Search Our Database

Introduction

This article provides a step-by-step guide to help administrators check and secure WordPress installations. It covers the methods to assess WordPress security for single or multiple installations, outlines key security improvements, and highlights important considerations when applying these changes. The guide is intended for WordPress administrators managing installations through Plesk or similar control panels. By following this guide, you will enhance the security of your WordPress environment. It is recommended to apply these steps after every WordPress installation or major update to ensure a secure setup.

Prerequisite

Ensure you have administrative access to Plesk and have a backup of your WordPress installation before proceeding with security checks and improvements.

Step-by-Step Guide

Step 1: Access the WordPress management panel

1. Navigate to Websites & Domains > WordPress.

Step 2: Choose the security check method

1. To check the security of all WordPress installations, click Check Security.
2. To secure a single WordPress installation, click the icon in the S column next to the desired installation.
3. To secure multiple installations, select the checkboxes next to the installations, then click Check Security.

Step 3: Select security improvements

1. Review the security improvements and select the checkboxes next to those you want to apply.
2. Click Secure to apply the selected security enhancements.

WordPress security improvements

• The wp-content folder: This folder may contain insecure PHP files that can damage your site. The security check ensures that PHP execution in the wp-content directory is disabled. Custom .htaccess or web.config directives might override this security measure, and some plugins may stop working after securing this folder.
• The wp-includes folder: Similar to wp-content, PHP files in wp-includes can be executed after WordPress installation. The security check ensures PHP file execution is disabled here as well. Be aware that some plugins may malfunction after this step.
• The configuration file (wp-config.php): This file contains sensitive credentials for database access. The security check verifies that unauthorized access to the wp-config.php file is blocked. If PHP file processing is turned off, hackers may gain access. Custom directives in .htaccess or web.config files might override this protection.
• Directory browsing permissions: Directory browsing is disabled by default in Plesk. If enabled, hackers can discover details about your site, such as plugins in use. The security check ensures directory browsing is turned off.
• Database prefix: WordPress databases commonly use the wp_ prefix, making them easier targets for attacks. The security check modifies the database prefix to something non-standard, deactivates plugins, updates the database, and reactivates plugins to apply this change.
• Security keys: WordPress uses keys to encrypt user session data. The security check ensures these keys are configured properly and contain complex, random values.
• Permissions for files and directories: The security check ensures that the wp-config.php file has permissions set to 600, other files to 644, and directories to 755.
• Administrator’s username: The default administrative username is admin. If this username is still in use, it presents a security risk. The security check ensures no administrator account is named admin.
• Version information: WordPress versions are associated with known vulnerabilities. The security check hides the WordPress version from metadata and empties readme.html files to prevent exposing this information.

Conclusion

By following this guide, you can improve the security of your WordPress installations and reduce potential vulnerabilities. Regularly checking and applying security improvements is essential to maintaining a safe WordPress environment.

For additional assistance or if you encounter any issues, please contact our support team at support@ipserverone.com.