WordPress Security

WordPress is used by more than 23.3% of the top 10 million websites, making it a popular target for hackers. Below I’ve listed the security measures I adopt when building a custom WordPress website:

  • Secure WordPress using Security Keys and Salts
  • Ensure any form data is escaped and sent with a nonce. A nonce is a “number used once” that helps protect URLs and forms from certain types of misuse, malicious or otherwise.
  • Changing the login URL will help prevent brute force attacks, as scripts are normally targeted at the default login URL.
  • Ensure that usernames and passwords are strong to prevent hacking.
  • Limiting login attempts; iThemes allows you to limit login attempts from an IP address. This helps protect against brute force attacks.
  • Changing the database table prefix to a custom prefix.
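As an added example of the nonce and escaping point above (this is illustrative code written for this post, not code from WordPress core or from either plugin listed below), here is a minimal admin form and its handler. The option name myplugin_site_tagline, the action name myplugin_save_tagline and the field name myplugin_nonce are assumed names chosen for the example; the WordPress functions used (wp_nonce_field, wp_verify_nonce, esc_attr, esc_url, sanitize_text_field, current_user_can) are the real core API.

```php
<?php
/**
 * Added example for this post: a WordPress form that embeds a nonce and
 * escapes its output, plus a handler that verifies the nonce, checks the
 * user's capability and sanitises the input before storing it.
 * Option, action and field names are assumed for the example.
 */

// Render the form. Every value written into HTML is escaped for its context
// (esc_url for the action attribute, esc_attr for the input value), and
// wp_nonce_field() emits a hidden field holding a nonce tied to our action.
function myplugin_render_tagline_form() {
    $current = get_option( 'myplugin_site_tagline', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_tagline', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save_tagline">
        <label for="myplugin-tagline">Tagline</label>
        <input type="text" id="myplugin-tagline" name="tagline"
               value="<?php echo esc_attr( $current ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handle the submission. The admin_post_{action} hook fires for logged-in
// users who POST to admin-post.php with a matching 'action' field.
function myplugin_handle_tagline_save() {
    // 1. Nonce check: rejects requests that did not come from the form we
    //    rendered for this user, e.g. a link or form forged on another site.
    $nonce = isset( $_POST['myplugin_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'myplugin_save_tagline' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 2. Capability check: a valid nonce proves intent, not authority, so the
    //    user's permission to change site options is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 3. Sanitise on input: sanitize_text_field() strips tags, null bytes and
    //    stray whitespace before the value reaches the database.
    $tagline = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'myplugin_site_tagline', $tagline );

    // Send the user back where they came from; exit so nothing else renders.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_save_tagline', 'myplugin_handle_tagline_save' );
```

The two halves follow the WordPress convention of sanitising on input and escaping on output: the handler never trusts $_POST, and the renderer never writes a stored value into HTML without the escaping function for that context. The nonce and capability checks are deliberately separate, since a nonce only confirms the request came from a form WordPress issued to that user, not that the user is allowed to make the change.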

I use the following plugins to help secure WordPress:

  • iThemes
    • Brute Force Protection
    • File Change Detection
    • Email Notifications
    • Hide Login & Admin
    • Lock Out Bad Users
  • Sucuri
    • Post-Hack Security Actions
    • Effective Security Hardening
    • Blacklist Monitoring
    • Remote Malware Scanning
    • File Integrity Monitoring