Basic Security Guide for your WordPress Blog or Website

No bullshit, direct to the point.

  1. Prefer the manual installation of WordPress.
  2. Change the default DB table prefix from wp_ to something else, like xyzwp_. This can be done in the wp-config.php file before installation.
  3. Replace the default secret key text in wp-config file.
  4. Keep file permissions at 644.
  5. Configure the .htaccess file for better security.
  6. Move the wp-config.php file out of the public_html folder, into the directory above it.
  7. Block user access to the wp-includes folder using the .htaccess file.
  8. Disable editing of theme and plugin PHP files from the dashboard by adding the corresponding line to wp-config.php.
  9. Block access to the wp-config.php file using .htaccess:
    .htaccess file:
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
  10. Always keep your WordPress up to date. Install the latest upgrade as soon as it is released.
  11. Always update the plugins you are using.
  12. Deactivate and Remove the plugins that are not in use.
  13. Prefer plugins with good reviews (in terms of quality as well as quantity).
  14. Do not use plugins that are not being used by others, or that have not been tested properly.
  15. Back up your files and database from time to time. You can use plugins to automate this. Backups can be stored on the server or in Dropbox.
  16. Avoid using the default username (for example, admin). If one already exists, create another administrator account and delete the default admin account.
  17. Always use a strong password.
  18. Keep an eye on the “Latest Visitors” in the web server’s log files to catch potential attacks. Never treat your log files as mere information; they are highly useful for tracking and monitoring users.
  19. Change all your passwords (FTP, WP-Admin, hosting, etc.) from time to time.
  20. Keep your own system (PC, Laptop, etc.) virus free.
  21. Use your site credentials only from your own system.
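An added example, not part of the original post: a small audit script that checks the contents of wp-config.php and .htaccess against items 2, 3, 8 and 9 above. The sample file contents are constructed; DISALLOW_FILE_EDIT is the WordPress constant that removes the theme and plugin editor from the dashboard, and the Apache 2.4 form `Require all denied` is accepted alongside the `deny from all` shown in item 9.

```python
import re

# Constructed sample of a stock wp-config.php as shipped, before hardening.
STOCK_WP_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
"""

# Constructed sample after applying items 2, 3 and 8 (key values are made up).
HARDENED_WP_CONFIG = """<?php
$table_prefix = 'xyzwp_';
define('AUTH_KEY',        'c0nstructed-example-key-1');
define('SECURE_AUTH_KEY', 'c0nstructed-example-key-2');
define('DISALLOW_FILE_EDIT', true);
"""

# Constructed .htaccess without, and with, the wp-config.php block from item 9.
OPEN_HTACCESS = "RewriteEngine On\n"
CLOSED_HTACCESS = OPEN_HTACCESS + """<files wp-config.php>
Order deny,allow
deny from all
</files>
"""

def audit_wp_config(text):
    """Return a list of findings for the weak wp-config.php settings in the guide."""
    findings = []
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("item 2: table prefix is the default 'wp_'")
    # wp-config-sample.php ships every secret key with this placeholder text.
    if "put your unique phrase here" in text:
        findings.append("item 3: secret keys still contain the placeholder text")
    # DISALLOW_FILE_EDIT removes the theme/plugin editor from the dashboard.
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        findings.append("item 8: DISALLOW_FILE_EDIT is not set to true")
    return findings

def audit_htaccess(text):
    """Return findings if wp-config.php is not denied to web clients (item 9)."""
    block = re.search(r"<files\s+wp-config\.php>(.*?)</files>", text, re.I | re.S)
    # Accept the Apache 2.2 form shown in the guide and the 2.4 equivalent.
    denied = block and re.search(r"deny\s+from\s+all|Require\s+all\s+denied",
                                 block.group(1), re.I)
    return [] if denied else ["item 9: no <files wp-config.php> block denying access"]
```

Run `audit_wp_config` and `audit_htaccess` over the real files' text; an empty list means the checked items are in place.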

Some useful plugins for security:

  1. Akismet
  2. Backup Plugins
  3. Wordfence Plugin
  4. Better WP Security
  5. WP Security Scan
  6. Limit Login Attempts
  7. Google Authenticator (2-Factor Authentication)
  8. Stealth Login Page
  9. from within the WordPress admin, which is very handy.