One of the most confusion areas for newbies to secure is file permissions and ownership. For each file there is an owner and a group. So each file has permissions set for the owner, the group, and all (everyone else). There are four permissions possible with numerical values:
- read 4
- write 2
- execute 1
- no permission 0
Permissions are cumulative for each: owner, group, all. The final permission number is composed of three digits, corresponding to each of these. So a permission of 640 means owner=6, group=4, and all=0. The owner is allowed to read and write to the write. The group can only read the file, while everyone else is prohibited from doing anything at all with the file. Permission of 755 allows the user to read, write, and even execute the file. The group can read and execute the file, as can everyone else. You can begin to see how important file permissions are to security.
Your root directory where WordPress is installed should be locked down. Only the user should be able to write to it. Other directories that should have the same 644 strict limitations are:
When it comes to the /wp-content directory, though, 755 is the most permissive you should get. Wp-config.php should be assigned 600 for complete security.
Your wp-admin section is so important that you should take advantage of any additional methods for securing it against intrusions. You might try to password protect it through cPannel in the Security section. That means you will also need to do a tiny bit of Apache work in order to keep the Ajax working on the front end of the admin. Add the following to the .htaccess file in /wp-admin
<Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>
In your main WordPress .htaccess file you should add this line to prevent 404 errors or too many redirects from occurring:
ErrorDocument 401 default
WordPress Security Keys for Cookies
Encrypted security keys are important for keeping the information WordPress stores in cookies secure. You can find the place to put these in your wp-config.php file. They are as follows:
You can generate keys at WordPress' official site https://api.wordpress.org/secret-key/1.1/salt/. Copy and paste what you get after refreshing your browser, into your wp-config.php file.
Plugins and Themes
Plugins and themes are doors through which hackers might gain access to your site. What is so terrible about them is that the code used in them is not regulated in any way by any official team, as WordPress Core is. So be certain you are installing only plugins and themes from reputable sources. Also, delete any plugins and themes that you are not using. This reduces the code sitting on your WordPress server, through which hackers might find weaknesses. It also reduces your efforts in finding out what went wrong if a hacker does get lucky and breaks in.
Wp-config.php can be moved to the parent directory of where it lives. This can go some way to diverting browser-based attacks.
Lock Out Failed Logins
When someone tries to log in and fails many times, it is most likely a brute force attack underway. It is best to set up a simple plugin that manages this by locking this user out. If they are a legitimate user, they can retrieve a chance to get back in through an email recovery option. WordFence is a good plugin by which to manage this and many other security issues. You can also rely on the simple Limit Login Attempts plugin.