WordPress Site Security

Site security for your website is a serious matter, with tens of thousands of sites being compromised every single month. IVSEO will look at 3 dozen different items that can make your site more vulnerable to hacking, hijacking and injection attacks and tell you how to patch them. Or if you prefer, we can perform the patches for you. Here are the items we examine, as a minimum:

  1. Ensure WP core, theme and plugins are up-to-date.
  2. Are you running a child theme to make your theme configuration less obvious?
  3. Move or remove any themes or plugins not in use.
  4. Verify all plugins are compatible with the most current WP version.
  5. Ensure neither an “admin” user nor an ID 1 user with admin privileges is present.
  6. Ensure DB table prefix is unique and DB password is strong.
  7. Refresh security keys and salts.
  8. Ensure WP installation address is not the same as site address.
  9. Relocate wp-config.php.
  10. Ensure updated versions of PHP and MySQL are in use.
  11. Ensure WP version info is not revealed in pages’ meta data.
  12. Ensure readme.html file is not accessible via HTTP.
  13. Ensure server response headers do not reveal PHP version.
  14. Ensure the expose_php PHP directive is not enabled.
  15. Ensure unnecessary info is not revealed on a failed login attempt.
  16. Is “anyone can register” option necessary? If not, disable.
  17. Turn off general debug and JavaScript debug modes.
  18. Ensure the display_errors PHP directive is disabled.
  19. Ensure wp-config.php file has appropriate chmod set.
  20. Ensure the install.php and upgrade.php files aren’t accessible via HTTP.
  21. Ensure the register_globals PHP directive is disabled.
  22. Is the plugins/themes file editor enabled? If not necessary, disable.
  23. Ensure the uploads folder is not browsable.
  24. Ensure PHP safe mode is not used to handle shared server security issues.
  25. Ensure the allow_url_include PHP directive is disabled.
  26. Is the EditURI link present in pages’ header data? If not necessary, disable.
  27. Is the Windows Live Writer link present in the pages’ header data? If not necessary, disable.
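
Several of these items can be checked mechanically. The following is an added example, not IVSEO's own tooling: a small Python audit of the PHP directives (items 14, 18, 21, 25) and the wp-config.php settings (items 6, 17, 22) named above. The function names and sample file contents are constructed for illustration, and the wp-config.php parsing only handles plain `define(..., true|false)` lines.

```python
import re

# Checklist items 14, 18, 21, 25: directives that must be off, with PHP's
# built-in default used when php.ini does not set them.
PHP_DEFAULTS = {"expose_php": "1", "display_errors": "1",
                "register_globals": "0", "allow_url_include": "0"}
ON_VALUES = {"1", "on", "true", "yes", "stdout", "stderr"}
# Items 17 and 22: wp-config.php constants and the value the checklist wants.
# All three behave as false when undefined.
WP_EXPECTED = {"WP_DEBUG": False, "SCRIPT_DEBUG": False, "DISALLOW_FILE_EDIT": True}

def audit_php_ini(text):
    """Return the checklist directives whose effective value is enabled."""
    values = dict(PHP_DEFAULTS)
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*\"?([^\s\";]*)", line.split(";", 1)[0])
        if m and m.group(1) in values:
            values[m.group(1)] = m.group(2).lower()   # last assignment wins
    return [name for name, value in values.items() if value in ON_VALUES]

def audit_wp_config(text):
    """Return names of wp-config.php settings that fail the checklist."""
    code = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith(("//", "#", "*", "/*")))
    defines = {k: v.lower() for k, v in re.findall(
        r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", code, flags=re.I)}
    failed = [name for name, want in WP_EXPECTED.items()
              if (defines.get(name, "false") == "true") != want]
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", code)
    if prefix and prefix.group(1) == "wp_":           # item 6: default prefix
        failed.append("table_prefix")
    return failed

# Constructed sample inputs, not taken from any real site.
SAMPLE_INI = """[PHP]
;expose_php = Off
display_errors = Off
allow_url_include = On ; enabled for a legacy plugin
"""
SAMPLE_WP_CONFIG = """<?php
// define('DISALLOW_FILE_EDIT', true);
define( 'WP_DEBUG', true );
define('SCRIPT_DEBUG', false);
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print("php.ini:", audit_php_ini(SAMPLE_INI))
    print("wp-config.php:", audit_wp_config(SAMPLE_WP_CONFIG))
```

Note that a commented-out setting counts as unset: the sample php.ini still exposes the PHP version because expose_php falls back to its enabled default, and the file editor stays on because the DISALLOW_FILE_EDIT line is commented out.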

There may be a few other things present on some WP sites that we’ll look at, where applicable. It generally only takes us 2-4 hours to perform this audit, and perhaps another few hours to perform the patches, if you decide to have us do that for you. If you’ve already suffered an attack, it’s imperative that you patch all the points by which attackers were able to breach your security. If you haven’t yet been attacked, congratulations – just realize that without hardening your site, it’s only a matter of time before some wandering bot discovers it and does its dirty work.

Contact us and we’ll get back to you promptly to give you a cost proposal. This is a very affordable service, well worth the moderate cost.