WordPress Security Fundamentals
Core Access Protection
- Strong Passwords & Usernames: Avoid default usernames like “admin”. Use long, unique passphrases (15+ characters) with a mix of symbols and cases.
- Two-Factor Authentication (2FA): Mandatory for administrative accounts to block unauthorized access even if passwords are leaked.
- Limit Login Attempts: Use a plugin such as Wordfence to limit login attempts and temporarily block an IP address after 3–5 failed attempts.
- Custom Login URL: Move your login page from /wp-admin to a unique URL (e.g., /my-secret-entry) using a plugin such as WPS Hide Login to avoid automated brute-force bots.
Software & Maintenance
- Enable Auto-Updates: Configure WordPress to automatically update core files, themes, and plugins to immediately patch known vulnerabilities.
- The “Rule of Least Privilege”: Only grant the minimum necessary permissions to users (e.g., use the “Contributor” role for guest writers rather than “Editor” or “Admin”).
- Remove Unused Extensions: Delete any inactive themes or plugins; even if deactivated, their files can still be exploited.
Technical Hardening
- SSL/HTTPS: Always ensure your site has a valid SSL certificate to encrypt data transmission between users and the server.
- Web Application Firewall (WAF): Implement a firewall (e.g., via Cloudflare or Sucuri) to filter out malicious traffic before it reaches your site.
- Secure File Permissions: Set folders to 755 and files to 644. For sensitive files like wp-config.php, use stricter 600 or 400 permissions.
- Disable File Editing: Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file to prevent hackers from editing your themes or plugins through the dashboard.
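As an added example (not part of the original checklist), a POSIX shell function that audits a WordPress document root against the permission model and the DISALLOW_FILE_EDIT setting above; the root path it is pointed at and the file layout beneath it are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the original checklist. Checks a WordPress
# document root against: directories 755, files 644, wp-config.php 600 or 400,
# and a live define('DISALLOW_FILE_EDIT', true) in wp-config.php.
# Assumes POSIX find/grep. Prints each deviation and returns their count
# (0 = clean; counts above 255 are truncated by the shell's return).
# Usage: audit_wp /var/www/html   (path is an assumed example)
audit_wp() {
  root="$1"
  n=0

  # Directories whose mode is not exactly 755 (also catches 775/777 and set-id bits)
  dirs=$(find "$root" -type d ! -perm 755)
  if [ -n "$dirs" ]; then
    echo "Directories not 755:"; echo "$dirs"
    n=$((n + $(echo "$dirs" | wc -l)))
  fi

  # Regular files whose mode is not exactly 644 (wp-config.php is checked separately)
  files=$(find "$root" -type f ! -name wp-config.php ! -perm 644)
  if [ -n "$files" ]; then
    echo "Files not 644:"; echo "$files"
    n=$((n + $(echo "$files" | wc -l)))
  fi

  cfg="$root/wp-config.php"
  if [ -f "$cfg" ]; then
    # wp-config.php holds database credentials and salts: owner-only 600 or 400
    if ! find "$cfg" \( -perm 600 -o -perm 400 \) | grep -q .; then
      echo "wp-config.php is not 600 or 400"; n=$((n + 1))
    fi
    # The define must be an active line set to true; a commented-out line does not count
    if ! grep -Eq '^[[:space:]]*define[[:space:]]*\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)' "$cfg"; then
      echo "wp-config.php does not define DISALLOW_FILE_EDIT as true"; n=$((n + 1))
    fi
  else
    echo "no wp-config.php found under $root"; n=$((n + 1))
  fi
  return "$n"
}
```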
Backup & Recovery
- Automated Off-site Backups: Schedule weekly or daily backups that are stored outside your web server (e.g., Dropbox or Google Drive).
- Integrity Checks: Regularly test your backups by performing a partial restoration to ensure the data is valid.