking about WordPress security on the internet: start by choosing a recommended host, apply some hardening on your server, and use a few security plugins, all with the goal of keeping your site from being hacked. In this article I want to share what I know about basic WordPress hardening; with these simple tips I hope you can give your site a basic level of protection.
Some tips for basic WordPress hardening:
1. Change your administrator's user ID so that it is no longer 1, and don't use "admin" as the administrator's login name. You can do both by creating a new user with the Administrator role and then deleting the old one.
2. Set $table_prefix in wp-config.php to something other than wp_.
3. Replace the salt keys in wp-config.php with a fresh set from this link: https://api.wordpress.org/secret-key/1.1/salt/
4. Create a robots.txt file in your document root with the content below:
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /xmlrpc.php
Disallow: /trackback/
Disallow: /feed/
Sitemap: <your sitemap URL here>
5. Grant your database user only the privileges it needs, for example:
-- create the dedicated user first (IDENTIFIED BY inside GRANT is no longer accepted by MySQL 8)
CREATE USER 'dbuser'@'localhost' IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP
  ON db_name.* TO 'dbuser'@'localhost';
-- core or plugin upgrades that change table structure may also need ALTER; grant it only while upgrading
6. Use a security plugin such as Better WP Security, All in One WP Security & Firewall, Acunetix Secure WordPress, BulletProof Security, or another one of your choice. These plugins write .htaccess rules to protect your WordPress installation, adjust file permissions, and monitor file changes and 404 traffic.
7. Change the WordPress site URL; how to do this is described here: http://codex.wordpress.org/Changing_The_Site_URL
8. Change the owner of all files and directories to your local (non-web-server) user, leaving only the wp-content directory and the sitemap file owned by the apache or www-data user. This step is optional: I did it on my dedicated Linux server, and you cannot do it on shared hosting.
9. Most important of all: always update to the latest WordPress core version, and always keep a recent backup of your document root and database.
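As an added example (this is the editor's script, not code from the original post), the following Python audit checks a wp-config.php for tips 2, 3 and 5 above: a table prefix still set to wp_, salt keys left at the placeholder WordPress ships in wp-config-sample.php (or shorter than 32 characters, which is the editor's own threshold), and a database user of root or an empty password. The wp-config text embedded below is constructed for the demonstration.

```python
"""Audit a wp-config.php for the settings covered in tips 2, 3 and 5.

Added example, not code from the original post. It extracts the
define('NAME', 'value') constants and the $table_prefix assignment with
regular expressions and returns a list of findings.
"""
import re
import sys

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_SALT_LEN = 32  # editor's threshold; the salt API linked above returns 64-character values

DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

# Constructed sample of a wp-config.php left at the installer defaults (not a real site).
BAD_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', '' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Return (constants dict, table prefix or None) parsed from wp-config.php text."""
    constants = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}
    match = PREFIX_RE.search(text)
    return constants, (match.group(1) if match else None)


def audit_wp_config(text):
    """Return human-readable findings, in a fixed order: prefix, salts, DB user, DB password."""
    constants, prefix = parse_wp_config(text)
    findings = []
    if prefix is None:
        findings.append("tip 2: no $table_prefix assignment found")
    elif prefix == "wp_":
        findings.append("tip 2: $table_prefix is still the default 'wp_'")
    for key in SALT_KEYS:
        value = constants.get(key)
        if value is None:
            findings.append(f"tip 3: {key} is not defined")
        elif value == PLACEHOLDER or len(value) < MIN_SALT_LEN:
            findings.append(f"tip 3: {key} is the installer placeholder or shorter than {MIN_SALT_LEN} characters")
    if constants.get("DB_USER") == "root":
        findings.append("tip 5: DB_USER is root; use a dedicated user with limited privileges")
    if constants.get("DB_PASSWORD", "") == "":
        findings.append("tip 5: DB_PASSWORD is empty")
    return findings


if __name__ == "__main__":
    # usage: python audit_wp_config.py /path/to/wp-config.php (defaults to the sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_CONFIG
    for line in audit_wp_config(source) or ["no findings"]:
        print(line)
```

Run it against the sample and it reports eleven findings (the prefix, all eight salts, the root user and the empty password); a config with a custom prefix, fresh 64-character salts and a dedicated database user produces none.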
I think that's it for my basic WordPress hardening tips. If you need more advanced techniques and a more complete checklist for securing WordPress, the following is a good resource to read:
http://wordpress.org/support/topic/website-repeatedly-hacked
Oh, and as a last option you can harden PHP with Suhosin, which some hosting providers use, or add some configuration to php.ini by setting the disable_functions directive, see the code below:
disable_functions = chgrp, show_source, phpinfo, exec, popen, pclose, php_eval, safe_dir, root, ftok, posix_access, egy_perl, symlink, set_time_limit, ini_restore, shell_exec, passthru, ini_alter, openlog, syslog, readlink, link, leak, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, pcntl_exec, wscript, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, exec, fp, highlight_file, ini_get_all, inject_code, mysql_pconnect, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_terminate, system, xmlrpc_entity_decode, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, dl, curl_exec, curl_init
You can adjust the disable_functions list above according to your needs.
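When adjusting that list it helps to normalize it first. The Python script below is an added example (the editor's own, not from the original post): it pulls the disable_functions line out of php.ini text, removes duplicate names (the list above repeats several, such as exec and posix_setuid, which is harmless but untidy), sorts the result, and reports entries that WordPress core itself calls behind function_exists() checks, where disabling the function degrades a feature (the cURL HTTP transport, the updater's time-limit increase) rather than adding protection. The php.ini fragment and the WORDPRESS_USES set are the editor's constructed sample and assumption.

```python
"""Normalize a php.ini disable_functions value and flag entries that affect WordPress.

Added example, not code from the original post.
"""
import re

# Editor's assumption: functions WordPress core calls behind function_exists()
# guards, so disabling them makes WordPress fall back or lose a feature.
WORDPRESS_USES = {"curl_init", "curl_exec", "set_time_limit"}

# Matches an active (not ';'-commented) disable_functions line and captures its value.
INI_RE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$", re.MULTILINE)

# Constructed php.ini fragment for the demonstration.
SAMPLE_INI = """; constructed php.ini fragment
memory_limit = 128M
disable_functions = exec, passthru, shell_exec, system, proc_open, exec, curl_exec, posix_setuid, posix_setuid
"""


def read_disable_functions(ini_text):
    """Return the raw disable_functions value, or '' if the directive is absent or commented out."""
    match = INI_RE.search(ini_text)
    return match.group(1) if match else ""


def parse_names(value):
    """Split a comma-separated directive value into trimmed, lower-cased names, order preserved."""
    return [name.strip().lower() for name in value.split(",") if name.strip()]


def audit_disable_functions(ini_text):
    """Deduplicate and sort the list; report repeated names and WordPress-relevant entries."""
    seen, duplicates, unique = set(), [], []
    for name in parse_names(read_disable_functions(ini_text)):
        if name in seen:
            if name not in duplicates:
                duplicates.append(name)
        else:
            seen.add(name)
            unique.append(name)
    return {
        "normalized": ", ".join(sorted(unique)),       # ready to paste back into php.ini
        "duplicates": sorted(duplicates),              # names listed more than once
        "wordpress_impact": sorted(seen & WORDPRESS_USES),  # disabling these degrades WordPress
    }


if __name__ == "__main__":
    report = audit_disable_functions(SAMPLE_INI)
    print("disable_functions =", report["normalized"])
    print("duplicates:", report["duplicates"])
    print("WordPress-relevant:", report["wordpress_impact"])
```

On the sample it collapses the nine entries to seven, lists exec and posix_setuid as duplicates, and flags curl_exec as a function WordPress uses for its HTTP transport. Paste the real directive from your php.ini into SAMPLE_INI to normalize your own list.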
Thanks and Regards,