WordPress Security (Part 04)

Sajid Javed
2 min read, Mar 24, 2022

This is the 4th part of our WordPress security course. I strongly recommend reading the 1st, 2nd and 3rd parts first if you haven't already.

Block External URL Requests: Your website should not make HTTP requests to URLs you know nothing about. When an intruder gets into your website, one of the things they do is modify its code so that it leaks data.

In other words, your website starts sending data to another URL automatically, without your knowledge.

WordPress can block these outbound requests and let through only the domains you whitelist, which is a useful feature. When you enable it, make sure you whitelist every host your site depends on, such as *.wordpress.org for automatic updates and the plugin and theme directories, plus any service your plugins call (payment gateways, mailers, licence checks); otherwise updates and integrations fail silently. Note that the block only covers requests made through WordPress's own HTTP API (wp_remote_get() and friends). Code that calls curl or file_get_contents() directly is not affected, so treat this as one layer of defence rather than the only one.

For more details, read here.
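The two wp-config.php constants that implement this, shown as an added example rather than as a fragment from the original post. The host list is an assumption for illustration; adjust it to the services your site actually calls.

```php
// wp-config.php fragment (added example, not from the original post).
// Place it above the "That's all, stop editing!" line.

// Refuse every request made through the WordPress HTTP API (wp_remote_get(),
// wp_remote_post(), the update checker, the plugin and theme installers)
// unless the destination host is listed in WP_ACCESSIBLE_HOSTS.
// Requests to the site's own host and to localhost are still allowed.
define( 'WP_HTTP_BLOCK_EXTERNAL', true );

// Comma-separated allow list. Only the host name is compared, never the
// scheme or path. A leading "*." matches any subdomain, so "*.wordpress.org"
// covers api.wordpress.org and downloads.wordpress.org; it does not match the
// bare "wordpress.org". Add every host your own plugins talk to; the list
// below is an assumed starting point, not a complete one.
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.wordpress.org' );
```

To confirm it works, run `wp_remote_get( 'https://example.net/' )` from a must-use plugin or `wp eval`: with the block in place it returns a WP_Error with the code `http_request_not_executed` instead of contacting the host, while a request to an allowed host still succeeds. Watch the Dashboard > Updates screen after enabling it; if update checks start failing, a required host is missing from the list.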

Disable PHP File Execution: You should disable PHP file execution in certain WordPress directories where it is not needed, such as /wp-content/uploads. This folder is intended for media files like images and videos.

WordPress stores every file uploaded through the media library in wp-content/uploads. If an attacker manages to get a PHP file into this folder (it is not easy, but a vulnerable upload form or a compromised account can make it possible), they can then request that file by URL and the server will run it. Denying PHP execution there means the request is refused instead of executed, which turns a successful upload into a dead end.

You can prevent the execution of PHP files via .htaccess. For practical implementation please read this link.
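One way to keep that .htaccess in place, written here as an added example rather than code from the original post: a must-use plugin that (re)creates the file with WordPress's own marker helper every time an administrator loads the dashboard. The plugin file name and function name are assumptions.

```php
<?php
/**
 * Added example, not code from the original post: a must-use plugin
 * (wp-content/mu-plugins/deny-php-in-uploads.php, hypothetical name) that
 * keeps a .htaccess in the uploads directory which refuses any request for a
 * PHP-like file. Because it runs on every admin page load, the rule comes
 * back if the file is ever deleted. Apache 2.4 syntax.
 */
add_action( 'admin_init', 'example_deny_php_in_uploads' );

function example_deny_php_in_uploads() {
    // insert_with_markers() lives in wp-admin and is what WordPress itself
    // uses to maintain a marked block in .htaccess without touching other rules.
    if ( ! function_exists( 'insert_with_markers' ) ) {
        require_once ABSPATH . 'wp-admin/includes/misc.php';
    }

    $upload_dir = wp_get_upload_dir();
    $htaccess   = trailingslashit( $upload_dir['basedir'] ) . '.htaccess';

    // The pattern is deliberately not anchored to the end of the file name, so
    // double-extension uploads such as shell.php.jpg (which mod_php can still
    // execute when PHP is mapped with AddHandler) are refused as well.
    $rules = array(
        '<FilesMatch "\.(?i:php[0-9]?|phtml|phar)">',
        '    Require all denied',
        '</FilesMatch>',
    );

    // Writes "# BEGIN Deny PHP in uploads" ... "# END Deny PHP in uploads"
    // and skips the write when the block is already present and unchanged.
    insert_with_markers( $htaccess, 'Deny PHP in uploads', $rules );
}
```

Two caveats. `Require all denied` is Apache 2.4 syntax; on 2.2 the equivalent is `Order Deny,Allow` followed by `Deny from all`, and in both cases `AllowOverride` must permit .htaccess files. Nginx ignores .htaccess entirely, so there you add something like `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` to the server block instead. To check the rule, copy a harmless `test.php` into the uploads folder over SFTP and request it in a browser: you should get a 403, not the script's output.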

Disable PHP Error Reporting: PHP's error reporting helps developers find and fix issues quickly, but it is risky in production. Disable it before you put your website on the live server.

Otherwise it hands attackers information about your website: displayed warnings and notices include full server paths and the names of the plugin or theme files that raised them.

For example, if an error message names a specific plugin, an attacker can look up known vulnerabilities in that plugin and try them against your site.

If it is still on, read this article and turn it off immediately.
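The production settings in wp-config.php, as an added example (not a fragment from the original post). The log path is an assumed placeholder.

```php
// wp-config.php fragment, production values (added example, not from the
// original post).

// WordPress only forces display_errors when WP_DEBUG is true; with WP_DEBUG
// off it leaves the php.ini value alone. So turn off the WordPress layer...
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// If you ever have to switch WP_DEBUG on for a live site to chase a bug, keep
// WP_DEBUG_DISPLAY false and never log to the default wp-content/debug.log:
// that file sits inside the web root and anyone who guesses the URL can read
// it. Point the log outside the document root instead (assumed path):
// define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );

// ...and the PHP layer too, so a notice from a plugin or a fatal error in a
// theme never reaches a visitor. Errors still go to the web server's error
// log, where you can read them.
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );
```

One gap remains: an error raised before wp-config.php is parsed (a syntax error in wp-config.php itself, for instance) still follows php.ini, so also set `display_errors = Off` in php.ini or the PHP-FPM pool configuration. A quick check is to fetch a few pages with `curl -s` and grep the output for `Warning:` or `Notice:`; nothing should come back.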

Disable Comments: If you don't need comments, turn them off. If you do need them, disable automatic approval so that every comment is held for moderation before it appears.

Some commenters post links that lead to malware downloads, phishing pages that collect personal information, or scams that steal money from whoever clicks them.

For more details, you can read this article.
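Both options, implemented server-side in a must-use plugin so that a theme change or an edited setting cannot silently reopen the door. This is an added example rather than code from the original post; the plugin file name and the EXAMPLE_COMMENTS_NEEDED switch are assumptions.

```php
<?php
/**
 * Added example, not code from the original post: a must-use plugin
 * (wp-content/mu-plugins/comment-policy.php, hypothetical name) covering
 * both options above. EXAMPLE_COMMENTS_NEEDED is an assumed switch.
 */
define( 'EXAMPLE_COMMENTS_NEEDED', false );

if ( ! EXAMPLE_COMMENTS_NEEDED ) {
    // Option 1: comments are not needed, so close them everywhere.
    // Filtering comments_open() (rather than just hiding the form in the
    // theme) also rejects direct POSTs to wp-comments-post.php, which checks
    // it before saving anything; pings_open() does the same for pingbacks
    // and trackbacks arriving over XML-RPC.
    add_filter( 'comments_open', '__return_false', 20, 2 );
    add_filter( 'pings_open', '__return_false', 20, 2 );
} else {
    // Option 2: comments are needed, but nothing goes live automatically.
    // Every new comment is held for moderation (status 0) unless the spam
    // checks have already marked it 'spam' or 'trash'. This is the code
    // equivalent of Settings > Discussion > "Comment must be manually
    // approved", and it cannot be undone by editing that setting.
    add_filter( 'pre_comment_approved', function ( $approved, $commentdata ) {
        if ( in_array( $approved, array( 'spam', 'trash' ), true ) ) {
            return $approved;
        }
        // Logged-in moderators are trusted; everyone else waits.
        if ( ! empty( $commentdata['user_id'] )
            && user_can( $commentdata['user_id'], 'moderate_comments' ) ) {
            return $approved;
        }
        return 0;
    }, 10, 2 );

    // Links are how a malicious comment does its damage. WordPress turns bare
    // URLs in approved comments into clickable links at display time
    // (make_clickable on comment_text, priority 9); drop that so a URL a
    // moderator overlooked is at least not one click away.
    remove_filter( 'comment_text', 'make_clickable', 9 );
}
```

With option 2, test by posting a comment while logged out: it should land in Comments > Pending, not on the page. The Discussion settings screen keeps working for everything else (notification e-mails, closing comments on old posts, the disallowed-words list), so use it alongside this file rather than instead of it.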

Prevent Hotlinking: Other websites can embed your assets such as images, videos and even whole pages on their own site.

Hotlinking simply means linking to an asset on one website from another, for example someone placing your image URL in an image tag on their own page.

Hotlinking costs you money: every visit to their page is served by your server, using your bandwidth and resources, and your hosting provider bills you for it.

You can block everyone or allow only specific websites to hotlink. This can be done in many ways, but I personally use .htaccess.

Continue here for more details.
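The rules I mean, packaged the same way as the uploads rule above: a must-use plugin that keeps a referer-based hotlink block in the site's root .htaccess. This is an added example, not code from the original post; the plugin file name, function name and the partner host are assumptions.

```php
<?php
/**
 * Added example, not code from the original post: a must-use plugin
 * (wp-content/mu-plugins/block-hotlinking.php, hypothetical name) that keeps
 * a referer-based hotlink block in the root .htaccess. Apache with mod_rewrite.
 */
add_action( 'admin_init', 'example_install_hotlink_rules' );

function example_install_hotlink_rules() {
    if ( ! function_exists( 'insert_with_markers' ) ) {
        require_once ABSPATH . 'wp-admin/includes/misc.php';
    }
    if ( ! function_exists( 'get_home_path' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // Sites allowed to embed our media: this site plus any partners you trust.
    $allowed_hosts = array(
        wp_parse_url( home_url(), PHP_URL_HOST ),
        'partner.example', // assumed placeholder
    );
    $host_alternation = implode( '|', array_map( function ( $host ) {
        return preg_quote( $host, '/' );
    }, $allowed_hosts ) );

    $rules = array(
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        // Requests with no Referer at all are let through: direct visits,
        // browsers with a strict Referrer-Policy and many proxies send none,
        // and blocking them would break your own images for those visitors.
        'RewriteCond %{HTTP_REFERER} !^$',
        // Refuse when the referer is not one of the allowed hosts.
        'RewriteCond %{HTTP_REFERER} !^https?://(www\.)?(' . $host_alternation . ')(:[0-9]+)?(/|$) [NC]',
        // Only media gets this treatment; HTML pages are unaffected.
        'RewriteRule \.(jpe?g|png|gif|webp|svg|mp4|webm|pdf)$ - [F,NC,L]',
        '</IfModule>',
    );

    // Lands in its own "# BEGIN Block hotlinking" block next to the one
    // WordPress manages. WordPress's own rules only rewrite requests that do
    // not match an existing file, so real media files reach this block.
    insert_with_markers( get_home_path() . '.htaccess', 'Block hotlinking', $rules );
}
```

Check it with curl: `curl -I -H 'Referer: https://evil.example/' https://yoursite/wp-content/uploads/2022/03/photo.jpg` should return 403, and the same request without the header should return 200. Keep in mind that the Referer header is supplied by the client, so this stops casual embedding and the bandwidth drain that comes with it, not a determined copier who strips or forges it. On nginx the equivalent is `valid_referers none blocked server_names partner.example;` followed by `if ($invalid_referer) { return 403; }` inside the media location.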

Continue to the 5th part of this course.


Sajid Javed

Certified software engineer with 8+ years of diversified experience across diverse industries.