1. Know your surroundings
If you don’t know anything about Linux, Unix, Apache, and other solutions you are using to power your website, you are going to have a very difficult time keeping your server secure. For instance, those of you who know your Linux can rely on tools such as hunter to look for backdoors. The same approach applies to WordPress too. You should spend a considerable amount of time getting yourself familiar with how themes and plugins affect your site’s performance and security.
2. Stay Updated!
Keeping your WordPress install, themes, and plugins updated should go without saying, but this can not be stressed enough. A majority of vulnerabilities come from themes and plugins that are not up to date. If you don’t update old plugins or themes, you might get hacked. If you have multiple websites, you may want to rely on solutions such as ManageWP to handle the updates.
3. Be Choosy About Your Plugins
Be sure to do a little due diligence when you select a plugin to use. You should be sure that the plugin developer is active. You can view these details in the WordPress plugin repository. Check to see when the last update was, check to see how many times it’s been downloaded, and check the user ratings. Not all plugin developers write secure code. Unless you rigorously test every plugin that you install on your website for security issues, you should try to limit your choices to those you feel confident about using.
4. Remove Admin User
This a very basic practice that many WordPress users follow these days. There are multiple ways to do it too
5. Restrict Admin Access by IP
There are a number of different techniques to accomplish this task. You can use plugins, these plugins limit the number of times someone can get username/password pair wrong. It alerts you when your site is under attack and bans abusive IPs. You can manage the .htaccess file, if you are using Apache as your main web server, you could use your .htaccess file to harden WordPress.
6. Move your wp-config file
Moving your wp-config.php file one directory up is a good practice. Make sure you get the permissions right.
7. .htaccess optimization
.htaccess files are very important. You can use them to protect certain parts of your site and make your site run more smoothly.
8. Use Secure FTP
You should not download/upload files to your server without enabling SFTP on your server first. Ask your web host to help you out if you don’t know how to do this.
9. Backup your website
This shoud be a no brainer. Disasters happen all the time. If you do not have your file backups stored offsite, you are going to have a difficult time bouncing back. VaultPress is a great backup solution for WordPress.
10. Monitor file changes
Not all hack attacks happen overnight. Sometimes, hackers take weeks to implement their plans. By monitoring file changes on your website, you will be able to catch them before they can do real damage.
