{"id":1135,"date":"2021-07-20T07:45:15","date_gmt":"2021-07-20T12:45:15","guid":{"rendered":"https:\/\/www.knownhost.com\/kb\/?p=1135"},"modified":"2026-03-23T06:37:35","modified_gmt":"2026-03-23T11:37:35","slug":"wordpress-security-tips","status":"publish","type":"post","link":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/","title":{"rendered":"WordPress Security Tips"},"content":{"rendered":"<div class=\"kb-shortcode kb-shortcode_tip\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-lightbulb-o fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_tip\">It is highly recommended to ensure your WordPress is backed up regularly, especially if making any core changes as advised in this article. For cPanel servers, you can learn more about the <a href=\"https:\/\/www.knownhost.com\/kb\/what-are-some-useful-tips-for-disk-space-management\/#backups\">configurable automatic backups here<\/a>.<\/div>\n                <\/div>\n\n\n\n<p>This article will cover many recommended methods to secure your WordPress installation. 
The latest version of WordPress can always be found on their official download page:&nbsp;<a href=\"https:\/\/wordpress.org\/download\/\">Download WordPress<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/wordpress.org\/latest.zip\">Latest WordPress Zip Archive<\/a>. WordPress has a much more extensive treatment of the topic in their&nbsp;<a href=\"https:\/\/codex.wordpress.org\/Hardening_WordPress\">documentation<\/a>. Here we go over some of the most basic measures you can take to help ensure the security of your site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"keep_wordpress_updated\"><\/span>Keep WordPress Updated<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>One of the most important measures is to ensure that your WordPress install is kept fully updated. Older versions of WordPress can contain exploitable vulnerabilities, leaving your website, and sometimes the server itself, open to attacks or malicious activity. Further, almost every WordPress release specifically references security patches.<\/p>\n\n\n\n<p>We have an article on upgrading WordPress available here:&nbsp;<strong><a href=\"https:\/\/www.knownhost.com\/kb\/how-can-i-upgrade-wordpress\/\">How can I upgrade WordPress?<\/a><\/strong>&nbsp;Since WordPress 3.7, automatic updates have been enabled by default, and more information regarding these automatic updates can be found here:&nbsp;<a href=\"http:\/\/codex.wordpress.org\/Configuring_Automatic_Background_Updates\">Configured Automatic Updates<\/a>.<\/p>\n\n\n\n<p>Besides keeping the core WordPress install updated, keeping plugins and themes fully updated is just as important, if not more so. In the WordPress Admin Panel, the plugins page and themes page will both indicate when plugins or themes need to be updated. 
Check out the screenshots below for examples of plugins and themes that have updates available.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"500\" height=\"207\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png\" alt=\"\" class=\"wp-image-1136\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png 500w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates-300x124.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"500\" height=\"251\" src=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-theme-updates.png\" alt=\"\" class=\"wp-image-1137\" srcset=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-theme-updates.png 500w, https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-theme-updates-300x151.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"strong_passwords\"><\/span>Strong Passwords<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Always make sure to use strong passwords for any authenticated access. For example, your admin user (which shouldn&#8217;t be named admin, if it is&nbsp;<a href=\"https:\/\/codex.wordpress.org\/Hardening_WordPress#Security_through_obscurity\">change it<\/a>!) and your MySQL database passwords. 
You can see more about secure password generation in our&nbsp;<a href=\"https:\/\/www.knownhost.com\/kb\/how-can-i-generate-a-secure-random-password\/\">How can I generate &#8230; ?<\/a>&nbsp;article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"choosing_plugins_for_wordpress\"><\/span>Choosing Plugins for WordPress<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We all have our list of favorite plugins, but we rarely check whether those plugins introduce vulnerabilities of their own on top of WordPress&#8217;s. Oftentimes it&#8217;s the plugins and themes that make an installation less secure. If you find a plugin that you feel you need to install, research it first, verifying that no known exploits or vulnerabilities exist for it. Similarly, many themes have plugins built into them, so you will want to research these carefully as well. For example, a couple of years ago there was a vulnerability in&nbsp;<a href=\"https:\/\/blog.sucuri.net\/2014\/12\/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html\">revslider<\/a>&nbsp;that was patched, but many themes had bundled it in and didn&#8217;t update it to apply the patch. As a result, a lot of site administrators were vulnerable to the exploit and didn&#8217;t even realize they were running the plugin. 
