https://wordpress.org/support/article/hardening-wordpress/

A pretty good start to securing your server.

There are several ways:

1. Set secure passwords for your WordPress site, hosting account and FTP
2. Dont use “nulled” themes/plugins
3. Dont use themes or plugins from suspicious sources
4. Use WordFence
5. Use a plugin to limit login attempts

Optionally you can change the admin login url address

All boils down to these:

• Always have daily offsite backup. Hacked? You can restore right away
• Keep plugins up to date
• Use 2FA for logins
• Put your website behind Cloudflare
• Use Wordfence for vulnerabilities checks and general security
• Use Turnstile and/or OOPSpam for spam protection

Security is a major aspect of the website, and I faced some hacking issues in my earlier days. Then, I found this step-by-step guide and followed it. It helped me secure my website. You can also refer to this.

I use Virusdie and MalCare to keep my websites secure. I also use the WP Activity Log plugin to track activities on my WordPress sites as it logs actions like creating user accounts, changing permissions, and login attempts, plus it sends real-time alerts for any changes on our sites.

I do regular updates of all the apps on the sites: plugins, themes, WP core, PHP version if needed.... with 2FA on some sites.

I also make sure to back everything up regularly, so I set up regular offsite backups to my pCloud with the All-in-One WP Migration plugin and rely on daily backups from SiteGround hosting. For some sites, I also use SaaS BlogVault.

1. Regularly backup your site, Daily is better
2. Do not use a crack theme or plugin, purchase from the author and update regularly.
3. Get a good hosting, managed wp hosting is better if you don't know much about maintaining a hosting.
4. Use a security plugin and turn on automatic scanning.

These are the basic way to prevent malware attack and cracking of your website.

Great question. Securing a WordPress site is critical, especially with so many bots and brute force attempts out there these days.

A few best practices I always recommend:

• Use strong, unique passwords + 2FA
• Keep everything updated: core, plugins, themes
• Disable XML-RPC if you don’t use it
• Regular offsite backups (daily, if possible)
• Set up a solid firewall or CDN like Cloudflare

As for plugins, while Wordfence is popular, some find it heavy on resources. I personally use WP Security Ninja. It’s lightweight, runs 50+ security tests, and offers login protection, file change monitoring, and malware scans without slowing down the site. Super useful for both beginners and pros.

Security is a layered approach. Plugins help, but good hosting, smart config, and regular audits are just as important.

What setups are others here using? Always good to compare notes.

Cloudflare + Wordfence.

Pretty sure CF blocks SQLi attacks by default?

edit: 2FA and changing the admin URL doesn't protect you from vulnerabilities, which is how most WP sites are hacked.

Wordfence, 2FA, strong passwords.

You’ve already taken some great steps to protect your site, and that’s really good to see. One more thing you might find helpful is using a plugin like WPCode. It lets you add useful security changes, like turning off XML-RPC or limiting login attempts without needing to touch any code. It’s easy to use and perfect for beginners who want a little more control.

Also, make sure you’re doing regular backups. A plugin like Duplicator can create a full copy of your site that you can restore anytime if something goes wrong. I personally use it as a backup plan, just to be safe.

As Bluesix said above, changing admin url does nothing. I have my own self managed vps and noticed a lot of login attempts using a lot of server resources. Since i’m on cloudflare (free) i enable cf access. Put it in front of my login pages and it requires a specific email address, then a 6 digit code is sent that email and only then, the login page is accessible. Since then… no more crazy cpu usage, i can run 40 low to moderate traffic elementor sites on a single vps using openlightspeed.

Invisible captcha on forms.

Wordfence + Cloudflare Access + Cloudflare Firewall. All free.

Wordfence, 2 factor authentication, change htaccess file to only allow your ip on wp-admin pages

I use All-in-One security. With heavily modified settings. Changes loginpage. And creates a honeypot for loginbots.

And never use the account "admin" be sure to change that, or delete it.

I like to do a few things to secure a site.

