{"id":9103,"date":"2018-07-03T22:30:59","date_gmt":"2018-07-03T20:30:59","guid":{"rendered":"https:\/\/thecamels.org\/?p=9103"},"modified":"2021-06-13T19:24:00","modified_gmt":"2021-06-13T17:24:00","slug":"compendium-how-to-secure-your-wordpress","status":"publish","type":"post","link":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/","title":{"rendered":"Compendium: how to secure your WordPress?"},"content":{"rendered":"\n<p>WordPress&nbsp;is one of the most popular CMSs in the world. Depending on which statistics you trust, it runs somewhere between several million and tens of millions of websites. The growing popularity of WordPress in Poland translates into a growing number of attacks against it. Many of these attacks can be prevented by securing the site with a few simple steps, and that is the main topic of this article.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Website security requires spending some time on implementing good solutions. There is no magic \u201c<em>Secure My WordPress<\/em>\u201d button, and no plugin that will solve the problem for us. Although the creators of&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/about\/security\/\"><span>WordPress take the subject very seriously<\/span><\/a>, there is a long list of things we have to take care of ourselves.<\/p>\n\n\n\n<p>That is why I have good and&nbsp;<strong>even better news<\/strong> for you. The good news is that this article is really long and comprehensive. What is the better news? Its volume is accompanied by quality. 
You will find an overview of the most important topics related to WordPress security in one place, so you won\u2019t have to jump between different pages and articles.<\/p>\n\n\n\n<p>Let\u2019s start.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"podcast-polish\"><\/span>Podcast (Polish)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If you prefer listening to reading, you can find our podcast below. There is also an audio version of this article. You can listen to it using the Podcasts app on iOS, an application of your choice on Android, iTunes,&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.youtube.com\/channel\/UC01xYBZbIAApTuPWuqgGE4Q\"><span>YouTube<\/span><\/a>,&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/soundcloud.com\/thecamelsorg\"><span>SoundCloud<\/span><\/a>&nbsp;and&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.spreaker.com\/show\/thecamels\"><span>Spreaker<\/span><\/a>.<\/p>\n\n\n\n<iframe loading=\"lazy\" src=\"https:\/\/widget.spreaker.com\/player?episode_id=15837590&amp;theme=light&amp;playlist=false&amp;playlist-continuous=false&amp;autoplay=false&amp;live-autoplay=false&amp;chapters-image=true&amp;episode_image_position=right&amp;hide-logo=false&amp;hide-likes=false&amp;hide-comments=false&amp;hide-sharing=false\" width=\"100%\" height=\"200px\" frameborder=\"0\"><\/iframe>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"general-recommendations\"><\/span>General recommendations<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>When you start securing your WordPress-based website, you should focus on several general issues. 
They concern not only the CMS itself, but also everything around it that affects its security.<\/p>\n\n\n\n<p>You can also listen to the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/niebezpiecznik.pl\/post\/na-podsluchu-007-ten-o-podnoszeniu-bezpieczenstwa-komputera\/\"><span>Niebezpiecznik podcast<\/span><\/a>, which discusses very interesting topics related to improving security.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"take-care-of-the-quality-of-passwords\"><\/span>Take care of the quality of passwords<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Website login data&nbsp;<strong>is among the information most sought after by cybercriminals<\/strong>, and it regularly leaks in breaches. The most common mistakes are reusing the same password on many websites and using weak passwords in general.<\/p>\n\n\n\n<p>If we use a&nbsp;<strong>weak password<\/strong>, other security measures may not help. This applies not only to the password for the WordPress admin panel itself, but also to the server, e&#8209;mail and the client panel at the hosting company. If we use a simple password and, worse still, the same password on several websites, the password does not even have to be cracked on our site. An attacker who obtains it from a breach of some other website can simply try it against our WordPress and log in (this is known as credential stuffing).<\/p>\n\n\n\n<p>Create long passwords and mix in special characters, lowercase and uppercase letters and digits. Simple passwords fall to&nbsp;<em>brute-force<\/em> and dictionary attacks: a leaked hash of a short, common password is cracked on today\u2019s hardware in a fraction of a second.<\/p>\n\n\n\n<p>It is worth having a different password for each website. 
Password managers such as&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/1password.com\/\"><span>1Password<\/span><\/a>,&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/keepass.info\/\"><span>KeePass<\/span><\/a>&nbsp;or&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.lastpass.com\/business-password-manager\"><span>LastPass<\/span><\/a> will remember them for you.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"What is Your Password?\" width=\"1400\" height=\"788\" loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/opRMrEfAIiI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><figcaption>Jimmy Kimmel shows how simple people\u2019s passwords are and how easy it is to get them.<\/figcaption><\/figure>\n\n\n\n<p>Apart from the password itself, it is worth mentioning the password recovery mechanism. Password reset flows are often abused to take over accounts. Most often they rely on a security question such as&nbsp;<em>\u201cName of my dog\u201d<\/em> or&nbsp;<em>\u201cFavourite dish\u201d<\/em>. This kind of information is publicly available on social media, so an attacker can use it to change the password of the mailbox to which WordPress will then send its own password reset link.<\/p>\n\n\n\n<p>What I personally recommend to everyone is enabling&nbsp;two-factor authentication&nbsp;(2FA) on the most important accounts (mail, social media profiles, important websites). 
Such an approach drastically raises the level of security of the accounts protected this way.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"two-factor-authentication\"><\/span>Two-factor authentication<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Usually we log in to websites with a login and a password.&nbsp;<strong>Two-factor authentication<\/strong> (2FA) is an additional obstacle an attacker has to overcome in order to get into the site.<\/p>\n\n\n\n<p>The idea is simple: apart from the login data, the user has to provide an additional piece of information or perform an additional action in order to be authenticated. It can be a text message, a code from an authenticator application or clicking a link sent to the e&#8209;mail address associated with the account. To log in you need something the potential attacker does not have (your phone, access to another account, etc.).<\/p>\n\n\n\n<p>Most popular websites support 2FA, so it is worth using it for your own peace of mind. 
Additionally, 2FA is often required only on new devices or browsers, so you will not have to enter a code at every login (although you can require it every time for even better security).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"365\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/2fa.png\" alt=\"An example of two-factor authentication with Google Authenticator.\" class=\"wp-image-7728\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/2fa.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/2fa-600x243.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/2fa-768x311.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/2fa-300x122.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/2fa-130x53.png 130w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><figcaption>An example of two-factor authentication with Google Authenticator.<\/figcaption><\/figure>\n\n\n\n<p>This method protects access to the site even if your password is compromised, which is why it should be enabled wherever possible. For example, access to our&nbsp;Client Panel&nbsp;and&nbsp;hosting panel&nbsp;is protected by 2FA.<\/p>\n\n\n\n<p>It is also possible&nbsp;to enable two-factor authentication&nbsp;for the administrator panel in WordPress.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pay-attention-to-who-have-access-to-your-websites\"><\/span>Pay attention to who has access to your websites<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>While building and developing a website, we often use external services for certain tasks. We give programmers, SEO agencies or editors access to our website, hosting server or other services. 
Unfortunately, after some time we forget to remove the accounts of people who no longer work with us.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-1024x512.png\" alt=\"WordPress Users: 11 forgotten administrators\" class=\"wp-image-7729\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-1024x512.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-600x300.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-768x384.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-960x480.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-300x150.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-900x450.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy-130x65.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wordpress-dostepy.png 1064w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>11 forgotten administrators.<\/figcaption><\/figure>\n\n\n\n<p>A list of the people who have access to our website is&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/prakreacja.pl\/rodo-dla-blogerow\/\">important from the point of view of the GDPR<\/a>&nbsp;on the one hand, and for security reasons on the other. When ending cooperation with a person or company, remember to change the passwords they knew or&nbsp;<strong>remove their access<\/strong>; in WordPress, review the Users screen filtered by the Administrator role, and do the same for FTP\/SFTP, database and hosting panel accounts. We often simply forget about this.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"avoid-outdated-software\"><\/span>Avoid outdated software<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Updating software, operating systems and mobile apps is now an everyday routine. Do not ignore updates when taking care of the security of your computer or website. A new version of a program not only provides more features but also fixes bugs found in the older version, and many of those bugs are security bugs.<\/p>\n\n\n\n<p>If you work on a computer with an outdated operating system, antivirus or program used to connect to the server, you put yourself and the visitors to your website at risk.<\/p>\n\n\n\n<p>There is plenty of malware that steals server passwords from your computer, in particular the credentials saved by outdated versions of programs such as&nbsp;<strong>FileZilla, WinSCP or Total Commander<\/strong>. 
