1) Make sure your WordPress installation (core, themes and plugins) has the latest updates.
2) Minimize the number of plugins you use and delete the ones you don't need; a disabled plugin is still code on disk that can be reached directly.
3) Use strong, unique passwords that are difficult to crack, for WordPress, FTP/SSH and the database alike.
4) Perform regular backups of both the database and the files, and keep them off the web server.
5) Protect your WordPress installation with .htaccess or with security plugins. If you don't want to use plugins, the .htaccess rules below show how to configure it. The rules use the Apache 2.2 access-control syntax (order/allow/deny), which Apache 2.4 only accepts with mod_access_compat loaded; on a 2.4-only server use "Require all denied" and "Require all granted" instead.
a) Edit .htaccess directly, or through the file editor of the WordPress SEO plugin by Yoast.
b) Protect wp-config.php: append the following at the bottom of the root .htaccess file
<files wp-config.php>
order allow,deny
deny from all
</files>
c) Prevent directory browsing
# directory browsing
Options All -Indexes
d) Disable hotlinking of your images
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Do not forget to replace YourDomain with your own domain, escaping the dot (e.g. example\.com). The first RewriteCond lets requests with an empty Referer through, so direct visits and browsers that strip the Referer still get the images.
e) Protect the /wp-content directory: put the following in a separate .htaccess file inside wp-content (in the root .htaccess it would lock out the whole site). It denies everything except the listed static types, so extend the list with any other asset types your theme serves (fonts, svg, pdf, video), and test your plugins afterwards: a plugin that calls one of its own PHP files under wp-content directly will break.
order deny,allow
deny from all
<files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</files>
f) Protect the .htaccess file itself (the pattern matches every .hta* file, so a .htpasswd file in the web root is covered too)
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
g) Secure wp-includes: add the block below to the root .htaccess, outside the # BEGIN WordPress ... # END WordPress section, because WordPress rewrites that section whenever the permalink settings change. On a multisite install the rule for wp-includes/*.php also blocks ms-files.php and breaks media serving, so drop that one line there.
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
h) Disable file editing from the dashboard: add this line to wp-config.php
define('DISALLOW_FILE_EDIT', true);
i) Block simple script injection through the query string: add the following to the .htaccess inside wp-content
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
The first condition must contain the angle brackets, (\<|%3C).*script.*(\>|%3E), so that it matches a <script> tag whether it arrives raw or URL-encoded. If your host forbids +FollowSymLinks, use Options +SymLinksIfOwnerMatch instead. Note that mod_rewrite rules in a subdirectory's .htaccess replace those of the parent directory: a RewriteEngine On here switches off the hotlink rules from d) for everything under wp-content unless you add RewriteOptions Inherit at the top of this file (or keep these conditions in the root .htaccess next to the hotlink rules).
j) Do not use the default table prefix wp_ (set $table_prefix in wp-config.php before running the installer).
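The rules in a) to j) are easy to get subtly wrong (a typo in a <files> pattern, a rule inside the # BEGIN WordPress block that gets overwritten, a wp-content/.htaccess that silently disables the root rewrite rules), so after applying them check the site from the outside. The script below is an added example, not part of the original list: it requests each protected path with curl and compares the HTTP status with what the rule should produce. The site URL https://example.com and the image /wp-content/uploads/test.jpg are assumptions for the example; replace them with your own.

```shell
#!/bin/sh
# Black-box check of the .htaccess rules from item 5: request each protected path and
# compare the HTTP status with what the rule should produce. Assumptions (constructed
# for this example): the site is reachable at $SITE and has an uploaded image at
# /wp-content/uploads/test.jpg; change both to match your install.
SITE=${SITE:-https://example.com}

# Fetch a URL and print only the HTTP status (000 if the connection failed).
# -g turns off curl's [] globbing so that GLOBALS[x] is sent literally.
http_code() {
  url=$1; shift
  curl -s -g -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Compare expected and actual status: prints PASS/FAIL, returns 0/1.
verdict() {
  if [ "$1" = "$2" ]; then
    echo "PASS ($2)"
  else
    echo "FAIL (expected $1, got $2)"
    return 1
  fi
}

# check DESCRIPTION EXPECTED_STATUS URL [extra curl options]
check() {
  desc=$1; expected=$2; url=$3; shift 3
  actual=$(http_code "$url" "$@")
  status=0
  result=$(verdict "$expected" "$actual") || status=$?
  printf '%-32s %s\n' "$desc" "$result"
  return $status
}

run_checks() {
  fails=0
  img=$SITE/wp-content/uploads/test.jpg
  # 5b: wp-config.php must not be served
  check "wp-config.php denied"        403 "$SITE/wp-config.php"              || fails=$((fails + 1))
  # 5c: a directory without an index file must not list its contents
  check "no directory listing"        403 "$SITE/wp-content/uploads/"        || fails=$((fails + 1))
  # 5d: a foreign Referer is refused, the site's own pages still get the image
  check "hotlinked image refused"     403 "$img" -e "https://other.example/" || fails=$((fails + 1))
  check "same-site image served"      200 "$img" -e "$SITE/"                 || fails=$((fails + 1))
  # 5f: .htaccess itself is hidden
  check ".htaccess denied"            403 "$SITE/.htaccess"                  || fails=$((fails + 1))
  # 5g: include-only PHP files cannot be called directly
  check "wp-includes PHP blocked"     403 "$SITE/wp-includes/version.php"    || fails=$((fails + 1))
  # 5i lives in wp-content/.htaccess, so the query-string rules are tested on a path below it
  check "script tag in query refused" 403 "$img?x=<script>alert(1)</script>" || fails=$((fails + 1))
  check "GLOBALS in query refused"    403 "$img?GLOBALS[x]=1"                || fails=$((fails + 1))
  # and the site still answers normal requests
  check "front page still reachable"  200 "$SITE/"                           || fails=$((fails + 1))
  echo "$fails check(s) failed"
  return $fails
}

# Usage: sh wp-htaccess-check.sh https://your-site.example
if [ $# -ge 1 ]; then
  SITE=$1
  run_checks
fi
```

Run it against the live site after every .htaccess change; the "hotlinked image refused" line is the one that fails when the wp-content/.htaccess from i) has taken over the rewrite rules from the root file, and the "front page still reachable" line catches a rule that is too greedy. A CDN or WAF in front of the site may answer some of these requests itself, so run the check against the origin as well.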
6) Use security plugins such as:
Better WP Security
Wordfence
All in One WordPress Firewall
BulletProof Security
BackWPup
BlogSecurity's WPIDS
7) Always monitor login attempts for brute-force activity. Plugins that help:
Limit Login Attempts
Simple History
WP Security Scan
Ask Apache Password Protect
Login Lockdown
Antivirus
Bad Behavior
Exploit Scanner
User Spam Remover
WP DB Backup
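Without a plugin the same check can be done from the web server's access log, which is also the "monitor webserver logs" part of item 23. The script below is an added example, not part of the original list. It relies on a detail of how WordPress answers the login form: a failed POST to wp-login.php gets a 200 (the form is shown again with an error), a successful one gets a 302 redirect to the dashboard, so counting 200 responses to POSTs per client IP isolates the failures. The log lines inside it are constructed for the example and the threshold of 20 is an assumption.

```shell
#!/bin/sh
# Spot brute-force login attempts in an Apache access log (combined log format).
# A failed wp-login.php POST is answered with 200 (form shown again), a successful
# one with 302 (redirect to wp-admin), so "POST + 200" per IP counts the failures.
# The log lines below are constructed for this example, not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Jul/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2013:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3975 "https://blog.example/wp-login.php" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2013:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://blog.example/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2013:10:06:00 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"'

# Print "failures ip", most failures first, for every client that POSTed to
# wp-login.php and got a 200 back. Fields: $1 client IP, $6 method, $7 path, $9 status.
login_failures_by_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs with at least THRESHOLD failures, one per line.
flag_brute_force() {
  login_failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# The same IPs as 2.2-style deny lines, ready to paste into .htaccess.
deny_lines() {
  flag_brute_force "$1" | awk '{ print "Deny from " $1 }'
}

# Usage: sh wp-bruteforce.sh /var/log/apache2/access.log [threshold]
if [ $# -ge 1 ]; then
  flag_brute_force "${2:-20}" < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | login_failures_by_ip
fi
```

On the sample input the script reports 5 failures for 203.0.113.7 and 1 for 198.51.100.2, whose third attempt succeeded; only the first crosses a threshold of 3. Distributed campaigns spread attempts over many addresses, so also look at the total number of failures per hour, not only per IP.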
8) Use a CDN such as CloudFlare or Google's PageSpeed Service in front of the site.
9) Protect access to /wp-admin with HTTP Basic authentication (htpasswd) as a second layer in front of the WordPress login form.
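The following script is an added example of item 9, not part of the original list. It writes the password file outside the document root (so it can never be served by mistake, and rule 5f is not the only thing standing between it and the public) and exempts admin-ajax.php, which plugins call from the public side of the site and which stops working behind Basic auth. The paths /var/www/html and /etc/apache2/wp-admin.htpasswd are assumptions; openssl is used to hash the password because htpasswd(1) is not installed on every host.

```shell
#!/bin/sh
# Put HTTP Basic authentication in front of /wp-admin/ as a second layer before the
# WordPress login form. Assumptions (constructed for this example): the document root
# is /var/www/html and the password file lives at /etc/apache2/wp-admin.htpasswd,
# i.e. outside the document root.
WEBROOT=${WEBROOT:-/var/www/html}
HTPASSWD_FILE=${HTPASSWD_FILE:-/etc/apache2/wp-admin.htpasswd}

# Refuse to continue if the password file would end up inside the document root.
htpasswd_outside_webroot() {
  case "$HTPASSWD_FILE" in
    "$WEBROOT"/*) return 1 ;;
    *)            return 0 ;;
  esac
}

# One "user:hash" line in Apache's apr1 (MD5-crypt) format, which every Apache
# version understands. The password goes in via stdin so it never shows up in ps.
htpasswd_entry() {
  printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# The .htaccess for wp-admin. admin-ajax.php is called by plugins on the public side
# of the site (and by logged-out visitors), so it is exempted or those features break.
wp_admin_htaccess() {
  cat <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $HTPASSWD_FILE
Require valid-user

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# install_wp_admin_auth USER PASSWORD
install_wp_admin_auth() {
  htpasswd_outside_webroot || { echo "refusing: $HTPASSWD_FILE is inside $WEBROOT" >&2; return 1; }
  htpasswd_entry "$1" "$2" > "$HTPASSWD_FILE"   # use >> to add further users
  chmod 640 "$HTPASSWD_FILE"                     # then chgrp it to the web server's group
  wp_admin_htaccess > "$WEBROOT/wp-admin/.htaccess"
  chmod 644 "$WEBROOT/wp-admin/.htaccess"
}

# Usage: sh wp-admin-auth.sh USER PASSWORD
if [ $# -eq 2 ]; then
  install_wp_admin_auth "$1" "$2"
fi
```

Use a password that is different from the WordPress one, and serve the site over HTTPS: Basic auth sends the credentials base64-encoded, not encrypted, with every request.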
10) Change the default wp_ table prefix (also listed under item 5); injection payloads that hard-code wp_users then fail.
11) Hide login error messages, so the form does not reveal whether a username exists. Add to your theme's functions.php:
add_filter('login_errors', '__return_null');
(The older create_function() form of this line is deprecated since PHP 7.2 and removed in PHP 8.)
12) Do not use the default "admin" user: create a new administrator account and delete "admin", since brute-force campaigns try that username first. See:
http://blog.sucuri.net/2013/07/dissecting-a-wordpress-brute-force-attack.html
13) Monitor for malware, e.g. with the external scanner at
http://sitecheck.sucuri.net/scanner/
14) Disable the theme/plugin editor (the DISALLOW_FILE_EDIT setting listed under item 5).
15) Disable PHP execution in directories that only hold uploads (wp-content/uploads), so an uploaded .php file cannot be run.
16) Set permissions to 755 for directories and 644 for files; wp-config.php holds the database password and can be tighter (640 or 600).
17) Use a separate database (and database user) for each WordPress installation, so one compromised site cannot read another's tables.
18) Control sensitive information: do not display PHP errors to visitors and keep credentials out of web-readable files.
19) Delete the install folder, readme.html, any phpinfo files and any .sql backups left in the WordPress directory; they reveal the version, the PHP configuration or the data itself.
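Items 16 and 19 are worth checking mechanically, since a plugin update or a hurried restore easily leaves a 777 directory or a database dump behind. The script below is an added example, not part of the original list; it audits a WordPress tree for the 755/644 scheme, for a world-readable wp-config.php, for anything world-writable and for the leftover files from item 19, and can apply the permissions. The path /var/www/html is an assumption; the list of leftover names is the one from item 19 plus .sql.gz and .bak.

```shell
#!/bin/sh
# Audit a WordPress tree for the permission scheme in item 16 and the leftovers in
# item 19, and optionally fix the permissions. Assumption (constructed for this
# example): the install lives in /var/www/html; override WP_ROOT for another path.
WP_ROOT=${WP_ROOT:-/var/www/html}

# Directories that are not 755.
wrong_dir_perms() {
  find "$WP_ROOT" -type d ! -perm 755
}

# Files that are not 644; wp-config.php is checked separately because it should be tighter.
wrong_file_perms() {
  find "$WP_ROOT" -type f ! -name wp-config.php ! -perm 644
}

# wp-config.php holds the database password: it must not be readable by "other".
wpconfig_world_readable() {
  find "$WP_ROOT" -maxdepth 1 -name wp-config.php -perm -o=r
}

# Anything writable by everyone is a gift to any other account on a shared host.
world_writable() {
  find "$WP_ROOT" -perm -o=w
}

# Leftovers that reveal the version, the PHP configuration or a copy of the database.
leftover_files() {
  find "$WP_ROOT" \( -name readme.html -o -name 'phpinfo*.php' -o -name '*.sql' \
                     -o -name '*.sql.gz' -o -name '*.bak' \) -type f
  [ -d "$WP_ROOT/install" ] && echo "$WP_ROOT/install"
  return 0
}

# Apply 755/644 and lock down wp-config.php.
fix_perms() {
  find "$WP_ROOT" -type d -exec chmod 755 {} +
  find "$WP_ROOT" -type f -exec chmod 644 {} +
  [ -f "$WP_ROOT/wp-config.php" ] && chmod 640 "$WP_ROOT/wp-config.php"
  return 0
}

# Print every finding as "category: path"; return 1 if there was any.
audit() {
  findings=$(
    for category in wrong_dir_perms wrong_file_perms wpconfig_world_readable world_writable leftover_files; do
      "$category" | awk -v c="$category" '{ print c ": " $0 }'
    done
  )
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# Usage: sh wp-perms.sh audit | sh wp-perms.sh fix
case "${1:-}" in
  audit) audit ;;
  fix)   fix_perms && audit ;;
esac
```

Run "audit" first and look at what it lists before running "fix": a plugin that writes its own cache directory under wp-content needs that directory writable by the web server user, which the 755 scheme only provides when the files are owned by that user.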
20) Keep your own computer free of viruses and malware; a keylogger on the workstation defeats every server-side control.
21) Keep the WP folders from being indexed by search engines: add the line below to robots.txt
Disallow: /wp-*
This is only a hint to well-behaved crawlers, not an access control, and it also hides /wp-content (theme assets and uploaded images) from search engines.
22) Use a reputable hosting provider such as MediaTemple.
23) Monitor the web server logs and watch for file changes.
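For the file-change part of item 23, the script below is an added example, not part of the original list: it records a SHA-256 hash of every file under the WordPress root and reports files that were added, removed or modified since. The baseline is kept outside the document root, so an attacker who can only write to the site cannot bring it up to date. The paths /var/www/html and /var/lib/wp-baseline.sha256 are assumptions, and wp-content/cache is skipped because cache files churn constantly.

```shell
#!/bin/sh
# Detect added, removed and modified files under the WordPress root by comparing
# SHA-256 hashes with a saved baseline. Assumptions (constructed for this example):
# the install is in /var/www/html and the baseline lives in /var/lib/wp-baseline.sha256,
# outside the document root.
WP_ROOT=${WP_ROOT:-/var/www/html}
BASELINE=${BASELINE:-/var/lib/wp-baseline.sha256}
SHA=$(command -v sha256sum || echo 'shasum -a 256')

# "hash  ./relative/path" for every file, sorted by path; the cache directory is skipped.
snapshot() {
  (cd "$WP_ROOT" && find . -type f ! -path './wp-content/cache/*' -exec $SHA {} + | sort -k 2)
}

baseline_create() {
  snapshot > "$BASELINE"
}

# Print one line per difference (ADDED/CHANGED/REMOVED path); return 1 if there was any.
baseline_compare() {
  [ -s "$BASELINE" ] || { echo "no baseline at $BASELINE, run create first" >&2; return 2; }
  diffs=$(snapshot | awk '
    NR == FNR { old[$2] = $1; next }            # first input: the baseline
    { seen[$2] = 1
      if (!($2 in old))       print "ADDED " $2
      else if (old[$2] != $1) print "CHANGED " $2 }
    END { for (p in old) if (!(p in seen)) print "REMOVED " p }
  ' "$BASELINE" - | sort)
  [ -n "$diffs" ] && printf '%s\n' "$diffs"
  [ -z "$diffs" ]
}

# Usage: sh wp-baseline.sh create   (after an update you trust)
#        sh wp-baseline.sh compare  (from cron; non-zero exit means something changed)
case "${1:-}" in
  create)  baseline_create ;;
  compare) baseline_compare ;;
esac
```

Re-create the baseline right after every update you made yourself; anything the compare run reports between updates (a new .php file in wp-content/uploads, a changed wp-includes file, an index.php that grew) deserves a look before it is explained away.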
24) If possible, use the ModSecurity web application firewall for Apache to protect your web server.