
How to improve WordPress security without plugins


WordPress is the most widely used content management system in the world. One third of the world's sites are developed on this platform.

This makes it a perfect target for hackers and spammers.

Fortunately, security in WordPress is held in high regard, and developers have implemented all possible measures to prevent a site from being breached by ill-intentioned people.

In spite of this, we can implement small steps to make our installation more secure. And without the use of plugins!

Update WordPress

Keeping our CMS up-to-date is the most important thing. WordPress is constantly updated with all patches to fix any security issues.

Most WordPress updates in fact consist of bug fixes and security patches.

For the lazy ones, it is worth mentioning that from version 3.7 WordPress can receive automatic updates. To activate this convenient option, open wp-config.php and add or modify the following line of code:

define( 'WP_AUTO_UPDATE_CORE', true );

Delete unused themes and plugins

You may have installed a plugin or theme that, for one reason or another, you no longer use. Besides taking up disk space, unused plugins and themes increase the risk of exposing your site to attacks.

Limit installation of plugins to those you need and use regularly.

Delete user admin

By default, many WordPress installations create the admin user. In a brute-force attack, there will be many attempts to log in using this account.

To improve security, the admin account should be deleted and replaced with a less obvious name.

Use effective passwords

Obvious but never trite, the advice to use a password that is difficult to guess is an evergreen.

Don't use the simplest password you remember, such as "mario83", but strive to use one that combines uppercase letters, lowercase letters, numbers, and special characters.

You could use one like "!lm10Gatt0s!CH1am4G1g1o". This is a passphrase, and you could build a similar one from a phrase you can easily remember.

WordPress assigns a strength rating to each password entered; try to use one rated strong.

File and folder permissions

Proper installation of WordPress also requires taking into account the permissions of files and folders. For optimal configuration, all folders should be 755 and all files 644, while wp-config.php should be set to 400.

Files/Folders                          Permissions
wp-content                             755
wp-admin                               755
wp-includes                            644
All .php files                         644
wp-config.php (public_html folder)     400
index.php (public_html folder)         644

Use WordPress keys

Make sure that the WordPress keys have been created in your wp-config.php file. These global variables are used to improve the protection system by encrypting the cookies that reside in the browser.

They are generated during installation on almost every hosting, but in case they are not present in your wp-config.php, you can create them by going to https://api.wordpress.org/secret-key/1.1/.

define('AUTH_KEY',        'Mi@A%m`3adaTJ@#sL+{nq-WhrOwyCH|I(3k>NEoT=2+-.Fs^B*8*K|[jJ_GlQ~q[');
define('SECURE_AUTH_KEY', 'ag-?YfLW!<gYt~EtGRWD3?jp@h#8fW&cVb50FSL=6?)$ps?N8t*&]2U5jvZ4{wnQ');
define('LOGGED_IN_KEY',   '++@dhNqKK8uv9OUM|-u^i>/sZt.2]-X(^n>i/+;vf!Fw;Dl(,<v.H>kV1+D-h:C7');
define('NONCE_KEY',       'WSR]KMRL%6<y|#0.] =r^W4PPse].T<g#S00It^O!BX%BBq0:XAYOg#g33[ZWlT<');
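
As an added example (not part of the original article), this POSIX shell audit checks a WordPress tree against the permission rule above (folders 755, files 644, wp-config.php 400) and confirms that the four keys are defined in wp-config.php. The function names are hypothetical; the placeholder text it looks for is the default shipped in WordPress's wp-config-sample.php.

```shell
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.
# Usage: . ./wp-audit.sh && wp_perm_audit /path/to/wordpress

# Print "path<TAB>expected mode" for every entry that deviates from the
# article's rule; return 0 if the tree is clean, 1 otherwise.
wp_perm_audit() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    report=$(
        # Folders must be exactly 755.
        find "$root" -type d ! -perm 755 -exec printf '%s\t755\n' {} \;
        # Regular files other than wp-config.php must be exactly 644.
        find "$root" -type f ! -name wp-config.php ! -perm 644 \
            -exec printf '%s\t644\n' {} \;
        # wp-config.php must be readable by its owner only.
        find "$root" -type f -name wp-config.php ! -perm 400 \
            -exec printf '%s\t400\n' {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Check that each of the four keys is defined in wp-config.php with a real value.
wp_keys_audit() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read: $cfg" >&2; return 2; }
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        # Anchor at line start so commented-out defines do not count.
        line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]${key}['\"]" "$cfg") ||
            { echo "$key: not defined"; rc=1; continue; }
        # Flag the default text shipped in wp-config-sample.php.
        case $line in
            *'put your unique phrase here'*) echo "$key: placeholder value"; rc=1 ;;
        esac
    done
    return $rc
}
```

Both functions only report; run them as a user who can read wp-config.php, then correct each listed path with chmod.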

Make a backup of the database

Backup is a critical thing. It may seem obvious, but many people underestimate the importance of having a backup in case the site is compromised.

By now, all hosting offers automatic backups, with a frequency you can set to your liking, so you can always be sure not to lose the work you have done.
