Following are some general recommendations to enhance security of a WordPress website.
- Use a security plugin e.g. Wordfence (if not already installed) and make sure that it’s updated to the latest version. Following is a short summary of recommended Wordfence settings:
- Make sure that the “Enabled and Protecting” mode is enabled after the “Learning” period is ended.
- In “Protection Level”, make sure to optimize the Wordfence firewall by enabling the Extended Protection mode.
- Upgrade the plugin to the premium version to enable the “Real Time IP Blacklist” feature to protect the website from malicious activities using the updated and latest database.
- The other default firewall settings are good to start with. These options can be changed in specific scenarios.
- The recommended scan type for most of the cases is “Standard”. The other options can be used in specific scenarios.
- Make sure to upgrade the plugin to the premium to use the latest malware signature during the scans. The free version of the plugin updates the malware signature list after 30 days.
- Moreover, the premium version enables the Reputation Checks (recommended) for ‘spamvertising’, spam identification and domain blacklist checking.
- Make sure the issues reported in the scan results are fixed.
- Wordfence tools like live traffic, whois lookup, import/export and diagnostics are really helpful in diagnosing the website’s traffic, IP address identification, sharing the Wordfence settings among WordPress websites and diagnosing the plugin conflicts or configuration issues respectively.
- Wordfence provide login security tools like Two Factor Authentication (2FA) which is the latest and most secure form of authentication and Google reCaptcha to protect the forms from bot attacks.
- Make sure that WordPress core, theme(s) and plugins are updated to the latest versions
- Make sure that PHP, MySQL and nginx are updated to the latest stable versions. There may be certain issues after updating the PHP version of the website. Please refer to this blog post about Important points to consider before and after updating PHP version for WordPress website
- IP Restriction at nginx level can also be applied to restrict access to the WordPress admin dashboard
- Remove all inactive theme(s) or plugins from the website
- Make sure that properly licensed themes and plugins are installed/activated on the website
- Visit Tools -> Site Health to see if there are any major issues reported to be fixed