So you will want to carefully research each plugin and theme you consider before installing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"security_plugins\"><\/span>Security Plugins<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Here&#8217;s a list of suggested security plugins that can help with your WordPress security:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\">WordFence<\/a>\u00a0has several useful features, including checking the core files, as well as the plugin and theme files, for changes likely to indicate site compromise. It can also be configured to send you an email when either the WordPress core or any of the installed plugins or themes have updates available. It can also throttle certain types of traffic to reduce server load, and lock out IP addresses that claim to be Google but aren&#8217;t. You can read more about this plugin on its <a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\">page<\/a>&nbsp;in the WordPress plugin catalog. One thing that WordFence does&nbsp;<em>not<\/em>&nbsp;do, however, is&nbsp;<em>log<\/em>&nbsp;failed logins to files where they can be read by other tools, for example&nbsp;<strong><a href=\"https:\/\/www.knownhost.com\/kb\/tag\/csf\/\">CSF\/LFD<\/a><\/strong>. This brings us to:<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wp-fail2ban\/\">WP-fail2ban<\/a>\u00a0is a plugin that causes login successes and failures to be written to the server logs, so that firewalls like CSF\/LFD can be configured to read them. 
The plugin is\u00a0<em>designed<\/em>\u00a0to work with a firewall called Fail2Ban, which conflicts with CSF\/LFD, but CSF\/LFD can be configured to read the log entries generated by this WordPress plugin.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disabling_unnecessary_files_access\"><\/span>Disabling Unnecessary Files &amp; Access<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The default WordPress installation retains numerous files in the installation path that can provide information to potential attackers. For example, the readme.html in the document root of the WordPress installation reveals the installed version. If that version has known vulnerabilities, this lets an attacker pinpoint which exploit to try. You can check if your site has this problem as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  $ curl -s http:\/\/domain.tld\/readme.html | grep Version\n  Version 4.0.1<\/code><\/pre>\n\n\n\n<p>This is just one example. It is recommended to disable access to the following files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All license* files.\u00a0<em>Including<\/em>\u00a0the ones provided in plugins and\/or themes.<\/li>\n\n\n\n<li>All readme* files.\u00a0<em>Including<\/em>\u00a0the ones provided in plugins and\/or themes.<\/li>\n\n\n\n<li>wp-config-sample.php<\/li>\n\n\n\n<li>xmlrpc.php<\/li>\n<\/ul>\n\n\n\n<p>You could delete all of these files, but a simpler way to block access to them is to remove their permissions. For this example, we will chmod all of the referenced files to 000, which can easily be done from a shell using the following commands. 
Note: You&#8217;ll want to replace&nbsp;<code>\/home\/user\/public_html\/wordpress\/<\/code>&nbsp;with the absolute path to your WordPress install&#8217;s document root.<\/p>\n\n\n<div class=\"kb-shortcode kb-shortcode_warning\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-exclamation-triangle fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_warning\">It is recommended to run the first two find commands, which only list the matching files, before the ones that change permissions, to ensure every listed file is safe to disable.<\/div>\n                <\/div>\n\n\n\n<pre class=\"wp-block-code\"><code>  # find \/home\/user\/public_html\/wordpress\/ -type f -iname \"*readme*\"\n  # find \/home\/user\/public_html\/wordpress\/ -type f -iname \"*license*\" ! -iname \"*.php\"\n  # find \/home\/user\/public_html\/wordpress\/ -type f -iname \"*readme*\" -exec chmod 000 {} +\n  # find \/home\/user\/public_html\/wordpress\/ -type f -iname \"*license*\" ! -iname \"*.php\" -exec chmod 000 {} +\n  # chmod 000 \/home\/user\/public_html\/wordpress\/wp-config-sample.php \/home\/user\/public_html\/wordpress\/xmlrpc.php<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disabling_php_execution_from_wp-content\"><\/span>Disabling PHP Execution from wp-content<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Many exploits, especially those due to plugin vulnerabilities, operate in part by running PHP scripts directly from within the wp-content folder, or even the uploads folder itself. The WordPress core files do not need to run any PHP scripts directly from these folders. Some plugins do, but keep in mind that these are often the same plugins that are most likely to have this type of vulnerability. 
