Secure WordPress
Reviewedbyfl
Markdown ↓WordPress security: keep your core, plugins, and themes automatically updated. Enable background updates to stay protected against evolving threats.
The good news is that WordPress has automatic background updates and they are enabled by default. Please check the article from the official WordPress codex on how to configure automatic background updates and take care that your WordPress core, plugins and even themes are always up-to-date.
Protect against bots
WordPress often gets targeted by bots, trying to access wp-login.php and xmlrpc.php. Blocking access to these files will increase stability and security.
Sending e-mails
You cannot use sendmail on fortrabbit but you can use a SMTP plugin like WP SMTP or WP Mail SMTP to enable SMTP support for the wp_mail() function. See also: email integration guides.
Resetting the wp-admin password
If WordPress cannot send email via SMTP (see above), the "Lost your password?" recovery flow will not work. Reset the password another way.
The recommended method is WP-CLI over an SSH connection. It hashes the new password with the current WordPress algorithm:
wp user update admin --user_pass="a-strong-new-password"
Replace admin with the account's user login or email address.
As a fallback, set the password directly in the database. WordPress accepts an MD5 hash in the user_pass column for backward compatibility and re-hashes it with the current algorithm on the next successful login:
- Connect to the remote MySQL database from local
- Find the account in the
wp_userstable - Set
user_passto the MD5 hash of a safe new password - Log in to wp-admin, which upgrades the stored hash automatically
Running WordPress in a sub folder
There are two reasons to install WordPress in a sub directory instead of in htdocs:
- WordPress is just the blog-part of the website:
mydomain.com/blog - You want to run multiple WordPress sites in one environment. Please don't.
You can achieve the first option by putting WordPress in a folder and by changing the "Site Address URL" parameter (see above). Also see the official WordPress codex on how to give WordPress its own directory.