Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken.

This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.

This article is not the ultimate quick fix to your security concerns. If you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security and WordPress.

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.

Decide what level of security you need on your server by determining which software and data need to be secured. The rest of this guide will help you with this.

Updating WordPress

Main article: Updating WordPress.

The latest version of WordPress is always available from the main WordPress website at https://wordpress.org. Official releases are not available from other sites — never download or install WordPress from any website other than https://wordpress.org.

Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.

If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.

How to rename the WordPress wp-content directory

To rename the wp-content directory and still have a fully functional website, follow the steps below carefully. Do not skip any of them.

  • Open the WordPress folder and rename the wp-content folder to "content" (I chose the name content; you can choose any name you want).

Note: after renaming this folder, every active plugin and theme will be deactivated and will no longer be listed on its respective page, because WordPress cannot find them in the default location, wp-content.

  • Open the wp-config.php file located in the root folder of the WordPress installation and find the following line, which normally sits at the end of the file:

require_once(ABSPATH . 'wp-settings.php');

  • Above this line, add the following section of code:

// Name of the renamed content folder (must match the folder name you chose).
define('WP_CONTENT_FOLDERNAME', 'content');
// Filesystem path to the content folder; ABSPATH already ends with a slash.
define('WP_CONTENT_DIR', ABSPATH . WP_CONTENT_FOLDERNAME);
// Public URL of the content folder; replace siteurl.com with your own domain.
define('WP_CONTENT_URL', 'http://siteurl.com/' . WP_CONTENT_FOLDERNAME);
// Plugin path and URL derived from the values above.
define('WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins');
define('WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins');

How to change the URL of WordPress Login screen

Many automated attack scripts are written specifically to look for "wp-login.php" or "/wp-admin", so renaming them hardens the website against those scripts.

  • You can rename the wp-login.php or wp-admin slug using the third-party plugin named "Rename wp-login.php (unmaintained)".
  • After activating the plugin, go to wp-admin >> Settings >> Permalinks >> Rename wp-login.php >> Login URL. Enter "tech" (you can give any name you want) and save.
  • Your WordPress login screen URL is now: http://siteurl.com/tech

Plugins

First of all, make sure your plugins are always up to date. Also, if you are not using a specific plugin, delete it from the system.

File Permissions

Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

It is best to lock down your file permissions as much as possible, loosen those restrictions only on the occasions when you need to allow write access, or create specific folders with fewer restrictions for purposes such as uploading files.

Disable File Editing

By default, the WordPress Dashboard allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution.

WordPress has a constant that disables editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users:

define('DISALLOW_FILE_EDIT', true);
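The following added shell helpers (not part of the original article or of WordPress itself) audit an installation for the two points covered in the File Permissions and Disable File Editing sections: they count group- or world-writable entries, tighten them to the usual 755/644 layout (wp-config.php to 640), and check that wp-config.php defines DISALLOW_FILE_EDIT. The sample install is constructed in a temporary directory; the 640 mode for wp-config.php is an assumption that the web server runs in the file's group.

```shell
#!/bin/sh
# Audit helpers for a WordPress tree: loose permissions and DISALLOW_FILE_EDIT.

# Count files and directories under $1 that are group- or world-writable.
# Octal masks keep the test portable between GNU and BSD find.
count_loose_perms() {
    find "$1" \( -perm -002 -o -perm -020 \) | wc -l | tr -d ' '
}

# Lock permissions down: directories 755, files 644, wp-config.php 640
# (readable by the owner and the web server's group, not by other local users).
tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# Return 0 (true) if wp-config.php under $1 defines DISALLOW_FILE_EDIT as true,
# 1 otherwise. Accepts single or double quotes and optional whitespace.
# A commented-out define would also match, so confirm a hit by reading the file.
file_edit_disabled() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Build a constructed sample install in a temp dir with deliberately loose modes.
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins"
    printf '<?php\nrequire_once(ABSPATH . "wp-settings.php");\n' > "$root/wp-config.php"
    echo '<?php // constructed demo plugin' > "$root/wp-content/plugins/demo.php"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/plugins"
    chmod 777 "$root/wp-content/uploads"           # world-writable: flagged
    chmod 664 "$root/wp-content/plugins/demo.php"  # group-writable: flagged
    chmod 644 "$root/wp-config.php"
    echo "$root"
}

# Usage: sh audit.sh /path/to/wordpress  (only runs when a path is given)
if [ -n "${1:-}" ]; then
    echo "group/world-writable entries under $1: $(count_loose_perms "$1")"
    if file_edit_disabled "$1"; then
        echo "DISALLOW_FILE_EDIT: set"
    else
        echo "DISALLOW_FILE_EDIT: NOT set"
    fi
fi
```

Run the audit before and after tighten_perms on a staging copy first, since uploads directories that must stay writable by the web server need their own, narrower exception.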