I find it easy to obsess over WP security practices and to get lost in minutiae, things like changing database table prefixes and obfuscating my admin user name: worthwhile habits, but with little practical security value. Here is my list of the top seven essential WP security measures, in rough order of importance. All of them can be implemented free of charge.
- Backups: Always have an up-to-date backup stored off my site.
- Updates: Keep WordPress core, themes, and plugins updated. I chose automatic updates over manual ones.
- Passwords: Strong, unique passwords for the WP admin login, cPanel, SFTP, CloudFlare, email, host, and registrar accounts.
- Firewall: Block malicious requests before they reach WordPress. I use the 6G Firewall from Jeff Starr at Perishable Press.
- CloudFlare page rules for login security: Keep bad bots completely off my login page.
- Limit Login Attempts: Throttle the brute-force logins that get past the bot filter. I use Limit Login Attempts Reloaded.
- HTTPS (SSL/TLS): No eavesdropping, please. I use a free Let's Encrypt certificate on the origin, paired with CloudFlare's Full (strict) SSL mode.
Additional measures that do not make my "Top 7" but are, in my view, good practice: DNSSEC; redirecting 'http' requests to 'https'; HSTS; TLS; the CloudFlare security level setting; blocking directory browsing; and restricting web access to .htaccess and wp-config.php.
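The origin-side items from that list (the http-to-https redirect, HSTS, blocking directory listings, and the .htaccess / wp-config.php restriction) expressed as one Apache .htaccess fragment. This is an added example, not the 6G Firewall and not this site's own file; it assumes Apache 2.4 with mod_rewrite and mod_headers enabled, an AllowOverride that permits Options and FileInfo directives, and example.com as the canonical hostname. Two caveats a practitioner will want: the redirect is safe behind CloudFlare only in Full or Full (strict) mode, because CloudFlare then reaches the origin over the same scheme the visitor used; in Flexible mode the origin sees plain http for every request and the rule loops. And browsers only honour HSTS on an https response, so the header is conditioned on the HTTPS environment variable and starts with a short max-age to be raised once every subdomain serves a valid certificate.

```apache
# Added example: Apache 2.4 .htaccess hardening fragment for a WordPress root.
# Not the 6G Firewall and not a live config. Assumes mod_rewrite, mod_headers,
# AllowOverride Options FileInfo, and example.com as the canonical host.

# 1. Send every plain-http request to its https equivalent (301 is cached).
#    A literal hostname is used rather than %{HTTP_HOST} so an attacker cannot
#    steer the redirect with a forged Host header on a catch-all vhost.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

# 2. HSTS, emitted only when the request itself arrived over TLS (env=HTTPS).
#    max-age=86400 (one day) is a deliberately cautious starting value; raise
#    it to 31536000 once http-to-https works on every subdomain.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=86400; includeSubDomains" env=HTTPS
</IfModule>

# 3. No auto-generated directory listings for folders without an index file.
Options -Indexes

# 4. Deny web access to .htaccess and wp-config.php. Apache's stock config
#    already hides .ht* files; restating it here survives a changed httpd.conf.
<FilesMatch "^(\.htaccess|wp-config\.php)$">
    Require all denied
</FilesMatch>
```

Place this block above the `# BEGIN WordPress` marker so WordPress can keep rewriting its own rules beneath it, and keep it even though CloudFlare can do the redirect and HSTS at the edge: the origin rules are what still hold if the proxy is bypassed or removed.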
The official WordPress Codex offers additional advice on hardening WordPress.
WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.