- Keep WordPress updated
- Keep plugins updated
- Only use trusted plugins
- Only use trusted themes
- Choose a secure password
- No “admin” username
- Decent hosting
- Keep regular backups
- Restrict login attempts (use iThemes Security)
- Switch on SSL encryption
- Change database prefix
- Two-factor authentication (use Google Authenticator)
- Monitor what’s happening
- Block access to system files
# protect files
<files wp-config.php>
Order deny,allow
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files># Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule> - Build your own firewall
- Hide .htaccess file
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow, deny
deny from all
satisfy all
</Files> - Protect WP-Admin area
- Block PHP in uploads folder
<Files *.php> Deny from All </Files>
- Tighten PHP configuration
; Disable allow_url_fopen in php.ini for security reasons
allow_url_fopen = Off
; Disable allow_url_include in php.ini for security reasons
allow_url_include = Off
; Disable display_errors in php.ini for security reasons
display_errors = Off
log_errors = On - Create your own encryption keys
- Folder permissions
Source: Primary Image