To help protect against this type of exploit, you may want to add the following lines to an .htaccess file in the <strong>wp-content directory<\/strong> (these are Apache 2.2-style access directives; Apache 2.4 honors them only when mod_access_compat is loaded):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;FilesMatch \"\\.php$\"&gt;\n  Order Deny,Allow\n  Deny from All\n&lt;\/FilesMatch&gt;<\/code><\/pre>\n\n\n<div class=\"kb-shortcode kb-shortcode_alert\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-times-circle fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_alert\">This may break some themes\/plugins depending on how they work. If you experience issues, simply remove that .htaccess rule, though in that case you may want to re-research and reconsider your use of the plugin or theme.<\/div>\n                <\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disabling_directory_index_listing\"><\/span>Disabling Directory Index Listing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Many servers allow directory index listing by default. For example, on a typical WordPress install, if you add wp-content\/plugins\/ to the address, i.e. a URL like&nbsp;<code>http:\/\/securewp.com\/wp-content\/plugins\/<\/code>,&nbsp;you would be able to see all plugins on the site as well as the files within their directories. 
To ensure this option is not available, place an .htaccess file containing<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  Options -Indexes<\/code><\/pre>\n\n\n\n<p>in your wp-content and wp-includes directories. The following commands append this line to both files, creating them if they do not yet exist:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  $ echo \"Options -Indexes\" &gt;&gt; \/home\/user\/public_html\/wordpress\/wp-content\/.htaccess\n  $ echo \"Options -Indexes\" &gt;&gt; \/home\/user\/public_html\/wordpress\/wp-includes\/.htaccess<\/code><\/pre>\n\n\n\n<p>Alternatively, if you would like to disable directory index listing server-wide, this can be done&nbsp;in WHM at<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  Home &gt;&gt; Service Configuration &gt;&gt; Apache Configuration &gt;&gt; Global Configuration<\/code><\/pre>\n\n\n\n<p>as described\u00a0<a href=\"https:\/\/docs.cpanel.net\/whm\/service-configuration\/global-configuration\/\">in WHM documentation<\/a>, by making sure the &#8220;Indexes&#8221; box is\u00a0<strong>not<\/strong>\u00a0checked in the\u00a0<code>Directory \"\/\" Options<\/code>\u00a0section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disabling_theme_plugin_editing\"><\/span>Disabling Theme \/ Plugin Editing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The built-in theme and plugin editor is a user-friendly feature of WordPress, but it also exposes your installation to vulnerabilities that are easy to overlook. The following constant removes the ability to edit plugins or themes from within the WordPress admin panel. 
It is recommended to wait until your website is finished with development and then add the following constant to your wp-config.php file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  define('DISALLOW_FILE_EDIT', true);<\/code><\/pre>\n\n\n\n<p>Of course, if you have this constant set and would like to turn the feature back on, you can simply comment out or remove the constant in your wp-config.php file.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"securing_themes\"><\/span>Securing Themes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Check your installed theme&#8217;s header file for the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  &lt;meta name=\"generator\" content=\"WordPress &lt;?php bloginfo('version'); ?&gt;\" \/&gt;<\/code><\/pre>\n\n\n\n<p>If this line of code exists, remove it or comment it out. This stops the theme from disclosing the installed WordPress version to anyone who views the page source.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disable_login_errors\"><\/span>Disable Login Errors<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Login errors can provide useful information to attackers. For example, if someone tries a valid username with a wrong password, WordPress responds with an invalid-password message, which confirms that the username exists and gives them a known-good account to keep trying against. To suppress these messages, add the following code to your installed theme&#8217;s functions.php (<code>__return_null<\/code> is a helper built into WordPress; the older <code>create_function<\/code> approach no longer works on PHP 8, where that function was removed):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  add_filter('login_errors', '__return_null');<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"replace_original_authentication_unique_keys_and_salts\"><\/span>Replace Original Authentication Unique Keys and Salts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Your wp-config.php file contains authentication keys and salts. You can regenerate and replace the existing keys and salts at any time, forcing all users to log in again. 