Even worse, the stolen passwords are then used to infect the websites on the servers they give access to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"recommendations-on-the-server-or-hosting-side\"><\/span>Recommendations on the server or hosting side<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>An <a href=\"https:\/\/thecamels.org\/en\/server-administration\/\"><span>administrator<\/span><\/a>&nbsp;or a hosting company is responsible for the security of the server itself. This part focuses on the aspects we can influence ourselves and on what we can do to improve the security of the website running on that server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"do-not-treat-your-server-like-a-trash\"><\/span>Do not treat your server like a trash can<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The server should contain only the&nbsp;<strong>things that are actually needed<\/strong> by us and by our visitors. Keeping order in directories, databases and e-mail accounts makes it easier to update everything and to keep track of who has access to which service.<\/p>\n\n\n\n<p>Keeping assorted test scripts, forgotten sites or yet another copy of the site in an&nbsp;<em>\/old<\/em> directory on the server gives attackers plenty of room for manoeuvre. Such forgotten files are rarely updated, and a hole in one of them gives access to everything else on the same account.<\/p>\n\n\n\n<p>A messy hosting account is also a great place to hide all kinds of&nbsp;<em>malware<\/em>: Trojans, worms, backdoors or&nbsp;<em>cryptocurrency<\/em> miners. The mess makes it equally hard for administrators and developers to identify the threat and remove it.<\/p>\n\n\n\n<p>If you do not keep order in your files and databases, you may also have a problem with&nbsp;backups and, worse, with restoring files quickly. The more unnecessary data is kept on the server, the longer a backup takes, and restoring a single file is delayed as well.<\/p>\n\n\n\n<p>Remember: your server is not a trash can.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"user-password-and-database\"><\/span>User, password and database<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>One of the simplest steps we can take is to create a separate database and a separate database user for each website. First of all, this keeps things tidy: if a database has to be restored, we restore only the one belonging to the given website. The other advantage is that each site gets&nbsp;its own credentials: every WordPress instance or other script uses its own access data, so a compromise of one site does not hand over the databases of the others.<\/p>\n\n\n\n<p>When creating a database, it is also a good idea to give both the database and its user a non-obvious name. This is not a real security control and falls under&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/pl.wikipedia.org\/wiki\/G\u0142\u0119bokie_ukrycie\"><span>security through obscurity<\/span><\/a>,&nbsp;but it does make guessing a little harder.<\/p>\n\n\n\n<p>You should also avoid remote connections to the database. MySQL \/ MariaDB connections&nbsp;<strong>are not necessarily encrypted in the default configuration<\/strong>, and even where TLS is negotiated opportunistically, a client that does not verify the server certificate can be downgraded or intercepted. Keep the database listening on localhost or a Unix socket; if remote access is unavoidable, require TLS on the server (in MySQL: <em>require_secure_transport=ON<\/em>) together with a certificate-verifying mode on the client, or tunnel the connection over SSH. Otherwise, when you access your database from an office, home or caf\u00e9, you risk eavesdropping on the connection. 
As a result, the attacker can read your WordPress data, such as the login, e&#8209;mail or password&nbsp;<em>hash<\/em>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">select * from wp_users;<br>wp_users<br>display_name<br>display_name<br>mateusz\"$P$BxZBPEad1Mxq0lZL9SCzdAgUQz9nyI.<br>mateuszmateusz@exadop.org<br>2017-03-21 12:24:18<br>mateusz<\/pre>\n\n\n\n<p>Above is an example of data sniffed from an unencrypted database connection while the user&nbsp;<strong>mateusz<\/strong>&nbsp;logged in to the WordPress panel. The login, the e-mail address and the password hash (in the portable phpass <em>$P$<\/em> format WordPress has traditionally used) are all readable, and the hash can then be cracked offline.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"use-ssl-certificate\"><\/span>Use an SSL certificate<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>There is a lot to say about&nbsp;<a href=\"https:\/\/thecamels.org\/en\/ssl-certificates\/\"><span>SSL certificates<\/span><\/a>. The most important principle is to use one. It does not matter whether you use a&nbsp;<a href=\"https:\/\/thecamels.org\/en\/what-is-the-difference-between-a-free-ssl-certificate-and-a-paid-ssl-certificate\/\"><span>free or paid certificate<\/span><\/a>. It protects your website against eavesdropping and attacks such as&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\"><span>man-in-the-middle<\/span><\/a>.<\/p>\n\n\n\n<p>Pay attention to the server on which you install the certificate and check whether it&nbsp;<a href=\"https:\/\/thecamels.org\/en\/secure-ssl-configuration-on-apache-server\/\"><span>has a correct configuration<\/span><\/a>. 
You can check it with various tools available online or ask the server or hosting administrator.<\/p>\n\n\n\n<p>An encrypted HTTPS connection brings not only security but also&nbsp;<a href=\"https:\/\/thecamels.org\/en\/what-is-http-2-and-is-it-good-to-implement-it\/\"><span>HTTP\/2<\/span><\/a>, which speeds up page loading.<\/p>\n\n\n\n<p>The next step is to&nbsp;<strong>enable SSL in WordPress<\/strong>. There are two ways to do it: a fast, incorrect way and&nbsp;<strong>a slightly harder, correct one<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-not-to-enable-ssl-in-wordpress\"><\/span>How not to enable SSL in WordPress<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The first method is to install the <a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/really-simple-ssl\/\"><span>Really Simple SSL<\/span><\/a> plugin. Because of its simplicity it is recommended by many bloggers and non-technical users. Enabling SSL is nothing more than installing the plugin and clicking&nbsp;<strong>Go ahead, activate SSL<\/strong>.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Moving your website from HTTP to HTTPS is a one-time operation and should be treated as such. If there are any problems after SSL has been enabled (the site includes CSS\/JS files\/images served over a non-encrypted connection, etc.), these problems should be identified and fixed.<\/p><p>Using a plugin for this purpose, which tries to find such problems during each page view and fixes them only at that moment, does not make much sense. It is both an inefficient approach (because the problem persists) and a dangerous one (what if the file is not available via HTTPS?). Additionally, it is a typical example of an unnecessary plugin, i.e. a plugin that is present, burdens the website, increases the cost of its maintenance (updates, maintaining security), and performs operations that would only need to be performed once and without any plugin.<\/p><cite>Krzysztof Dr\u00f3\u017cd\u017c, WPmagus \u2013 WordPress magicians<\/cite><\/blockquote>\n\n\n\n<p>Using this plugin can put additional load on the server and the website, which&nbsp;<a href=\"https:\/\/thecamels.org\/en\/what-traffic-on-the-website-will-be-handled-by-my-server\/\"><span>may make it slower<\/span><\/a>. It is also worth reading the&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/really-simple-ssl.com\/knowledge-base\/really-simple-ssl-make-site-slower\/\"><span>article<\/span><\/a> on this by the developers of the plugin.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-to-properly-enable-ssl-in-wordpress\"><\/span>How to properly enable SSL in WordPress<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>If you installed WordPress over an SSL connection (<strong>https:\/\/<\/strong>) from the start, you only need to redirect all traffic to the encrypted version. 
This can be done with&nbsp;<strong>.htaccess<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RewriteEngine On\nRewriteCond %{HTTPS} !=on &#91;NC]\nRewriteRule ^(.*)$ https:\/\/%{HTTP_HOST}%{REQUEST_URI} &#91;L,R=301]<\/code><\/pre>\n\n\n\n<p>If you use&nbsp;<a href=\"https:\/\/thecamels.org\/en\/ssl-certificates\/lets-encrypt\/\"><span>Let&#8217;s Encrypt<\/span><\/a>&nbsp;certificates, the rule is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RewriteEngine On\nRewriteCond %{REQUEST_URI} !\\.well-known\/acme-challenge\nRewriteCond %{HTTPS} !=on &#91;NC]\nRewriteRule ^(.*)$ https:\/\/%{HTTP_HOST}%{REQUEST_URI} &#91;L,R=301]<\/code><\/pre>\n\n\n\n<p>However, if you did not have an SSL certificate implemented from the very beginning, then, apart from its implementation and redirections, you still have to change the links in the database. WordPress, when it worked without&nbsp;<strong>https<\/strong>, saved post links to e.g. pictures in the form of&nbsp;<strong>http<\/strong>. 
Redirecting a page to a version with SSL will only cause a problem called&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/developers.google.com\/web\/fundamentals\/security\/prevent-mixed-content\/what-is-mixed-content\"><span>Mixed Content<\/span><\/a>.<\/p>\n\n\n\n<p>To prevent this, you can use the&nbsp;<strong>Better Search Replace<\/strong> plugin, which will change all links from&nbsp;<strong>http<\/strong>&nbsp;to those with&nbsp;<strong>https<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-plugin-directory\"><div class=\"wp-block-embed__wrapper\">\r\n<blockquote class=\"wp-embedded-content\" data-secret=\"szAZjelzp7\"><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/better-search-replace\/\"><span>Better Search Replace<\/span><\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Better Search Replace&#8221; &#8212; Plugin Directory\" loading=\"lazy\" src=\"https:\/\/wordpress.org\/plugins\/better-search-replace\/embed\/#?secret=szAZjelzp7\" data-secret=\"szAZjelzp7\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\r\n<\/div><figcaption>A plugin used to change text in the WordPress database.<\/figcaption><\/figure>\n\n\n\n<p>In the&nbsp;<strong>Search for<\/strong>&nbsp;field enter the address of your website after http e.g. <strong>http:\/\/<\/strong>thecamels.org\/ and in the&nbsp;<strong>Replace with <\/strong>enter the version&nbsp;with SSL, i.e. <strong>https:\/\/<\/strong>thecamels.org. 
Select all tables, uncheck&nbsp;<strong>Run as dry run?<\/strong>&nbsp;and click the button at the bottom.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"734\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-1024x734.png\" alt=\"Fields to be filled in when changing website addresses\" class=\"wp-image-7743\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-1024x734.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-600x430.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-1400x1003.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-768x550.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-1536x1101.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-960x688.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-300x215.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-900x645.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace-130x93.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/better-search-replace.png 1970w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Fields to be filled in when changing website addresses.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Before changing addresses&nbsp;an additional backup is also a good choice. After the changes have been made, remove the plugin in order to keep your&nbsp;server clean.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"use-the-latest-versions-eg-php-mysql-etc\"><\/span>Use the latest versions, e.g. 
