Most of the time a website running WordPress is hacked, the culprit is not WordPress itself but some careless misconfiguration that could have been avoided during its development.
That’s the idea of this project: a checklist of actions you should take to increase the security of your website.

wp-config
- Change the security keys (generator provided by WordPress.org)

Login Page
- Lock down the login page against repeated failed logins (Login Lockdown or iThemes Security)
- Activate two-factor authentication (Google Authenticator for WordPress)
- Use an email address to log in instead of a username (Force Email Login)
- Rename the URL of your login page (iThemes Security or directly in .htaccess)
- Remove login links from the theme (if there are any)
- Use a strong password containing uppercase, lowercase, numbers, and special characters on all accounts (password generator)
- Change the passwords regularly
- Make the login error messages more generic (user/pass) (tutorial)

Administrative Panel
- Password-protect the wp-admin folder (unblock only the needed files)
- Keep WordPress up to date
- Do not create an account with the username admin. If there is one, create a new Administrator account and delete the old one
- Create an Editor account and use it solely to publish content
- Implement SSL for the WordPress admin section
- Install a plugin to check for file changes (WP Security Scan, Wordfence or iThemes Security)
- Scan the website for viruses, malware, and security breaches

Themes
- Keep the theme up to date
- Delete and remove unused themes
- Download and use themes only from reputable sources
- Remove the WordPress version from the theme (tutorial)

Plugins
- Keep all plugins up to date
- Delete and remove unused plugins
- Download and use plugins only from reputable sources
- Replace outdated plugins with newer alternatives
- Think twice before installing a ton of plugins

Database
- Change the default table prefix (tutorial)
- Schedule a weekly backup of the database (Backup WP, WP DB Backup etc.)
- Use a strong password containing uppercase, lowercase, numbers, and special characters for the database user (password generator)

Hosting provider
- Hire a reliable hosting provider
- Connect to your server only through SFTP or SSH
- Set all folder permissions to 755 and file permissions to 644 (according to the Codex)
- Make sure the wp-config.php file is not accessible by others
- Remove or block via .htaccess the files license.txt, wp-config-sample.php, and readme.html
- Disable file edit via wp-config.php by adding the following code:
- Prevent directory listing via .htaccess by adding the following code:

    Options All -Indexes
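The Hosting provider and Database items above lend themselves to an automated check. The POSIX shell script below is an added example and not part of the original checklist: it builds two constructed WordPress roots in a temporary directory (one with the typical mistakes, one hardened) and audits them for the 755/644 permissions, a wp-config.php that other local users cannot read, the three leftover files, the DISALLOW_FILE_EDIT constant (the wp-config.php setting WordPress documents for disabling the file editor), a non-default table prefix, and the Options All -Indexes directive. The fixture layout, the prefix bx7_ and the /var/www/html path mentioned in the comments are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit a WordPress document
# root against the hosting/database items. Each check_* function prints why it
# failed and returns 0 (pass) or 1 (fail); audit() returns the failure count.

# Directories should be 755 and regular files 644 (the Codex baseline).
# wp-config.php is excluded here because it gets a stricter check below.
check_permissions() {
  bad=$(find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -name wp-config.php ! -perm 644 \))
  [ -z "$bad" ] && return 0
  printf 'FAIL permissions (expected 755 dirs / 644 files):\n%s\n' "$bad"
  return 1
}

# wp-config.php holds the database password: no read bit for "other".
check_wpconfig_private() {
  f="$1/wp-config.php"
  [ -f "$f" ] || { echo "FAIL wp-config.php missing"; return 1; }
  if [ -n "$(find "$f" -perm -004)" ]; then
    echo "FAIL wp-config.php is world-readable"
    return 1
  fi
  return 0
}

# Stock files that reveal version details; delete them or block them in .htaccess.
check_leftover_files() {
  rc=0
  for name in license.txt wp-config-sample.php readme.html; do
    if [ -e "$1/$name" ]; then
      echo "FAIL leftover file present: $name"
      rc=1
    fi
  done
  return $rc
}

# DISALLOW_FILE_EDIT removes the theme/plugin code editor from the admin panel.
check_file_edit_disabled() {
  if grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$1/wp-config.php" 2>/dev/null; then
    return 0
  fi
  echo "FAIL DISALLOW_FILE_EDIT is not set to true in wp-config.php"
  return 1
}

# The default wp_ prefix makes every table name predictable.
check_table_prefix() {
  [ -f "$1/wp-config.php" ] || { echo "FAIL wp-config.php missing"; return 1; }
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1/wp-config.php"; then
    echo "FAIL default table prefix wp_ in use"
    return 1
  fi
  return 0
}

# .htaccess should carry "Options All -Indexes" (or at least "Options -Indexes").
check_directory_listing() {
  if grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null; then
    return 0
  fi
  echo "FAIL directory listing not disabled in .htaccess"
  return 1
}

# Runs every check against one document root; returns the number of failures.
audit() {
  failed=0
  for c in check_permissions check_wpconfig_private check_leftover_files \
           check_file_edit_disabled check_table_prefix check_directory_listing; do
    "$c" "$1" || failed=$((failed + 1))
  done
  echo "$failed check(s) failed for $1"
  return $failed
}

# Constructed fixture: a freshly unpacked site with the usual mistakes.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
  cat > "$d/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
EOF
  : > "$d/license.txt"; : > "$d/readme.html"; : > "$d/wp-config-sample.php"; : > "$d/.htaccess"
  chmod 755 "$d" "$d/wp-admin" "$d/wp-content"
  chmod 777 "$d/wp-content/uploads"
  chmod 644 "$d/wp-config.php" "$d/wp-config-sample.php" "$d/license.txt" "$d/readme.html" "$d/.htaccess"
  echo "$d"
}

# Constructed fixture: the same site after working through the checklist.
make_hardened_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
  cat > "$d/wp-config.php" <<'EOF'
<?php
$table_prefix = 'bx7_';
define( 'DISALLOW_FILE_EDIT', true );
EOF
  echo 'Options All -Indexes' > "$d/.htaccess"
  chmod 755 "$d" "$d/wp-admin" "$d/wp-content" "$d/wp-content/uploads"
  chmod 644 "$d/.htaccess"
  chmod 640 "$d/wp-config.php"
  echo "$d"
}

# Stand-alone demo on the fixtures; a real run would be `audit /var/www/html`.
site=$(make_sample_site);   audit "$site"; rm -rf "$site"
site=$(make_hardened_site); audit "$site"; rm -rf "$site"
```

The Codex baseline of 644 for files would leave wp-config.php readable by every local account on a shared host, which is why the script keeps that file out of the 644 sweep and holds it to a stricter rule instead. Each failing check prints its reason and audit returns the failure count, so the script can gate a deployment from cron or CI.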