It is recommended to do this occasionally. Lines 45-82 of wp-config.php will contain these keys (exact line numbers vary between versions), looking similar to the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  define('AUTH_KEY', '\/asT;&#091;zOn.E~|d~Dh*{zf.\/31s&amp;n-%vry7I*x+Ddz%h_Pu,#;%,;01+2=:@h@Jz)UC!Zts');\n  define('SECURE_AUTH_KEY', 'zp{Re)}Rdnexx{?ujlN&#091;+tWJrTXr$z+s1DKfj4cegdPo:]h12B=5j?fRlRhiGh`-');\n  define('LOGGED_IN_KEY', '~=GX1e&lt;~$R3aIN8Vy,+Ddz%hlR.S!\/e&lt;e!fvWdRkrM~KjoB}xmA*hwr=E&#091;]gC~U');\n  define('NONCE_KEY', 'x QECT!B~d)+^u7@+:A\/`p+Ddz%h*,\/rf;d~#gaLRz p&#091;yO8+-P%B&lt;Sga&#091;+=sCKj');\n  define('AUTH_SALT', 'aWw@%,ca:22w^y=iHGGWw8&gt;xD%(6-fS4+gj.ulHKh%h%UeXFHw#m0:]0RbX-{NL_~p');\n  define('SECURE_AUTH_SALT', 'b&#091;,14@Xg8E--.oh#)y8\/dK@x412&#091;n?+5k!Rh%i#$9 o$pe &gt;5i=|G?~mHnLsG-7+');\n  define('LOGGED_IN_SALT', 'HfJe:G!A6q&gt;kSu&gt;To 9W;YxCY?73K Pk3;ih%-)H7Dpn#j&gt;6F3@R.,CVT&amp;yn+$\/]');\n  define('NONCE_SALT', 'Z@ t_&amp;KRIjgEfsUbR|bo&gt;^Q~$LYo*,W#G&lt;R0+Ih%l`g1X?:*&gt;V`_vb3Ii9+z}eJt');<\/code><\/pre>\n\n\n\n<p>You can use WordPress&#8217;s&nbsp;API&nbsp;to generate new&nbsp;<a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\">salt values here.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"change_default_%e2%80%98wp_database_prefixes\"><\/span>Change Default &#8216;wp_&#8217; Database Prefixes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Using the default, predictable wp_ prefix in your database makes SQL injection attacks easier. Altering this prefix can help secure your WordPress installation even further. It&#8217;s best to ensure this is done during the WordPress installation, since doing it afterwards is much more difficult; however, I&#8217;ve outlined the steps required here.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Update the <code>$table_prefix<\/code> variable in wp-config.php to the new prefix. 
The line looks like this:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>  $table_prefix = 'wp_';<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For this example, we&#8217;re changing wp_ to wp_khsec_.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>  $table_prefix = 'wp_khsec_';<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using either phpMyAdmin or MySQL via the command line, you&#8217;ll now have to rename all tables in the WordPress database to the new prefix.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>  mysql&gt; show tables;\n  +-----------------------+\n  | Tables_in_securewp_wp |\n  +-----------------------+\n  | wp_commentmeta        |\n  | wp_comments           |\n  | wp_links              |\n  | wp_options            |\n  | wp_postmeta           |\n  | wp_posts              |\n  | wp_term_relationships |\n  | wp_term_taxonomy      |\n  | wp_terms              |\n  | wp_usermeta           |\n  | wp_users              |\n  +-----------------------+\n  11 rows in set (0.00 sec)<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>  mysql&gt; RENAME TABLE wp_commentmeta TO wp_khsec_commentmeta;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This will need to be done for each table in the database.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lastly, a few tables have fields that need to be updated as well. 
