🛡 How to harden your WordPress?

Hi there! Let’s look at a few steps you can take to protect your WordPress installation.

Remove all unused themes

If you have unused themes in your WordPress installation, remove them. You don’t need them, and every theme you keep is more code an attacker can abuse.

cd /path/to/your/wordpress/wp-content/themes
rm -r theme_folder/

You can also remove all unused plugins.

Update folder preferences

Set the setgid bit on every folder so that new files created inside it inherit the folder’s group (gid) instead of the creating user’s group.

sudo find /path/to/wordpress -type d -exec chmod g+s {} \;

Change the owner of the files and folders to a user other than www-data, so the webserver cannot write to them.

sudo chown -R <your-user>:www-data /path/to/wordpress

Next, you need to allow the webserver to write to some folders, for example when updating the site or uploading new media. Grant write permission to the www-data group on those folders only.

sudo chmod g+w /path/to/wordpress/wp-content \
&& sudo chmod -R g+w /path/to/wordpress/wp-content/themes \
&& sudo chmod -R g+w /path/to/wordpress/wp-content/plugins

If your folder permissions look like this, you will need to run the following command to “unlock” the folders before an upgrade

# before upgrade
sudo chown -R www-data /path/to/wordpress

and after the upgrade lock down the folders.

sudo chown -R <your-user> /path/to/wordpress
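To check that the permission scheme above is actually in place (and that no other folder has been left writable by the webserver), here is an added shell example that is not part of the original post. The function names, the sample tree and the inclusion of wp-content/uploads in the writable set are my own assumptions; ownership is not checked because verifying chown results needs root.

```bash
# Added example (not from the original post): audit a WordPress tree's mode bits
# against the scheme above. Function names, the sample tree and the uploads entry
# are my own additions. Ownership (chown) is not checked, since that needs root.

# Directories the www-data group may write to. The post names the first three;
# wp-content/uploads is included on the assumption that media uploads land there.
WP_WRITABLE='wp-content wp-content/themes wp-content/plugins wp-content/uploads'

# True if relative path $1 is one of the writable dirs or lies below one.
wp_allowed_writable() {
  for d in $WP_WRITABLE; do
    case "$1" in "$d"|"$d"/*) return 0 ;; esac
  done
  return 1
}

# Prints "g+w <dir>" for group-writable dirs outside the allowed set (the
# webserver could drop files there) and "no-setgid <dir>" for dirs whose new
# files would not inherit the group. Empty output means the tree matches.
wp_audit_dirs() {
  find "$1" -type d | sort | while IFS= read -r dir; do
    rel=${dir#"$1"}; rel=${rel#/}; [ -n "$rel" ] || rel=.
    [ -g "$dir" ] || echo "no-setgid $rel"
    case $(ls -ld "$dir") in              # 6th char of the mode string is group write
      ?????w*) wp_allowed_writable "$rel" || echo "g+w $rel" ;;
    esac
  done
}

# Build a constructed sample tree, apply the post's chmod steps, plant one
# deliberate mistake (core directory writable by the webserver) and audit it.
wp_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/plugins" \
           "$root/wp-content/uploads" "$root/wp-content/themes/sample-theme"
  chmod -R g-w "$root"                                # start from a non-writable tree
  find "$root" -type d -exec chmod g+s {} \;          # same as the post's setgid step
  chmod g+w "$root/wp-content"
  chmod -R g+w "$root/wp-content/themes" "$root/wp-content/plugins" "$root/wp-content/uploads"
  chmod g+w "$root/wp-includes"                       # the mistake the audit should catch
  wp_audit_dirs "$root"                               # prints: g+w wp-includes
  rm -rf "$root"
}
```

Run wp_audit_dirs against your real installation after the lock-down step; any line it prints is a folder the webserver could still modify or one that will not keep the www-data group on new files.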

Change Secret keys

You can get new keys from the WordPress API with the following command

curl -s https://api.wordpress.org/secret-key/1.1/salt/

I am not sure about a standard installation, but if you are using the WordPress Docker container, your keys will be generated on the first run of the container.

Disable file editing from the WordPress dashboard

Add the following line to your wp-config.php file. It turns off the built-in theme and plugin editor, so a compromised admin account cannot use the dashboard to modify PHP files on disk.

define( 'DISALLOW_FILE_EDIT', true );

That’s all for now. Do not forget to back up your website files and database.

Stay safe!