1. Make sure you are using SSL, so the site shows up as https:// instead of http://
2. Make sure you are not using common usernames like admin, your domain, or such. and I also use a separate account with an editor role to make posts. Bots will scan your posts and use that poster to login.
3. I also use a randomly generated password for each account. You can use a password manager like LastPass to generate and save these.
4. I also use a custom login URL so /wp-admin is changed to something else.
5. For security plugins I like using Wordfence or IThemes Security, and I like to limit the login attempts, so an IP is banned if someone tries logging in too many times. You can also use these plugins to customize the login URL.
6. I also use a logging plugin like WP-Stream or Audit Log, to keep track of when a user does something on the site such as logins, updates, changes. This will help you figure out if the site has been accessed without you knowing, and give you a timeline.
7. If you want to really secure the logins you can setup a IP whitelist, that only allows certain computers from logging in. Or you can setup Two-Factor Authentication, where you have to use a code from your phone, after you use your password
8. The most important thing to do security wise is to KEEP ALL YOUR PLUGINS AND THEMES UP TO DATE The majority of the time a site gets hacked is because a plugin / theme is out of date, and there are security holes that give bots / hackers a way in.

First, make sure your site is backed up (I do it mainly via plugin the All-in-One WP Migration via pCloud or my hosting's backups). This way, you can restore your site if anything ever goes wrong.

Next, take care of security: install WAF (I use Virusdie and MalCare), plus I add an activity log plugin, like WP Activity Log, as you can track any changes or potential issues on your site.

To further secure your shared hosting WP site, ensure you’re using strong, unique passwords for your cPanel and WP accounts: enable two-factor authentication (2FA) for an extra layer of protection. In your cPanel, disable directory browsing and protect sensitive directories with passwords.

In the WP backend, keep your plugins, themes, and WP core updated to avoid vulnerabilities (in this order).

This really depends on the host's setup.

I would make sure that it is supporting Immunify 360 and that it is enabled and also install the free Wordfence Plugin in WP.

A shared host should already have server level security measures like imunify360. A good security plugin for WordPress is Wordfence, but most times I find it to be just resource heavy and not necessary.

When it comes to your website security, where you host it really matters. I've got my sites hosted with NixiHost, they include free Imunify360 protection that guards against hackers and malware, plus free SSL certificates. Imunify360 with Nixihost is automatically installed in cPanel which allows you to scan and detect malwars easily, SSL certificate is automatically installed on your domain as well, and you can add Wordfence plugin to WordPress easily for extra security and backups. Their firewall catches the bad guys before they even reach your site, which lets me sleep better at night. I learned this the hard way before switching to NixiHost three years ago. The peace of mind from knowing my sites are secure, backed up, and loading quickly is totally worth it. Plus, when issues do come up, having responsive support makes all the difference between a quick fix and hours of stress.

To secure your WordPress website on shared hosting, follow these steps:

1. Regularly update WordPress, themes, and plugins.
2. Set strong passwords for admin, database, and hosting accounts.
3. Use plugins like WPS Hide Login to modify the default login URL
4. Use plugins like Google Authenticator to enable 2FA
5. Prevent brute-force attacks with a security plugin like Wordfence to limit login attempts.
6. Use an SSL certificate to activate HTTPS for encrypted data transfer.
7. To disable file editing add define ('DISALLOW_FILE_EDIT', true); to wp-config.php.
8. Use Wordfence or Sucuri for monitoring and firewall protection.
9. Set up automatic backups with UpdraftPlus or Jetpack or join the daily backup option with your hosting provider.

I basically have the same with free Wordfence and free updraft. I would have occasional security issues, maybe once or twice a year.

However, any security issues ended when I activated 2FA. Have not had an issue since.

Use Wordfence, enable 2FA, and keep everything up to date

Keep it simple.

• Have a proper hosting
• Setup daily backups
• Put your website behind Cloudflare
• Keep plugins and themes up to date. Remove unused ones
• Use spam protection (OOPSpam or/and Turnstile) if you need.
• Use 2FA for admin logins

For me, there's not a better combo than server-level security and utilising Cloudflare's WAF to set up your custom rules, rate-limiting rules, etc... Pretty sure the free version is sufficient in most situations.

But even if you need the pro version, it's like $25 per month & is likely going to do a lot more for your site than a plugin ever would.

Also, not chucking random plugins at problems will greatly decrease the likelihood of some sort of hack/intruder. I can't remember the last time I ever had to deal with a hacked site.

Utilize Cloudflare's Zero-Trust Network Access system (it's free for up to 50 users... meaning 50 admins for your site). That will make it so network requests to wp-admin will be authenticated before the request even goes to your server (basically if there's an exploit in WordPress core or plugins, unauthorized users still won't be able to get to the admin area of your site).

https://i.ibb.co/rcHDK4M/image.png

Additional important security measures:

• Disable XML-RPC – If you don't need it, turn it off. It’s a frequent target for attacks.
• Restrict Access to wp-admin – Limit access by IP address to keep unauthorized users out.
• Change the Default Login URL – Makes brute-force attempts significantly harder.
• Implement Security Headers – A simple way to block many types of web exploits.
• Use a Web Application Firewall (WAF) – Provides an extra layer of robust protection.

