WordPress powers nearly 28% of all websites on the internet. This makes it a prime target for hackers, spammers, and other malicious activity.
You can easily protect your site from hackers and malicious attacks by adding layers of security around your WordPress site. Start by adding the iThemes Security and/or Wordfence plugins. Always keep your software up to date – outdated software is one of the biggest causes of hackers getting into your site.
Avoid installing untrusted WordPress plugins and themes. Don’t forget to remove unused plugins and themes. Regularly back up your WordPress site – some hosting companies make daily backups of your site for you, but high-volume hosting companies are not likely to do so, so you will have to do this on your own. Enforce strong passwords and usernames.
Use Two-Factor Authentication (2FA). Change or omit the “Admin” username. Limit login attempts. Monitor incoming attacks. Use SSL. Hide your WordPress version. Relocate or rename the login page. Use a secure hosting environment.
Secure the wp-config file. The wp-config.php file contains your website’s base configuration details, like database connection information. To protect your wp-config.php file from intrusion, add the following code to your .htaccess file to deny access to anyone who requests it:
<Files wp-config.php>
    # Apache 2.2 access-control syntax; Apache 2.4 accepts it only when mod_access_compat is loaded
    Order allow,deny
    Deny from all
</Files>
Please refer to Lesson 26 for more information.
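To confirm that the rule above really covers wp-config.php, the following added example (not part of the original lesson) scans .htaccess text for a `<Files>` or `<FilesMatch>` section that denies access, accepting both the Apache 2.2 form shown here and the Apache 2.4 `Require all denied` form. The function names and sample rules are constructed for illustration, and the check is deliberately conservative: a section that also contains an allow rule is reported as unprotected so it gets a manual review.

```python
import fnmatch
import re

OPEN = re.compile(r'^<\s*(files|filesmatch)\s+(.+?)\s*>$', re.I)
CLOSE = re.compile(r'^<\s*/\s*(files|filesmatch)\s*>$', re.I)
# "Deny from all" is the Apache 2.2 form used on the page; "Require all denied" is the 2.4 form.
DENY = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.I)
ALLOW = re.compile(r'^(allow\s+from\b.*|require\s+(?!all\s+denied).*)$', re.I)

def covers(kind, arg, filename):
    """True if a <Files>/<FilesMatch> argument applies to filename."""
    is_regex = kind.lower() == "filesmatch"
    if arg.startswith("~"):            # <Files ~ "regex"> is the regex form of <Files>
        is_regex, arg = True, arg[1:].strip()
    arg = arg.strip("\"'")
    if is_regex:
        return re.search(arg, filename) is not None
    return fnmatch.fnmatchcase(filename, arg)   # <Files> accepts ? and * wildcards

def wp_config_denied(htaccess_text, filename="wp-config.php"):
    """Conservative check: a covering section must deny and must not also allow."""
    inside = has_deny = has_allow = False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):    # skip blanks and commented-out rules
            continue
        opened = OPEN.match(line)
        if opened:
            inside = covers(opened.group(1), opened.group(2), filename)
        elif CLOSE.match(line):
            inside = False
        elif inside and DENY.match(line):
            has_deny = True
        elif inside and ALLOW.match(line):
            has_allow = True
    return has_deny and not has_allow

# Constructed sample inputs (not taken from a real site)
PAGE_RULE = "<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n"
APACHE24_RULE = '<Files "wp-config.php">\n    Require all denied\n</Files>\n'
REGEX_RULE = '<FilesMatch "^wp-config\\.php$">\nRequire all denied\n</FilesMatch>\n'
WRONG_NAME = "<Files wp-config.txt>\nDeny from all\n</Files>\n"
COMMENTED_OUT = "# <Files wp-config.php>\n# Deny from all\n# </Files>\n"
MIXED = "<Files wp-config.php>\nOrder deny,allow\nDeny from all\nAllow from 10.0.0.0/8\n</Files>\n"

if __name__ == "__main__":
    for name in ("PAGE_RULE", "APACHE24_RULE", "REGEX_RULE", "WRONG_NAME", "COMMENTED_OUT", "MIXED"):
        print(f"{name:14} protected={wp_config_denied(globals()[name])}")
```

A passing result only shows that the rule is present in the file; the server must also be configured to honour .htaccess overrides for it to take effect.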