No bullshit, direct to the point.
- Prefer the manual installation of wordpress.
- Change default DB Table Prefix from wp to something else like xyzwp. This can be done through wp-config.php file before installation.
- Replace the default secret key text in wp-config file.
- Keep file permissions as 644
- Configure .htaccess file for better security
- Move the wp-config.php file to the root than the public_html folder
- Block user access to wp-includes folder using htaccess file
- DisableTheme’s PHP Files Editing, add following line in wp-config.php
Disable File Editing, add following line in wp-config.php
- Block access to wp-config file using htaccess
deny from all
- Always keep your WordPress up to date. Install the latest upgrade as soon as the upgrade is released.
- Always update the plugins you are using.
- Deactivate and Remove the plugins that are not in use.
- Prefer to use plugins with good reviews (in terms of quality as well as quantity)
- Do not use plugins which have not being used by, or which have not been tested properly.
- Backup your files and database from time to time. You can use plugins to automate this. Backups can be stored on server or dropbox
- Avoid using the default username (example: admin, etc.). If already created create another account and delete default admin account
- Always use a strong password.
- Keep an eye on “Latest Visitors” in the Web Server’s log files for catching potential attacks. Never consider your log files just a piece of information. It is highly useful in tracking and monitoring the users.
- Keep changing your all passwords like FTP, WP-Admin, hosting etc from time to time.
- Keep your own system (PC, Laptop, etc.) virus free.
- Always try accessing the site credentials from your own system only.
Some useful plugins for security:
- Backup Plugins
- Wordfence Plugin
- Better WP Security
- WP Security Scan
- Limit Login Attempts
- Google Authenticator (2-Factor Authentication)
- Stealth Login Page
- from within the WordPress admin, which is very handy.