
WordPress security can be hardened simply by raising the effort an attacker needs to compromise the site.
WordPress Security Tips
- Host your blog with a reputable host.
- Always keep WordPress updated.
- Use secure themes, and make sure you update them regularly.
- Delete unused WordPress themes.
- Disable new user registration if it is not required.
- Make your nickname different from your WordPress login username.
- Change the WordPress “Display name publicly as” setting to something other than the login username.
- Use a long, complex password for the WordPress login.
- Create a new WordPress administrator account with a login username other than “admin”.
- To avoid brute-force attacks, create a new (custom) WordPress login page.
- Disable WordPress login hints in login error messages.
- Remove the lost-password link from the WordPress login page if it is not required.
- Redirect failed WordPress logins to the homepage.
- Redirect the lost-password link to the homepage.
- Disable XML-RPC completely if you do not connect to an external service.
- Plugins are the biggest reason WordPress sites get hacked.
- Use as few WordPress plugins as possible.
- Delete unused WordPress plugins.
- Always keep plugins updated.
- Create a site-specific WordPress plugin for code snippets that belong to your site.
- Change the WordPress database table prefix from the default wp_ to avoid SQL injection attacks.
- Change the WordPress user ID to hide the login username from your-site.com/?author=1, which redirects to the author URL (your-site.com/author/username/).
- Change the WordPress author URL base and slug (user_nicename).
- Keep a log of WordPress database and PHP errors.
- Enable HTTPS.
- Remove unnecessary server response headers such as Server, X-Powered-By, X-Backend, etc.
- Enable HTTP Strict Transport Security (HSTS) header.
- Enable Content Security Policy.
- Enable XSS protection.
- Enable referrer policy.
- Only allow authorized applications to access the WordPress REST API.
- Block public access to the readme, license, quickstart, and changelog files.
- Activate a web application firewall to filter traffic.
- Always use SFTP or SSH to connect to the server.
- Disable directory listing for WordPress files and folders.
- Disable PHP execution in the WordPress uploads directory.
- Enable TLS 1.3.
- Disable direct access to your server by IP address.
- Always keep your server OS and other software updated.
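Several of the items above (disable registration, hide login hints, redirect failed logins and the lost-password link, disable XML-RPC, stop ?author=N enumeration, change the author base, restrict the REST API, and send HSTS, CSP and referrer-policy headers) can be done from the site-specific plugin the list recommends. The following is an added example of such a plugin, not code from the original post; the plugin name, the file location wp-content/plugins/site-hardening/site-hardening.php, the author base "writer", the generic error text and the header values are assumptions you should adapt. Every hook used is a standard WordPress hook.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Site-specific hardening snippets for the checklist items above. Assumed values are marked.
 */

// Abort if the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// "Disable new user registration": force the users_can_register option to 0.
add_filter( 'option_users_can_register', '__return_zero' );

// "Disable XML-RPC completely": reject every XML-RPC request.
add_filter( 'xmlrpc_enabled', '__return_false' );

// "Disable login hints": replace the detailed error with one generic message
// so the form does not reveal whether the username or the password was wrong.
add_filter( 'login_errors', function () {
    return 'Login failed.'; // assumed wording
} );

// "Redirect failed logins to the homepage": fires after a bad username/password pair.
add_action( 'wp_login_failed', function ( $username ) {
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );

// "Redirect lost-password link to the homepage": rewrite the link in the login form
// and redirect anyone who requests wp-login.php?action=lostpassword directly.
add_filter( 'lostpassword_url', function () {
    return home_url( '/' );
} );
add_action( 'lost_password', function () {
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );

// "Hide the login username behind ?author=1": send numeric ?author=N requests home
// with a permanent redirect. Pretty author archives (/author/name/) keep working.
add_action( 'template_redirect', function () {
    if ( is_author() && isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// "Change the author URL base": /author/ becomes /writer/ (assumed value).
// Save permalinks once under Settings > Permalinks so the rewrite rules are flushed.
add_action( 'init', function () {
    global $wp_rewrite;
    $wp_rewrite->author_base = 'writer';
} );

// "Only allow authorized applications to access the REST API": require a logged-in
// user (or an application password, which also sets the current user) for every route.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another authentication check already produced an answer
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
} );

// Remove the WordPress version from the HTML head to reduce fingerprinting.
remove_action( 'wp_head', 'wp_generator' );

// "HSTS", "Content Security Policy", "XSS protection", "referrer policy" and the
// X-Powered-By header. Header values below are assumed starting points.
add_action( 'send_headers', function () {
    header_remove( 'X-Powered-By' ); // only the PHP-set header; Server is removed at the web server
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    // Report-Only first: a strict policy will break themes and plugins that use inline scripts.
    // Switch to Content-Security-Policy once the browser console reports no violations.
    header( "Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'" );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    // Legacy browser XSS filter; current browsers ignore it and rely on the CSP above.
    header( 'X-XSS-Protection: 1; mode=block' );
} );
```

Activate it like any other plugin and then verify with a logged-out browser: the login form should show the generic error, /?author=1 should land on the homepage, a GET to /xmlrpc.php should be refused, and /wp-json/wp/v2/users should return 401. The REST API rule blocks anonymous requests site-wide, so any front-end feature that calls the REST API without a session (contact forms, some Jetpack modules) will need an exception added to that filter. Items that live at the web server level (directory listing, PHP execution in uploads, blocking readme and license files, the Server header, TLS 1.3) still need to be configured in the server rather than in PHP.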
Tips for Optimal WordPress Security
- Host your site with a managed WordPress hosting company.
- Use a host powered by LiteSpeed Web Server.
- Add the Jetpack plugin or Cloudflare Access.
- Enable an external firewall and DDoS protection service.
The aim of the above guide is to minimize loopholes and secure your WordPress website against hackers.
Moral of the Story
Prevention is better than cure.