Security: Maintaining a secure WordPress blog

By | November 11, 2016

I already have several posts related to security of an exposed Internet site. They were all summarized in the post Blog Links: Web site security
As we know, the Internet threats are constant and evolving so to maintain the same level of security we constantly have to update the configurations of a secure installation. In the following I am adding some new cases I had to consider.

STEP 1: Always have the latest stable version
I do not know how to stress this harder. Always have the latest stable WordPress version. The vast majority of security breaches are due to known issues with old WordPress versions. It is like having an unlock door and hope people do not know how to press the door handle.

STEP 2: Activate two factor authentication.
Two factor authentication is a must to any system that is connected to the Internet and has a login page. You have to enable it for all the authentication methods.

1. Activate two factor authentication local WordPress installation login. There are several plugins available that do that. My choice is MiniOrange. This plugin allows you to add Google Authenticator as the second factor.

2. Activate two factor authentication for WordPress.com login. This was added at some point in the past and my advice is to use it. It is important because you can login to your site using WordPress login so that should be secured as well. You can use Google Authenticator for this also.

STEP 3: Install a WordPress security plug-in

It is very important to rely on someone who understands the complexity of a piece of software like WordPress. There are so many things to track that you must have a specific security tool designed for it. I highly recommend the plugin WordFence.

Our WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, WordFence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. Our Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.

STEP 4: Disable XML-RPC in WordPress

From Wikipedia XML-RPC

XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism.[1] “XML-RPC” also refers generically to the use of XML for remote procedure call, independently of the specific protocol

In most of the cases we do not need this. Some plugins may be affected and we cannot use anymore some 3rd party clients to post to WordPress, but is still a good trade-off to get better security.

There is an interesting post on WordFence blog Should You Disable XML-RPC on WordPress?
Because I am a user of JetPack for statistics of the blog traffic I am not disabling XML_RPC, but if you do not have the need for XML-RPC you should definitely disable it. There are several plug-ins that make it easy for you to disable it.

STEP 5: Disable directory browsing

As you can see in the following post How To Disable Directory Browsing In WordPress this is a big issue.

The easiest way to do it is to add to your WordPress .htaccess file the following:


Options All -Indexes

STEP 6: Disable PHP full path disclosure

This may be a security threat so may be a good idea to disable it. See How To Fix WordPress Internal Path/Full Path Disclosure(FPD) Issue

In my installation I checked my /etc/php.init and I already have:


display_errors = Off


STEP 7: Check security with 3rd party scanners

Constantly check the security of your site with 3rd p[arty security scanners that test your site to the latest threats:

Use Sucuri Website Malware and Security Scanner and Qualys SSL Labs testers to constantly check your installation.