Best recommendations to protect your WordPress website

WordPress is a free, open-source content management system used to create and manage websites without needing much coding (WordPress.com: Everything You Need to Build Your Website).

The tool let you build (The Build websites, write blog posts, Design pages, Manage content easily) from a dashboard.

WordPress itself is secure, but poor setup such as (Weak passwords, Outdated plugins and others) can make a site vulnerable which leads to the threat actors targeting your website.

To prevent it, we need to follow some recommendations. Let’s have a look at them.

Recommendations:

• Update WordPress core, themes regularly
• Auto update for the plugin or regularly scan to detect any vulnerability
• Delete unused plugins, themes
• Use long, unique passwords not reused anywhere
• Change the default “admin” username
• Enable 2FA (two-factor authentication)
• Block malicious traffic
• Limit login attempts
• Install an SSL certificate such as Let’s Encrypt
• Daily or weekly backups
• DDOS protection plugin
• Maintenance windows plugin
• Plugin to accept or refuse the usage of Cookies
• Banner for GDPR or Privacy plugin
• Reduce brute-force attacks on your WordPress site by hiding wp-login.php changing the login URL so bots can’t easily find it.
• Store backups off-site
• Change default database prefix for example mywebsite.com/wp-admin to mywebsite.com/change
• Restrict file permissions:
• wp-config.php contains your database credentials, security keys, and sensitive settings, so it should be protected by following the recommendations:
• Move wp-config.php outside web root
• Add .htaccess protection
• Set permissions to 400/440
• Disable file editing plugin if not needed
• Disable XML-RPC if not needed
• Hide WordPress version
• Use a Web Application Firewall
• Hide all the webpage or make them not accessible for example
• Add to robots.txt. For example:

User-agent: *
Disallow: /

Or

Block access via .htaccess:

Order Deny,Allow

Deny from all

Allow from YOUR_IP

 

• Protecting phpMyAdmin is critical because if someone gets access, they can control your entire WordPress database (users, passwords, content, everything).
• Change or hide phpMyAdmin URL:

Default URLs:

/phpmyadmin
/pma
/mysql

 

Like you see, they are many configurations and settings to implement to make your WordPress website more secure. Be aware that security should be the first step to start your WordPress journey.