Hey fellow WordPress enthusiasts,
I've recently implemented a bunch of security protocols on my WordPress site to try and make it as secure as possible. Here's a rundown of what I've done:
I've installed the Inactive Logout plugin to automatically log out users after a period of inactivity. This ensures that if a user leaves their session open without logging out, the session will automatically expire after a set time.
I've also taken steps to prevent directory browsing, which can expose sensitive information about my site's structure and files.
To protect my site's data, I've set up automatic backups through UpdraftPlus. This allows me to restore my site to a previous state if something goes wrong, such as during a security breach or after an update that causes issues.
I've also installed the Sucuri Security plugin, which includes features such as malware scanning, monitoring for security-related events, and implementing security hardening measures like disabling file editing and PHP execution.
To secure my login page, I've implemented several measures, including:
- Limiting the number of login attempts
- Implementing two-factor authentication through the miniOrange Two-Factor Authentication plugin
- Adding security questions for an additional layer of protection
- Changing the default WordPress login URL to something unique using the WPS Hide Login plugin
I've also taken steps to protect my site from SQL injection attacks by changing the database prefix from the default "wp_" to something custom.
To monitor and log user activity on my site, I've installed the WP Activity Log plugin. This allows me to see who made specific changes and when, which is useful for auditing purposes and monitoring suspicious activity.
I've also activated Jetpack to further secure my site, which includes features such as brute force attack protection, downtime monitoring, and automatic backups.
Finally, I've used the Members plugin to manage user roles and capabilities more effectively, and the User Switching plugin to switch between different user accounts without logging out.
I'm feeling pretty good about the security of my site, but I'm always looking for ways to improve. Has anyone else implemented any security protocols that I haven't mentioned? Are there any other plugins or services that I should be using to keep my site secure?
I'd love to hear from anyone who has any experience with WordPress security. What am I missing?
Did you secure your server? Or is it shared hosting?
Have you blocked the REST API and XML-RPC?
Disabled user enumeration?
Limited file write privileges and blocked PHP from running in unnecessary folders?
Do you have a server side firewall?
Configured Cloudflare?
If you use Cloudflare, put your admin area behind Zero-Trust Network Access.
You don’t need any of this, maybe the backups, but your hosting platform should lock down most of what you’d be worried about. Any sensitive data that would be worth anything is stored in a secure format anyway. You’ve added a whole bunch of plugins for stuff that could be implemented with a couple of lines in your functions file. Stuff you really don’t need anyway.
I hate to break it to you, but if you’re on reddit bragging and giving us details about your setup then your site is definitely not important enough to be targeted. You’re krill in an ocean full of whales who would be much more worth a hacker’s time.
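The checks asked about a few comments up (XML-RPC, the REST API, user enumeration, the built-in file editor) and the "couple of lines in your functions file" from the comment above, as an added example that is not from anyone in this thread: a single must-use plugin that relies only on core WordPress hooks. The hook, filter, route and capability names are WordPress core; the file name, the redirect target and the choice to hide author archives entirely are my assumptions.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example, not from the thread)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before normal
 * plugins and cannot be deactivated from wp-admin.
 */

// 1. XML-RPC: refuse login-based calls. Besides remote publishing, this
//    endpoint accepts system.multicall, which lets one request carry many
//    password guesses, so it is the usual target of brute-force scripts.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint (RSD link in <head>, X-Pingback header).
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. REST API: require a logged-in user for every request.
//    Anything that needs anonymous REST access (front-end forms, store
//    APIs) has to be allowed explicitly here, so test after enabling.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another plugin already produced an error
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'REST API requests require authentication.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 3. User enumeration via /wp-json/wp/v2/users: this route lists login
//    names. Remove it for anyone who cannot already manage users
//    (current_user_can() is reliable here because rest_endpoints runs
//    after the REST server has authenticated the request).
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. User enumeration via /?author=N: core redirects that to
//    /author/<login>/, leaking the login name. Send such requests, and
//    author archives in general, to the home page instead (assumption:
//    this site does not rely on public author pages).
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 5. Remove the theme/plugin code editor from wp-admin so a hijacked
//    admin session cannot be turned into arbitrary PHP on the server.
//    wp-config.php is the usual home for this constant; defining it from
//    an mu-plugin also works because core checks it at request time.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Two things to verify after installing it: log out and confirm that `/wp-json/wp/v2/users`, `/?author=1` and a POST to `xmlrpc.php` no longer return anything useful, and then log back in and confirm the block editor, Jetpack and any form or commerce plugin still work, since those are the features that depend on REST or XML-RPC. What this file cannot do is the web-server side of the list above (file-system write permissions, blocking PHP execution under wp-content/uploads, a server firewall); those live in the host's configuration, not in WordPress.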
Bot
You call that security? By the way, what web server are you using? If you are using Apache, let me know and I will send you real security measures that I have compiled over the years in the form of code snippets for .htaccess.
Virtually all WP sites are hacked via plugin vulnerabilities, generally due to their not being updated frequently or being abandoned. Keeping them updated and removing anything that hasn’t received an update in 9+ months (as well as using strong passwords) is pretty much the only thing you actually need to do to keep WP secure – everything else is just smoke and mirrors.
(For the pedantic people who can’t help themselves… notice that I said “virtually all”, not all.)