The Perfect Web Server – Part 5

Hardening WordPress

In Part 4 of the Perfect Web Server, we saw how to install and secure phpmyadmin for easy database administration.

This part is all about securing your WordPress installation and preventing malicious hackers from attacking your site.

A good web host

Choosing a good web host is a basic step to securing your website. A good web host should provide reliable methods for backup and recovery at the instance level. Also, it should provide updated software that is free from the latest security vulnerabilities. This is to prevent black hat hackers from defacing your site. Firewalls and file permissions should be configured to give the minimum required privileges.

App security

The stuff that you install on your WordPress site is also important – do not install plugins and themes from unknown sources. Stick to wordpress.org or to well known sites.

Backup should be scheduled to run daily. Use a good plugin like UpdraftPlus for this. Server instance snapshots can be utilized for extra security at the OS level.

Your computer

Always keep your operating system and software up to date and ensure that your PC is free from malware. A keylogger on your computer can compromise your password. No amount of server security can protect you from a keylogger on your PC.

Updating wordpress

WordPress has automatic updates, thus it will keep itself up to date. It is essential to keep this feature enabled so that you get updates as soon as possible. Vulnerabilities are often discovered in WordPress and information about how to exploit / hack WordPress using that vulnerability will be made available to the public very soon.

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.

Web Server updates

The web server that WordPress is running on can have vulnerabilities. Therefore it needs to be kept up to date. If you are on a shared server, your web host is supposed to do this for you.

Network Security

Firewall rules need to be updated to allow only the necessary ports at both your web host and your home computer.


Always use a strong password. A strong passwords involves more than 15 characters, which should have UPPERCASE, lowercase, numbers and special characters (symbols). Do NOT use your name, birthday or a dictionary word. WordPress always generates a strong password for you during the installation process; it is recommended to use that.


Use SFTP – encrypted FTP if your web host provides it. This will prevent an attacker from intercepting your password or sensitive data.

File Permissions

From the wordpress documentation, “It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access”.

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server – those files need to be group-owned by the user account used by the web server process.


The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.


The WordPress administration area: all files should be writable only by your user account.


The bulk of WordPress application logic: all files should be writable only by your user account.


User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:


Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.


Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Change file permissions

For directories,

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For files,

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Database security

If you have multiple WordPress sites, it is recommended to have a separate database for each site. This makes it much harder for attackers to compromise your other sites.

More Security

You may read the full article on WordPress Hardening at the official page.

Leave a Reply