Start learning with our library of video tutorials taught by experts. Get started
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
In this screencast we go through the different parts of a WordPress installation and look at how to clean things up, which files and plug-ins are safe to remove from the server, where to look, and so on. Running a tight ship is a key part of good security, and removing unused files and plug-ins eliminates potential attack vectors and helps keep your site clean and organized. There are three main areas where we want to clean things up: files and folders, unused or outdated plug-ins, and unused or outdated themes. The first place to check is the Plugins page.
Here in the WordPress Admin, click on the Plugins link to go there. We want to take a good look through our installed plug-ins and see if there are any that we don't need, are no longer supported, or have become obsolete. For example, here is the ubiquitous Hello Dolly plug-in, which is fun but not needed, so we could remove it to keep things clean and focused. To do so, we would simply click on the Delete button, or we could do it manually from the server.
We also want to check our installed themes and see if there is anything that doesn't need to be there. It's okay to keep inactive themes, such as these three. It doesn't hurt anything to do so, but whenever possible go ahead and eliminate anything that you don't need. For example, the Skulls theme was used for a demonstration in a previous screencast, and it is no longer needed. So to keep things clean and tidy, we would go ahead and click the Delete button to remove it as well.
After cleaning up the Admin area of unused plug-ins and themes, we take a look at the core files by visiting our FTP/file editor. Here is a view of the root directory of our WordPress installation where we see several files that are included with WordPress but not needed. These files may be safely removed. The wp-config-sample.php file is not needed after installing WordPress, readme.html contains the WordPress version number and should be deleted, and of course there's license.txt--it's your call.
I usually delete it. In addition to these files, check for any non-WordPress directories, files, scripts, images, and so forth, that are not needed. As you go through your files, you may want to archive any removed content. For each of my sites I like to keep an offline folder where I keep notes, unused code, and development files. That keeps the junk off the server but still available if needed. In this screencast, we've cleaned up our plug-ins, themes, and core files for better organization and easier-to-manage site security.
Of course good housekeeping is an important part of any comprehensive WordPress security strategy.
There are currently no FAQs about WordPress 3: Developing Secure Sites.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.