🔐 1. Basic Security (Must Do First)
✔ Keep everything updated
- Update WordPress core, themes, and plugins regularly.
- Remove unused plugins/themes.
✔ Use strong login protection
- Strong password (12+ characters).
- Change default username admin.
- Enable 2-Factor Authentication (2FA).
✔ Install a security plugin
Best options:
- Wordfence
- Sucuri
- iThemes Security
These provide:
- Firewall
- Malware scan
- Login protection
🛡️ 2. Hosting & Server Level Security
✔ Use secure hosting
Choose hosting with:
- Free SSL
- Daily backups
- Malware protection
- WAF firewall
✔ Enable SSL (HTTPS)
- Install Let’s Encrypt SSL.
- Force HTTPS redirect.
🔒 3. File & Database Protection
✔ Change database prefix
- Default
wp_→ change to random likewp9x_.
✔ Set proper file permissions
- Folders: 755
- Files: 644
wp-config.php: 600
✔ Disable file editing in dashboard
Add in wp-config.php:
define('DISALLOW_FILE_EDIT', true);
🚫 4. Block Hack Attempts
✔ Limit login attempts
Stops brute-force attacks.
✔ Change login URL
/wp-admin→ custom URL (via plugin).
✔ Disable XML-RPC if not needed
Improves security.
💾 5. Backup Strategy (Very Important)
Use plugins like:
- UpdraftPlus
- All-in-One WP Migration
Keep:
- Daily backup
- Off-site storage (Google Drive, Dropbox)
🧠 6. Advanced Protection (Professional Level)
- Use Cloudflare firewall + CDN
- Enable reCAPTCHA on login & forms
- Monitor security logs
- Set automatic malware scanning
- Use separate admin email
⭐ Best Simple Security Setup (Recommended)
If you want easy & strong protection, do this:
- Install Wordfence
- Enable 2FA
- Setup daily backup (UpdraftPlus)
- Activate SSL + Cloudflare
- Keep plugins/themes updated
👉 This covers 90% of WordPress hacks.