In this post, I’m going through a checklist of security measures that harden a WordPress installation against outside attacks.
As is usual with our checklists, some items are linked to relevant posts disclosing further details about setting them up.
Let’s go 🙂
Chapter I. Implement security through obscurity
While this alone doesn’t make your WordPress truly secure, security through obscurity is a practice you should keep in your toolset.
Reducing the visible signs that a site runs WordPress, and breaking intruders’ expectations, is often enough on its own to make them stop probing for exploitable weaknesses.
Completely hiding the fact that a site runs WordPress is not possible, because WordPress exposes many of its “signatures” through well-known URLs and HTML elements.
We can make it look less like a typical WordPress installation by changing standard paths such as wp-content.
This tricks most bots into believing they are not dealing with WordPress, and they usually leave the website alone without scanning further.
1. Change URLs for plugins and content directories
```php
// In wp-config.php. The web server must still map /c and /p to the real directories.
define( "WP_CONTENT_URL", "/c" );
define( "WP_PLUGIN_URL", "/p" );
```
This saves some bytes in the HTML because the URLs are absolute paths without a domain. It also fends off the majority of bots, which scan /wp-content/ and do not attempt to detect alternative paths.
The result is better security and less CPU load spent on those bots.
2. Hide the Server header and software information disclosed via HTTP headers
You do want to hide information about your web server: version strings in the Server and X-Powered-By headers tell an attacker exactly which software, and which version, to look up for known weaknesses.
Chapter II. Securing WordPress
1. Secure NGINX configuration
A properly hardened NGINX configuration for WordPress passes only whitelisted PHP endpoints to PHP-FPM.
Every other .php path, including PHP files uploaded by users, is never executed.
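The following server block is an added example, not the post’s own configuration; it combines the header hiding from Chapter I, item 2, with the PHP endpoint whitelist described here. It assumes a site root of /var/www/example.com, PHP-FPM listening on unix:/run/php-fpm/www.sock, the standard wp-content path, and the ngx_http_headers_more module being available for more_clear_headers.

```nginx
# Added example: hardened NGINX server block for WordPress (not from the original post).
# Assumptions: root /var/www/example.com, PHP-FPM on unix:/run/php-fpm/www.sock,
# standard wp-content path, ngx_http_headers_more installed for more_clear_headers.

server {
    listen 80;
    server_name example.com;            # placeholder hostname
    root /var/www/example.com;          # assumed document root
    index index.php;

    # Stock directive: "Server: nginx/1.2.3" becomes "Server: nginx".
    server_tokens off;
    # Remove the Server header altogether (needs ngx_http_headers_more).
    more_clear_headers 'Server';

    # Pretty permalinks: anything that is not a real file or directory
    # is routed to the front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Whitelist: the only PHP entry points WordPress needs. Regex locations
    # are tried in order of appearance, so this must precede the catch-all.
    # xmlrpc.php is deliberately left out; add it only if a client needs it.
    location ~ "^/(index\.php|wp-login\.php|wp-cron\.php|wp-admin/(network/)?[^/]+\.php)$" {
        try_files $uri =404;            # the script must exist on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Do not forward PHP-FPM's "X-Powered-By: PHP/x.y" to the client.
        fastcgi_hide_header X-Powered-By;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }

    # Every other .php path, including a file dropped into
    # wp-content/uploads, is neither executed nor served as source.
    location ~ \.php$ {
        return 404;
    }

    # Housekeeping files that should never be reachable from the outside.
    location ~ /(readme\.html|license\.txt|\.git) {
        return 404;
    }
}
```

Two notes on the design: the catch-all `location ~ \.php$` returns 404 rather than serving the file as static content, so an uploaded script is neither run nor disclosed; and `fastcgi_hide_header X-Powered-By` covers the case where you do not control php.ini, while `expose_php = Off` in php.ini stops PHP from emitting that header at the source.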
2. Auto-block bots in firewall
The NGINX honeypot approach allows you to block bots immediately and permanently in your server firewall.