Ensure that you rename these values so that they carry the new prefix:\n<ol class=\"wp-block-list\">\n<li><strong>wp_khsec_options<\/strong>\u00a0>\u00a0<strong>wp_user_roles<\/strong><\/li>\n\n\n\n<li><strong>wp_khsec_usermeta<\/strong>\u00a0>\u00a0<strong>wp_capabilities<\/strong>,\u00a0<strong>wp_user_level<\/strong>,\u00a0<strong>wp_autosave_draft_ids<\/strong><\/li>\n\n\n\n<li>wp_autosave_draft_ids may not be present in your installation.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"ensure_secure_server_side_permissions\"><\/span>Ensure Secure Server Side Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Ensuring that your server uses proper server-side permissions is a critical topic, but it may require some thought to choose what&#8217;s right for you.<\/p>\n\n\n\n<p>The typical recommendation for your PHP handler is DSO+mod_ruid2, or LiteSpeed Web Server,&nbsp;which requires permissions of 644 for files and 755 for folders. But we want to make sure we don&#8217;t re-add permissions to the files we deliberately stripped above. 
To ensure all files and folders have the correct permissions in your WordPress installation, you can perform the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  find \/home\/user\/public_html\/wordpress\/ -type d -perm \/022 -exec chmod -c go-w {} +\n  find \/home\/user\/public_html\/wordpress\/ -type f -perm \/133 -exec chmod -c a-x,go-w {} +<\/code><\/pre>\n\n\n\n<p>The first command strips group and world write from any directory that has it; the second strips all execute bits and group and world write from any file that has them. Because both only remove bits, files you already set to 000 stay at 000. This should remove permissions that shouldn&#8217;t be needed for any file or folder while using DSO+mod_ruid2, without re-adding permissions that were purposefully removed.<\/p>\n\n\n<div class=\"kb-shortcode kb-shortcode_info\">\n                    <div class=\"kb-shortcode-icon\">\n                        <i class=\"fa fa-info-circle fa-2x\"><\/i>\n                    <\/div>\n                    <div class=\"kb-shortcode-content_info\">As before, replace \/home\/user\/public_html\/wordpress\/ with the full path to the WordPress site&#8217;s document root.<\/div>\n                <\/div>\n","protected":false},"excerpt":{"rendered":"<p>This article will cover many recommended methods to secure your WordPress installation. The latest version of WordPress can always be found on their official download page:&nbsp;Download WordPress&nbsp;or&nbsp;Latest WordPress Zip Archive. WordPress has a much more extensive treatment of the topic in their&nbsp;documentation. 