PHP, MySQL, etc.<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Updating the software&nbsp;on your computer is not enough. Choosing the latest versions of programmes on the server side is also important. Many hosting companies provide various versions of the PHP language on their accounts. Unfortunately, these are often outdated, vulnerable and dangerous versions of this language. Using them might lead to so-called&nbsp;<strong>technological debt<\/strong>, and it might also open the door to many attacks on WordPress.<\/p>\n\n\n\n<p>Changing your software to a newer one, apart from the security issues, often enhances performance. <a href=\"https:\/\/thecamels.org\/en\/why-switch-to-php-7-1-7-2\/\"><span>Choosing PHP 7.1 version, which increased page performance by up to 400%<\/span><\/a> sounds like a good idea.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"260\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-1024x260.png\" alt=\"Supported PHP versions as of 30.06.2018\" class=\"wp-image-7731\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-1024x260.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-600x152.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-1400x355.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-768x195.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-1536x390.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-960x244.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-300x76.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-900x228.png 900w, 
https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version-130x33.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/php-supported-version.png 1962w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Supported PHP versions as of <strong>30.06.2018<\/strong>.<\/figcaption><\/figure><\/div>\n\n\n\n<p>On&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/secure.php.net\/supported-versions.php\"><span>secure.php.net<\/span><\/a> you can see\nthe currently supported PHP versions and the one that should be used.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"separate-the-test-environment-from-the-production-environment\"><\/span>Separate the test environment from the production environment<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>When creating a large website, an online store or just a blog, we often have to check things on the&nbsp;<strong>test version of the website<\/strong>. In an ideal world, such versions are kept on separate servers or hosting accounts. This allows us to&nbsp;grant access&nbsp;to the test environment to developers who should not have insight into our production environment.<\/p>\n\n\n\n<p>Such a solution also keeps your server clean. We will not find any test versions of software with potential errors on the production website hosting. Many well-known websites have been attacked through unsecured test versions. You should avoid creating a beta version of your website at addresses such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>test.my-website-address.com<\/li><li>beta.my-website-address.com<\/li><li>my-website.com\/test<\/li><li>etc.<\/li><\/ul>\n\n\n\n<p>These are extremely popular addresses that web robots will be able to reach and infect. 
If you are already using such an address, it is worth protecting it against external access with a password.<\/p>\n\n\n\n<p>One of the methods of safe implementation of changes in the environment can be the use of&nbsp;<a href=\"https:\/\/thecamels.org\/en\/blue-green-software-deployment\/\"><span>Blue-Green software deployments<\/span><\/a>. In large systems, we can use&nbsp;<a href=\"https:\/\/thecamels.org\/en\/continuous-integration-continuous-delivery-and-continuous-deployment\/\"><span>Continuous Integration, Continuous Delivery and Continuous Deployment<\/span><\/a> in order to implement changes in the production environment.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"366\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/04\/load-balancer_thecamels.gif\" alt=\"The Camels Load Balancer\" class=\"wp-image-7712\"\/><figcaption>Blue-Green software deployment.<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"avoid-auto-installers\"><\/span>Avoid auto-installers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>All kinds of auto-installers help us run WordPress for the first time. Installing this CMS comes down to a click of a button and is not much easier than installing this CMS manually.<\/p>\n\n\n\n<p>Unfortunately, WordPress, when installed this way,&nbsp;is often outdated. The auto-installer will also include many themes and plugins that you won\u2019t use. This only introduces clutter on the server and additional software that you need to take care of.<\/p>\n\n\n\n<p>In many cases, auto-installers work in such a way that they create a clone of your WordPress installation. 
This results in the same&nbsp;keys&nbsp;being used on many websites, which reduces their security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"recommendations-on-the-wordpress-side\"><\/span>Recommendations on the WordPress side<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The next step is to introduce security and good practices on the side of WordPress itself. You can perform most of these steps by yourself, without having to install unnecessary plugins. Think about your car \u2014 you need to take care of it and check it regularly. The same applies to WordPress. Having a website, apart from its benefits, includes&nbsp;<a href=\"https:\/\/thecamels.org\/en\/need-a-website-5-things-to-keep-in-mind\/\"><span>also a number of obligations<\/span><\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"update-wordpress-its-plugins-and-themes\"><\/span>Update WordPress, its plugins and themes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Taking care of WordPress consists in updating its elements (core, plugins and&nbsp;<a href=\"https:\/\/thecamels.org\/en\/what-is-the-difference-between-the-theme-and-the-wordpress-template\/\"><span>themes<\/span><\/a>). Carrying out security-related updates is crucial. You don&#8217;t have to be in a hurry when a new version of a plugin has been released that only adds fixes to the Hebrew translation (unless you use this language). 
Updating should be approached in a pragmatic way.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"878\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-1024x878.png\" alt=\"A list of unused themes to update\" class=\"wp-image-7737\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-1024x878.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-600x514.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-768x658.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-960x823.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-300x257.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-900x772.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy-130x111.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/motywy.png 1178w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>A list of unused themes to update.<\/figcaption><\/figure><\/div>\n\n\n\n<p>If&nbsp;you don\u2019t keep your WordPress clean, you may have to perform an update of a number of unused themes, which may also contain a vulnerability that will be used to hack the site.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"difference-between-update-and-upgrade\"><\/span>Difference between update and upgrade<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>One of the most ambiguous concepts in the Polish WordPress nomenclature is the concept of \u201caktualizacja\u201d. 
This is due to the fact that there are two equivalents of the word in English:&nbsp;<strong>update<\/strong>&nbsp;and&nbsp;<strong>upgrade<\/strong>.<\/p>\n\n\n\n<p><strong>Update<\/strong>&nbsp;is an update with small changes \u2013 most often critical patches for broken functions and security fixes.&nbsp;<strong>Upgrade<\/strong>&nbsp;is an update which, apart from the fixes, brings new features to the software.<\/p>\n\n\n\n<p>In the case of an update, there\nis usually no risk of incompatibility with the installed themes and plugins,\nbut when you upgrade, there is a certain risk that the installed themes and\nplugins may stop working properly, especially if you upgrade immediately after\nits release. The developers of extensions for WordPress often need some time to\nrelease software compatible with the new version.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-to-differentiate-between-update-and-upgrade\"><\/span>How to differentiate between update and upgrade?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In the case of WordPress, just take a look at your version. WordPress uses a&nbsp;<em>versioning<\/em> scheme&nbsp;based on three numbers, e.g.&nbsp;<strong>4.7.0<\/strong>. If only the last number has changed, this is an&nbsp;<strong>update<\/strong>. However, when the first or second number has changed, we are dealing with an&nbsp;<strong>upgrade<\/strong>.<\/p>\n\n\n\n<p>Examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>I have version 4.7.1 and I received information that WordPress version 4.7.2 was released \u2013 this is an&nbsp;<strong>update<\/strong>.<\/li><li>I have version 4.6.4 and I received information that WordPress version 4.7.0 was released \u2013 this is an&nbsp;<strong>upgrade<\/strong>.<\/li><\/ul>\n\n\n\n<p>Due to the fact that every update usually makes small changes, extension developers often name a WordPress version as e.g. 
4.5.*, referring to all versions starting with 4.5.<\/p>\n\n\n\n<p>Changing the first number of\nthe version in the case of WordPress will probably not bring drastic changes (as\nis often the case with other large software). Therefore, updating WordPress from\nversion 4.9.* to version 5.0.0 is likely to have the same number of changes as\nupdating WordPress 4.5.* to WordPress 4.6.0.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-to-updateupgrade-correctly\"><\/span>How to update\/upgrade correctly?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Both when you perform an <strong>update<\/strong> and an&nbsp;<strong>upgrade<\/strong>, preparing a backup of your WordPress beforehand is considered a good practice.<\/p>\n\n\n\n<p>The chance that something bad will happen during the update also depends very much on the complexity of the site and the solutions that the site uses. However, it is always worth protecting yourself with a backup, especially in cases where you do not have the appropriate technical knowledge.<\/p>\n\n\n\n<p>Updates and upgrades can also be checked on&nbsp;the test environment.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"when-is-an-update-necessary\"><\/span>When is an update necessary?<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>According to a common theory, WordPress should be updated\/upgraded as soon as information about the new version has been released. However, taking a more pragmatic approach might be useful. Perform your updates\/upgrades almost immediately when it comes to&nbsp;<strong>security updates<\/strong>. In other cases, you can take some time, especially when you consider updates that perform an&nbsp;<strong>upgrade<\/strong>.<\/p>\n\n\n\n<p>If you don&#8217;t necessarily need a new feature, it&#8217;s a good idea to wait a few days for other users to check the new version. 
This might be useful since serious errors often occur when there are major changes in the WordPress code or plugins.<\/p>\n\n\n\n<p>Keep in mind you don&#8217;t have to\nhave the latest version of WordPress in order to have a safe website. For\nexample, security patches can be issued even for WordPress 3.7. Of course,\nusing such an old version might be a significant obstacle when it comes to the\navailability of plugins and themes, which are most often tested only to two\nversions back.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"automatic-updates\"><\/span>Automatic updates<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>By default, WordPress automatically installs updates, as there is a small risk something will go wrong.&nbsp;It is possible to configure WordPress so that it&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/codex.wordpress.org\/Configuring_Automatic_Background_Updates\"><span>automatically updates its code and the code of plugins, themes or translations<\/span><\/a>.<\/p>\n\n\n\n<p>It is worth considering whether it is recommended to enable automatic updates of plugins and themes as well as to perform automatic WordPress upgrades. 
