Re: How to secure WordPress, WordPress Directory and file permissions
WordPress can be a secure blog; however, altering the recommended file permission settings can leave your site open to being hacked. It will happen: you will get hacked if you have directories set to 777.
To change file and directory permissions you can use any FTP application or even the Plesk File Manager.
By default, all WordPress folders should have a chmod of 755 so that the files in sub folders can be accessed and executed. Most of the time the installer marks all folders 755, which is the right setting, but it is worth checking.
WordPress Files
All files starting with 'wp-' (apart from the exceptions below) should be set to 644.
WordPress Directories
All directories starting with 'wp-' (apart from the exceptions below) should be set to 755.
wp-config.php
The wp-config.php file is very important; the best setting for this file is 640.
.htaccess
The .htaccess file should be set to 644 as 640 would be too restrictive.
robots.txt
This file is important and should be set to 755 in order to allow search engines full access.
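The values above are easy to check in bulk. The script below is an added example (not from the original post): it walks a WordPress tree and reports every directory that is not 755, every wp- file that is not 644, a wp-config.php that is not 640, an .htaccess that is not 644, and anything else that is world-writable. It assumes GNU stat (-c) or BSD stat (-f) and a find that supports -mindepth; the site root is given as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress tree against
# the permission values recommended above.

# Octal mode the post recommends for a path (relative to the site root);
# prints nothing for files the post does not cover (uploads, themes, ...).
wp_expected_mode() {
  rel=$1 kind=$2
  [ "$kind" = d ] && { echo 755; return; }      # every WordPress directory
  case "${rel##*/}" in
    wp-config.php) echo 640 ;;                   # most sensitive file
    .htaccess)     echo 644 ;;                   # 640 would be too restrictive
    wp-*)          echo 644 ;;                   # all other wp- files
  esac
}

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Walk the tree and print one line per finding:
#   <relative path> <actual mode> <expected mode>   covered path with the wrong mode
#   <relative path> <actual mode> WORLD-WRITABLE    uncovered path with o+w (777, 666, ...)
# Returns 0 when the tree is clean, 1 when anything was printed.
wp_audit_perms() {
  root=${1:-.}; root=${root%/}
  find "$root" -mindepth 1 \( -type d -o -type f \) -print | while IFS= read -r p; do
    rel=${p#"$root"/}
    if [ -d "$p" ]; then kind=d; else kind=f; fi
    actual=$(mode_of "$p")
    expected=$(wp_expected_mode "$rel" "$kind")
    if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
      echo "$rel $actual $expected"
    elif [ -z "$expected" ]; then
      case "$actual" in *[2367]) echo "$rel $actual WORLD-WRITABLE" ;; esac
    fi
  done | grep . && return 1
  return 0
}

# Usage: ./wp-perm-audit.sh /var/www/html
if [ $# -gt 0 ]; then wp_audit_perms "$1"; fi
```

Run it as the site owner after any install or plugin update; an empty output means every path the post covers matches and nothing else is world-writable.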
Hardening /wp-includes scripts
For additional protection, prevent scripts from being requested directly where they should not be, for any user, by adding the following entry to your WordPress .htaccess file:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# wp-admin/includes/ is never meant to be requested directly: return 403.
RewriteRule ^wp-admin/includes/ - [F,L]
# Anything outside wp-includes/ skips the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Deny direct requests to top-level PHP files in wp-includes/.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Update your Plugins
The majority of vulnerabilities are a result of insecure and outdated plugins. It is absolutely essential that you ensure you are running the latest versions of all plugins. Many plugin updates are released to close known vulnerabilities.
Further securing your WordPress blog
You can further secure your WordPress blog by reading "7 easy ways to secure WordPress".