Secure WordPress

Urgent security advice: WordPress is popular with hackers. You are responsible for keeping the software you install up to date.

The good news is that WordPress has automatic background updates, and they are enabled by default. Please check the article from the official WordPress codex on how to configure automatic background updates, and take care that your WordPress core, plugins and even themes are always up to date.

# Protect against bots

WordPress is a frequent target of bots that repeatedly request wp-login.php and xmlrpc.php. Blocking access to these files improves both stability and security, because the requests are rejected by the web server before they ever reach PHP.
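One way to do this blocking is an .htaccess file in the WordPress document root. The snippet below is an added example, not part of the original page and not fortrabbit's own configuration; it assumes Apache 2.4 with `AllowOverride` enabled, and the IP range `203.0.113.0/24` is a placeholder that you must replace with your own admin/VPN range.

```apache
# .htaccess in the WordPress document root.
# Assumption: Apache 2.4 (mod_authz_core "Require" syntax) and .htaccess overrides allowed.

# xmlrpc.php is only needed by the WordPress mobile apps, Jetpack and
# pingbacks. If you use none of those, close it completely: bots get a
# 403 from Apache and PHP never runs.
<Files "xmlrpc.php">
    Require all denied
</Files>

# wp-login.php must stay reachable for you, so do not deny it outright.
# Allow it only from a known address range (placeholder CIDR below);
# everyone else, including brute-force bots, is rejected with 403.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>
```

Two caveats before you rely on this: `Require ip` checks the address of the TCP connection, so if your app sits behind a load balancer or proxy you will see the proxy's address, not the visitor's, and must configure mod_remoteip (or an equivalent) first; and if you cannot pin your own address, a second layer such as HTTP Basic authentication on wp-login.php still stops most automated logins without locking you out.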

# Sending e-mails

You cannot use sendmail on fortrabbit, but you can use an SMTP plugin such as WP SMTP or MAIL SMTP to enable SMTP support for the wp_mail() function.

# Resetting your password for wp-admin

Some users might be too lazy to configure the mail delivery for WordPress via SMTP (see above). Now imagine they also forget the password for wp-admin. Without email, the forgot-password function of WordPress will not work. The user can still set a new password directly in the database, like so:

  1. Connect to the remote MySQL database from your local machine
  2. Browse the MySQL tables to find the right admin user
  3. Choose a safe password
  4. Convert that password to an MD5 hash (WordPress accepts an MD5 value in the password column and replaces it with its own stronger hash on the next successful login)
  5. Update the table with the new password hash
  6. Go back to wp-admin and log in using the new password

# Running WordPress in a sub folder

There are two reasons to install WordPress in a sub directory instead of in htdocs:

  1. WordPress is just the blog-part of the website: mydomain.com/blog
  2. You want to run multiple WordPress sites in one environment. Please don't.

You can achieve the first option by putting WordPress in a folder and by changing the "Site Address URL" parameter (see above). Also see the official WordPress codex on how to give WordPress its own directory.
