Top 10 WordPress Security Best Practices

Are you worried about your WordPress website's security, or does your website keep getting hacked? Here are the steps I recommend taking to harden your WordPress website:

WordPress is only as secure as the people using it. In reality, nothing makes it inherently less secure than other CMS platforms. The problems start when you combine thousands of different plugins and themes with bad user practices.


Use Secure WordPress Hosting

Take advantage of secure WordPress hosting. Check that your host scans for malicious code, has firewalls in place, and so on. Managed WordPress hosts typically do this a little better, as they focus on WordPress environments 24×7.

Use a Supported PHP Version

Make sure you are running a supported version of PHP! According to WordPress stats, over 60% of users are still on PHP 5.6 or lower. Unsupported PHP versions don't get security updates and are not patched for vulnerabilities.

I highly recommend going with PHP 7.4, for both security and performance reasons.

Update Themes and Plugins Regularly

Always update your plugins, themes, and WordPress install to the latest versions. Updates often include security patches and fixes.

Use Secure Plugins and Themes on the Website

Be VERY careful when selecting the plugins and themes you are going to use. Most people think buying a $50 theme and adding some plugins makes a website "wonderful" because it looks great. But honestly, most so-called "premium" themes are junk in the backend. So make sure you read all the reviews of the theme and plugins you are going to use.

Install SSL and use HTTPS

Migrate your site to HTTPS to ensure you are using encrypted connections. Remember, if you are on HTTP and log in to your WordPress site, your login credentials are sent in plain text.

Change Admin Username

Don't use admin as your username, and always use a custom, uniquely generated password. 1234567 is not a secure password.

Change WordPress Login URL

Change your WordPress login URL from the default http://domain.com/wp-admin. This is very easy to do with the help of a plugin. I have seen it personally reduce unauthorized attempts to gain access by over 90%.

Use Two-Factor Authentication

You can take your login security one step further and use two-factor authentication on your WordPress site. The Google Authenticator plugin is completely free. Or you can go with a premium service such as Authy.

Take Regular Backups

One of the most important things is to always take backups! It doesn't matter how secure your site is, there is always a chance that something could happen. You should always have backups to fall back on in case of a disaster, hack, or unauthorized access.

Advanced Tips

Other tips include disabling XML-RPC on your site, hiding your WordPress version, and disabling file editing from within the dashboard.

Hide some WordPress files: add this code to your .htaccess file

Hide the WordPress version: add this code to your theme's functions.php file
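The three advanced tips above (hiding the version, disabling XML-RPC, disabling the dashboard file editor) put together in a single must-use plugin. This is an added example, not the snippet from the original post; the file name harden.php and the function name harden_strip_version_query are assumptions.

```php
<?php
/**
 * wp-content/mu-plugins/harden.php (assumed file name; added example, not the post's snippet)
 *
 * A must-use plugin is loaded before themes and ordinary plugins, so these
 * hooks stay in place even if the active theme is swapped. Everything here
 * could also live in the theme's functions.php, except DISALLOW_FILE_EDIT,
 * which is normally set in wp-config.php.
 */

// 1. Hide the WordPress version: remove the <meta name="generator"> tag from
//    <head> and empty the generator string used in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and styles carry ?ver=<WP version>; strip it so the version does
// not leak via asset URLs. Caveat: this also drops the cache-busting ?ver= that
// themes and plugins add to their own assets, so purge caches after deploying.
function harden_strip_version_query( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'harden_strip_version_query', 15 );
add_filter( 'style_loader_src', 'harden_strip_version_query', 15 );

// 2. Disable XML-RPC, a frequent target for credential stuffing and pingback
//    abuse, and stop advertising the endpoint via the X-Pingback header and
//    the RSD discovery link in <head>.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 3. Disable the theme/plugin file editor in the dashboard, so a compromised
//    administrator account cannot write PHP into the site from the browser.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

After deploying, confirm the change from the outside: the page source should no longer contain a generator meta tag, and a GET request to /xmlrpc.php should be refused rather than answered with the "XML-RPC server accepts POST requests only" message.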
