After installing WordPress you are ready to start posting but there are a few industry accepted best practices you should do to improve security and functionality. Here’s a checklist:
- Prevent listing of the following directories.
/wp-content
/wp-content/plugins
/wp-content/themes/
/wp-content/uploads
Reason: Unless the webserver disallows it the contents of these folders will be viewable to the public potentially allowing the download and viewing of images and downloadables via browser. Placing an empty index.php file in each of these folders will prevent this. - Remove WordPress Generator Meta Tag
Reason: The WordPress Generator Meta Tag comes with every installation to provide information re the WordPress version you are using. No one really needs to know this so disabling this is highly recommended. - Disable Really Simple Discovery Meta Tags
Reason: RSD is the option of allowing the editing and publishing remotely. If you don’t need this remove this potentially hazardous service. - Remove Windows Live Writer Meta Tags
Reason: WLW Meta Tags were one of the most compromised built in services in WordPress when it came out. Avoid making hackers happy by removing this immediately. - Disable Database Error Reporting
Reason: The database often automatically publishes error reports no matter how small. The public do not necessarily have to know this information as hackers will use it to find holes in your system. Disable immediately. - Disable PHP Error Reporting
Reason: Error reporting of any kind is useful only when you are troubleshooting a problem. In any other situation just disable this as it can provide hackers information on how to get in. - Remove Scripts and Stylesheets version information
Reason: Same as above no one normally needs to know this information unless you are troubleshooting. Hackers can check a version, research its vulnerabilities and find a doorway into your system. - Remove Scripts and Stylesheets version information from URLs
Reason: Related to above, not only does this information exist in the script itself but sometimes it will appear in a long URL when you are browsing the site. Disable immediately. - Remove readme.html
Reason: The readme.html file comes default with every installation containing information about the version you are installing. Again this info can be used by hackers to find out firstly if you are using WordPress, what version it is and so on. No one needs to know this so remove it ASAP. - Administrator Username Should Not Be ‘Admin’
Reason: Hackers need to guess your password right? So why stop there and make them guess your username as well. By not using ‘Admin’ you make his job just a little harder.
These are a few of the many things we check when we run a WordPress website. If you want to have a website or have one already please consider trying out our Managed WordPress Packages. Send us a message below and we’ll reply ASAP.