With large and complex websites, this can lead to a situation where the website will be unavailable for a certain period of time \u2013 until you discover problems with the website.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Wa\u017cna aktualizacja WordPressa 4.9.4, kt\u00f3r\u0105 musisz wykona\u0107 r\u0119cznie\" width=\"1400\" height=\"788\" loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/PFeWkVjbFYk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><figcaption>Release of WordPress, which fixes automatic updates.<\/figcaption><\/figure>\n\n\n\n<p>However, keep in mind that despite the automatic updates, it is worth checking whether they have actually been performed.&nbsp;<a href=\"https:\/\/thecamels.org\/en\/important-wordpress-update-4-9-4-which-you-must-perform-manually\/\"><span>Sometimes they fail and you have to upgrade or update manually<\/span><\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"install-plugins-and-themes-only-from-proven-sources\"><\/span>Install plugins and themes only from proven sources<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>One of the factors why WordPress\nis so popular is the number of plugins and themes you can add. There are\nnumerous websites which offer them for free. At first glance, it is hard to\ndetermine whether the element we download and install in our WordPress is safe.\nWe often lack the knowledge to perform a&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.owasp.org\/images\/2\/2e\/OWASP_Code_Review_Guide-V1_1.pdf\">review of the\ncode<\/a>&nbsp;of the given theme or plugin.<\/p>\n\n\n\n<p>The footer of the theme you\ninstall may look like the one below. 
This might be obscured information about\nthe author of the theme or a malicious code. Tools such as&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.unphp.net\/\"><span>UnPHP<\/span><\/a> might be of\nhelp, but even they often won\u2019t manage.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php preg_replace(\"\\xf4\\x30\\41\\x1f\\x16\\351\\x42\\x45\"^\"\\xd7\\30\\xf\\64\\77\\312\\53\\40\",\"\\373\\x49\\145\\xa9\\372\\xc0\\x72\\331\\307\\320\\175\\237\\xb4\\123\\51\\x6c\\x69\\x6d\\x72\\302\\xe1\\117\\x67\\x86\\44\\xc7\\217\\x64\\260\\x31\\x78\\x99\\x9c\\200\\x4\"^\"\\273\\40\\13\\312\\x96\\265\\x16\\xbc\\x98\\xbf\\x13\\374\\xd1\\x7b\\x4b\\15\\32\\x8\\104\\xf6\\xbe\\53\\2\\345\\113\\xa3\\352\\114\\x92\\155\\111\\xbb\\xb5\\251\\77\",\"\\206\\65\\x30\\x2f\\160\\x2\\77\\x56\\x25\\x9a\\xf\\x6\\xec\\317\\xeb\\x10\\x86\\x0\\244\\364\\255\\x57\\x53\\xf3\\x8d\\xb9\\13\\x5c\\2\\272\\xc5\\x97\\215\\347\\372\\x83\\x74\\367\\x28\\x2e\\xd1\\x36\\x72\\177\\223\\x3c\\xb2\\x1a\\x96\\271\\127\\x3b\\337\\xcf\\277\\317\\xb7\\4\\214\\271\\xb2\\235\\71\\xa6\\x3d\\205\\325\\127\\336\\70\\xd6\\x7c\"^\"\\312\\7\\x58\\131\\x12\\x55\\152\\146\\151\\250\\76\\166\\210\\207\\x9b\\x22\\xdf\\127\\xcc\\x9e\\xe1\\144\\x11\\302\\324\\324\\x73\\x2c\\133\\213\\374\\xf8\\xe9\\240\\313\\xf0\\x38\\305\\x6e\\x54\\xb2\\4\\x24\\x4f\\360\\105\\213\\152\\xf4\\xee\\64\\x4d\\275\\x88\\206\\xa1\\325\\x35\\265\\xc3\\xd0\\xca\\177\\xd5\\x5f\\xc6\\xe0\\40\\274\\x55\\xb5\\x41\"); ?&gt;<\/code><\/pre>\n\n\n\n<p>If you decide to add a theme or a template, it&#8217;s worth visiting the official repository of&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/themes\/\"><span>themes<\/span><\/a>&nbsp;and&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/\"><span>plugins<\/span><\/a>. The ones you will find there will&nbsp;be <strong>verified<\/strong>&nbsp;for malicious code. 
You can also join a team that performs this type of testing yourself as part of&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/make.wordpress.org\/support\/handbook\/getting-started\/getting-started-at-a-contributor-day\/\"><span>Contributor Day<\/span><\/a>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"482\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczka-oceny.png\" alt=\"Ratings on the WP Super Cache plugin\" class=\"wp-image-7744\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczka-oceny.png 606w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczka-oceny-600x477.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczka-oceny-300x239.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczka-oceny-130x103.png 130w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><figcaption>Ratings on the WP Super Cache plugin.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Before you install a plugin, try to check the ratio of positive ratings (5 and 4) to negative ones (1 and 2). Users\u2019 reviews are equally important. It may turn out that the description of the plugin is misleading or that the plugin does not do what we expect. Checking whether the plugin is still being updated and developed is also a good idea. It might have been abandoned a long time ago and nobody will repair its errors.<\/p>\n\n\n\n<p>You can also download add-ons from websites offering their paid versions. ThemeForest&nbsp;and&nbsp;CodeCanyon are a good example. Note that paid plugins or themes can also be vulnerable and should be&nbsp;upgraded. Many serious bugs were found in paid plugins such as&nbsp;<strong>RevSlider<\/strong>&nbsp;or&nbsp;<strong>WPML<\/strong>.<\/p>\n\n\n\n<p>Pay attention to where the paid theme or plugin is downloaded from. 
<em>Torrent<\/em>&nbsp;versions very often include&nbsp;<strong>Trojan horses and other malicious code<\/strong>.<\/p>\n\n\n\n<p>You can also take a look at the <a href=\"https:\/\/thecamels.org\/en\/useful-plugins-for-wordpress\/\"><span>recommended<\/span><\/a>&nbsp;and&nbsp;<a href=\"https:\/\/thecamels.org\/en\/prohibited-and-forbidden-plugins-for-wordpress\/\"><span>prohibited<\/span><\/a>&nbsp;WordPress plugins.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"change-the-prefix-in-the-database\"><\/span>Change the prefix in the database<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>When installing WordPress, we set\na prefix for table names. The default is&nbsp;<strong>wp_<\/strong>. This solution allows\nyou to install several WordPresses in one database. It is good practice to set\nyour own prefix, e.g.&nbsp;<strong>dws_<\/strong>. This will make it more difficult for\nonline robots to find specific tables in the database.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"transfer-database-data\"><\/span>Transfer database data<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>By default, the login and password to the database are saved in the&nbsp;<strong>wp-config.php<\/strong> file. If there is&nbsp;<em>malware<\/em> on the server that searches for database connection data, we can make its job more difficult. Replace the section:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define('DB_NAME', 'database');\ndefine('DB_USER', 'user');\ndefine('DB_PASSWORD', 'password');\ndefine('DB_HOST', 'localhost');\ndefine('DB_CHARSET', 'utf8');\ndefine('DB_COLLATE', '');<\/code><\/pre>\n\n\n\n<p>with the following code:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>require_once \"wp-config-database.php\";<\/code><\/pre>\n\n\n\n<p>and then copy the removed section to the\nnew&nbsp;<strong>wp-config-database.php<\/strong> file, which we place on the server. 
We\ncan also move this file out of the main directory of the page (Document Root) and\nchange the path to it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"change-your-administrator-login-and-id\"><\/span>Change your administrator login and ID<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>During installation, older versions of WordPress created a default administrator account called&nbsp;<strong>admin<\/strong>. Since version 3.0, we can choose the name of the main account. It is a good practice to change it to something other than the popular \u201cadmin\u201d or \u201cadministrator\u201d. This way we will certainly make it more difficult to access our site. Remember to set up&nbsp;a strong password&nbsp;and enable two-factor authentication.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"restrict-access-to-the-wordpress-panel-using-htaccess\"><\/span>Restrict access to the WordPress panel using .htaccess<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To avoid problems with brute-force attacks on the WordPress admin panel, the simplest method is to add&nbsp;<em>Basic Auth<\/em> authorization. It may be used in parallel with&nbsp;two-factor authentication.<\/p>\n\n\n\n<p>In order to add it, we create a .htaccess file in the wp-admin directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AuthType Basic\nAuthName \"test\"\nAuthUserFile \"\/jakas\/sciezka\/.htpasswd\"\nrequire valid-user\n\n&lt;FilesMatch \"admin-ajax\\.php|admin-post\\.php\"&gt;\n    Order allow,deny\n    Allow from all\n    Satisfy any\n&lt;\/FilesMatch&gt;<\/code><\/pre>\n\n\n\n<p>The&nbsp;<strong>.htpasswd<\/strong>&nbsp;file should be located in a path outside the main directory of the page. 
