Secret recipe for WordPress Security

WordPress is the largest platform in the internet. It is used by more than 30% of the total websites. Everyday 2 millions of people are talking about WordPress and At least 100k people are troubleshooting WordPress sites.

It is very likely that a WordPress site can get hacked because of this large number of community involvement. WordPress core itself is very secured, provided when it is updated.

A non-updated WordPress site can be hacked within 10 days of new version release.

Need peace of mind? Get your WordPress site secured today. Secure your site in the best possible way-

  1. Keep a backup of your site. Not a zip file on your hosting server file manager. Never do it, it risky.
  2. Update WordPress core regularly. Never leave your WordPress site get updated automatically. It might or would definitely break your site at one point. If you are a developer then you will never do it.
  3. Update all the plugins and remove any unused plugins. Don’t keep a plugin which is not maintained anymore. Lets say a plugin was build with php 5.6 code. Now the designer of the plugin does not maintain it anymore. On the other hand your site running on php 7.2. The old plugin will spread bugs in your whole website. Replace this kind of plugin with an alternative.
  4. Change WordPress login credentials. Remove any username like admin, admin’s name or author’s name or site’e name. Replace these name with some names that is less related your site’s name or author’s name.
  5. Change database prefix.
  6. Change file and directory permissions
  7. Turn-off XML RPC pingbacks
  8. Block author scans
  9. Take care of bot and hotlink protection
  10. Remove file editing permission from inside the WordPress dashboard.
  11. Remove adding plugins and themes from inside the WordPress dashboard.
  12. Force SSL within WordPress admin area. https://www.example.com/wp-admin
  13. Protect domain, server and site spamming by filtering emails, implementing form recaptcha, configuring SMTP server and anti-spamming protection.
  14. Change .htaccess and wp-config.php permissions. Wp-config permissions can be r– — — (only owner can read it)
  15. Deny database connection from remote IP. Lock it from the cpanel. Only give access to some known and trusted IPs.
  16. Change the site security and configuration keys in wp-config.php file.
  17. Change wp-config.php database connection rules. Split the logic for localhost, staging server and live server.
  18. To prevent the least common type of attack, change the name of the theme and make it a custom theme.

Do you want to appoint a WordPress security expert? Send me a Note. I will reply with a quote.

Leave a Reply