- Ensure that all administrative connections (wp-admin, cPanel) run over HTTPS, so credentials and session cookies are never sent in clear text
- Use a strong, unique password and check its strength with a password checker, e.g. `n*S*Vx7az$k'ubA)`
- Use a reputable hosting platform, e.g. Bluehost, SiteGround
- Always update to the latest supported version of PHP
- Check whether a plugin has known vulnerabilities before installing it
- Always update all plugins to their latest version
- Use an automatic backup tool, e.g. UpdraftPlus
- Add a security plugin: Sucuri, Wordfence, Jetpack
- Do not use the username `admin` for any account
- Limit access to vulnerable directories and sensitive files, e.g. `/wp-content/uploads/`, where user-supplied files land and must never be executed as PHP

File: `/wp-content/uploads/.htaccess`
```apache
# Disallow code execution: refuse to serve any .php file from this directory.
# "deny from all" is Apache 2.2 syntax (mod_access_compat on 2.4);
# the native Apache 2.4 equivalent is "Require all denied".
<Files *.php>
deny from all
</Files>
```
- Limit login attempts, so password guessing against wp-login.php is throttled
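The checklist names login-attempt limiting but shows no code for it. The must-use plugin below is an added example, not part of the original page or of any listed plugin; it uses only the WordPress hooks `wp_login_failed`, `authenticate` and `wp_login` and stores a per-client failure counter in a transient. The file name, the `lla_` prefix, the threshold of 5 attempts and the 15-minute lockout are this example's own choices.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * File: wp-content/mu-plugins/limit-login-attempts.php  (mu-plugins load automatically)
 */

define( 'LLA_MAX_ATTEMPTS', 5 );                      // failures before lockout (example value)
define( 'LLA_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout window (example value)

/**
 * Transient key for the calling client.
 * Assumes REMOTE_ADDR is the real client address; behind a reverse proxy,
 * configure the web server to set REMOTE_ADDR from the proxy header instead
 * of trusting X-Forwarded-For here, since clients can forge that header.
 */
function lla_client_key(): string {
	$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
	return 'lla_fail_' . md5( $ip );
}

// Count each failed login per client address; the transient expires with the lockout window.
add_action( 'wp_login_failed', function ( string $username ): void {
	$key      = lla_client_key();
	$attempts = (int) get_transient( $key );
	set_transient( $key, $attempts + 1, LLA_LOCKOUT_SECONDS );
} );

// Refuse authentication once the threshold is reached. Priority 30 runs after
// wp_authenticate_username_password (20), which would otherwise overwrite an
// earlier WP_Error with its own result.
add_filter( 'authenticate', function ( $user, string $username, string $password ) {
	if ( (int) get_transient( lla_client_key() ) >= LLA_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			'Too many failed login attempts. Please try again later.'
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
	delete_transient( lla_client_key() );
}, 10, 2 );
```

Because the rejection returned from `authenticate` is itself a `WP_Error`, it also fires `wp_login_failed`, so every attempt made during a lockout extends the window. Transients live in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers of the site.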
- Disable directory browsing, so a directory without an index file does not list its contents

File: `.htaccess`
```apache
# Add at the end of the file
Options -Indexes
```
- Disable the Theme and Plugin Editors, so an attacker who obtains an administrator session cannot edit PHP files from wp-admin

File: `wp-config.php` (above the line that requires `wp-settings.php`)
```php
// Keep WordPress core updated automatically
define( 'WP_AUTO_UPDATE_CORE', true );
// Disallow file edit: removes the Theme and Plugin editors from wp-admin
define( 'DISALLOW_FILE_EDIT', true );
```

The `add_filter()` calls for automatic theme, plugin and translation updates must not go in `wp-config.php`: that file runs before WordPress loads its plugin API, so they fail with "Call to undefined function add_filter()". Put them in a must-use plugin instead (file name chosen here):

File: `wp-content/mu-plugins/auto-updates.php`
```php
<?php
// Auto-update themes, plugins and translations
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );
```
- Use a two-factor authentication plugin
- Disable XML-RPC, which exposes `xmlrpc.php` to credential-guessing via `system.multicall` and to pingback abuse (note that Jetpack relies on XML-RPC, so keep it reachable from Jetpack's servers if you use that plugin)

File: `.htaccess`
```apache
# Block WordPress xmlrpc.php requests (Apache 2.2 syntax; on 2.4 the
# equivalent is "Require all denied" plus "Require ip <address>")
<Files xmlrpc.php>
order deny,allow
deny from all
# 123.123.123.123 is a placeholder: replace with a trusted address
# that still needs XML-RPC, or remove the line to block it entirely
allow from 123.123.123.123
</Files>
```