@Wiz-Amit
Last active December 12, 2023 22:26
WordPress Security Checklist

Recommended

  • Ensure that all connections (wp-admin, cPanel) run over HTTPS
  • Use a strong password, e.g. n*S*Vx7az$k'ubA) (check strength)
  • Use a secure hosting platform, e.g. Bluehost, SiteGround
  • Always update to the latest version of PHP
  • Check whether a plugin has known vulnerabilities before installing it
  • Always update all plugins to their latest versions
  • Use an automatic backup tool, e.g. UpdraftPlus
  • Add a security plugin: Sucuri, Wordfence, Jetpack
  • Do not use the username admin
  • Limit access to vulnerable directories and sensitive files, e.g. /wp-content/uploads/

File: .htaccess (inside /wp-content/uploads/, the directory named in the item above)

# Disallow code execution in the uploads directory
# (placed in the site root, this would block WordPress itself)
# Apache 2.4 without mod_access_compat: use "Require all denied" instead
<Files *.php>
deny from all
</Files>
  • Limit login attempts (how to)
  • Disable directory browsing

File: .htaccess

# Add at the end of the file
Options -Indexes

Optional

  • Disable the theme and plugin editors

File: wp-config.php

// Disallow file edit from the dashboard
define( 'DISALLOW_FILE_EDIT', true );

  • Block xmlrpc.php requests, allowing only the addresses that still need it

File: .htaccess

# Block WordPress xmlrpc.php requests
# 123.123.123.123 is a placeholder: replace it with any address that still
# needs XML-RPC (Jetpack and the WordPress mobile apps use it), or drop the
# allow line to block it entirely
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
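The file-based items from both sections above (uploads .htaccess, Options -Indexes, DISALLOW_FILE_EDIT, xmlrpc.php block) can be verified rather than eyeballed. The following audit script is an added example, not part of the gist; it runs on constructed sample files embedded inline and ignores commented-out directives, so a setting that was disabled with a leading # does not pass.

```python
import re

# Constructed sample inputs (not from the gist): a wp-config.php and the two
# .htaccess files the checklist edits, with every recommended setting present.
SAMPLE_WP_CONFIG = "<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
SAMPLE_ROOT_HTACCESS = (
    "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\nOptions -Indexes\n"
    "<Files xmlrpc.php>\norder deny,allow\ndeny from all\n"
    "allow from 123.123.123.123\n</Files>\n"
)
SAMPLE_UPLOADS_HTACCESS = "# Disallow code execution\n<Files *.php>\ndeny from all\n</Files>\n"

def active_lines(text):
    """Yield non-empty lines with '#' and '//' comments stripped."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("//"):
            continue
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def files_blocks(htaccess):
    """Map each <Files NAME> section to its lower-cased directives."""
    blocks, current = {}, None
    for line in active_lines(htaccess):
        m = re.match(r"<files\s+(\S+)\s*>$", line, re.I)
        if m:
            current = m.group(1).lower()
            blocks[current] = []
        elif line.lower() == "</files>":
            current = None
        elif current is not None:
            blocks[current].append(line.lower())
    return blocks

def denies_all(directives):
    """Accept the 2.2-style 'deny from all' the gist uses or Apache 2.4's 'Require all denied'."""
    return "deny from all" in directives or "require all denied" in directives

def audit(wp_config, root_htaccess, uploads_htaccess):
    """Return {check: passed} for the checklist items that live in files."""
    root, uploads = files_blocks(root_htaccess), files_blocks(uploads_htaccess)
    file_edit = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return {
        "file_edit_disabled": any(re.match(file_edit, l, re.I) for l in active_lines(wp_config)),
        "directory_listing_disabled": any(
            re.match(r"options\b.*-indexes", l, re.I) for l in active_lines(root_htaccess)),
        "php_blocked_in_uploads": denies_all(uploads.get("*.php", [])),
        "xmlrpc_blocked": denies_all(root.get("xmlrpc.php", [])),
    }
```

To audit a real install, read the three files from disk and pass their contents to audit(); a False entry names the checklist item still to apply.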

Other resources

Site scanners