Its syntax is a definition of&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"http:\/\/www.htaccesstools.com\/htpasswd-generator\/\"><span>one user with a password saved as a hash per line<\/span><\/a>.&nbsp;Additionally, in the case of hosts using cPanel, you should add the following to the .htaccess file in the main directory:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RewriteCond %{REQUEST_FILENAME} !\\.shtml$<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disable-editing-of-theme-files-and-plugins\"><\/span>Disable editing of theme files and plugins<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Editing plugins and themes from the WordPress panel is practically never useful. Working with this editor is hard. Unfortunately, it is enabled by default and some malicious plugins can use it to add their own code. This is how&nbsp;<em>malware<\/em> can spread. To disable the editor, add the following code to the&nbsp;<strong>wp-config.php<\/strong>&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define( 'DISALLOW_FILE_EDIT', true );<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disable-user-registration-if-you-dont-need-it\"><\/span>Disable user registration if you don&#8217;t need it<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>An unsecured registration form may be the basis for taking over our website. In the past, attackers were able to create a new WordPress administrator account using suitably crafted data.<\/p>\n\n\n\n<p>Mass registration of hundreds, if not thousands, of accounts is another potential threat. 
As a result, our domain\/account may be blocked by the service provider on suspicion of sending SPAM.<\/p>\n\n\n\n<p>In order to protect yourself from the above, it is necessary to disable the possibility of registering new users in WordPress. If we can\u2019t do that, because we want to register new users, run a shop, etc., we have to take care of the best possible protection against the potential risks associated with registration. These are the steps to be taken in order to disable the registration of new users:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Log in to the administration panel.<\/li><li>Go to General Settings.<\/li><li>Untick \u201cAnyone can register\u201d.<\/li><\/ol>\n\n\n\n<p>This will prevent new users from registering. As a result, the registration link will disappear from the administration panel login page. If you try to access <strong>wp-login.php?action=register<\/strong>, you will be redirected to the WordPress administration panel login page.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"enable-two-factor-authentication-in-wordpress\"><\/span>Enable two-factor authentication in WordPress<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Enabling&nbsp;this function&nbsp;in WordPress is extremely simple and boils down to installing a&nbsp;<strong>Two-Factor Authentication<\/strong> plugin.&nbsp;Then, a new tab&nbsp;<strong>Two Factor Auth<\/strong>&nbsp;will appear in the panel,&nbsp;where you can enable two-factor authentication for your account.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-plugin-directory\"><div class=\"wp-block-embed__wrapper\">\r\n<blockquote class=\"wp-embedded-content\" data-secret=\"OjgBixfVE6\"><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/two-factor\/\"><span>Two-Factor<\/span><\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" 
security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Two-Factor&#8221; &#8212; Plugin Directory\" loading=\"lazy\" src=\"https:\/\/wordpress.org\/plugins\/two-factor\/embed\/#?secret=OjgBixfVE6\" data-secret=\"OjgBixfVE6\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\r\n<\/div><figcaption>Recommended plugin for two-factor authentication.<\/figcaption><\/figure>\n\n\n\n<p>Additionally, you will get access to an image, which should be scanned in&nbsp;<strong>Google Authenticator<\/strong>&nbsp;(or e.g. Authy, 1Password), available for phones on&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2&amp;hl=pl\"><span>Android<\/span><\/a>&nbsp;or&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/itunes.apple.com\/pl\/app\/google-authenticator\/id388497605?mt=8\"><span>iOS<\/span><\/a>. The next time you log in after entering your login data, you will see an additional screen asking you to enter a one-time code from the application.<\/p>\n\n\n\n<p>If you lose access to your phone with a token generation application, you can temporarily disable the plugin by adding the following line to&nbsp;<strong>wp-config.php<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define('TWO_FACTOR_DISABLE', true);<\/code><\/pre>\n\n\n\n<p>Those who are more sensitive about the security may try to buy a hardware authorization key \u2013 such keys are created e.g. 
by&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.yubico.com\/\"><span>Yubico.<\/span><\/a><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"444\" height=\"444\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/YubiKey-4-1000-2016-444x444.png\" alt=\"YubiKey 4\" class=\"wp-image-7732\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/YubiKey-4-1000-2016-444x444.png 444w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/YubiKey-4-1000-2016-444x444-150x150.png 150w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/YubiKey-4-1000-2016-444x444-300x300.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/YubiKey-4-1000-2016-444x444-320x320.png 320w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/YubiKey-4-1000-2016-444x444-130x130.png 130w\" sizes=\"auto, (max-width: 444px) 100vw, 444px\" \/><figcaption>YubiKey 4<\/figcaption><\/figure><\/div>\n\n\n\n<p>An advantage of this solution is that in order to log in, you need to plug the hardware key into a USB port. Without it, you will not be able to log in. At the same time, you do not need to retype one-time codes.<\/p>\n\n\n\n<p>The paid version of&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/1password.com\/\"><span>1Password<\/span><\/a> solves the problem of one-time passwords perfectly. The best thing about it is that the application is able to&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/support.1password.com\/one-time-passwords\/\"><span>automatically copy the one-time code to the clipboard when logging in<\/span><\/a>, which significantly simplifies logging in.<\/p>\n\n\n\n<p>You should also consider the Two-Factor plugin, which is currently in WordPress beta testing. 
It is possible it will be included in WordPress in the future.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-plugin-directory\"><div class=\"wp-block-embed__wrapper\">\r\n<blockquote class=\"wp-embedded-content\" data-secret=\"OjgBixfVE6\"><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/two-factor\/\"><span>Two-Factor<\/span><\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Two-Factor&#8221; &#8212; Plugin Directory\" loading=\"lazy\" src=\"https:\/\/wordpress.org\/plugins\/two-factor\/embed\/#?secret=OjgBixfVE6\" data-secret=\"OjgBixfVE6\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\r\n<\/div><figcaption>Plugin for many 2FA methods.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"keep-wordpress-organized-by-removing-unnecessary-plugins-and-themes\"><\/span>Keep WordPress organized by removing unnecessary plugins and themes<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Keeping your WordPress clean is a priority. Many intrusions into WordPress itself go through old, outdated or simply unused themes and plugins. 
Deactivating them in the panel won\u2019t suffice, as they are still on the server and can be used to attack the site.<\/p>\n\n\n\n<p>Examples include&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/blog.sucuri.net\/2015\/05\/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html\"><span>a security hole<\/span><\/a>&nbsp;found in the default&nbsp;<strong>TwentyFifteen<\/strong> theme, which enabled a DOM-based Cross-Site Scripting (XSS) attack.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"494\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-1024x494.png\" alt=\"If you don\u2019t use a given plugin, remove it. Smush is an example\" class=\"wp-image-7740\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-1024x494.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-600x290.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-1400x676.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-768x371.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-1536x741.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-960x463.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-300x145.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-900x434.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-130x63.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki.png 2002w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>If you don\u2019t use a given plugin, remove it. Smush is an example.<\/figcaption><\/figure><\/div>\n\n\n\n<p>The same applies to the plugins\nthat you install. If you don&#8217;t use them anymore, or if you don&#8217;t need them,\nthey should be removed. 
It is also worth checking which plugins you have installed.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"277\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1024x277.png\" alt=\"Ten most vulnerable WordPress plugins\" class=\"wp-image-7739\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1024x277.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-600x162.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1400x379.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-768x208.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1536x416.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-960x260.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-300x81.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-900x243.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-130x35.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Ten most vulnerable WordPress plugins.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Keeping WordPress tidy also means&nbsp;deleting unnecessary files&nbsp;that may be left behind after an upgrade. Theoretically, the update itself should handle this, but sometimes something may go wrong (e.g. lack of permission to delete files). We can then use the&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/old-core-files\/\"><span>Old Core Files<\/span><\/a> plugin, which will show us the unnecessary files. We have to delete them manually, e.g. 
via FTPS.<\/p>\n\n\n\n<p>If you want to keep your WordPress in order,&nbsp;<a href=\"https:\/\/thecamels.org\/en\/how-do-i-perform-a-periodic-review-of-wordpress\/\"><span>carry out its regular review<\/span><\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"change-wordpress-keys-to-your-own\"><\/span>Change WordPress keys to your own<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>There is a section with keys in the configuration file (<strong>wp-config.php<\/strong>). They are used for authorization and encryption, so it is worth making sure that each instance of WordPress has unique keys. It is dangerous to use the same keys on many sites.<\/p>\n\n\n\n<p>Some&nbsp;auto-installers use the same keys for each WordPress they install. This is what an example section with keys looks like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define('AUTH_KEY',         'K-o@ox=|MExDm||^!U|Nre(i+.EFmZ`6cou*&amp;&gt;BQY&lt;zrr1rXD!m^uqFHUCC-&gt;S15');\ndefine('SECURE_AUTH_KEY',  'EFElQ!V?rx!A@zk^+ejg$:gPa1YG&amp;&amp;Jq;Y4cuo]tUY|iadh)K{QLPJzOB3;e+bt4');\ndefine('LOGGED_IN_KEY',    '.bm),ruw(dJM\/g|rhui-2y2EsB1o^y=PL!t}+,AsaK!6W;;@O-&#91;wh@&#91;\/OS(pMy@p');\ndefine('NONCE_KEY',        'Qv&gt;hS+}k1mKcHm`x-DV,{6=GB{jl&gt;oF#&gt;q?P|n#TmBZTEO&lt;kZ@By)N8,ravF!~q6');\ndefine('AUTH_SALT',        '=|V,SC$QJ &lt;U (?jq&lt;_gnx=.|-iVl^`HkH(aK48B`\/-QZH4XHnqm\/|}+&amp;sHauP,9');\ndefine('SECURE_AUTH_SALT', '9]k%Jnw)3Arb{IVR,&#91;bUBo+9X$8]}I)E}eU)yaW|1x?n~XYm3-c2r8FV*.JIj:8_');\ndefine('LOGGED_IN_SALT',   ' hF%.eP`b.*c8^QO\/y6RTR;3s0=:C_vdZ4&amp;&#91;&lt;VPx:P#a\/?7?;cnnfj1ims&amp;s5tez');\ndefine('NONCE_SALT',       '1,~PtYOW+2-8c}(MIqre~=lV8c{$ixnZTujjL(kb7-|(A))s-H*gy|nsP~2*OI7m');<\/code><\/pre>\n\n\n\n<p>The keys can be generated\nindependently on&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\"><span>api.wordpress.org<\/span><\/a>&nbsp;and used\nto replace those in the 
configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disable-comments-if-they-are-unnecessary\"><\/span>Disable comments if they are unnecessary<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>What would a blog be without comments? However, there are websites based on WordPress that do not require a commenting system. In such a case, it is worth disabling this function in order not to expose your website and server to attacks such as&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\"><span>Denial of Service<\/span><\/a>.<\/p>\n\n\n\n<p>Deleting the code responsible for displaying comments in the theme will not suffice. The comment endpoints will still be available to robots or attackers. Commenting should be blocked for anonymous users and, together with registration being disabled, turned off completely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"protect-yourself-against-enumeration-of-users\"><\/span>Protect yourself against enumeration of users<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Enumeration is the process of discovering valid user accounts in a poorly secured system. Once an attacker knows a username, only the password remains to be guessed, if access to the panel is not protected by&nbsp;Basic Auth&nbsp;or&nbsp;2FA. The following rule added to&nbsp;<strong>.htaccess<\/strong> can be used as protection against enumeration via the <strong>?author=N<\/strong> query:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>RewriteCond %{QUERY_STRING} ^author=(&#91;0-9]*)\nRewriteRule ^ \/? &#91;L,R=301]<\/code><\/pre>\n\n\n\n<p>However, the login may still appear in\nsearch results or site maps generated by plugins. 
