• Always use strong passwords, everywhere: in your WordPress accounts, databases, FTP accounts, email, etc. Create a rule to build strong but easy-to-remember passwords, and stick to it. Use a password manager like LastPass.com.
  • From a security viewpoint, managed or VPS hosting is better than shared hosting. WPEngine and Siteground are some of the best managed hosting providers.
  • Change the WordPress table prefix
    In wp-config.php, change $table_prefix = 'wp_'; to something like $table_prefix = 'newsite_wp_';
  • In wp-config.php, generate and apply unique authentication keys and salts
    Use the wordpress.org service at https://api.wordpress.org/secret-key/1.1/salt/
  • Create the main administrator account avoiding obvious names like ‘admin’ or the like. Use a hard-to-guess login name and a strong password. Set a nickname for this account that differs from its login name, and use that nickname as the public display name when publishing posts and pages. Delete the default ‘admin’ account.
  • Disable pingback and trackback notifications from the admin panel (Settings / Comments) to prevent their abuse in DDoS attacks.
  • In the .htaccess file in the main WordPress installation folder, add the following lines to protect sensitive files:
    # Deny directory listing
    Options -Indexes
    # Block sensitive files
    <Files .htaccess>
    Order allow,deny
    Deny from all
    </Files>
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

  • Create a new .htaccess file in the /wp-admin folder and add the following lines:
    # Block the installer files
    <Files install.php>
    Order allow,deny
    Deny from all
    </Files>
    <Files setup-config.php>
    Order allow,deny
    Deny from all
    </Files>

  • Check the robots.txt file and make sure it doesn’t allow access to your WordPress installation folders and files.
  • Apply proper permissions to folders and files
    Set all folder permissions to 755 and all files to 644. Set wp-config.php to 600 and .htaccess to 604.
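As an added example (not part of the original checklist), a Python script that applies this mode table to a WordPress tree, reports every entry it had to change and can preview the run with dry_run=True; the over-permissive sample tree it builds is constructed for the demo, not taken from a real site.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode table from the checklist above: folders 755, files 644,
# wp-config.php 600 and .htaccess 604.
DIR_MODE, FILE_MODE = 0o755, 0o644
SPECIAL_FILE_MODES = {"wp-config.php": 0o600, ".htaccess": 0o604}

def wanted_mode(path: Path) -> int:
    """Mode the checklist prescribes for this directory or file."""
    if path.is_dir():
        return DIR_MODE
    return SPECIAL_FILE_MODES.get(path.name, FILE_MODE)

def current_mode(path: Path) -> int:
    """Permission bits only, read without following symlinks."""
    return stat.S_IMODE(path.lstat().st_mode)

def harden_permissions(root, dry_run=False):
    """Set every entry under root to its prescribed mode (preview with dry_run).
    Returns (relative_path, old_mode, new_mode) for each non-compliant entry.
    Symlinks are skipped so chmod never follows a link out of the tree."""
    root = Path(root)
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(Path(dirpath, name) for name in dirnames + filenames)
    changes = []
    for path in entries:
        if path.is_symlink():
            continue
        old, new = current_mode(path), wanted_mode(path)
        if old != new:
            changes.append((str(path.relative_to(root)), old, new))
            if not dry_run:
                path.chmod(new)
    return changes

def build_sample_tree() -> Path:
    """Constructed, deliberately over-permissive tree for trying the function."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    for rel, mode in {"wp-config.php": 0o666, ".htaccess": 0o644,
                      "wp-content/uploads/image.php": 0o777}.items():
        (root / rel).write_text("# sample file\n")
        (root / rel).chmod(mode)
    (root / "wp-content").chmod(0o777)
    return root
```

Run harden_permissions(build_sample_tree()) to see the list of corrections; a second run on the same tree returns an empty list.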
  • Block PHP scripts in folders
    Create a new .htaccess file inside the “/wp-content/uploads”,
    “/wp-content/plugins” and “/wp-content/themes” folders, and add the following lines to block PHP execution:
    <Files *.php>
    Deny from all
    </Files>

  • Disable file editing in WordPress
    Apply the following in wp-config.php:
    define( 'DISALLOW_FILE_EDIT', true );

    An additional security measure is to prevent users from installing themes and plugins, with the following line:

    define( 'DISALLOW_FILE_MODS', true );

    Remember to change this setting to ‘false’ whenever you want to add new themes or plugins.
    Any changes to the wp-config.php file must be inserted before the following line of code:

    /* That's all, stop editing! Happy blogging. */
  • Use a CDN such as Cloudflare as your DNS provider
  • Backup your website
    • Keep 3 backups
    • in 2 different formats
    • 1 of them in a different physical location

    Install an automatic backup solution or plugin, like Updraft Plus, VaultPress or BackupBuddy.

  • Install a TLS certificate (Let’s Encrypt) and serve the site over HTTPS
    You may need to install a plugin to force HTTPS for all resources requested by your website. You should also force your administrative sessions to use HTTPS, adding the following lines to wp-config.php:
    // FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN also covers the login page
    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

  • Disable login error hints
    To avoid hints about whether the username or the password was wrong, add the following lines to functions.php (the message can be customized):
    function no_wordpress_login_errors() {
        return 'thanks for trying, but this website is protected';
    }
    // The callback must be passed by name, as a string
    add_filter( 'login_errors', 'no_wordpress_login_errors' );

  • Install firewall and security plugins, like Wordfence, Sucuri and others.
  • Move your login page
    Bots look for the /wp-admin path. Use a plugin like WPS Hide Login.
  • Password Protect WordPress Admin and Login Page
  • Limit login attempts
    This can be done with Wordfence or other security plugins.
  • Add Security Questions to WordPress Login Screen. Use the WP Security Questions plugin.
  • Use secure headers
    Prevent external frames or iframes from embedding pages of your website with the following line in the .htaccess file:
    Header set X-Frame-Options SAMEORIGIN

    To allow framing from a trusted domain:

    Header set X-Frame-Options "ALLOW-FROM https://example.com/"

    To enable the browser's built-in filter against reflected XSS:

    Header set X-XSS-Protection "1; mode=block"

    Use the following to block scripts from external sources while allowing trusted ones like Google Analytics. Both directives must go in a single Header set line, because a second Header set for the same header replaces the first:

    Header set Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com;"

    Be careful when applying this setting: it may break useful external services, so test it.
    To stop the browser from loading scripts or styles whose MIME type does not match the declared one:

    Header set X-Content-Type-Options "nosniff"
  • Prevent XML-RPC attacks
    To block access to the file xmlrpc.php, add the following lines to the .htaccess file:
    # Deny access to xmlrpc.php
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>

    To avoid blocking a trusted domain or service (Jetpack, WordPress.com), access may be granted to its IP address:

    # Deny access to xmlrpc.php except from a trusted IP address
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    Allow from X.X.X.X
    </Files>

  • Disable the JSON REST API
    Add the following lines to functions.php:
    // These filter names come from the WP REST API plugin (v1);
    // the REST API built into WordPress core does not use them
    add_filter('json_enabled', '__return_false');
    add_filter('json_jsonp_enabled', '__return_false');

    Alternatively, install the Disable REST API plugin, or the iThemes Security plugin, which keeps the REST API working while granting access only to selected users.

  • Install only trustworthy themes and plugins
  • Hide information about the WordPress version
    Paste the following code into functions.php:
    /*
    Hide the WordPress version from script and style URLs
    */
    function SG_remove_wp_version_strings( $src ) {
        global $wp_version;
        $query_string = parse_url( $src, PHP_URL_QUERY );
        if ( empty( $query_string ) ) {
            return $src; // no query string, nothing to strip
        }
        parse_str( $query_string, $query );
        if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'script_loader_src', 'SG_remove_wp_version_strings' );
    add_filter( 'style_loader_src', 'SG_remove_wp_version_strings' );
    /*
    Remove the generator tag from the header
    */
    function SG_remove_wp_generator() {
        return '';
    }
    add_filter( 'the_generator', 'SG_remove_wp_generator' );


    Also add the following lines to .htaccess:

    # Block files that reveal the WordPress version
    <Files readme.html>
    Order allow,deny
    Deny from all
    </Files>
    <Files license.txt>
    Order allow,deny
    Deny from all
    </Files>

  • Disable PHP error notifications
    Add the following to wp-config.php:
    error_reporting( 0 );
    ini_set( 'display_errors', 0 );
    
  • Hide info about (Apache) server and PHP
    Add the following to .htaccess:
    ServerSignature Off

    To hide info about PHP version, you may add the following to .htaccess:

    Header unset X-Powered-By
    

    or you may add the following to php.ini:

    expose_php = Off
    
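The following Python checker is an added example, not part of the original checklist: it audits one response's headers against the secure-headers and server-information items above, parsing the Content-Security-Policy into directives. It treats ALLOW-FROM as a finding because current browsers ignore that value, and it flags version strings in Server and X-Powered-By; both sample header sets are constructed for the demo.

```python
import re

# Constructed response headers (not captured from any real site). SAMPLE_GOOD
# is what the .htaccess lines above should produce; SAMPLE_WEAK shows common
# mistakes: ALLOW-FROM, a CSP whose default-src was lost because a second
# `Header set Content-Security-Policy` replaced the first, and version strings.
SAMPLE_GOOD = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' www.google-analytics.com;",
    "Server": "Apache",
}
SAMPLE_WEAK = {
    "X-Frame-Options": "ALLOW-FROM https://example.com/",
    "Content-Security-Policy": "script-src 'self' www.google-analytics.com;",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
}

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    """Check one response's headers against the checklist; return findings."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options is missing or uses ALLOW-FROM, which "
                        "current browsers ignore; use SAMEORIGIN or DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("default-src") != ["'self'"]:
        findings.append("CSP has no default-src 'self' (check that only one "
                        "Header set Content-Security-Policy line exists)")
    if "'unsafe-inline'" in csp.get("script-src", []):
        findings.append("CSP script-src allows 'unsafe-inline'")
    if "x-powered-by" in h:
        findings.append("X-Powered-By leaks the PHP version (Header unset / expose_php = Off)")
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Server header leaks the web server version")
    return findings
```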
  • Keep your WordPress updated
    It’s good practice to update the WordPress core manually, while reading about fixes and new functionalities. Themes and plugins should be updated after the core. If you prefer automatic core updates, you can add the following lines to wp-config.php:
    define( 'WP_AUTO_UPDATE_CORE', true );
    

    To automatically update plugins, add the following lines to functions.php:

    add_filter( 'auto_update_plugin', '__return_true' );
    

    To automatically update themes, add the following lines to functions.php:

    add_filter( 'auto_update_theme', '__return_true' );
    
  • If your site has been hacked, get help from Wordfence or Sucuri, or fix it yourself.
  • More info here.