Overrated WP Security Tips

overrated wp security tipsWordPress security tips abound.  As of the date of this post a Google search on the phrase “wordpress security tips” returns over 36,000 results. I give my list of essential security practices in another post. Certain other tips are overrated, providing little in the way of practical security benefits. Full disclosure, I practice some of these anyway.

  • Secret admin user name: I use a public nickname to hide my admin user name. In theory this improves login security since a hacker has to guess both my username and password rather than just the latter. In practice the benefit is minor. Any determined hacker will uncover my user name using easily available techniques, or perhaps obtain it from Wordfence.
  • Hide WP version information: If a hacker determines I am using an old version of WordPress, he or she can exploit known vulnerabilities of that particular version. In theory I can make this more difficult by blocking access to readme.html and license.txt, and removing version information from my site’s metadata. However, like my admin user name, a determined hacker will quickly ascertain my version information in spite of my precautions. An obvious and much better solution is to keep my WP version up to date.
  • Change the database table prefix: Whenever I install WordPress, I make a point to change the database table prefix from the default ‘wp_’.  In theory this makes it harder for an attacker who has gained access to my database to guess the table names. But if an attacker has gained access to my database, I’m already screwed. Making things slightly more difficult for the attacker is very unlikely to help me at that point.
  • Move wp-config.php file above my web root: This frequently-recommended security measure would protect my wp-config.php file from disclosure in the rare event that PHP becomes disabled on my site, causing my web server to serve php files as plain text. I can instead mitigate that low-probability but high-impact risk by a simple addition to my .htaccess file:

    <files wp-config.php>
    order allow,deny
    deny from all

    Some experts still argue in favor of moving the wp-config.php file, on the grounds that if PHP and htaccess were simultaneously disabled, and yet somehow my site was otherwise available and working just fine, my wp-config.php file could still be exposed. Seems far fetched to me. Also, moving wp-config.php sometimes requires a server configuration change that actually increases exposure risk of certain other secure files.

  • Overpay for hosting: Another common WP security tip is to use the best hosting you can afford, after all you get what you pay for. Well, not always. My preference is to use the most affordable hosting I can find that meets my requirements. It also depends on the nature of the site and my risk tolerance. I want rock-solid reliability for a business site, but for a just-for-fun personal site I might rather save a few bucks. I go into a bit more detail about this in another post.
  • Delete all unused themes: This tip is well-meaning, it just goes a bit too far. In addition to my active child theme, I need to keep its parent theme installed. Also, the current default twenty-something theme for fall-back/troubleshooting.

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.