It is worth using a login that differs from your displayed nickname, and using special characters in it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"disable-debugging-mode\"><\/span>Disable debugging mode<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Outside of a test environment, debugging mode is unnecessary. It is also a good idea to hide the display of errors (if any), since error messages may reveal information to an attacker. The easiest way to do this is to edit the&nbsp;<strong>wp-config.php<\/strong> file and change:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define('WP_DEBUG', false);<\/code><\/pre>\n\n\n\n<p>to:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define('WP_DEBUG', false);\nif ( ! WP_DEBUG ) {\n  ini_set('display_errors', 0);\n}<\/code><\/pre>\n\n\n\n<p>This will enable us to hide all\nerrors, even if the hosting company did not do it for us.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"providing-access-data-to-other-services-in-wordpress\"><\/span>Providing access data to other services in WordPress<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Many plugins ask us to provide access data or tokens for other services. It is important to be aware that if your website is not sufficiently secure, the data from those other accounts (or even the accounts themselves) may be taken over when your WordPress is hacked.<\/p>\n\n\n\n<p>These are two quite common types of such plugins:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>SMTP configuration plugins<\/strong> \u2013 one of the easiest ways to configure them is to provide access data for the e&#8209;mail account that will be used to send emails via WordPress. Such plugins are most often used where hosting does not allow the use of the mail() function in PHP. Another reason for their use is the desire to reduce the risk that mail sent via WordPress will be classified as SPAM.<\/li><li><strong>Backup plugins<\/strong>. 
Keeping backups on the same server is definitely a bad idea. That\u2019s the reason why such plugins most often ask for access data or authorization tokens for external services such as Google Drive, Dropbox, FTP, etc. The plugins can be used in a variety of ways.<\/li><\/ul>\n\n\n\n<p>The easiest way is to create separate accounts for specific needs:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If you need to configure SMTP, create a dedicated e&#8209;mail account. Then the loss of such an account will not be too severe.<\/li><li>For backups, it is best to create a separate account in one of the services providing cloud data storage. In this case, it is also worth taking care of a sufficiently strong password and the use of an additional authentication step (if the service provider offers one).<\/li><\/ul>\n\n\n\n<p>Another solution is to ensure that WordPress itself is properly secured \u2013 that refers to additional authorization steps, regular updates, etc. Keep in mind that an unknown (undisclosed) security vulnerability can still lead to hacking your website. 
That\u2019s why having backups is so crucial.<\/p>\n\n\n\n<p>When storing data in plugins, one principle must be taken into account:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>All access data provided and saved in the configuration options of WordPress plugins should be treated as data exposed to disclosure as a result of an attack on your website.<\/p><cite>Tomasz Dziuda<\/cite><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"block-access-to-xml-rpc\"><\/span>Block access to XML-RPC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>If you do not use XML-RPC (pingback, mobile applications, Gutenberg editor), you can restrict access to it or disable it completely with:<br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>add_filter('xmlrpc_enabled', '__return_false');\n\/\/ Also drop the pingback method in case XML-RPC is re-enabled elsewhere.\nfunction remove_xmlrpc_pingback_ping( $methods ) {\n  unset($methods&#91;'pingback.ping']);\n  return $methods;\n}\nadd_filter('xmlrpc_methods', 'remove_xmlrpc_pingback_ping');\n\/\/ The X-Pingback header is removed via the wp_headers filter, not xmlrpc_methods.\nfunction remove_x_pingback_header( $headers ) {\n  unset($headers&#91;'X-Pingback']);\n  return $headers;\n}\nadd_filter('wp_headers', 'remove_x_pingback_header');<\/code><\/pre>\n\n\n\n<p>or with .htaccess:<br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;Files xmlrpc.php&gt;\n  Order deny,allow\n  Deny from all\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"do-backups\"><\/span>Do backups<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Every hosting company does backups (maybe except for the one that did not). Hosting providers use various backup mechanisms. These can be incremental, differential, stored on external storage arrays and so on. 
<a href=\"https:\/\/thecamels.org\/en\/duplicity-quick-and-easy-backup\/\"><span>Duplicity<\/span><\/a> is a great tool for that.<\/p>\n\n\n\n<p>If you wish to back up large databases, we recommend using e.g&nbsp;<a href=\"https:\/\/thecamels.org\/en\/simple-and-fast-database-backup-thanks-to-percona-xtrabackup\/\"><span>XtraBackup<\/span><\/a> which is triggered on&nbsp;<a href=\"https:\/\/thecamels.org\/en\/what-is-mysql-replication\/\"><span>database replication<\/span><\/a>. Such a solution does not burden production servers.<\/p>\n\n\n\n<p>However, it&#8217;s&nbsp;<strong>worth having your own backup<\/strong>, but not on the same server as the one you already have a website on. If the sever fails, you will also lose your back-ups. In the case of hosting, the time needed to backup your backups will last much longer.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"384\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-1024x384.png\" alt=\"Nearly 100 GB of backups created by the UpdraftPlus plugin.\" class=\"wp-image-7771\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-1024x384.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-600x225.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-1400x525.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-768x288.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-1536x576.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-960x360.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-300x113.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-900x338.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup-130x49.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/08\/backup.png 1999w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><figcaption>Nearly 100 GB of backups created by the UpdraftPlus plugin.<\/figcaption><\/figure>\n\n\n\n<p>Backups should be kept on an external server or a resource such as Google Drive, Dropbox, OneDrive or Amazon S3. If the plugins are to send backups to external services,&nbsp;it is necessary to provide them with access data (see the section on providing access data to other services above).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"what-is-not-worth-doing\"><\/span>What is not worth doing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The list of recommendations you\ncan follow to increase WordPress security is really long. However, there are\nthings you should avoid doing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"security-plugins\"><\/span>Security plugins<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>These are all kinds of plugins that promise to provide security. They are usually huge, and give a false sense of security.<\/p>\n\n\n\n<p>If we look at the reports on the 10 most vulnerable plugins, some of them can be found on the list:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"277\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1024x277.png\" alt=\"In the top ten we have: better-wp-security and wordfence.\" class=\"wp-image-7739\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1024x277.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-600x162.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1400x379.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-768x208.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-1536x416.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-960x260.png 960w, 
https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-300x81.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-900x243.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security-130x35.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/wtyczki-security.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>In the top ten we have: better-wp-security and wordfence.<\/figcaption><\/figure><\/div>\n\n\n\n<p>Please note that security is a\nprocess that takes time and requires more effort than clicking a button\nin the plugin panel.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"changing-default-paths\"><\/span>Changing default paths<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The default paths to plugin and theme resources are&nbsp;<strong>wp-content\/plugins<\/strong>&nbsp;and&nbsp;<strong>wp-content\/themes<\/strong> respectively. The paths and names of these directories can be changed by adding an entry to&nbsp;<strong>wp-config.php<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">define( 'WP_CONTENT_DIR', dirname(__FILE__) . '\/www\/multimedia' );<br>define( 'WP_CONTENT_URL', 'http:\/\/example.com\/www\/multimedia' );<\/pre>\n\n\n\n<p>The only effect of such a change is that the website may no longer look like WordPress to many simple web robots, which will then skip it. 
