LIT3

Wordpress

Make sure you keep Wordpress and it's plugins updated. Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. , if you you do not want to deal with this there is always the option to outsource this task.

If you run many sites there are free and low cost Multi-site Wordpress management options to make keeping things as updated as possible.

4 Plugins to help make Wordpress a little more secure
*All plugins below can be found on youtube should you not be sure how to set them of etc.

Plugin 1- all in one security
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Plugin 2- Hide My - Hides common url paths
https://wordpress.org/plugins/hide-my-wp/

Plugin 3 – Duplicator - Simple Wordpress backup and migration plugin
https://wordpress.org/plugins/duplicator/
or
Akeeba Backup
https://www.akeebabackup.com/products/akeeba-backup-wordpress.html

Plugin 4 - Really simple SSL - uses cloudflare's free SSL and adds a layer of added protection for DDOS and DNS
https://really-simple-ssl.com/knowledge-base/ssl-cloudflare-really-simple-ssl/

WordPress Permissions Settings
755 – All folders
644 – All files
444 – wp-config.php and index.php

More advanced Permissions settings
755 – All folders
644 – All files
644 - wp-includes (all folders in this folder - some plugins may not like this)
444 – wp-config.php and index.php

Additional Password Layer
Use server side user/pass to lock down the admin login folder with an added layer.
{your-domain}/wp-admin/
If you are not sure how to do this your hosting company should be able to easily add this for you.

Lock down access to your Wordpress install and scripts

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]

</IfModule>

# BEGIN WordPress

Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.