How to Secure and Optimize WordPress | AltusHost

Our Blog

How to Secure and Optimize WordPress?

Altus Host

As one of the most popular CMS today, WordPress is usually the first in line when it comes to finding security vulnerabilities. Why? Well, what happens is that many people usually just create a website and once it’s up, they rarely or never maintain it. That causes many glitches in WordPress themes and plugins, but also our system admins to have daily headaches 😉 Even though our web hosting has several advanced malware & exploit scanner that works in real-time, sometimes there are so many omissions that there’s no more help to it and such website goes down or worse – continues running with all those hidden malicious scripts that redirects its users to various ads and spam messages that are being sent on your or someone else’s behalf. Not cool, right?

We know you don’t want this to happen to your site, so here are 7 steps to secure and optimize your WordPress for the best possible experience. 

1. wp-config.php is the key 🔑

You’ve probably seen this file before which, in addition to database connection data, it can also contain some additional parameters, such as: 

WP_DEBUG – turn it on when you have a problem with your website and you can’t detect the bug, otherwise, it should always be under the off option

WP_POST_REVISIONS – does not save more than XX revisions and we think 10 is the perfect number. This way, your database size is reduced and there are no unnecessary post and pages’ edits.

EMPTY_TRASH_DAYS – used to delete pages or posts that are in the trash. We recommend that the period should not be less than 10-20 days. 

WP_ALLOW_REPAIR – useful if the hosting server experiences a problem, a sudden reboot, or a similar hardware or software error. That’s when the chance that some of the active tables crashed is over 20% and you need a REPAIR or database recovery. This command will automatically run REPAIR tables as soon as visitors arrive.   

WP_MEMORY_LIMIT – virtual memory limit that is WordPress uses and here is the recommendation that it is set to at least 512M. 

WP_CRON_LOCK_TIMEOUT – it is useful to increase it to 480 seconds so that it does not restart with every new visit. What you can also do is turn it off completely, but we don’t recommend this. 

But, what is a cron? To put it in simple words, a cron is a job, some sort of a trigger. So, each visitor serves as a trigger to WordPress which has a task list that needs to be done, from article posting, various types of updates, comments, etc. 

define(‘WP_DEBUG’, false);
define(‘WP_POST_REVISIONS’, 10);
define(‘EMPTY_TRASH_DAYS’, 20 );
define(‘WP_ALLOW_REPAIR’, true);
define(‘WP_MEMORY_LIMIT’, ‘512M’);
define(‘WP_CRON_LOCK_TIMEOUT’, 480 );

WP cron starts with every new visit and if you want to turn it off completely, which, by the way, we do not recommend (the better option is to time-limit it), you can use the command below. 

define(‘DISABLE_WP_CRON’, ‘true’);

Would you like to disable theme and plugin updates and prevent unauthorized users from doing the same? Then use the following commands. 

define( ‘DISALLOW_FILE_MODS’, true );
define( ‘DISALLOW_FILE_EDIT’, true );

If you use a CDN such as MaxCDN or JetPack, it is recommended to define the cookie, as this increases the website’s speed. 

define( ‘COOKIE_DOMAIN’, ‘domainname.com’ );

If you’re a writer, you know the autosave function can come in handy, but please know that using it too often can represent an additional burden to the site, so we recommend to increase the autosave time to 180 seconds. 

define(‘AUTOSAVE_INTERVAL’, 180);

If you use open/public WiFi networks, make sure to use HTTPS connection when accessing the WordPress Admin panel. We strongly recommend not doing any WordPress setups if it’s not configured to HTTPS or you don’t have an SSL on your site).

This is the command to access the WP Admin panel so that it’s encrypted:

define( ‘FORCE_SSL_ADMIN’, true );

2. Don’t’ forget about .htaccess

If you use Apache or LiteSpeed server as your primary one, you likely have the .htaccess file. This file is hidden, but you can find it through FTP/SSH, as it’s more visible than other files due to the fact it has the period prefix (.htaccess).

It is recommended that you deny public access to xmlrpc.php and wp-config.php files for security reasons. 

<Files “xmlrpc.php”>
Order Deny,Allow
Deny from all
</Files>
<Files “wp-config.php”>
Order Deny,Allow
Deny from all
</Files>

The .htaccess file must also contain the following part, even though it’s probably already there. If not, please know that it’s necessary because otherwise the mod_rewrite will not work and you will encounter errors on the site in the form of not found pages (and nobody likes to see those pages, right?)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Also, mod_deflate, mod_mime, mod_setenvif commands are often used to enable caching. 

It is super important that you turn on file indexing to prevent bots from running around your site folders – all results will be redirected to the website itself.

Options All -Indexes

Comments on WordPress are generated by spam and there can be a lot of them every day. If you believe they are necessary, make sure to use Akismet plugin or CAPTCHA protection. If not, make sure to completely block it through .htacess:

ErrorDocument 503 “Comments forbidden”
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^60.173 [OR]
RewriteCond %{REMOTE_ADDR} ^218.10
RewriteCond %{REQUEST_URI} ^/wp-comments-post.php$
RewriteRule .* – [R=503,L]

In case you want to redirect WordPress traffic to HTTPS (even if the page is not set up like it) use this:  

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

3. Permissions

You can change file permissions on WordPress through File Manager in cPanel, FTP or SSH. As the most sensitive file on the entire system is wp-config.php, make sure to set permissions 0400 and 400 to it (r——–). When setting up like this, only the server owner can read and modify the tile.

Wp-content, wp-includes, wp-admin folder permissions should be 0755, and on other PHP files, it should be 0644.

4. PHP Versions

Our hosting platform allows you PHP changes, starting from 5.3 to the latest 7.3. It’s extremely important to use an up-to-date PHP version because the older version (PHP 5.4, 5.5, and 5.6) will not only not deliver the full potential of WordPress, but will also lead to potential security glitches. You don’t have to use the latest version as it is often incompatible with certain themes and plugins within the first few months of its release, but use a supported current version such as 7.2 or less popular 7.1 (July 2019).

5. Change Default wp-admin Access

First and foremost – prevent third parties from accessing the wp-admin page. This is important for many reasons because even if someone knows your password, they will not know the URL you are using to access the WordPress admin panel. Otherwise, hundreds of bot scripts will attack your site multiple times per day, so why let something like this happen, if you can have it solved in a couple of minutes? 
Simply go to the admin panel, select Plugin then Add new and find the Rename wp-login.php plugin or any similar plugin.

6. Updating

Take some time to choose the plugins you need, because of them represent a certain security risk. Only get plugins that are less than one year old, or use the simple rule, if the plugin hasn’t been updated for more than one year, consider finding an alternative one.

Although the “update” option sometimes messes up, you should update your plugins and themes at least 3 times a year, as attackers often enter through vulnerable themes. Our advice is to completely remove themes you don’t use or set 0000 permissions to their folders. The same goes for plugins. 

7. reCAPTCHA and contact forms

It is advisable to place some type of security checks on pages that require user interaction, such as contact forms or forms, to prevent the accumulation of mass spam messages passing through your site or hosting. The most common CAPTCHA consists of an image with distorted letters, with possible color differences, colorful background, or with the presence of other elements that make it impossible for software to solve the test. 

Almost all known plugins have integration with reCAPTCHA, all you need to do is download the API by accessing from your google account at this link

We think this is enough for today. Until next time… 😉

Recent Articles

Tags