Here we go over some of the most basic measures you can take [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[98,146],"tags":[105,108,106],"class_list":["post-1135","post","type-post","status-publish","format-standard","hentry","category-managed-wordpress","category-wordpress","tag-managed-wp","tag-mwp","tag-wordpress"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>WordPress Security Tips - KnownHost<\/title>\n<meta name=\"description\" content=\"Read inside to learn how to keep your KnownHost WordPress account locked down and secured.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WordPress Security Tips - KnownHost\" \/>\n<meta property=\"og:description\" content=\"Read inside to learn how to keep your KnownHost WordPress account locked down and secured.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/\" \/>\n<meta property=\"og:site_name\" content=\"KnownHost\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-20T12:45:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-23T11:37:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png\" \/>\n\t<meta property=\"og:image:width\" content=\"500\" \/>\n\t<meta property=\"og:image:height\" content=\"207\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" 
\/>\n<meta name=\"author\" content=\"Jonathan K. W.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan K. W.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/\"},\"author\":{\"name\":\"Jonathan K. W.\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"headline\":\"WordPress Security Tips\",\"datePublished\":\"2021-07-20T12:45:15+00:00\",\"dateModified\":\"2026-03-23T11:37:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/\"},\"wordCount\":1690,\"image\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/wordpress-security-tips-plugin-updates.png\",\"keywords\":[\"managed-wp\",\"mwp\",\"wordpress\"],\"articleSection\":[\"Managed Wordpress\",\"WordPress\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/\",\"name\":\"WordPress Security Tips - 
KnownHost\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/wordpress-security-tips-plugin-updates.png\",\"datePublished\":\"2021-07-20T12:45:15+00:00\",\"dateModified\":\"2026-03-23T11:37:35+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"description\":\"Read inside to learn how to keep your KnownHost WordPress account locked down and secured.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/wordpress-security-tips-plugin-updates.png\",\"contentUrl\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/wordpress-security-tips-plugin-updates.png\",\"width\":500,\"height\":207,\"caption\":\"wordpress security tips\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/wordpress-security-tips\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WordPress Security 
Tips\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\",\"name\":\"KnownHost\",\"description\":\"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\",\"name\":\"Jonathan K. W.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"caption\":\"Jonathan K. W.\"},\"sameAs\":[\"https:\\\/\\\/www.knownhost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"WordPress Security Tips - KnownHost","description":"Read inside to learn how to keep your KnownHost WordPress account locked down and secured.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/","og_locale":"en_US","og_type":"article","og_title":"WordPress Security Tips - KnownHost","og_description":"Read inside to learn how to keep your KnownHost WordPress account locked down and secured.","og_url":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/","og_site_name":"KnownHost","article_published_time":"2021-07-20T12:45:15+00:00","article_modified_time":"2026-03-23T11:37:35+00:00","og_image":[{"width":500,"height":207,"url":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png","type":"image\/png"}],"author":"Jonathan K. W.","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan K. W.","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#article","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/"},"author":{"name":"Jonathan K. 
W.","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"headline":"WordPress Security Tips","datePublished":"2021-07-20T12:45:15+00:00","dateModified":"2026-03-23T11:37:35+00:00","mainEntityOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/"},"wordCount":1690,"image":{"@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#primaryimage"},"thumbnailUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png","keywords":["managed-wp","mwp","wordpress"],"articleSection":["Managed Wordpress","WordPress"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/","url":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/","name":"WordPress Security Tips - KnownHost","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#primaryimage"},"image":{"@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#primaryimage"},"thumbnailUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png","datePublished":"2021-07-20T12:45:15+00:00","dateModified":"2026-03-23T11:37:35+00:00","author":{"@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"description":"Read inside to learn how to keep your KnownHost WordPress account locked down and 
secured.","breadcrumb":{"@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#primaryimage","url":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png","contentUrl":"https:\/\/www.knownhost.com\/kb\/wp-content\/uploads\/2021\/07\/wordpress-security-tips-plugin-updates.png","width":500,"height":207,"caption":"wordpress security tips"},{"@type":"BreadcrumbList","@id":"https:\/\/www.knownhost.com\/kb\/wordpress-security-tips\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.knownhost.com\/kb\/"},{"@type":"ListItem","position":2,"name":"WordPress Security Tips"}]},{"@type":"WebSite","@id":"https:\/\/www.knownhost.com\/kb\/#website","url":"https:\/\/www.knownhost.com\/kb\/","name":"KnownHost","description":"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.knownhost.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b","name":"Jonathan K. 
W.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","caption":"Jonathan K. W."},"sameAs":["https:\/\/www.knownhost.com"]}]}},"_links":{"self":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/comments?post=1135"}],"version-history":[{"count":2,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1135\/revisions"}],"predecessor-version":[{"id":8088,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/1135\/revisions\/8088"}],"wp:attachment":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/media?parent=1135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/categories?post=1135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/tags?post=1135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}