WordPress Setup
Jump to navigation
Jump to search
WordPress Best Practices
- Keep Wordpress Core and all plugins and themes updated
- Remove all unused plugins and themes
- Practice good password hygiene
- Use strong passwords
- Do not reuse passwords
- Enable two-factor authentication where possible
- Use a trusted password manager such as 1Password
Recommended WordPress Toolkit Settings
Recommended update settings for WordPress core, plugins, and themes:
Enact the following WP Toolkit Security recommendations (at a minimum):
- Restrict access to files and directories
- Block directory browsing
- Block unauthorized access to wp-config.php
- Disable PHP execution in cache directories
- Block access to sensitive files
- Forbid execution of PHP scripts in the wp-includes directory
- Forbid execution of PHP scripts in the wp-content/uploads directory
- Block access to .htaccess and .htpasswd
Enact these security settings in addition to the above:
- Configure security keys
- Disable scripts concatenation for WordPress admin panel
- Turn off pingbacks
- Change default database table prefix
- Enable bot protection
- Block access to potentially seneitive files
- Change default administrator's username
Addon Domains
When setting up Addon domains (especially for Worpress installations) we recommend the Addon domains be placed outside your primary public_html
folder. This helps prevent cross contamination of Wordpress installations if one of them gets infected with malware.