1. Let’s start with the basics

In this section, we will discuss the basic actions you could take in order to prevent cyber-attacks.

1.1. Keep Everything Updated

One of the most important things to keep in mind is always to make sure you use the latest version of everything: WordPress, plugins, themes, PHP. Most of the time, the new versions include bug fixes and security enhancements that could be the difference between a secure website and a vulnerable one.

In the case of PHP, make sure you run on a version above 7.1 or else you will no longer have security support.

Pay special attention to plugins single the outdated ones can often become a huge vulnerability. You should also make proper research before you download a plugin since they are open-source an and some malicious might slip through the cracks.

1.2. Use Strong Passwords

Although WordPress gives you strong default passwords, it’s important to change both default usernames and passwords. You could do that easily by choosing a strong combination of upper and lower case letters, numbers and symbols. With the newer versions of WordPress, you could also choose a new secured username and the platform will automatically generate a strong password.

Keep in mind never to tie your password to personal information and to keep it longer. And last, don’t reuse passwords.

1.3. Change Permissions

Always check your server and file permissions and make sure you specify the correct permissions for each user. Permissions for both server and files directory are “read”, “write” and “execute”. The first permission allows users to only read the files while the others, respectively, give them the right to modify and execute them as scripts. Needless to say, the latter two could cause some real damage in the wrong hands.

When it comes to this, there are three rules in terms of the permission modes.

1. There are no directories that should have 777 permission mode.
2. All directories should be 755 or 750, while files should be 644 or 640.
3. The wp-config.php file should be 440 or 400.

1.4. Use Premium WordPress Hosting

When it comes to WordPress security, if there is anything not worthy of saving money from, it’s the hosting. Unlike with shared hosting, a premium managed hosting service with expert WordPress skills takes care of your website. It will keep your software up to date, provide you with a web application firewall and basically manage your WordPress security for you.

In case of a successful cyberattack, the managed host will notify you and disable all accounts in order to run scans. Some premium services offer plans in case of accidents that grant recovery solutions.

1.5. Use Trusted Sources for Download

Stick to WordPress.org directories and always research outside sources by reading reviews and checking out the reputation of the sellers. In case you already have plugins that have been compromised, make sure to delete them.

1.6. Local Antivirus

Handling your personal machine matters as well. Make sure your OS regularly gets the newest updates. The same goes for your local antivirus software. In addition, always be cautious when you use public WiFi.

2. WordPress security essentials

After we finished with the basic security improvements, we will continue with the next 3 essential steps that could save a lot of trouble.

2.1. Schedule Backups

Always have a backup plan. Imagine the worst scenario where your website simply disappears. You will definitely wish to have a backup of your data and business in general. Scheduling backup, for example, once a day, will do the trick. There are many plugins that could help you automate the process and do it for you.

2.2. Add WordPress Security Plugin

You can count on some WordPress security plugins to automate the hard work and take care of essential such as scanning your website, monitoring your files, securing your login information and blocking hack attempts.

Below are some of the most preferable tools for this type of work.

Sucuri – A free WordPress plugin suite that packs a whole set of features designed to increase your website security. The features include blacklist monitoring, security notifications, file integrity monitoring, remote malware scanning, security activity auditing and post-hack actions. On premium, it adds a website firewall.

Wordfence – Specially built for WordPress, this is an advanced firewall and a malware scanner with the newest firewall rules, malware signatures and malicious IP addresses.

Bulletproof Security– Another AIO security tool that acts as a malware scanner, firewall, backup tool, anti-spam, and login security.

iThemes Security Pro – It features limiting login attempts, detection for file changes, strong password enforcement, lockout bad users, hides login and admin and BD backups.

2.3. Move to SSL/HTTPS

What makes HTTPS different from HTTP  is the essential TLS/SSL certificate encryption. The abbreviation stands for Hyper Text Protocol Secure, so that “s” changes everything.  It prevents from being intercepted and keeps your data secure. Another advantage of the HTTPS websites is that it could power up your SEO and help you climb the ranking as Google favors these websites.

3. Advanced settings

And last, these are the more advanced steps that will help create a powerful fence around any WordPress website and significantly protect it.

3.1. Lockdown WordPress Admin

This is another backdoor for hackers that you could take care of in order to improve your WordPress security. One way to do so is by limiting the login attempts, which we will discuss in the next step. The other is to change the default wp-admin login URL by using WPS Hide Login. It’s a free plugin that helps you change the URL of your admin login page easily. It also disables the wp-login.php so it’s advisable to bookmark the new URL.

3.2. Disable File Editing

The file editor allows you to modify the themes and plugin way easier, however, it could compromise your website should it fall into the wrong hands. You can easily disable the editor by adding this line to wp-config.php

define(‘DISALLOW_FILE_EDIT’, true);
It’s important to give the correct permissions to the other users and if possible to keep the number of admins at a minimum.

3.3. Disable PHP File Execution

Hackers often create backdoors by sliding PHP files that one could later easily mistake for the core ones. In order to prevent this, you could disable the PHP execution and directory browsing manually, however, this could appear to be very risky as the smallest misstep could seriously damage your website. Instead, you could do this by using a plugin. We recommend MalCare Security that arrives with Block PHP Execution as well.

3.4. Limit Login Attempts

This is especially good against brute force attacks that use bots to guess your password through an unlimited amount of attempts until they got it right. Plugins like Login LockDown records the IP address of every failed login attempt whenever it detects a certain number of such attempts in a short period of time, and it disables the login function.

3.5. Disable Directory Indexing

The absence of index.php returns a listing of all your files and directories which is basically a goldmine for hackers. In order to prevent your files fall into the wrong hands, you could disable the directory indexing and browsing by adding a single line of code in your .htaccess file. You can edit it by downloading it to your desktop and open it with Notepad. Add Options-Indexes to the bottom of the code and upload it back to your server.

3.6. Disable XML-RPC

XML-RPC is a protocol that custom websites use for app integration. If you aren’t using it, we recommend you to disable it because hackers can use it to enforce multiple password guesses in a single login attempt.

3.7. Add Two-step Authentication

This is one of the best ways to fight brutal force attacks as it makes it very difficult for hackers to brute force their way through the WordPress login. It requires to enter both a password and a secondary code. The latter will appear on your mobile device as a message.

We recommend Google Authenticator– it’s free and has a pretty simple interface that makes it easy to use.

3.8. Scan WP for Vulnerabilities

Frequently scanning your website for malware is essential. This is easy with well trusted and reliable WordPress security plugins.