WordPress Security 102

Now that you’ve learnt the basics of improving your WordPress security and backup, we’re going to show you how to harden your WordPress setup by following the tips below. Here’s WordPress Security 102.

Use SFTP Instead of FTP

It's common to use FTP (File Transfer Protocol) to transfer files between your computer and your web server, but FTP sends your username, password, commands and file contents across the network in cleartext, so anyone on the path can read or tamper with them. Use SFTP instead. Despite the name, SFTP is the SSH File Transfer Protocol (not FTP over SSL, which is called FTPS): it runs inside an SSH session, so your password, commands and data are all encrypted while files are transmitted, and you can log in with an SSH key rather than a password. Most hosts offer it on port 22 with your SSH credentials; if yours only offers plain FTP, ask for SFTP or FTPS before you upload anything.

Disable PHP Execution

When a site is compromised, the attacker's first move is usually to drop a malicious PHP script (a web shell or backdoor) somewhere the web server will execute it. wp-content/uploads is the favourite target, because WordPress lets users write files there, and wp-includes is a close second. Those directories should only ever serve static files, so telling Apache not to execute PHP inside them limits what a dropped script can do even if the upload itself succeeds.

A warning about a snippet that is often copied for this job: an .htaccess containing just "Order Allow,Deny" and "Deny from all" does not disable PHP, it blocks all access to the directory, which breaks every image in your uploads folder and the JavaScript and CSS that WordPress serves from wp-includes. (Written as "Allow, Deny" with a space it is not even valid: Order takes a single argument, and Apache answers with a 500 error for the whole directory.) What you want is to deny only the .php files. Create a file named .htaccess in each directory you wish to protect with these lines:

# PROTECT [Directory Name]: serve static files, never execute PHP
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

On Apache 2.4 replace the two Order/Deny lines with "Require all denied". Two caveats: this only works when PHP is served through Apache with .htaccess overrides enabled (nginx ignores .htaccess files entirely, so the equivalent location block has to go in the nginx configuration), and on a multisite installation the wp-includes rule will also block ms-files.php, which older multisite setups use to serve uploaded media.

Secure WP-Login.PHP Script

If you've been having problems with brute-force attacks against the login form, there are two main options.

a) Password-protecting wp-login.php with HTTP basic authentication, so an attacker has to get past a second password that WordPress itself never sees. Create an .htpasswd file outside the web root. You can generate its entries with Apache's htpasswd tool or an online htpasswd generator; the file stores a one-way hash of each password rather than the password itself, but generate it locally if you can, so the password is never typed into a third-party site. Then add an AuthType Basic block for wp-login.php to your .htaccess, following the instructions in the WordPress Codex.

b) Limiting access to wp-admin by IP address. If you have a fixed IP address and you're the only person who needs to log in to the administration area, you can restrict that directory to your address alone. This is an Apache access-control rule, not a PHP setting, so it goes in a file named .htaccess inside the wp-admin directory (not in wp-config.php), with x.x.x.x replaced by your IP address:

# Allow wp-admin only from your own IP address
Order deny,allow
Deny from all
Allow from x.x.x.x

# Plugins call admin-ajax.php from the public site; keep it reachable
<Files admin-ajax.php>
Order allow,deny
Allow from all
</Files>

On Apache 2.4 the three Order/Deny/Allow lines become "Require ip x.x.x.x" and the Files block becomes "Require all granted". Two things to keep in mind: wp-login.php lives in the site root, not in wp-admin, so this rule on its own does not stop brute-force attempts against the login form (restrict wp-login.php the same way with a <Files wp-login.php> block in the root .htaccess, or combine this with option a); and if your IP address changes you will lock yourself out until you edit the file again over SFTP.
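The hashed entry for option (a) can be produced without an online generator. The Python below is an added example, not code from the original post or from WordPress: it implements Apache's $apr1$ (MD5-based) .htpasswd format, the one `htpasswd -m` writes and every Apache version accepts, together with a matching verifier so you can confirm an entry before relying on it. The username and passphrase in it are constructed for the example. On Apache 2.4 the stronger choice is bcrypt (`htpasswd -B`), which this snippet does not implement; the point here is to show exactly what ends up in the file and how a login is checked against it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The alphabet Apache's to64() uses; it is not the RFC 4648 base64 alphabet.
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> bytes:
    """Apache's little-endian base-64 variant: `count` characters, 6 bits each."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_md5(password: str, salt: Optional[str] = None) -> str:
    """Hash `password` in Apache's $apr1$ format (what `htpasswd -m` writes).

    A fresh 8-character salt is generated when none is supplied; pass the
    salt from an existing hash to recompute it for verification.
    """
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64.decode()) for _ in range(8))
    pw = password.encode("utf-8")
    sp = salt[:8].encode("ascii")  # Apache never uses more than 8 salt characters

    # Stage 1: password, magic and salt, then an MD5 of password+salt+password
    # mixed in once for every 16 bytes of password length.
    ctx = hashlib.md5(pw + _MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # One byte per bit of the password length: a NUL for set bits, else pw[0].
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    # Stage 2: 1000 rounds of MD5 whose inputs vary with the round number.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sp)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Stage 3: Apache's byte ordering for the 22-character output.
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (_MAGIC + sp + b"$" + encoded).decode("ascii")


def htpasswd_line(username: str, password: str) -> str:
    """One line for the .htpasswd file: "user:$apr1$salt$hash"."""
    if ":" in username or "\n" in username:
        raise ValueError("username must not contain ':' or a newline")
    return f"{username}:{apr1_md5(password)}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored $apr1$ hash (constant-time compare)."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[len("$apr1$"):].split("$", 1)[0]
    return hmac.compare_digest(apr1_md5(password, salt), stored)


if __name__ == "__main__":
    # Constructed example credentials; use your own username and a strong passphrase.
    line = htpasswd_line("wpadmin", "correct horse battery staple")
    print(line)
    print("verifies:", verify("correct horse battery staple", line.split(":", 1)[1]))
```

To cross-check the implementation against the real thing, run `htpasswd -nbm user pass` on any machine with Apache's tools installed and feed the resulting hash to verify(): the salt is read from the stored string, so the same password must verify. Keep the .htpasswd file outside the document root and readable only by the web server user; it holds hashes, not passwords, but MD5-based hashes with 1000 rounds are fast to attack offline if the file leaks.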

Disable Editing Via WP Admin

If somebody does manage to log in to your WordPress admin, a single line of code can stop them using the built-in editor to alter your plugins or themes, which is the quickest route from a stolen admin password to arbitrary PHP running on your server. Add the line below to wp-config.php, above the comment that reads "That's all, stop editing!", but only after you've finished your own editing, because the setting applies to you too:

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);

Use straight single quotes: the curly quotes that some web pages and word processors substitute are not valid PHP and will take the whole site down with a parse error. If you also want to block plugin and theme installation and updates from the admin (sensible when deployments are done over SFTP or from version control), use DISALLOW_FILE_MODS instead; it implies DISALLOW_FILE_EDIT.
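To check that the changes in this post actually landed on a server, here is an added example (not code from the original post or from WordPress) in Python that audits a WordPress document root: it confirms that the uploads and wp-includes .htaccess files deny .php files specifically rather than the whole directory, reports which addresses wp-admin/.htaccess lets in, and confirms that DISALLOW_FILE_EDIT is set in wp-config.php. The sample tree it builds in build_sample_site() is constructed for the demonstration, with 203.0.113.7 standing in for the administrator's IP address. It is a text scan of the configuration files, not a request against the running site, so treat it as a sanity check rather than a substitute for testing in a browser.

```python
import os
import re
import tempfile
from typing import Dict, List

# Directories that should serve static files only (no PHP execution).
NO_PHP_DIRS = ["wp-content/uploads", "wp-includes"]

# A <Files> or <FilesMatch> section whose pattern targets .php files, with its body.
_PHP_FILES_SECTION = re.compile(
    r'<(Files|FilesMatch)\s+"?([^>"]*php[^>"]*)"?\s*>(.*?)</\1>', re.I | re.S)
# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") deny-everything lines.
_DENY_ALL = re.compile(r"^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# Apache 2.2 ("Allow from ...") and 2.4 ("Require ip ...") allow lines.
_ALLOW_FROM = re.compile(r"^\s*(?:Allow\s+from|Require\s+ip)\s+(.+?)\s*$", re.I | re.M)
# An uncommented define() of DISALLOW_FILE_EDIT set to true.
_DISALLOW_EDIT = re.compile(
    r"^\s*define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I | re.M)


def php_execution_blocked(htaccess: str) -> bool:
    """True only if a section scoped to .php files denies all access.

    A bare "Deny from all" outside a <Files> section is deliberately not
    counted: it blocks the whole directory, images included, which is the
    mistake this check exists to catch.
    """
    return any(_DENY_ALL.search(body) for _, _, body in _PHP_FILES_SECTION.findall(htaccess))


def wp_admin_allowed_ips(htaccess: str) -> List[str]:
    """Addresses let into wp-admin, or [] if the directory is not denied by default."""
    if not _DENY_ALL.search(htaccess):
        return []
    ips: List[str] = []
    for m in _ALLOW_FROM.finditer(htaccess):
        # "Allow from all" inside the admin-ajax.php exception is not an admin IP.
        ips.extend(tok for tok in m.group(1).split() if tok.lower() != "all")
    return ips


def file_edit_disabled(wp_config: str) -> bool:
    """True if wp-config.php has an active define('DISALLOW_FILE_EDIT', true)."""
    return _DISALLOW_EDIT.search(wp_config) is not None


def audit(docroot: str) -> Dict[str, object]:
    """Run the checks from this post against a WordPress document root."""
    def read(rel: str) -> str:
        path = os.path.join(docroot, rel)
        if not os.path.isfile(path):
            return ""  # a missing .htaccess simply means "not hardened"
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()

    report: Dict[str, object] = {}
    for d in NO_PHP_DIRS:
        report[f"php_blocked:{d}"] = php_execution_blocked(read(f"{d}/.htaccess"))
    report["wp_admin_allowed_ips"] = wp_admin_allowed_ips(read("wp-admin/.htaccess"))
    report["file_edit_disabled"] = file_edit_disabled(read("wp-config.php"))
    return report


def build_sample_site(root: str, hardened: bool) -> None:
    """Write a constructed, minimal WordPress tree (not a real install) for the demo."""
    files = {
        "wp-config.php":
            "<?php\ndefine('DB_NAME', 'wp');\n"
            + ("define('DISALLOW_FILE_EDIT', true);\n" if hardened else "")
            + "/* That's all, stop editing! Happy publishing. */\n",
        "wp-content/uploads/.htaccess":
            "<Files *.php>\nOrder Allow,Deny\nDeny from all\n</Files>\n" if hardened else "",
        "wp-includes/.htaccess":
            '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n' if hardened else "",
        "wp-admin/.htaccess":
            "Order deny,allow\nDeny from all\nAllow from 203.0.113.7\n"
            "<Files admin-ajax.php>\nOrder allow,deny\nAllow from all\n</Files>\n"
            if hardened else "",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> Dict[str, Dict[str, object]]:
    """Audit a hardened and an untouched sample tree; returns both reports."""
    results: Dict[str, Dict[str, object]] = {}
    for name, hardened in (("hardened", True), ("default", False)):
        with tempfile.TemporaryDirectory() as root:
            build_sample_site(root, hardened)
            results[name] = audit(root)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Point audit() at a real document root (for example `audit("/var/www/html")`) to get the same report for a live install. The check reads what is on disk, so it will also pass on a server where .htaccess overrides are disabled and the rules are silently ignored; confirm the PHP block by requesting a harmless test .php file from the uploads directory and expecting a 403.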

And that should do the trick. You’ve finished WordPress Security 102. Let us know if you have any questions or concerns.
