How to secure WordPress and Protect your Website from being Hacked

WordPress is the most popular content management system and website builder. That is also why it is the most attractive target for attackers and for malicious plugins aimed at the WordPress platform.

There is never a 100% guarantee that your site cannot be hacked, but there are some common steps you should take to ensure the integrity of your data and to secure your site as well as possible.

This is not a complete guide to hardening the security of your WordPress website, but applying these rules will make your WordPress website much safer. And even if it does get hacked, you will be able to restore your site quickly.

BACKUPS – Rule #1

  • Make a daily backup so that you can bring your website back to an earlier point in time.
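As an added example (not code from the original article), the following POSIX shell functions create a date-stamped archive of the WordPress files, restore it, and prune old archives so a daily job does not fill the disk. The paths (`/var/www/wordpress`, `/var/backups/wp`) and the 30-day retention window are assumptions; the database dump line is left as a comment because it needs your own credentials.

```shell
#!/bin/sh
# Added example, not part of the original article. All paths are assumptions.

# Create BACKUP_DIR/wp-files-YYYYMMDD.tar.gz from WP_ROOT and print the archive path.
backup_wp_files() {
    wp_root="$1"
    backup_dir="$2"
    stamp=$(date +%Y%m%d)
    mkdir -p "$backup_dir"
    archive="$backup_dir/wp-files-$stamp.tar.gz"
    # -C makes the archive hold paths relative to the parent of WP_ROOT,
    # so it can be restored next to the live site without absolute paths.
    tar -czf "$archive" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    # Database dump (assumed setup): keep credentials in an options file rather
    # than on the command line, then uncomment:
    # mysqldump --defaults-extra-file=/root/.wp-db.cnf --single-transaction "$DB_NAME" \
    #     | gzip > "$backup_dir/wp-db-$stamp.sql.gz"
    echo "$archive"
}

# Restore a file archive next to the live site (extracts into the parent of WP_ROOT).
restore_wp_files() {
    archive="$1"
    wp_root="$2"
    tar -xzf "$archive" -C "$(dirname "$wp_root")"
}

# Delete archives older than KEEP_DAYS days so daily backups do not fill the disk.
prune_backups() {
    backup_dir="$1"
    keep_days="$2"
    find "$backup_dir" -type f -name 'wp-*.gz' -mtime +"$keep_days" -exec rm -f {} +
}

# Daily run (assumed paths); schedule this line from cron.
# backup_wp_files /var/www/wordpress /var/backups/wp && prune_backups /var/backups/wp 30
```

Keep the archives on a different machine or storage account than the web server: a backup that sits next to the site is lost or tampered with in the same incident that takes the site down.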

WEBHOST – Rule #2

  • Select a trusted and reputable web host who focuses on security and uses only up-to-date software. For instance, never use a web host that does not offer PHP 7.X.

REPUTABLE PLUGINS – Rule #3

Use only well-rated plugins and themes that have a good reputation.
The only official repository for WordPress plugins and themes is https://wordpress.org/plugins/

If you get plugins or themes from other sources, test them carefully on a development site first.

STRONG ACCESS CREDENTIALS – Rule #4

Use a strong login password with a good minimum length that includes special characters. Also mix numeric and alphabetical characters, and use both uppercase and lowercase letters.

FILE PERMISSIONS – Rule #5

Choose correct file permissions.

A general rule of thumb for permissions in WordPress is:

  • Give all folders the permission 755
  • Give all files the permission 644

You can do this from within FTP, for instance by using the FileZilla FTP client.

You can even lower the permissions of the WordPress configuration file wp-config.php to 440.
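If you have shell access to the host, the 755/644/440 rule above can be applied and verified in one go. The following is an added example written for this page, not code from the article: `harden_wp_perms` applies the rule to a WordPress root directory (the path is an assumption; pass your own), and `audit_wp_perms` counts the entries that still deviate from it, which is useful as a periodic check because a plugin update or a careless upload can silently reset permissions.

```shell
#!/bin/sh
# Added example, not part of the original article. The WordPress root path
# passed as the first argument is an assumption.

# Apply the rule-of-thumb permissions: directories 755, files 644, wp-config.php 440.
harden_wp_perms() {
    wp_root="$1"
    [ -d "$wp_root" ] || { echo "not a directory: $wp_root" >&2; return 1; }
    # Directories: owner rwx, group and others rx (755)
    find "$wp_root" -type d -exec chmod 755 {} +
    # Regular files: owner rw, group and others r (644)
    find "$wp_root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts: owner/group read only (440)
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod 440 "$wp_root/wp-config.php"
    fi
}

# Count directories and files that do not match the rule; prints 0 when clean.
# -perm with a numeric mode is an exact match, so a stray setuid bit is reported too.
audit_wp_perms() {
    wp_root="$1"
    {
        find "$wp_root" -type d ! -perm 755
        find "$wp_root" -type f ! -path "$wp_root/wp-config.php" ! -perm 644
        if [ -f "$wp_root/wp-config.php" ]; then
            find "$wp_root/wp-config.php" ! -perm 440
        fi
    } | wc -l | tr -d ' '
}

# Typical use (assumed path):
# harden_wp_perms /var/www/wordpress && audit_wp_perms /var/www/wordpress
```

One caveat before setting wp-config.php to 440: PHP must still be able to read it. On hosts where the web server runs as a different user than the one that owns the files, that user needs to be in the file's group, otherwise the site stops loading with a database connection error. Run the audit after the change and load the site once to confirm.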

There are many more advanced options to increase the security of your WordPress website, which you can read about here:

https://wordpress.org/support/article/hardening-wordpress/

Author: Rene Hermenau

I'm René Hermenau, founder of WP STAGING. I've been building WordPress infrastructure software since 2013 and writing code on GitHub since 2011. My repos live at github.com/rene-hermenau. WP STAGING started as a small developer project solving the same problem I kept hitting on client work: there was no fast, safe way to clone a WordPress site for staging or migration without breaking serialized data, file paths, or media references. Today we are a team of more than 10 people. The free plugin runs on hundreds of thousands of WordPress installations, and the Pro version powers backup, migration, and staging workflows for agencies, hosting platforms, and ecommerce stores. I'm still hands-on with the codebase and technical architecture. Our releases are built as a team, but many of the core architectural decisions are ones I helped design, test, and evolve over the years: how we handle large database exports, how we keep memory usage flat on multi-GB sites, and how we make migrations atomic against partially written tables. "When you touch code, leave it 10% better than before and write a test." If you're stuck on a WP STAGING question, the docs are at wp-staging.com/docs. If you hit a bug, file it on GitHub at github.com/wp-staging. Our team reads everything that lands there.