About to launch a WordPress ORG site. First time. Here is a security list I came up with. Maybe someone can guide me here? Which things would be overkill? Which features are not needed or are done by plugins? I’m planning on using Sucuri as my security service (the cheapest plan is enough, I hope). WordFence is great too, but Sucuri seems more advanced. Correct me if I’m wrong.
Here’s the list:
• Keep all plugins, themes and WordPress up-to-date. Check every day. Create a backup before updating anything.
• Regularly scan for any malware or vulnerabilities.
• Use very strong passwords with 2FA for administrators. Usernames must be strong too.
• Restrict users’ permissions. Don’t keep unnecessary administrators or developers.
• Use automatic backups. Back up two copies to two hard drives, and one copy to a cloud drive. Do manual backups every day (if the plugin doesn’t do this already).
• If possible, avoid shared hosting (more dangerous, won’t create backups). Dedicated hosting is better.
• Use “Web Application Firewall” (WAF). Some hosting providers or plugins have this.
• If possible, load the security plugin before loading the website. ???
• Make sure the site is on SSL (HTTPS). Some hosting providers automatically do this.
• Limit the login attempts. Three tries.
• Not necessary, but if needed, disable the access to code editor.
• Disable unnecessary PHP file execution via FTP. Save a specific file as .htaccess and upload it to wp-content/uploads. ???
• Change the database’s table names by removing the wp_ prefix.
• Secure the /wp-admin page with passwords.
• Disable directory browsing on the website via FTP or cPanel.
• Disable the XML-RPC file. This is also done by the firewall. ???
• Automatically log out idle users.
Some lines here are marked with “???”, so I would be glad if someone could give me more information: how do I know which PHP files are not needed and can be prevented from executing? When is XML-RPC not needed? How do I load the security plugin or firewall before loading the website?
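For the two “???” items about the uploads .htaccess and XML-RPC, here is an added example of what those two files commonly contain on an Apache 2.4 host (this is illustrative config written for this post, not something from the original list or from Sucuri/WordFence). It assumes the host allows .htaccess overrides for FileInfo/Limit (and Options for the directory-listing line, which some shared hosts reject with a 500 error, so test it on staging first).

```apache
# File 1: wp-content/uploads/.htaccess
# Nothing in the uploads directory should ever be executed as PHP:
# WordPress only serves media from here, so any PHP-like file that
# appears is either a mistake or something planted via a weak upload
# path. Refuse to serve it rather than hand it to the PHP engine.
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)$">
    Require all denied
</FilesMatch>

# Stop Apache from listing the directory when no index file exists
# (the "disable directory browsing" item from the list).
Options -Indexes

# File 2: .htaccess in the WordPress root (add below the WordPress block)
# xmlrpc.php is only needed by older remote-publishing clients, the
# Jetpack/mobile-app style integrations and pingbacks. If you use none
# of those, block it at the web server so login-bruteforce and amplified
# authentication attempts never reach PHP at all.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

After uploading, request a harmless test file such as wp-content/uploads/test.php and /xmlrpc.php in a browser: both should return 403 Forbidden, and your security plugin's logs should show no PHP execution for them.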