WordPress is one of the most popular CMSs on the web, and its popularity is well-deserved given its capabilities.
Unfortunately, this popularity is both a blessing and a curse, as it makes WordPress an attractive target for hackers; it is the most hacked CMS on the web.
A hacked website can cause a lot of damage to a business. When it comes to hacking, prevention is key. The list below should be able to significantly reduce the likelihood of your WordPress website getting hacked.
- Check with your host to see if they can strengthen the environment by adding a firewall and doing a full scan of the server on a regular basis.
- Ask the host to make sure the server operating system is up-to-date.
- Inquire with the host whether they offer a CDN with a Web Application Firewall (WAF); if they use an external service like Cloudflare, make sure to set up rules to handle requests coming to the admin folder or the login.php page.
- Ask the host to update Apache, PHP, and MySQL to recent versions that are compatible with WordPress.
- Ensure you have a remote backup service with an easy restoration process.
- Strengthen all FTP passwords and change them regularly (at least once every quarter).
- Upgrade WP and all plugins to the latest version.
- Upgrade the theme or any visual editors to the latest version.
- Create a staging server that is no more than one week behind the current site on a similar hosting environment; this will also act as a redundancy and backup.
- Install security plugins like Wordfence or Sucuri and subscribe to a paid version.
- Enforce WP password changes every month (using a plugin may be necessary), and protect the admin folder using .htaccess and .htpasswd.
- Enable 2FA and Brute Force Protection.
- Run a daily malware scan and email yourself the results or any critical alerts.
- Do a manual weekly inspection of the website (mainly the upload folder) and test the backup site every week. Check the FTP and Apache log files.
- Remove unused plugins, and check if less-used plugins could be removed.
- Use file and folder permissions to secure the website: apply 555 permissions (Linux servers only) to the plugin folder, and 444 to the config file and the .htaccess file.
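The permission scheme from the last item, as an added example that is not part of the original checklist: one function applies it and one audits it so the result can be fed into the weekly inspection. It assumes the standard WordPress layout (plugin folder at wp-content/plugins, config file wp-config.php, .htaccess in the site root) and a Linux or BSD host with `stat`.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the checklist's
# permission scheme: 555 on the plugin folder, 444 on the config file and on
# .htaccess. Paths are assumptions: wp-content/plugins, wp-config.php, .htaccess.

# mode_of <path>: print the octal permission bits (GNU stat first, BSD fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_wp_perms <wordpress-root>: apply the checklist's permissions.
harden_wp_perms() {
  root="$1"
  # 555 = r-x for owner, group and others: the web server can read and
  # traverse the plugin folder but cannot create or delete entries in it
  # (add -R to extend that to the plugin files themselves).
  chmod 555 "$root/wp-content/plugins"
  # 444 = read-only: the server only needs to read these files, so a
  # compromised PHP process cannot alter the config or rewrite rules.
  chmod 444 "$root/wp-config.php" "$root/.htaccess"
}

# check_wp_perms <wordpress-root>: return 0 if every path has the expected
# mode, 1 otherwise, printing each mismatch so it can be mailed as an alert.
check_wp_perms() {
  root="$1"
  rc=0
  for spec in "wp-content/plugins:555" "wp-config.php:444" ".htaccess:444"; do
    rel="${spec%%:*}"
    want="${spec##*:}"
    have="$(mode_of "$root/$rel")"
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $root/$rel: have $have, want $want"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: harden_wp_perms /var/www/html && check_wp_perms /var/www/html
```

With 555 on the plugin folder, installing or updating plugins from the dashboard fails until write access is temporarily restored, so pair this with the manual update step rather than relying on auto-updates.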