16 Steps to Secure Your WordPress Website in 2023

WordPress is one of the most popular CMSs on the web, and its popularity is well-deserved given its capabilities.

Unfortunately, this popularity is both a blessing and a curse, as it makes WordPress an attractive target for hackers; it is the most hacked CMS on the web.

A hacked website can cause a lot of damage to a business. When it comes to hacking, prevention is key. The list below should be able to significantly reduce the likelihood of your WordPress website getting hacked.

1. Check with your host to see if they can strengthen the environment by adding a firewall and doing a full scan of the server on a regular basis.
2. Ask the host to make sure the server operating system is up-to-date.
3. Inquire with the host if they offer a CDN with a Web Application Firewall (WAF), or if they use an external service like Cloudflare, make sure to setup rules to handle requests coming to the admin folder or the login.php page.
4. Ask the host to update Apache, PHP, and MySQL to recent versions that are compatible with WordPress.
5. Ensure you have a remote backup service with an easy restoration process.
6. Strengthen all FTP passwords and change them regularly (at least once every quarter).
7. Upgrade WP and all plugins to the latest version.
8. Upgrade the theme or any visual editors to the latest version.
9. Create a staging server that is no more than one week behind the current site on a similar hosting environment; this will also act as a redundancy and backup.
10. Install security plugins like Wordfence or Sucuri and subscribe to a paid version.
11. Enforce WP password changes every month (using a plugin may be necessary), and protect the admin folder using .htaccess .htpasswod
12. Enable 2FA and Brute Force Protection.
13. Apply a daily Malware Scan and email yourself the results or any critical alerts.
14. Do a manual weekly inspection to the website (mainly the upload folder) and test the backup site every week. Check FTP and Apache log files
15. Remove unused plugins, and check if less-used plugins could be removed.
16. Use file and folder permissions to secure the website by applying 555 permissions (linux servers only) to the plugin folder, 444 for the config file and the .htaccess file.