Join Jeff Starr for an in-depth discussion in this video, Audit your WordPress site, part of WordPress: Developing Secure Sites.
- [Narrator] In this video, we're going to do sort of a live security audit on our demo site. This walkthrough will hit the most important points, and provide a good overview that should help bring together a lot of what we've been talking about in this course. Let's start in the Admin area. Now, some of these settings are optional, depending on what you're doing with your site. But, I want to bring them to your attention, just to be safe. First, in the General Settings, check the option "Anyone can register". Make sure this is unchecked, unless you want to allow open registration.
Then, in the Discussion Settings, scroll down to the section that says before a comment appears. There are two useful settings here for controlling comments. These are definitely something to be aware of. Here in the Reading Settings, we want to make sure that search engine visibility is unchecked. Leaving this unchecked allows Google and other search engines to access your site. Next up, on the Plugins screen, make sure that all of your plugins are current, active, and properly configured.
Then, for your Users, make sure that the username is not admin. And also, make sure that the display name is not the same as the username. Another quick tip for your users, you should try to keep the number of admins to a minimum. Here we have two administrators, which is fine for this demo site. Lastly, on the Themes page, make sure to remove any unused themes. And also, make sure your themes are up to date and current with the latest version.
As a reminder, most of the techniques we are checking in this video are covered in previous tutorials in the course. Now, let's move on to the file side of WordPress. We begin with the WordPress configuration file. And we want to check that we've added our secret keys, and that we've customized the database prefix, and that we've disabled error display, and that we've disabled file editing.
So, everything looks good in the configuration file. Now, let's check our theme for a couple of added functions. For this demo site, we are using the 2016 theme, and we scroll to the bottom of the functions.php file. And we find our two functions that remove the version number, and block proxy visits. So, that all looks good. Now, let's check our site's various .htaccess files.
Here in the root .htaccess file, we see that everything is in place. Disable directory views, stop hotlinking, secure loose files. We're blocking spam, we're blocking bad bots, and proxy visits. And we've added a strong firewall. So, all is good. Now, for the .htaccess file that's located in the WordPress root directory. Here in the WordPress installation directory, we take a look at the .htaccess file, and we see the code that we've added to protect the configuration file and secure the login page.
And there's one more .htaccess file to go, here in the wp-admin directory, where we are protecting the installation page, and the wp-admin files. So, that's all ready to go. At this point, we have verified that our files are locked and loaded. Just a couple more things to check, back in the WordPress Admin area. First, we want to double check that our file permissions are set properly. So, we visit Tools, File Checker, and click Run File Check to scan our files.
And scrolling through, we can examine the results, and check for proper file permissions. And we can also check other directories and so forth. By the way, you can learn more about this plugin, File Permissions & Size Checker, in my previous video on Checking Proper File Permissions. Last, but not least, let's do a quick check to make sure WordPress and all plugins and themes are up to date. So, we head on over to the WordPress Upgrades screen, and click the Check Again button.
And no updates are shown, so we are running the latest and greatest. At this point, everything is looking good, but remember, there is no such thing as perfect security. Securing your site happens in layers, with each new technique further protecting your assets. Of course, it's always possible to add more layers of security, and this video demonstrates the key things to look for in a well-secured WordPress site.
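The wp-config.php checks in this audit (secret keys, custom database prefix, error display off, file editing off) can be scripted. The following is an added example, not code from the course or from WordPress: a small Python auditor run against two constructed wp-config.php samples, one weak and one hardened. The 32-character minimum key length and the finding wording are this example's own assumptions; the placeholder phrase and constant names are WordPress's own.

```python
import re

# Values WordPress ships in wp-config-sample.php; an audit should flag them.
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Constructed sample of a weak wp-config.php (not from the course).
WEAK_WP_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'constructed-random-key-0123456789abcdef0123456789abcdef0123456789');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
define('WP_DEBUG_DISPLAY', true);
define('DISALLOW_FILE_EDIT', false);
"""

# Constructed sample that passes every check (key values are obviously fake).
HARDENED_WP_CONFIG = "<?php\n" + "".join(
    f"define('{n}', 'constructed-{n.lower()}-{'0' * 40}');\n" for n in KEY_NAMES
) + "$table_prefix = 'wp_k3x9_';\ndefine('WP_DEBUG', false);\ndefine('DISALLOW_FILE_EDIT', true);\n"

def defines(text):
    """Map NAME -> raw value for each single-line define('NAME', value); call."""
    pat = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")
    return {m.group(1): m.group(2) for m in pat.finditer(text)}

def audit_wp_config(text):
    """Return a list of findings; an empty list means all four checks pass."""
    d, findings = defines(text), []
    # 1. Secret keys and salts: all eight present, not the placeholder, not short (assumed minimum 32).
    for name in KEY_NAMES:
        val = d.get(name, "").strip("'\"")
        if not val or PLACEHOLDER in val or len(val) < 32:
            findings.append(f"{name}: missing, placeholder, or shorter than 32 chars")
    # 2. Database prefix: the stock 'wp_' should be customized.
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if not m or m.group(1) == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    # 3. Error display: with WP_DEBUG on, WP_DEBUG_DISPLAY must be explicitly false
    #    (WordPress defaults WP_DEBUG_DISPLAY to true when it is not defined).
    if d.get("WP_DEBUG", "false").lower() == "true" and d.get("WP_DEBUG_DISPLAY", "true").lower() != "false":
        findings.append("error display: WP_DEBUG is on and WP_DEBUG_DISPLAY is not false")
    # 4. File editing: DISALLOW_FILE_EDIT must be true to hide the theme/plugin editors.
    if d.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append("file editing: DISALLOW_FILE_EDIT is not true")
    return findings
```

Running `audit_wp_config` on the weak sample reports ten findings (seven key problems plus the prefix, error display and file editing); the hardened sample reports none.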