However, this will not protect us from attacks on the vulnerabilities in these add-ons.<\/p>\n\n\n\n<p>Most plugins add JavaScript or CSS files to our website, which makes it easy to check which directory they are in.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"hide-unnecessary-information-about-wordpress\"><\/span>Hide unnecessary information about WordPress<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Another thing that is not worth doing is hiding the WordPress version you are using. Very often, tutorials focus on removing the&nbsp;<strong>generator<\/strong>&nbsp;tag from the site code. Such a change does not do much, since the attacker is not really interested in this tag. Internet worms do not pay attention to such data either. They simply scan the page and try to find a vulnerability.<\/p>\n\n\n\n<p>However, if we want to remove information about the version, we should block access to the&nbsp;<strong>readme.html<\/strong>&nbsp;file, for example by adding a rule to&nbsp;<strong>.htaccess<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;FilesMatch \"readme.html\"&gt;<br>  Order allow,deny<br>  Deny from all<br>&lt;\/FilesMatch&gt;<br><br><\/pre>\n\n\n\n<p>Then remove the WordPress version from the page head:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">remove_action('wp_head', 'wp_generator');<br><\/pre>\n\n\n\n<p>We also hide the version in RSS, ATOM, comments, scripts, and so on.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">define('THE_CAMELS_FILE_VERSION', '0000001');<br>\n\/\/ Returns an empty generator string for every feed and HTML variant.<br>\nfunction rm_generator_filter() {<br>\n  return '';<br>\n}<br>\nif(!function_exists('thecamels_remove_wp_ver_css_js')) :<br>\n  \/\/ Strips the core version from script and style URLs and replaces it with a fixed value.<br>\n  function thecamels_remove_wp_ver_css_js($src) {<br>\n    \/\/ strpos() can return 0 for a match at the start, so compare against false explicitly.<br>\n    if(strpos($src, 'ver=' . get_bloginfo( 'version')) !== false) {<br>\n      $src = remove_query_arg( 'ver', $src );<br>\n    }<br>\n    if(strpos($src, '?') === false) {<br>\n      $src .= '?ver=' . 
THE_CAMELS_FILE_VERSION;<br>\n    }<br>\n    return $src;<br>\n  }<br>\nendif;<br>\nadd_filter('the_generator', 'rm_generator_filter');<br>\nadd_filter('style_loader_src', 'thecamels_remove_wp_ver_css_js', 9999);<br>\nadd_filter('script_loader_src', 'thecamels_remove_wp_ver_css_js', 9999);<br>\nadd_filter('get_the_generator_html', 'rm_generator_filter');<br>\nadd_filter('get_the_generator_xhtml', 'rm_generator_filter');<br>\nadd_filter('get_the_generator_atom', 'rm_generator_filter');<br>\nadd_filter('get_the_generator_rss2', 'rm_generator_filter');<br>\nadd_filter('get_the_generator_comment', 'rm_generator_filter');<br>\nadd_filter('get_the_generator_export', 'rm_generator_filter');<br>\nadd_filter('wf_disable_generator_tags', 'rm_generator_filter');<\/pre>\n\n\n\n<p>This code could be written\nbetter, probably, so all suggestions are welcome.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"security-testing\"><\/span>Security testing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If we want to go deeper into the subject of security related to WordPress, it is worth seeing&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wpvulndb.com\/statistics\"><span>WordPress Vulnerability Statistics<\/span><\/a>. 
These very interesting statistics show which components of WordPress security vulnerabilities are found in.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"188\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-1024x188.png\" alt=\"General error statistics in WordPress.\" class=\"wp-image-7738\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-1024x188.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-600x110.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-1400x256.png 1400w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-768x141.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-1536x281.png 1536w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-960x176.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-300x55.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-900x165.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki-130x24.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/statystyki.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>General vulnerability statistics in WordPress.<\/figcaption><\/figure>\n\n\n\n<p>Information about these vulnerabilities can be found on one of the exploit aggregators, e.g.&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.exploit-db.com\/\"><span>exploit-db.com<\/span><\/a>.<\/p>\n\n\n\n<p>When it comes to testing WordPress security, you can use a tool such as&nbsp;<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wpscan.org\/\"><span>WPScan<\/span><\/a>. 
Before each run, it is advisable to update its database with the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wpscan --update<\/pre>\n\n\n\n<p>Website testing is quite simple:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wpscan --url http:\/\/moja-strona-domowa.pl<\/pre>\n\n\n\n<p>We can also use such scanners as:&nbsp;Detectify,&nbsp;Security Ninja,&nbsp;Acunetix or Sucuri.<\/p>\n\n\n\n<p><strong>Plugin Inspector<\/strong> might also be interesting \u2013 it generates a report on the safety of plugins.<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-plugin-directory\"><div class=\"wp-block-embed__wrapper\">\r\n<blockquote class=\"wp-embedded-content\" data-secret=\"7BmK4RRRX8\"><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/plugin-inspector\/\"><span>Plugin Inspector<\/span><\/a><\/blockquote><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"&#8220;Plugin Inspector&#8221; &#8212; Plugin Directory\" loading=\"lazy\" src=\"https:\/\/wordpress.org\/plugins\/plugin-inspector\/embed\/#?secret=7BmK4RRRX8\" data-secret=\"7BmK4RRRX8\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\r\n<\/div><\/figure>\n\n\n\n<p>We will see the code fragments\nthat are&nbsp;<strong>OK<\/strong>,&nbsp;<strong>Unsafe<\/strong>&nbsp;or&nbsp;<strong>Deprecated<\/strong>, all\npresented in a simple way. The Unsafe status shows those code elements that are\nsuspicious and potentially dangerous. 
That is not necessarily the case,\nbut it&#8217;s worth looking at the code fragment.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"364\" src=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-1024x364.png\" alt=\"Plugin Inspector\" class=\"wp-image-7742\" srcset=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-1024x364.png 1024w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-600x213.png 600w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-768x273.png 768w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-960x341.png 960w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-300x107.png 300w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-900x320.png 900w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector-130x46.png 130w, https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/plugin-inspector.png 1260w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Example of Plugin Inspector output.<\/figcaption><\/figure>\n\n\n\n<p>The&nbsp;<strong>Deprecated<\/strong>&nbsp;status shows outdated functions and plugin code fragments. Over time, they will be removed from WordPress or PHP itself and the plugin may stop working. In such a situation, it is worth considering an update.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>WordPress hardening&nbsp;is often a complex process. It requires time and an understanding of certain elements. We cannot always be 100% sure whether we have managed to protect our website against everything (e.g. 
<a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\"><span>0-day<\/span><\/a> attacks). However, taking these or other steps will surely minimize the level of risk.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-videopress wp-block-embed-videopress wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Kamil Porembi\u0144ski: Jak NIE zabezpiecza\u0107 WordPressa\" width='1400' height='788' src='https:\/\/video.wordpress.com\/embed\/otaLZ3yo?hd=1' frameborder='0' allowfullscreen><\/iframe><script src='https:\/\/v0.wordpress.com\/js\/next\/videopress-iframe.js?m=1435166243'><\/script>\n<\/div><figcaption>How NOT to secure WordPress?<\/figcaption><\/figure>\n\n\n\n<p>I am really glad you managed to\nreach the end. But that\u2019s not all. I have more security-related links for you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"other-interesting-materials-about-wordpress-security-in-polish\"><\/span>Other interesting materials about WordPress security (in Polish):<br><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Presentations:<ul><li><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.youtube.com\/watch?v=sKCRUBhiusY\">WordUp\n      Tr\u00f3jmiasto #6 \u2013 Krzysztof Dr\u00f3\u017cd\u017c. Why does this malware keep coming back?<\/a><\/li><li><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.youtube.com\/watch?v=g8AZxpC69so\">WordUp\n      Krak\u00f3w #autumn 2015 \u2013 Krzysztof Dr\u00f3\u017cd\u017c. 
Safe code \u2013 three slightly more\n      difficult elements<\/a><\/li><li><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.youtube.com\/watch?v=3-NWCeDDXbo\">Krzysztof\n      Dr\u00f3\u017cd\u017c:<\/a><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/www.youtube.com\/watch?v=3-NWCeDDXbo\"> Myths of\n      (non)safety<\/a><\/li><\/ul><\/li><li>Articles:<ul><li><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wpzen.pl\/jak-zabezpieczyc-wp-login-php-przed-atakami-brute-force\/\">How to\n      protect the wp-login.php file against brute force attacks<\/a><\/li><li><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/wpzen.pl\/zabezpieczanie-wordpressa-podstawy\/\">WordPress\n      hardening: basics<\/a><\/li><li><a target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/sekurak.pl\/jak-zabezpieczyc-wordpress-poradnik-krok-po-kroku\/\">How to\n      secure WordPress? A step-by-step guide<\/a><\/li><\/ul><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>WordPress&nbsp;is one of the most popular CMSs in the world. Depending on the statistics, it runs from several to even dozens millions of websites. The increasing popularity of WordPress in Poland translates into the growth of number of the associated attacks. 
Many of them can be prevented by securing the given website with simple steps.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":17246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[150],"tags":[706,698,685],"class_list":["post-9103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-basics","tag-security","tag-wordpress-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Compendium: how to secure your WordPress? - Thecamels.org<\/title>\n<meta name=\"description\" content=\"Wondering how to secure WordPress well? With our comprehensive guide you will do it as well as possible. Check it out!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Compendium: how to secure your WordPress? - Thecamels.org\" \/>\n<meta property=\"og:description\" content=\"Wondering how to secure WordPress well? With our comprehensive guide you will do it as well as possible. 
