1. Basic Security (Must Do First)
Keep everything updated
- Update WordPress core, themes, and plugins regularly.
- Remove unused plugins/themes.
Use strong login protection
- Use a strong password (12+ characters).
- Change the default username admin.
- Enable 2-Factor Authentication (2FA).
Install a security plugin
Best options:
- Wordfence
- Sucuri
- iThemes Security
These provide:
- Firewall
- Malware scan
- Login protection
2. Hosting & Server Level Security
Use secure hosting
Choose hosting with:
- Free SSL
- Daily backups
- Malware protection
- WAF firewall
Enable SSL (HTTPS)
- Install Let's Encrypt SSL.
- Force HTTPS redirect.
3. File & Database Protection
Change database prefix
- Default wp_ → change to a random prefix like wp9x_.
Set proper file permissions
- Folders: 755
- Files: 644
- wp-config.php: 600
Disable file editing in dashboard
Add in wp-config.php:
define('DISALLOW_FILE_EDIT', true);
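An added example (not part of the original checklist): a Python audit that checks a WordPress directory against the three settings in this section, namely the 755/644/600 permissions, the DISALLOW_FILE_EDIT define, and a non-default database prefix. The function name audit_wordpress and the sample tree are assumptions made for illustration; $table_prefix is the wp-config.php variable that holds the prefix.

```python
import os
import re
import stat
import tempfile

DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600  # values from the checklist

def audit_wordpress(root):
    """Return sorted (relative_path, finding) pairs for a WordPress tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits say nothing useful
            rel = os.path.relpath(path, root)
            if os.path.isdir(path):
                want = DIR_MODE
            else:
                want = CONFIG_MODE if rel == "wp-config.php" else FILE_MODE
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != want:
                findings.append((rel, f"mode {mode:03o}, expected {want:03o}"))
    config = os.path.join(root, "wp-config.php")
    if os.path.isfile(config):
        with open(config, encoding="utf-8", errors="replace") as fh:
            # Strip PHP comments so a commented-out define() does not count.
            code = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", "", fh.read(), flags=re.S)
        if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                         code, re.I):
            findings.append(("wp-config.php", "DISALLOW_FILE_EDIT is not set to true"))
        prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", code)
        if prefix and prefix.group(1) == "wp_":
            findings.append(("wp-config.php", "default table prefix wp_ in use"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree: world-writable folder, readable config, weak settings.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "wp-content"))
        os.chmod(os.path.join(root, "wp-content"), 0o777)
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php\n$table_prefix = 'wp_';\n"
                     "// define('DISALLOW_FILE_EDIT', true);\n")
        os.chmod(cfg, 0o644)
        for rel, finding in audit_wordpress(root):
            print(f"{rel}: {finding}")
```

The audit only reports; it changes nothing on disk, so it can be run against a live site directory before applying the fixes.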
4. Block Hack Attempts
Limit login attempts
Stops brute-force attacks.
Change login URL
/wp-admin → custom URL (via plugin).
Disable XML-RPC if not needed
Improves security.
5. Backup Strategy (Very Important)
Use plugins like:
- UpdraftPlus
- All-in-One WP Migration
Keep:
- Daily backup
- Off-site storage (Google Drive, Dropbox)
6. Advanced Protection (Professional Level)
- Use Cloudflare firewall + CDN
- Enable reCAPTCHA on login & forms
- Monitor security logs
- Set automatic malware scanning
- Use separate admin email
Best Simple Security Setup (Recommended)
If you want easy & strong protection, do this:
- Install Wordfence
- Enable 2FA
- Set up daily backup (UpdraftPlus)
- Activate SSL + Cloudflare
- Keep plugins/themes updated
This covers 90% of WordPress hacks.

