10 Steps to make your WordPress website secure.
1. Do not ever use defaults
Never use the default username and password, such as the username “admin” with the password “password”. This is a very common occurrence. Avoid pairing a default username with a simple password. Your password must be strong and complex.
2. Do not use default database prefix.
It is a web development best practice not to keep the default database prefix (e.g. wp_). You can change it when you set up your WordPress website.
3. Get rid of unused plugins and even images.
Keep only the plugins that your website actually uses. Do not keep unused plugins. They pose a great security risk, as hackers may target plugins that people purchased because they were popular. A hacker may gain access to your admin via these rarely used plugins after corrupting them.
4. Always keep your passwords long & change them every 3 months
Brute-force attacks are widely known: hackers try an exhaustive number of passphrases until they get the password right. If your password is really complex and you update it every 3 months, the hacker has to start from scratch and you can escape this destructive attack.
5. Use security Add-ons from your hosting provider
Usually, the company you sign up with to host your website offers its own security features. For example, if you use HostGator, you can sign up for their “Security and Accelerate your site” add-on. It handles a few fundamental security options.
6. Only use WordPress authorized plugins
There are ample plugins available for every WordPress functionality, but strictly avoid downloading and installing plugins that are not from the trusted WordPress Marketplace.
7. Stop being so careless when it comes to Access rights
It's imperative to assign authority over your website’s elements according to each operator’s role. Only the Admin can have the highest control. If you have freelancers or other contributors to your website, you can assign them permissions.
8. Secure hosting is a Must-have.
There are lots of hosting providers with varying prices, but look at the security measures your hosting provider implements. Do not fall for a free hosting provider’s false claims about security.
9. Take regular backups of your website
Even after taking all the precautions, it is wise to take regular backups of your website data. If your website is still corrupted by malicious users, you can restart the development and set up your website again. Keeping the last 2 versions of the website can be enough. Do not keep copies of all versions on your server, as they take up valuable space that you have paid an expensive amount for.
10. Enhance security with WordPress File Permissions
All WordPress files should be 664. All folders should be 775. wp-config.php should be 660 or, even better, moved out of your WordPress public_html directory.
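
The shell functions below are an added example, not part of the original article: one audits a WordPress directory against the modes listed in step 10, the other applies them. The function names and the assumption that wp-config.php sits in the WordPress root are choices made for this example.

```shell
#!/bin/sh
# Added example. Target modes come from step 10 of the article:
# files 664, directories 775, wp-config.php 660.
# Assumption: wp-config.php lives directly in the WordPress root, and the
# root path contains no glob characters (find -path treats it as a pattern).

# Print one "want MODE: PATH" line for every path under ROOT whose mode
# differs from the target. Returns 0 if clean, 1 if anything was found,
# 2 if ROOT is not a directory.
audit_wp_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }
    cfg="$root/wp-config.php"
    findings=$(
        # find -type d / -type f never matches symlinks, so links are skipped.
        find "$root" -type d ! -perm 775 -print | sed 's/^/want 775: /'
        find "$root" -type f ! -path "$cfg" ! -perm 664 -print |
            sed 's/^/want 664: /'
        if [ -f "$cfg" ]; then
            find "$cfg" ! -perm 660 -print | sed 's/^/want 660: /'
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Apply the target modes. wp-config.php is excluded from the 664 pass so it
# is never left group/world readable, even briefly.
fix_wp_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }
    cfg="$root/wp-config.php"
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f ! -path "$cfg" -exec chmod 664 {} +
    if [ -f "$cfg" ]; then
        chmod 660 "$cfg"
    fi
}
```

Run `audit_wp_perms /path/to/wordpress` first and review the list before calling `fix_wp_perms` on the same path.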