I made this post as a security checklist for deploying a new WordPress site. The second reason I made it is that I don’t like installing too many plugins.
Almost all security guides require a ton of plugins that you don’t really need.
1. Change the database table prefix
When you install WordPress, change the default table prefix wp_ to something else, either in the installer’s Table Prefix field or as $table_prefix in wp-config.php before the installer runs. Be realistic about what this buys you: it only defeats automated SQL injection payloads that hard-code wp_users and wp_options, since an attacker with a working injection can still list the tables. Treat it as a cheap extra, not a control you rely on.
2. Protect wp-admin
This is the most important part of this checklist. Most WordPress sites are brute forced through the login form and the wp-admin area. You can protect the directory with HTTP basic authentication via .htaccess or your control panel; in Plesk Onyx, for example, “Password-Protected Directories” does it in a couple of clicks. Two caveats: wp-login.php sits in the site root, not inside wp-admin, so an attacker can still test passwords against it unless you protect that file as well, and admin-ajax.php inside wp-admin must stay reachable without credentials or front-end features that call it will break. xmlrpc.php is another credential-guessing target; block it if nothing you use (Jetpack, the mobile app) needs it.
3. Don’t use the default login “admin”
Don’t make it easy for a hacker to brute force you: use a unique login for your WordPress administrator. Keep in mind that WordPress exposes usernames through author archives (?author=1) and the REST API users endpoint, so an unusual name is not a secret, only one guess less. If WordPress is already installed you can use the Username Changer plugin, or, without a plugin, create a new administrator account, log in as it and delete the old “admin” user, choosing to attribute its content to the new account.
4. Disable file editing
WordPress has a built-in theme and plugin editor in the dashboard, which you should disable. Anyone who gets hold of an administrator session can use it to modify any template or plugin, which means running arbitrary PHP on your server. Get used to editing files with an (S)FTP client and Sublime instead. Disable the editor by defining the DISALLOW_FILE_EDIT constant as true in wp-config.php, above the line that loads wp-settings.php. The stricter DISALLOW_FILE_MODS also blocks installing and updating plugins and themes from the dashboard, so only use it if you update some other way.
5. Disable PHP File Execution
In some directories you don’t need PHP execution at all. The obvious example is /wp-content/uploads/, because that is where an attacker who abuses a file upload will try to drop a web shell. To disable it, create a file named .htaccess with your text editor and paste this (a bare “deny from all” on its own would also block every uploaded image, so the rule has to be limited to PHP files):
<Files *.php>
deny from all
</Files>
Save the file and upload it to the /wp-content/uploads/ folder with any FTP client. This works on Apache with AllowOverride enabled; on Apache 2.4 the native form of the directive is “Require all denied”, and nginx ignores .htaccess entirely, so there the equivalent location rule goes into the server configuration.
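The following script is an added example, not code from the original post. It writes the files for items 2, 4 and 5 above on an Apache 2.4 host with AllowOverride enabled (Apache 2.2 needs the older Order/Deny syntax instead of Require): a PHP-execution block for the uploads directory, basic auth for wp-admin with admin-ajax.php left open, the same auth for wp-login.php in the site root, and the DISALLOW_FILE_EDIT define placed before wp-settings.php is loaded. The .htpasswd location, the realm name and the scratch wp-config.php it builds when run without an argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the files for
# checklist items 2, 4 and 5 on Apache 2.4 with AllowOverride enabled
# (Apache 2.2 needs the older Order/Deny syntax instead of Require).
# Assumptions: the .htpasswd location, the "Restricted area" realm and the
# scratch wp-config.php that the no-argument demo builds under mktemp.
#   usage: sh harden-wp.sh /var/www/vhosts/example.com/httpdocs
set -eu

# Item 5: deny PHP execution under wp-content/uploads. Match PHP extensions
# only; a bare "deny from all" would also block every uploaded image.
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Item 2: HTTP basic auth. The password file must sit outside the document
# root; create it once with:  htpasswd -c -B /path/to/.htpasswd <user>
auth_directives() {
    printf 'AuthType Basic\nAuthName "Restricted area"\nAuthUserFile %s\nRequire valid-user\n' "$1"
}

# wp-admin/: themes and plugins call admin-ajax.php for logged-out visitors,
# so it stays reachable without credentials. Args: wp-admin dir, htpasswd path.
write_wpadmin_htaccess() {
    { auth_directives "$2"; printf '<Files admin-ajax.php>\n    Require all granted\n</Files>\n'; } > "$1/.htaccess"
}

# wp-login.php lives in the site root, not in wp-admin/, so protecting the
# directory alone still lets an attacker test passwords against the login
# form. Append a delimited block to the root .htaccess (WordPress only
# rewrites its own "# BEGIN WordPress" block); skip if already present.
protect_wp_login() {
    grep -qs '# BEGIN wp-login auth' "$1/.htaccess" && return 0
    { printf '# BEGIN wp-login auth\n<Files wp-login.php>\n'; auth_directives "$2"
      printf '</Files>\n# END wp-login auth\n'; } >> "$1/.htaccess"
}

# Item 4: define DISALLOW_FILE_EDIT above the wp-settings.php require; a
# define after that line is too late. Writes back over the original file so
# its owner and permissions are kept. Does nothing if already defined.
disable_file_editor() {
    cfg="$1"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    awk -v def="define('DISALLOW_FILE_EDIT', true);" '
        /wp-settings\.php/ && !done { print def; done = 1 }
        { print }
        END { if (!done) exit 1 }
    ' "$cfg" > "$cfg.tmp" || { rm -f "$cfg.tmp"; echo "$cfg: wp-settings.php require not found" >&2; return 1; }
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

harden() {
    write_uploads_htaccess "$1/wp-content/uploads"
    write_wpadmin_htaccess "$1/wp-admin" "$(dirname "$1")/.htpasswd"
    protect_wp_login "$1" "$(dirname "$1")/.htpasswd"
    disable_file_editor "$1/wp-config.php"
}

# Constructed scratch install for the demo; a real wp-config.php is longer.
make_demo_root() {
    DEMO_ROOT="$(mktemp -d)/httpdocs"
    mkdir -p "$DEMO_ROOT/wp-admin" "$DEMO_ROOT/wp-content/uploads"
    printf '%s\n' '<?php' "\$table_prefix = 'wp_';" \
        "/* That's all, stop editing! Happy publishing. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$DEMO_ROOT/wp-config.php"
}

if [ -n "${1:-}" ]; then
    harden "$1"
else
    make_demo_root
    harden "$DEMO_ROOT"
    echo "Hardened scratch copy in $DEMO_ROOT:"
    cat "$DEMO_ROOT/wp-config.php" "$DEMO_ROOT/.htaccess"
fi
```

Run it once against a scratch copy and read the generated files before pointing it at a real document root. The wp-login.php block is appended rather than written so the permalink rules WordPress keeps in the root .htaccess survive, and every step is idempotent, so re-running after a WordPress update that touched wp-config.php is safe.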
6. Keep WordPress, themes and plugins updated
Minor core releases (security and maintenance updates) are installed automatically by default. Major releases, themes and plugins you have to approve yourself, so check the Updates screen regularly. A good example of a plugin vulnerability is Contact Form 7, where an SQL injection was possible in an old version; if you still run an old version I highly recommend updating it.
7. Use fewer plugins
Fewer plugins means fewer vulnerabilities to track and fewer updates to apply, and WordPress runs faster and uses fewer resources. Delete the plugins you deactivate as well: a deactivated plugin’s files are still on the server, and any PHP file in it that can be requested directly is still reachable.
8. Use strong passwords
Use unique and long passwords for the database user and every admin login: lowercase and uppercase letters, numerals and symbols, and never the same password in two places. A password manager is the practical way to keep them unique; the master password is a single point of failure, so make it a long passphrase you use nowhere else and enable two-factor authentication on the manager where it supports it. Note also that the database password is stored in plain text in wp-config.php, so keep that file readable only by the web server user.