WordPress security depends on strict plugin and theme governance, hardened wp-config.php, and controlled admin and auth surfaces.
¶ 1) Protect secrets and administrative access
- Set all eight authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four *_SALT counterparts) in wp-config.php; generate them at https://api.wordpress.org/secret-key/1.1/salt/ and never leave the "put your unique phrase here" placeholders in place. Changing them later invalidates every logged-in session, which is useful after a suspected compromise.
- Set define('DISALLOW_FILE_EDIT', true); in wp-config.php to disable the dashboard theme/plugin file editor, so an attacker who obtains an admin session cannot write PHP to disk through the UI
- Use strong, unique database credentials and grant the WordPress database user privileges on its own database only
- Protect wp-admin and wp-login.php with rate limiting and MFA
- Change the default table prefix from wp_ during installation (breaks canned SQL-injection payloads that hardcode table names; a speed bump, not a substitute for patching)
- Move wp-config.php one directory above the webroot (optional; WordPress looks there automatically, and it only helps if that parent directory is not itself served by the web server)
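The items above that live in wp-config.php can be checked statically. The following is an added example, not code from the WordPress handbook or the WordPress project: a POSIX shell audit that reports placeholder or short salts, a missing or false DISALLOW_FILE_EDIT, and the default wp_ table prefix. The two sample configs it writes are constructed for the demonstration, and the "hardened" salt values are deliberately fake padding, not something to copy into a real install.

```shell
#!/bin/sh
# Added example (not from the WordPress handbook): statically audit a wp-config.php
# for the section-1 items that can be checked without running WordPress.
# Prints one finding per line; exit status 0 means clean, 1 means findings.
# The configs produced by write_sample_config are constructed for the demo.

# The eight constants WordPress expects; api.wordpress.org emits 64-character values.
WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print the raw right-hand side of define('NAME', ...) in file $1, PHP quotes included. $2 = NAME.
wp_define_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*)[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Print the value assigned by $table_prefix = '...'; in file $1, or nothing if unset.
wp_table_prefix() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

audit_wp_config() {
    file="$1"; rc=0
    for name in $WP_SALT_NAMES; do
        val=$(wp_define_value "$file" "$name")
        case "$val" in
            "") echo "missing: $name is not defined"; rc=1 ;;
            *"put your unique phrase here"*) echo "weak: $name still has the placeholder value"; rc=1 ;;
            *) raw=$(printf '%s' "$val" | sed "s/^['\"]//; s/['\"]\$//")   # strip the PHP quotes
               [ "${#raw}" -ge 32 ] || { echo "weak: $name is shorter than 32 characters"; rc=1; } ;;
        esac
    done
    case "$(wp_define_value "$file" DISALLOW_FILE_EDIT)" in
        true|TRUE|True) ;;
        "") echo "missing: DISALLOW_FILE_EDIT is not defined, so the dashboard file editor is enabled"; rc=1 ;;
        *)  echo "weak: DISALLOW_FILE_EDIT is defined but not true"; rc=1 ;;
    esac
    case "$(wp_table_prefix "$file")" in
        "")  echo "missing: \$table_prefix is not set"; rc=1 ;;
        wp_) echo "weak: \$table_prefix is the default wp_"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config. $1 = output path; $2 = "default" (placeholder salts,
# wp_ prefix, editor enabled) or "hardened" (64-char fake salts, custom prefix, editor off).
write_sample_config() {
    {
        echo "<?php"
        for name in $WP_SALT_NAMES; do
            if [ "$2" = hardened ]; then
                val=$(printf '%-64s' "constructed-sample-$name" | tr ' ' 'x')   # fake, demo only
            else
                val="put your unique phrase here"
            fi
            echo "define( '$name', '$val' );"
        done
        if [ "$2" = hardened ]; then
            echo "\$table_prefix = 'site_4f2x_';"
            echo "define( 'DISALLOW_FILE_EDIT', true );"
        else
            echo "\$table_prefix = 'wp_';"
        fi
    } > "$1"
}

# Demo run against the two constructed files.
tmp=$(mktemp -d)
write_sample_config "$tmp/wp-config.default.php" default
write_sample_config "$tmp/wp-config.hardened.php" hardened
echo "== default install values"; audit_wp_config "$tmp/wp-config.default.php" || true
echo "== hardened"; audit_wp_config "$tmp/wp-config.hardened.php" && echo "no findings"
```

Run it as `audit_wp_config /path/to/wp-config.php` in a deploy check; a non-zero exit status is a convenient gate for a CI pipeline. The parser is deliberately line-oriented and only understands the define(...) and $table_prefix forms the WordPress sample config uses.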
¶ 2) Control extensions and update cadence
- Patch WordPress core, plugins, and themes quickly after security releases
- Remove inactive plugins and themes
- Remove components with published vulnerabilities for which no fixed version is available
- Only install plugins/themes from official repository or trusted sources
- Enable automatic updates: core minor/security releases auto-update by default; turn on per-plugin and per-theme auto-updates in the dashboard, or pin and roll them through your deployment pipeline
¶ 3) Harden runtime and deployment perimeter
- Block PHP execution in uploads directory
- Enforce least privilege for file ownership: the web server account should not own the code it executes. Own files as a deploy account, give the web server group read access, and allow it to write only where WordPress needs it (the wp-content/uploads tree)
- Set correct file permissions:
- Directories: 755
- Files: 644
- wp-config.php: 400 or 440
- Enforce HTTPS and secure cookie handling
- Disable XML-RPC if not needed
# Assumes the install lives in /var/www/html/wordpress, PHP runs as www-data,
# and the deploy account is named in DEPLOY_USER (adjust both to your host).
DEPLOY_USER=deploy
WP=/var/www/html/wordpress
# Ownership: deploy user owns the code, web server group may read it
sudo chown -R "$DEPLOY_USER":www-data "$WP"
# Set directory permissions
sudo find "$WP" -type d -exec chmod 755 {} \;
# Set file permissions
sudo find "$WP" -type f -exec chmod 644 {} \;
# Secure wp-config.php: owner and web server group can read it, nobody else.
# 400 works only when the web server user itself owns the file; with the
# ownership above it would lock PHP out, so use 440 here.
sudo chmod 440 "$WP/wp-config.php"
# Only the upload tree needs to be writable by the web server group
sudo find "$WP/wp-content/uploads" -type d -exec chmod 775 {} \;
sudo find "$WP/wp-content/uploads" -type f -exec chmod 664 {} \;
Add to your web server configuration to block PHP execution in wp-content/uploads. The deny rule stops uploaded PHP from being executed by the server; it does not remove the file, so an audit for .php files under uploads is still worthwhile.
Apache (.htaccess in wp-content/uploads, or better a <Directory> block in the vhost, since .htaccess only takes effect where AllowOverride permits it; Apache 2.4 syntax, on 2.2 or with mod_access_compat the equivalent line is "Deny from all"):
<Files "*.php">
Require all denied
</Files>
If your PHP handler also maps other extensions (for example .phtml or .phar), extend the pattern to cover them as well.
Nginx (this regex location must appear before the generic "location ~ \.php$" handler: nginx picks the first matching regex location in configuration order, so a deny placed after the handler never fires):
location ~* /wp-content/uploads/.*\.php$ {
deny all;
}
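The permission model in this section is easy to set once and drift from later. The following is an added example, not code from the WordPress handbook or the WordPress project: a POSIX shell audit that walks an install and reports directories not 755, files not 644, a wp-config.php that is not 400 or 440, paths not owned by the expected account, and any PHP file under wp-content/uploads (which the deny rules above only neutralise, not remove). It treats 775/664 under wp-content/uploads as acceptable, on the assumption that the upload tree is the one place the web server group is allowed to write. The sample install it builds under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the WordPress handbook): report every path under a
# WordPress install that violates the section-3 permission model, plus any PHP
# file sitting in wp-content/uploads. Exit 0 = clean, 1 = findings printed.
# $1 = install root, $2 = account that should own the files (e.g. the deploy user).
audit_wp_tree() {
    root="$1"; owner="$2"; up="$root/wp-content/uploads"
    out=$(
        # Directories 755 and files 644 everywhere except the upload tree and wp-config.php.
        find "$root" -type d ! -path "$up*" ! -perm 755 -exec echo "dir not 755:" {} \;
        find "$root" -type f ! -path "$up/*" ! -name wp-config.php ! -perm 644 -exec echo "file not 644:" {} \;
        # The upload tree may be group-writable (775/664) so the web server can store media.
        if [ -d "$up" ]; then
            find "$up" -type d ! -perm 755 ! -perm 775 -exec echo "uploads dir not 755/775:" {} \;
            find "$up" -type f ! -perm 644 ! -perm 664 -exec echo "uploads file not 644/664:" {} \;
            # PHP in uploads is exactly what the Apache/Nginx deny rules exist to stop executing;
            # it should not be there at all. Also catch extensions PHP handlers commonly map.
            find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -exec echo "php in uploads:" {} \;
        fi
        # wp-config.php holds the DB password and salts: owner-only (400) or owner+group (440).
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 400 ! -perm 440 -exec echo "wp-config.php not 400/440:" {} \;
        # Anything not owned by the expected account, e.g. left owned by the web server user.
        find "$root" ! -user "$owner" -exec echo "wrong owner:" {} \;
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# Constructed sample install laid out per the model above (clean).
make_sample_site() {
    root="$1"
    mkdir -p "$root/wp-admin" "$root/wp-content/uploads/2024/05" "$root/wp-content/plugins/demo"
    printf '<?php // constructed placeholder\n' > "$root/index.php"
    printf '<?php // constructed placeholder\n' > "$root/wp-content/plugins/demo/demo.php"
    printf 'not an image, just bytes\n' > "$root/wp-content/uploads/2024/05/photo.jpg"
    printf "<?php define('DB_PASSWORD', 'constructed');\n" > "$root/wp-config.php"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    chmod 440 "$root/wp-config.php"
}

# Introduce four typical mistakes into the sample install.
break_sample_site() {
    root="$1"
    chmod 777 "$root/wp-content/uploads"                      # world-writable directory
    chmod 666 "$root/wp-content/plugins/demo/demo.php"        # world-writable plugin code
    chmod 644 "$root/wp-config.php"                           # secrets readable by every local account
    printf '<?php // constructed stand-in for a dropped web shell\n' > "$root/wp-content/uploads/2024/05/shell.php"
    chmod 644 "$root/wp-content/uploads/2024/05/shell.php"
}

# Demo run: clean tree first, then the same tree after the mistakes.
tmp=$(mktemp -d); site="$tmp/wordpress"
make_sample_site "$site"
echo "== clean tree"; audit_wp_tree "$site" "$(id -un)" && echo "no findings"
break_sample_site "$site"
echo "== after introducing mistakes"; audit_wp_tree "$site" "$(id -un)" || true
```

On a real host run it as `audit_wp_tree /var/www/html/wordpress deploy` (or whatever account owns the install) from cron or a deploy hook; findings are printed one per line so they can be fed straight into an alert.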
- WordPress hardening handbook: https://wordpress.org/documentation/article/hardening-wordpress/
- WordPress security docs: https://developer.wordpress.org/advanced-administration/security/