Some WordPress Security Guides

Hi maddyacca,

The Hardening_WordPress Codex article is a great place to start.

I have done all this thing in this article previously, just asking that is it good to move wp-config and .htaccess in wp admin folder?

You should probably leave .htaccess in the root, but I’d be more tempted to move wp-config.php up a level in the tree rather than down into wp-admin.

Don’t panic. My site is constantly attacked, nobody has gotten in yet. The first thing you should do is ensure your backups are current. If they are, there’s little to worry about.

Do not move wp-config.php except as discussed in the Hardening WP article mentioned above, even that has marginal benefit. Moving it anywhere else could break WP. If your server is configured properly, it’s fairly safe where it is. You can improve security where it is through the .htaccess file already in the same folder.

It’s very risky to move .htaccess files, depending on the content, it might be OK, but more likely will break the destination folder and all folders below it. The proper procedure is to create a new .htaccess file (assuming one does not already exist) and place whatever security directives you need in the new file.

These comments are for a standard, default installation. I can’t speak for any modifications your security plugin may have done that might contraindicate my comments.

But I am on shared hosting server and using wp better security plugin. This plugin made secured all files including .htaccess and config. But is it possible to hack my website because my website is on shared hosting? if somebody enters in my web through any other web on server then will be be able to hack my website.
Note: My .htaccess and config are not writeable and .htaccess is blocking access to all important files and also no body can change files of my wordpress also.

Here are my website’s security info:
Your WordPress header is revealing as little information as possible.
Non-administrators cannot see available updates.
The admin user has been removed.
The user with id 1 has been removed.
Your table prefix *****
You are blocking known bad hosts and agents with HackRepair.com’s blacklist..
Your login area is protected from brute force attacks.
Your WordPress admin area is hidden.
Your .htaccess file is fully secured.
Your installation is actively blocking attackers trying to scan your site for vulnerabilities.
Your installation does not accept long URLs.
You are not allowing users to edit theme and plugin files from the WordPress backend.
Better WP Security is allowed to write to wp-config.php and .htaccess.
wp-config.php and .htacess are not writeable.
Version information is obscured to all non admin users.

Are these enough?

Hi maddyacca,

There is no such thing as a 100% secure website… so the question “are these enough?” is not really the right question to ask. Although I do understand why you ask it.

There is no silver bullet, where if you do x, y and z you will be safe and secure for the rest of your life.

Drew and bcworkz have made some very good suggestions.

The codex is a very good resource on Security, and you should read it.

Backups are essential. But you have to have a good backup strategy and make some sound decisions on how often and what you backup. Think about the fact that you might not know about a security breach until 2 – 3 months after it has happened… so you need to store a reasonable number of backups… I’ve written an article on this at https://www.wpsecuritychecklist.com/wordpress-backup-the-plugin-and-the-plan/ which should be good reading regardless of which backup plugin you use.

Shared hosting could be more risky than a dedicated server… unless that dedicated server is not kept up to date with OS, Web Server, Database Server and PHP… in which case you might be better off on a shared server where the environment is kept up to date…

So there are many questions to answer when it comes to WordPress Security. I have tried to cover as many bases as possible in The WordPress Security Checklist, which you can get for free at https://www.wpsecuritychecklist.com/

Yes, I have written it. But it’s free and if you don’t like it I’ll refund your money ??

It does sound like you have done a lot of good things to secure your site though…

Make sure you have a good baseline backup and don’t panic!