Securing your WordPress site doesn’t have to be overwhelming and even a few smart changes can make a big difference.

Already secured your site? We’d love to hear what’s worked best for you.

Share your tips below to help strengthen the community.

I use WP Security & WordFence together, as it has all of those options you listed, on a software level. There are other options on the server level like ModSecurity, and even closing all ports and allow only direct access to server from CloudFlare IPs. ModSecurity is kind of overkill, and would be best if you had high security type of website, like trading, e-commerce, or other stuff that has to do with finance or money.

Add Procaptcha instead of reCAPTCHA and you'll block more bots.

You're not mentioning a single infrastructure hardening option. You're only as good as the weakest link.

Sometimes it is not an attacker that brings your site down... 😉

Especially if mutiple admins are involved: install an event tracker. It tells you who did what at which time.

Been using WP Activity Log for a long time for that, but have switched now to WP Admin Audit because I prefer the more modern UI controls.

https://developer.wordpress.org/advanced-administration/security/hardening/

A WAF, password protect wp-login.php, backups, and constant updating of everything. I personally use wordpressupdater (or wp-cli directly), but I wrote the tool so I not sure if I should link to it. I set it up on the daily cron.

There are plugins to manage updates, and even the wordpress core does it itself, but wp-cli and my tool (among countless other scripts!) provide good notification, integration with Apache, etc, etc.

Of course, harden your php setup!

Only use top tier plugins. And update daily. Scan logs for hacking attempts and blacklist abusers IP. Consider if your security requirement are WP compatible.

I used WordFence/sucuri for my websites. I used top level plugins which are popular and keep them up to date.

This really depends on your host and stack you are using. If you use Cloudflare you already reduce a huge amount of bot/hacking traffic. Cloudflare recently announced a service that's specific for WordPress wich I do highly recommend.

The problem with plugins for hardening WordPress is the same as installing anti-virus software on your pc. It makes it slow. On your pc this might not be a problem, but most hosting solutions do not have enough power.

We, at work, stick with a good WordPress specic hosting company, CloudFlare and an internal update manager. Managing hundrets of WordPress sites and our sites haven't been hacked unless there was a serious vunerability on the sites plugins. Wich you can never prevent. Always make sure you have backups.

Security practices for WP without the use of plugin:

• Regularly update your WordPress.
• Restrict user privileges.
• Avoid using the default "Admin" username.
• Try using strong passwords.
• Delete the plugins and themes that you don't need.

Sysadmins will have a million methods.

Depending on your hosting platform.

And... how much hair do you have left... cause reading those logs can be daunting.

So, how do I sort through my logs? And with 50 websites hosted, what kind of life does one have?
Whelp, depending on your skillset or industry, there are a few log reader programs one can purchase.

The "depending on your hosting platform" godaddy versus all their various options for hosting. So for this example. Godaddy with managed wordpress hosting (deluxe)

You can use sftp to access your wordpress installation, once looking at your file system you'll locate the directory that has daily log files going as far back as your hosting is configured to do.

Download these text files and begin to bore yourself with "wtf does all this mean".

You can use notepad, but I truly suggest to the untrained... use notepad++ at least this program can help color code the log entries.

You'll do this from time to time, read your logs, but in most cases you are looking for those glaring errors that makes the repetitive entries stick out.

So when a failure, or serious error happens behind the scenes of your wordpress's daily operations, these logs can help explain what's causing those problems.

Now, sysadmins have syslog tools, and graphing tools that help automate reading 100s of logs at once.

Be like a network security geek. You want to be a Log Master!.

One of those tools is capturing packets, and analysis methods used to single out a single user from the massive amounts of data. Those tools rock on.

But for you. Scanning logs, just means locating where they are.

Another example of a different web host is powweb.

They called their logs. Php access logs. Essentially the same as others.

If you obtain a reasonable "software firewall" for wordpress. Wordfense, or WP Defender... or.. the other 500 that are out there.. those create logs too.

I personally have a namecheap hosting package, where within the cpanel to manage my "server", I have about 4 options of logs I can review. From mail service, web, and so forth.