Here are easy to implement WordPress security tips that you can use to make your WordPress website or blog more secure.
As a web hosting company that offers 1-click WordPress installation that customers can use to start a WordPress-powered website in minutes, it is often shockingly disturbing when after the installation has completed, the customer goes his or her merry way leaving the installation without making an effort to protect the website against security threats.
It is true that our WordPress hosting infrastructure comes with a multi-layered defense architecture that ensures precision targeting and eradication of malware and viruses, there are still required steps that a customer can take to ensure that their WordPress website is secure starting at the front line level which they have absolute control of.
Below are some easy-to-follow tips that you can use to strengthen and augment what our security team is doing to protect you:
- customize and rename the login page URL instead of using the /wp-login.php, /wp-login.php?action=r or /wp-admin/
- add security questions to the WordPress login screen.
- enable two-factor authentication using https://wordpress.org/plugins/miniorange-2-factor-authentication/.
- use Trusona (https://wordpress.org/plugins/trusona/)
- secure the /wp-admin with cPanel Directory Privacy.
- ensure that WordPress is not using the wp- table prefix during installation and that the database has a strong password that is at least 45 in length.
- the default “admin” username should never be used during the installation.
- chmod wp-config.php file to 0400.
- disallow file editing by adding “define(‘DISALLOW_FILE_EDIT’, true);” to wp-config.php.
- ensure that directory listing is disabled with .htaccess.
- block all hotlinking.
- ensure that automatic update is enabled for the theme and plugin during installation. The WordPress version number should be removed.
- disable XML-RPC
- ensure that a plugin that limits login attempts and brute-force is installed. This can be achieved too with the right cPanel config.
- rotate WordPress security keys every 3 months (https://api.wordpress.org/secret-key/1.1/salt/).
- use SiteLock to scan the website daily and/or simply run the website via Cloudflare which we provide via cPanel integration.
- by default, WordPress username and this an all-out invitation to hackers and spammers as it indicates a WordPress owner that doesn’t care or understand much about the security of his or her WordPress website. Login to your WordPress dashboard and in the sidebar, hover over the Users menu item and click on the Your Profile link. You’ll be able to select from a few variations of the above name inputs, including a nickname.
And of course if you really want a super-fast WordPress website that can be as secure as Fort Knox, host your WordPress on Web Hosting Magic for the sweetest WordPress experience.
These, if followed religiously, are more than enough to keep your WordPress installation safe.