There are many things you can do to help secure a WordPress website. This list isn’t exhaustive, but it’s a good start. 🙂
Easy Steps | Every Site Should Do These!
- Keep WordPress, themes, and plugins updated!
- Use strong passwords – long, unique, kind of random. For example, misspell a word in a phrase: I!rockz2MakeFire%maaybe isn’t a terrible password. (A password manager like KeePass is a brilliant help here!)
- Never use "admin" as an Administrator-level username.
- Guard those Administrator-level logins; don't share them willy-nilly.
- Install a security plugin. I use WP Defender by WPMU.
- Run backups on a schedule. I use Snapshot by WPMU.
- Do not leave the database table prefix at the default "wp_". Change that "wp" to anything else, for example "jinglebells_". (I usually pick something somewhat related to the website in question.)
Moderate Steps | Not a Bad Idea
- Set up and use two-factor authentication.
- An SSL/TLS certificate (required for e-commerce sites).
- Google reCAPTCHA on the login page (also usable on other forms).
- Remove the detailed error messages on failed login attempts (they reveal whether a username exists).
- Disable login hints.
- Limit login attempts.
- Limit session length (log users out after a set time).
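Three of these steps (the generic failure message, the attempt limit and the session limit) can be enforced by WordPress itself with a small must-use plugin. The following is an added example, not code from the original post or from WP Defender; the 5-attempt / 15-minute thresholds, the 2-hour session and the lh_ names are this example's own choices. Save it as wp-content/mu-plugins/login-hardening.php and it loads automatically.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 * Description: Generic login errors, a login-attempt limit and shorter sessions.
 */
defined( 'ABSPATH' ) || exit; // Only run inside WordPress.
// 1. One generic message for every failed login, so the response no longer
//    reveals whether the username exists or only the password was wrong.
add_filter( 'login_errors', function () {
    return esc_html__( 'Login failed. Check your username and password.', 'login-hardening' );
} );

// 2. Limit login attempts: after 5 failures from one address, refuse logins
//    for 15 minutes. Failures are counted in a transient keyed by client IP.
define( 'LH_MAX_ATTEMPTS', 5 );
define( 'LH_LOCKOUT', 15 * MINUTE_IN_SECONDS );

function lh_attempt_key() {
    // REMOTE_ADDR is correct when clients reach WordPress directly; behind a
    // proxy or CDN, substitute the forwarded address that your proxy sets.
    return 'lh_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

add_action( 'wp_login_failed', function () {
    $key = lh_attempt_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out address is refused even when it finally sends the right password.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user; // wp-login.php calls this with empty fields on first load.
    }
    if ( (int) get_transient( lh_attempt_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            esc_html__( 'Too many failed logins. Try again in 15 minutes.', 'login-hardening' ) );
    }
    return $user;
}, 30, 2 );

add_action( 'wp_login', function () {
    delete_transient( lh_attempt_key() ); // A successful login clears the counter.
} );

// 3. Expire the auth cookie after 2 hours (WordPress default: 2 days, 14 with "Remember Me").
add_filter( 'auth_cookie_expiration', function () {
    return 2 * HOUR_IN_SECONDS;
} );
```

A plugin like WP Defender offers the same controls through its settings; this file shows what those settings do under the hood.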
Advanced Steps | Lock it Down!
- If there is no SSL/TLS certificate, encrypt the passwords on login.
- Limit access by IP address (in the .htaccess file).
- Use a custom login page and redirect wp-admin.
- Password-protect the wp-admin directory.
- Limit dashboard access