Security tips for WordPress

WordPress is a widely used and often vulnerable CMS, targeted by hackers from all over the world. There are some basic things you can do to make WordPress safer.

Remove the WordPress login error description

/**
 * Replace the detailed login error text with one neutral message.
 *
 * Hooked to `login_errors`; the original message is ignored so the login
 * page no longer tells a visitor whether the username or the password was wrong.
 *
 * @return string the generic message shown for every login failure
 */
function remove_wordpress__login_errors(){
	$generic = 'Something is wrong!';

	return $generic;
}
// Register the neutral-message callback on 'login_errors' at the default priority.
add_filter(
	'login_errors',
	'remove_wordpress__login_errors',
	10
);

Disable login by e-mail

Since e-mail addresses are predictable and widely traded on the dark web, it is advised to remove login by e-mail so that users can only log in with a custom login name.

// Drop the core callback that accepts an e-mail address as the login name. Core
// registers it on 'authenticate' at priority 20, so the priority here must match;
// run this after WordPress has registered its default filters (e.g. from functions.php).
remove_filter(
	'authenticate',
	'wp_authenticate_email_password',
	20
);

Remove unused users

Use SSL (HTTPS)

Use SFTP

Use secure hosting

Add two factor authentication

Force strong passwords (source: https://www.webtipblog.com/force-password-complexity-requirements-wordpress/ )

// functions.php

// Hook the password validators into the three places a new password is accepted:
// profile update (action, 3 args), registration (filter, 3 args), password reset (action, 2 args).
add_action(
	'user_profile_update_errors',
	'validateProfileUpdate',
	10,
	3
);
add_filter(
	'registration_errors',
	'validateRegistration',
	10,
	3
);
add_action(
	'validate_password_reset',
	'validatePasswordReset',
	10,
	2
);



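/**
 * Validate the new password on a profile update (hooked to `user_profile_update_errors`).
 *
 * Declared as a plain function: the original carried a `public` modifier, which
 * is a parse error outside a class. `$errors` is a WP_Error object and is mutated
 * in place by validateComplexPassword(), so no by-reference declaration is
 * needed; the return value of an action callback is discarded by WordPress anyway.
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors collected validation errors; gets a 'pass' error added when the password is weak
 * @param   boolean  $update true when an existing user is updated (unused here)
 * @param   object   $user   raw user object, not a WP_User (unused here)
 * @return  WP_Error the same $errors instance
 */
function validateProfileUpdate( WP_Error $errors, $update, $user ) {

	return validateComplexPassword( $errors );
}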


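/**
 * Validate the password on registration (hooked to the `registration_errors` filter).
 *
 * `$errors` is taken by value: WP_Error is an object and is mutated in place, and
 * a by-reference parameter on a callback invoked through the WordPress hook
 * mechanism can trigger an "expected to be a reference, value given" warning.
 * Only has an effect when the registration form posts a `pass1` field.
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors collected validation errors; gets a 'pass' error added when the password is weak
 * @param   string   $sanitized_user_login (unused here)
 * @param   string   $user_email (unused here)
 * @return  WP_Error the same $errors instance
 */
function validateRegistration( WP_Error $errors, $sanitized_user_login, $user_email ) {

	return validateComplexPassword( $errors );
}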

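/**
 * Validate the new password on a password reset (hooked to `validate_password_reset`).
 *
 * `$errors` is taken by value: WP_Error is an object and is mutated in place, and
 * a by-reference parameter on a callback invoked through the WordPress hook
 * mechanism can trigger an "expected to be a reference, value given" warning.
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors collected validation errors; gets a 'pass' error added when the password is weak
 * @param   stdClass $userData the user being reset (unused here)
 * @return  WP_Error the same $errors instance
 */
function validatePasswordReset( WP_Error $errors, $userData ) {

	return validateComplexPassword( $errors );
}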

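/**
 * Add a 'pass' error to $errors when the submitted password is not strong enough.
 *
 * Reads the new password from $_POST['pass1']. Only string values are used: a
 * non-string value (e.g. an array) would make trim() throw a TypeError on PHP 8.
 * Nothing is added when no password was submitted or when another check has
 * already recorded a 'pass' error with data attached.
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   WP_Error $errors
 * @return  WP_Error the same $errors instance, possibly with a 'pass' error added
 */
function validateComplexPassword( $errors ) {

	$raw = ( isset( $_POST[ 'pass1' ] ) && is_string( $_POST[ 'pass1' ] ) ) ? $_POST[ 'pass1' ] : '';
	// Compare against '' instead of relying on truthiness so a password of "0" is
	// validated rather than silently skipped. The untrimmed value is what gets checked.
	// NOTE(review): WordPress slash-escapes $_POST, so backslashes and quotes count
	// double here — confirm whether wp_unslash() should be applied first.
	$password = ( trim( $raw ) === '' ) ? null : $raw;

	// no password submitted, or another check already recorded a password error
	if ( $password === null || $errors->get_error_data( 'pass' ) ) {
		return $errors;
	}

	// validate
	if ( ! isStrongPassword( $password ) ) {
		$errors->add( 'pass', '<strong>ERROR</strong>: Your password must contain at least 8 characters.' ); // your complex password error message
	}

	return $errors;
}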

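/**
 * Check whether a password meets the minimum strength requirement.
 *
 * The requirement is a minimum length of $minLength characters; the default of 8
 * matches the error message in validateComplexPassword(). Length is measured in
 * characters rather than bytes so a multibyte password is not over-counted;
 * mb_strlen() is guarded so the check still works where mbstring is unavailable.
 *
 * @author  Joe Sexton <joe.@webtipblog.com>
 * @param   string $password
 * @param   int    $minLength minimum number of characters required (default 8)
 * @return  boolean
 */
function isStrongPassword( $password, $minLength = 8 ) {

	$length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );

	return $length >= $minLength; // your complex password algorithm
}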

Remove inactive themes, files, plugins, scripts

Protect login page

# Restrict wp-login.php to one address. "123.456.789" is a placeholder, not a valid
# IPv4 address (each octet must be 0-255): replace it with the real address you
# administer from, or you will lock yourself out.
# Order/Deny/Allow is the Apache 2.2 access-control syntax; on Apache 2.4 it needs
# mod_access_compat, or the rule is rewritten with "Require ip ...".
<Files wp-login.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
</Files>

Protect wp-config.php

# Deny every HTTP request for wp-config.php: with Order Allow,Deny a request must be
# allowed and not denied, and nothing is allowed here. WordPress still reads the
# file from disk; only web access is blocked.
# Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat
# or the equivalent "Require all denied".
<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

Disable file editing

// Hide the theme and plugin file editors in wp-admin so that a compromised admin
// account cannot be turned into arbitrary PHP on the server.
define( 'DISALLOW_FILE_EDIT', true );