Check it out!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/?utm_source=dark&amp;utm_medium=social&amp;utm_campaign=open-graph\" \/>\n<meta property=\"og:site_name\" content=\"Thecamels.org\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/thecamels.org\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-07-03T20:30:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-13T17:24:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/43-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"627\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kamil Porembi\u0144ski\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/43-1.png\" \/>\n<meta name=\"twitter:creator\" content=\"@thecamelsorg\" \/>\n<meta name=\"twitter:site\" content=\"@thecamelsorg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kamil Porembi\u0144ski\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"32 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/\"},\"author\":{\"name\":\"Kamil Porembi\u0144ski\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#\\\/schema\\\/person\\\/b7bd2aec5f506a68323eb40c86d38a32\"},\"headline\":\"Compendium: how to secure your WordPress?\",\"datePublished\":\"2018-07-03T20:30:59+00:00\",\"dateModified\":\"2021-06-13T17:24:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/\"},\"wordCount\":6645,\"publisher\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/thecamels.org\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/44-1.png\",\"keywords\":[\"basics\",\"security\",\"wordpress\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/\",\"url\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/\",\"name\":\"Compendium: how to secure your WordPress? 
- Thecamels.org\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/thecamels.org\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/44-1.png\",\"datePublished\":\"2018-07-03T20:30:59+00:00\",\"dateModified\":\"2021-06-13T17:24:00+00:00\",\"description\":\"Wondering how to secure WordPress well? With our comprehensive guide you will do it as well as possible. Check it out!\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#primaryimage\",\"url\":\"https:\\\/\\\/thecamels.org\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/44-1.png\",\"contentUrl\":\"https:\\\/\\\/thecamels.org\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/44-1.png\",\"width\":1200,\"height\":627,\"caption\":\"Kompendium: Jak zabezpieczy\u0107 WordPressa?\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/compendium-how-to-secure-your-wordpress\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"[HOME]\",\"item\":\"https:\\\/\\\/thecamels.org\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/thecamels.org\\\/en\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Compendium: how to secure your 
WordPress?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/thecamels.org\\\/en\\\/\",\"name\":\"Thecamels.org\",\"description\":\"Hosting SSD NVMe z certyfikatem SSL i HTTP\\\/2. Administracja serwerami, skalowanie infrastruktury. Mamy g\u0142ow\u0119 do serwer\u00f3w i zadbamy o Twoj\u0105 stron\u0119 w sieci.\",\"publisher\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/thecamels.org\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#organization\",\"name\":\"Thecamels\",\"url\":\"https:\\\/\\\/thecamels.org\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/thecamels.org\\\/wp-content\\\/uploads\\\/2018\\\/09\\\/TC-logo-nowe.png\",\"contentUrl\":\"https:\\\/\\\/thecamels.org\\\/wp-content\\\/uploads\\\/2018\\\/09\\\/TC-logo-nowe.png\",\"width\":826,\"height\":106,\"caption\":\"Thecamels\"},\"image\":{\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/thecamels.org\\\/\",\"https:\\\/\\\/x.com\\\/thecamelsorg\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/the-camels\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC01xYBZbIAApTuPWuqgGE4Q\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/thecamels.org\\\/en\\\/#\\\/schema\\\/person\\\/b7bd2aec5f506a68323eb40c86d38a32\",\"name\":\"Kamil 
Porembi\u0144ski\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4b2d40949e6453ecdd7663e9a61fac171f31810a28bdc5be0c4d7eca89f41571?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4b2d40949e6453ecdd7663e9a61fac171f31810a28bdc5be0c4d7eca89f41571?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4b2d40949e6453ecdd7663e9a61fac171f31810a28bdc5be0c4d7eca89f41571?s=96&d=identicon&r=g\",\"caption\":\"Kamil Porembi\u0144ski\"},\"description\":\"Architekt systemowy, administrator Linux, a czasem Windows. Lubi tematyk\u0119 security. Obecnie w\u0142a\u015bciciel firmy thecamels.org, zajmuj\u0105cej si\u0119 projektowaniem system\u00f3w o wysokiej dost\u0119pno\u015bci. Zajmuje si\u0119 skalowaniem du\u017cych aplikacji internetowych, wspieraniem startup\u00f3w w kwestiach serwerowych. Po godzinach zajmuje si\u0119 \u017ceglowaniem po morzach, lataniem, fotografi\u0105 i podr\u00f3\u017cami.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Compendium: how to secure your WordPress? - Thecamels.org","description":"Wondering how to secure WordPress well? With our comprehensive guide you will do it as well as possible. Check it out!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/","og_locale":"en_US","og_type":"article","og_title":"Compendium: how to secure your WordPress? - Thecamels.org","og_description":"Wondering how to secure WordPress well? With our comprehensive guide you will do it as well as possible. 
Check it out!","og_url":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/?utm_source=dark&utm_medium=social&utm_campaign=open-graph","og_site_name":"Thecamels.org","article_publisher":"https:\/\/www.facebook.com\/thecamels.org\/","article_published_time":"2018-07-03T20:30:59+00:00","article_modified_time":"2021-06-13T17:24:00+00:00","og_image":[{"width":1200,"height":627,"url":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/43-1.png","type":"image\/png"}],"author":"Kamil Porembi\u0144ski","twitter_card":"summary_large_image","twitter_image":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/43-1.png","twitter_creator":"@thecamelsorg","twitter_site":"@thecamelsorg","twitter_misc":{"Written by":"Kamil Porembi\u0144ski","Est. reading time":"32 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#article","isPartOf":{"@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/"},"author":{"name":"Kamil Porembi\u0144ski","@id":"https:\/\/thecamels.org\/en\/#\/schema\/person\/b7bd2aec5f506a68323eb40c86d38a32"},"headline":"Compendium: how to secure your WordPress?","datePublished":"2018-07-03T20:30:59+00:00","dateModified":"2021-06-13T17:24:00+00:00","mainEntityOfPage":{"@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/"},"wordCount":6645,"publisher":{"@id":"https:\/\/thecamels.org\/en\/#organization"},"image":{"@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#primaryimage"},"thumbnailUrl":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/44-1.png","keywords":["basics","security","wordpress"],"articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/","url":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/","name":"Compendium: how to secure your 
WordPress? - Thecamels.org","isPartOf":{"@id":"https:\/\/thecamels.org\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#primaryimage"},"image":{"@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#primaryimage"},"thumbnailUrl":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/44-1.png","datePublished":"2018-07-03T20:30:59+00:00","dateModified":"2021-06-13T17:24:00+00:00","description":"Wondering how to secure WordPress well? With our comprehensive guide you will do it as well as possible. Check it out!","breadcrumb":{"@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#primaryimage","url":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/44-1.png","contentUrl":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/07\/44-1.png","width":1200,"height":627,"caption":"Kompendium: Jak zabezpieczy\u0107 WordPressa?"},{"@type":"BreadcrumbList","@id":"https:\/\/thecamels.org\/en\/compendium-how-to-secure-your-wordpress\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"[HOME]","item":"https:\/\/thecamels.org\/en\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/thecamels.org\/en\/blog\/"},{"@type":"ListItem","position":3,"name":"Compendium: how to secure your WordPress?"}]},{"@type":"WebSite","@id":"https:\/\/thecamels.org\/en\/#website","url":"https:\/\/thecamels.org\/en\/","name":"Thecamels.org","description":"Hosting SSD NVMe z certyfikatem SSL i HTTP\/2. Administracja serwerami, skalowanie infrastruktury. 
Mamy g\u0142ow\u0119 do serwer\u00f3w i zadbamy o Twoj\u0105 stron\u0119 w sieci.","publisher":{"@id":"https:\/\/thecamels.org\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/thecamels.org\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/thecamels.org\/en\/#organization","name":"Thecamels","url":"https:\/\/thecamels.org\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/thecamels.org\/en\/#\/schema\/logo\/image\/","url":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/09\/TC-logo-nowe.png","contentUrl":"https:\/\/thecamels.org\/wp-content\/uploads\/2018\/09\/TC-logo-nowe.png","width":826,"height":106,"caption":"Thecamels"},"image":{"@id":"https:\/\/thecamels.org\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/thecamels.org\/","https:\/\/x.com\/thecamelsorg","https:\/\/www.linkedin.com\/company\/the-camels","https:\/\/www.youtube.com\/channel\/UC01xYBZbIAApTuPWuqgGE4Q"]},{"@type":"Person","@id":"https:\/\/thecamels.org\/en\/#\/schema\/person\/b7bd2aec5f506a68323eb40c86d38a32","name":"Kamil Porembi\u0144ski","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4b2d40949e6453ecdd7663e9a61fac171f31810a28bdc5be0c4d7eca89f41571?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4b2d40949e6453ecdd7663e9a61fac171f31810a28bdc5be0c4d7eca89f41571?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4b2d40949e6453ecdd7663e9a61fac171f31810a28bdc5be0c4d7eca89f41571?s=96&d=identicon&r=g","caption":"Kamil Porembi\u0144ski"},"description":"Architekt systemowy, administrator Linux, a czasem Windows. Lubi tematyk\u0119 security. 
Obecnie w\u0142a\u015bciciel firmy thecamels.org, zajmuj\u0105cej si\u0119 projektowaniem system\u00f3w o wysokiej dost\u0119pno\u015bci. Zajmuje si\u0119 skalowaniem du\u017cych aplikacji internetowych, wspieraniem startup\u00f3w w kwestiach serwerowych. Po godzinach zajmuje si\u0119 \u017ceglowaniem po morzach, lataniem, fotografi\u0105 i podr\u00f3\u017cami."}]}},"_links":{"self":[{"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/posts\/9103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/comments?post=9103"}],"version-history":[{"count":5,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/posts\/9103\/revisions"}],"predecessor-version":[{"id":24622,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/posts\/9103\/revisions\/24622"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/media\/17246"}],"wp:attachment":[{"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/media?parent=9103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/categories?post=9103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecamels.org\/en\/wp-json\/wp\/v2\/tags?post=9103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}