
Advanced WordPress security

Security plugins, wp-admin protection, login attempt limits, file permissions and wp-config hardening.


Security plugins

Wordfence Security

  1. Install from Plugins → Add New → search "Wordfence"
  2. Activate and complete the setup wizard
  3. Configure firewall in "Extended Protection" mode
  4. Enable weekly automatic scanning

Sucuri Security

  1. Install the free Sucuri plugin
  2. Generate your API key
  3. Enable file integrity monitoring
  4. Configure email alerts

Protect wp-admin

Change login URL

Use WPS Hide Login:

  1. Install and activate
  2. Go to Settings → WPS Hide Login
  3. Change /wp-admin to something custom

Protect with .htaccess

```apache
# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat
# (or the equivalent "Require ip YOUR_FIXED_IP"). Replace YOUR_FIXED_IP with
# the static address you administer from; a dynamic address will lock you out.
<Files wp-login.php>
  Order Deny,Allow
  Deny from all
  Allow from YOUR_FIXED_IP
</Files>
```

Limit login attempts

With Limit Login Attempts Reloaded:

  • 3 attempts allowed
  • 20-minute lockout
  • After 3 lockouts: 24-hour ban
  • Email notifications enabled
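The lockout policy above, modelled as a small state machine so the thresholds can be reasoned about and tested. This is an added example written for this guide, not code from the Limit Login Attempts Reloaded plugin: the plugin also keys on the username and can honour trusted-proxy headers, which this model omits by keying on client IP only. The event list is constructed, using documentation IP ranges.

```python
# Added example: a model of the lockout policy listed above (3 attempts,
# 20-minute lockout, 24-hour ban after 3 lockouts). It is not the
# Limit Login Attempts Reloaded plugin's code; it keys on client IP only.
from dataclasses import dataclass

MAX_ATTEMPTS = 3                # failed attempts that trigger a lockout
LOCKOUT_SECONDS = 20 * 60       # 20-minute lockout
MAX_LOCKOUTS = 3                # lockouts before the long ban
BAN_SECONDS = 24 * 60 * 60      # 24-hour ban


@dataclass
class ClientState:
    failures: int = 0           # failures since the last lockout or success
    lockouts: int = 0           # lockouts accumulated since the last success
    blocked_until: float = 0.0  # epoch seconds; 0 means not blocked


class LoginLimiter:
    def __init__(self):
        self.clients = {}

    def is_blocked(self, ip, now):
        state = self.clients.get(ip)
        return state is not None and now < state.blocked_until

    def record_failure(self, ip, now):
        """Count one failed login; return 'allowed', 'lockout' or 'ban'."""
        state = self.clients.setdefault(ip, ClientState())
        state.failures += 1
        if state.failures < MAX_ATTEMPTS:
            return "allowed"
        state.failures = 0
        state.lockouts += 1
        if state.lockouts >= MAX_LOCKOUTS:
            state.blocked_until = now + BAN_SECONDS
            return "ban"
        state.blocked_until = now + LOCKOUT_SECONDS
        return "lockout"

    def record_success(self, ip):
        """A successful login clears the client's record."""
        self.clients.pop(ip, None)


def simulate(events):
    """Run (timestamp, ip, succeeded) events through one limiter; one outcome per event."""
    limiter = LoginLimiter()
    outcomes = []
    for ts, ip, succeeded in events:
        if limiter.is_blocked(ip, ts):
            outcomes.append("blocked")      # refused before any password check
        elif succeeded:
            limiter.record_success(ip)
            outcomes.append("success")
        else:
            outcomes.append(limiter.record_failure(ip, ts))
    return outcomes


# Constructed sample: timestamps are seconds, addresses are documentation ranges.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False),
    (10, "203.0.113.5", False),
    (20, "203.0.113.5", False),       # third failure: first lockout (20 min)
    (30, "203.0.113.5", False),       # still inside the lockout window
    (100, "198.51.100.7", False),     # another client is counted separately
    (110, "198.51.100.7", True),
    (1300, "203.0.113.5", False),     # window expired at t=1220
    (1310, "203.0.113.5", False),
    (1320, "203.0.113.5", False),     # second lockout
    (2600, "203.0.113.5", False),
    (2610, "203.0.113.5", False),
    (2620, "203.0.113.5", False),     # third lockout: 24-hour ban
    (2700, "203.0.113.5", False),
    (90000, "203.0.113.5", True),     # ban expired at t=89020; success resets the record
]


def sample_outcomes():
    return simulate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, sample_outcomes()):
        print(event, "->", outcome)
```

The model makes one property of the policy visible: a client that paces its failures to just outside each 20-minute window still accumulates lockouts and reaches the 24-hour ban, because the lockout counter is only cleared by a successful login.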

Disable XML-RPC

```apache
# Blocks the XML-RPC endpoint entirely. Skip this if you rely on Jetpack,
# the WordPress mobile apps or other clients that still need XML-RPC.
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>
```

File permissions

```bash
# Adjust /var/www/html to your document root.
# Directories: 755
find /var/www/html -type d -exec chmod 755 {} \;

# Files: 644
find /var/www/html -type f -exec chmod 644 {} \;

# wp-config.php: 600 (run from the WordPress root; 600 only works when the
# PHP process is the file's owner, otherwise PHP can no longer read it)
chmod 600 wp-config.php
```
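An auditor for the policy above, written as an added example for this guide (it is not part of WordPress or of any plugin): it walks a WordPress tree, reports every entry whose mode deviates from 755/644/600, and can apply the policy in place as the Python equivalent of the find/chmod lines. The fixture tree it builds is constructed, with deliberate mistakes, so the block runs on its own.

```python
# Added example, not from the guide: audit a WordPress tree against the
# permissions prescribed above (755 directories, 644 files, 600 wp-config.php)
# and apply them. Remember that 600 on wp-config.php only works when the PHP
# process is the file's owner.
import os
import stat
import tempfile

EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644
EXPECTED_WPCONFIG = 0o600


def expected_mode(path, is_dir):
    if is_dir:
        return EXPECTED_DIR
    if os.path.basename(path) == "wp-config.php":
        return EXPECTED_WPCONFIG
    return EXPECTED_FILE


def walk_entries(root):
    """Yield (path, is_dir) for everything below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            yield os.path.join(dirpath, name), True
        for name in filenames:
            yield os.path.join(dirpath, name), False


def audit_permissions(root):
    """Return (relative path, actual, expected) for every entry that deviates."""
    findings = []
    for path, is_dir in walk_entries(root):
        if os.path.islink(path):
            continue   # a symlink's own mode is irrelevant; audit its target separately
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        want = expected_mode(path, is_dir)
        if actual != want:
            findings.append((os.path.relpath(path, root), oct(actual), oct(want)))
    return findings


def fix_permissions(root):
    """Apply the policy in place, like the find/chmod commands in the guide."""
    for path, is_dir in walk_entries(root):
        if not os.path.islink(path):
            os.chmod(path, expected_mode(path, is_dir))


def build_sample_tree():
    """Constructed fixture: a tiny fake install with deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.chmod(root, 0o755)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/uploaded.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)             # world-writable
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)                     # world-readable secrets
    os.chmod(os.path.join(root, "wp-content", "uploads", "uploaded.php"), 0o755)  # executable bit
    return root


def run_demo():
    """Build the fixture, audit it, fix it, audit again; return both audit results."""
    root = build_sample_tree()
    before = audit_permissions(root)
    fix_permissions(root)
    return before, audit_permissions(root)


if __name__ == "__main__":
    before, after = run_demo()
    for finding in before:
        print("%-35s is %s, expected %s" % finding)
    print("after fix:", after)
```

Run the audit periodically (or from a file-integrity alert) rather than only once: a plugin update or a careless SFTP session can quietly reintroduce a world-writable uploads directory.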

wp-config.php hardening

```php
// Add these to wp-config.php above the "That's all, stop editing!" line.

// Disable the theme and plugin file editor in the dashboard
define('DISALLOW_FILE_EDIT', true);

// Force SSL on admin and login pages
define('FORCE_SSL_ADMIN', true);

// Limit post revisions kept per post
define('WP_POST_REVISIONS', 5);

// Disable debug output in production
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
```
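A checker for the constants above, added here as an example for this guide rather than taken from WordPress: it reads a wp-config.php, extracts the active define() lines and reports anything missing or set to a value other than the one prescribed. The two sample configs are constructed.

```python
# Added example, not from the guide: parse a wp-config.php and check the
# constants the hardening block above sets. It reads define() lines only,
# so values computed at runtime or inside a /* */ block comment are not seen.
import re

# Constant -> value the guide prescribes (compared case-insensitively).
EXPECTED_DEFINES = {
    "DISALLOW_FILE_EDIT": "true",
    "FORCE_SSL_ADMIN": "true",
    "WP_DEBUG": "false",
    "WP_DEBUG_DISPLAY": "false",
}

DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*(?P<value>[^)]*?)\s*\)\s*;"""
)


def parse_defines(source):
    """Map constant name -> raw value text for every active define() line."""
    defines = {}
    for line in source.splitlines():
        stripped = line.lstrip()
        # A define inside a line comment does not take effect, so skip it.
        if stripped.startswith(("//", "#", "*")):
            continue
        match = DEFINE_RE.match(line)
        if match:
            defines[match.group("name")] = match.group("value").lower()
    return defines


def audit_wp_config(source):
    """Return findings as strings; an empty list means every check passed."""
    defines = parse_defines(source)
    findings = []
    for name, want in EXPECTED_DEFINES.items():
        got = defines.get(name)
        if got is None:
            findings.append(f"{name} is not defined, so the WordPress default applies")
        elif got != want:
            findings.append(f"{name} is {got}, expected {want}")
    revisions = defines.get("WP_POST_REVISIONS")
    if revisions is None or not (revisions.isdigit() or revisions == "false"):
        findings.append("WP_POST_REVISIONS is not limited")
    return findings


# Constructed samples: one hardened config and one with typical mistakes.
SAMPLE_GOOD = """<?php
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
define('WP_POST_REVISIONS', 5);
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
"""

SAMPLE_BAD = """<?php
// define('DISALLOW_FILE_EDIT', true);   // commented out, so it does not apply
define( "FORCE_SSL_ADMIN", false );
define('WP_DEBUG', true);
define('WP_DEBUG_DISPLAY', true);
"""


if __name__ == "__main__":
    for label, src in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, audit_wp_config(src) or "OK")
```

The commented-out define in the second sample is the case worth noticing: a hardening line that was disabled during troubleshooting and never restored looks correct on a quick read but leaves the file editor enabled.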

Security headers in Nginx

```nginx
# Place inside the server {} block. Note that add_header is not inherited by a
# location {} block that sets its own add_header, so repeat these there if needed.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
```

Recommendations

  • Keep WordPress, themes and plugins updated
  • Remove unused themes and plugins
  • Use strong passwords and 2FA for all admins
  • Set up daily automatic backups
  • Never use "admin" as a username
