So you just installed WordPress? Here are my Top 10 Basic WordPress Security Tips for Free. Because I am cheap. And so are you. These tips mostly apply if you installed WordPress on your own, and have permissions to modify files on your host.

Requirements:

• PHP 5.3+
• Apache 2.2+

 

Top 10 Basic WordPress Security Tips Really Free

First Rule: Install the Latest Version

Always use the latest version of any CMS your may come to use. Latest version as of December 2017 is 4.9.1

Download WordPress Latest

 

Second Rule: Install WordPress in a sub-directory

Why on earth would you unpack WordPress at the root of your host drive? One day you will add more stuff, more directories etc, and everything will be messed up. Keep things neat and create a sub-directory to unzip WordPress in.

Then configure your domain provider to point to this directory.

 

Third Rule: Setup Strong Admin Access rights

• Use another login than admin or dba for your database
• Use a strong password for your MySQL database
• Use another login than admin for WordPress
• Use a strong password for your admin user

What is a strong password?

After competing for the NCL Fall Season 2017 hacking challenge and cracked many password hashes, I learned one crucial thing about passwords: only the size matter. Don’t listen to roukers and beat yourself with complex, L33t stupid passwords. Anything lower than 16 characters is crack-able easily with a good GPU once you put your hands on a database dump.

A strong password is actually 16 characters or more. That’s it.

 

Fourth Rule: Install Essential Plugin Jetpack

Bring the power of the WordPress.com cloud to your self-hosted WordPress. Jetpack enables you to connect your blog to a WordPress.com account to use the powerful features normally only available to WordPress.com users.

It also provides a basic Malicious Login Attempt blocker.

 

Fifth Rule: Install Essential Plugin Code Snippets

An easy, clean and simple way to add code snippets to your site. No need to edit to your theme’s functions.php file again!

You will need this to secure your login page.

 

Sixth Rule: Install Akismet Anti-Spam

Used by millions, Akismet is quite possibly the best way in the world to protect your blog from spam. Your site is fully configured and being protected, even while you sleep. Akismet blocks 99.9% of spam from reaching your blog.

 

Seventh Rule: Install A Firewall

Your choice among:

• Wordfence Security Wordfence Security is 100% free – They indeed include premium features.
• All In One WP Security Seems to offer the same options as Wordfence.

Firewalls monitor suspect activities and limit login attempts. Wordfence is more spread but I feel like AIO WP Security offers a lot more options.

 

Eighth Rule: Disable Login Hints

Add this code Snippet to replace the  Login Error – Username does not exist and any other messages from popping up on your login page. Use a custom message.

function no_wordpress_errors(){
  return 'Go fuck yourself!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

 

Ninth Rule: Security With .htaccess Files

Certainly the most important but it’s better to do it once everything is installed and working fine.

1. Verify your WordPress Main .htaccess
   File: /yourWordpressSubDir/.htaccess
   
   Some plugins add their own rules on top of the file, and I consider this a bug. The WordPress rules must come first. Always. Make sure the file contains these lines at the very beginning:

   # BEGIN WordPress
   <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
   </IfModule>
   # END WordPress

2. Secure Your wp-admin Directory
   File: /yourWordpressSubDir/wp-admin/.htaccess
   
   ONLY if you do not plan to have users login to your site. Thus, deny the access to wp-login.php entirely!
   Enable .htaccess directory protection for /yourWordpressSubDir within your hosting provider: this adds another login/password layer.
   You can also block any IP from accessing the login page, and white-listing your own:

   # Begin password protection #
   AuthName "Super Security"
   AuthUserFile "/full/path/for/your/hosting/yourWordpressSubDir/wp-admin/.htpasswd"
   AuthType basic
   Require valid-user
   # End password protection #
   
   # IP blockade
   <LIMIT GET>
   order deny,allow
   deny from all
   # whitelist my IP addresses
   allow from 000.000.000.000 <- here your home IP address
   allow from 000.000.000.000 <- here another   IP address..
   </LIMIT>
   # End IP blockade

Bonus Rule: Free Geoblock via .htaccess

The root .htaccess can certainly be used as a geoblock firewall. Wordfence provides this but… Country Blocking is only available to Premium Members. Indeed. 100% Free they said. This is an obvious violation of WordPress plugin guidelines.

Bellow is a free geoblock solution for Apache via .htaccess:

1. Get a list of IP ranges to block the countries you want to ban from accessing your site at ip2location.com
2. Paste them in your root .htaccess file
3. Enjoy

You don’t need to block half the planet, just choose wisely which countries you hate the most. Muahhahaha

 

Security is YOUR business. As a wannabe webmaster, it is YOUR responsibility to keep your data safe.