To beef up your WordPress security you need to pay attention to the areas hackers target most often. First on that list is the login page, because all WordPress websites have the same default address for their login page: /wp-admin. That means hackers can go straight to that address and start trying to break in. So you need to change it. Use the ‘WPS Hide Login’ plugin and change the login page address. There’s your most important WordPress security issue resolved, and it’s a five-minute job.
If hackers do get to your login page, you can generally keep them out by limiting the number of login attempts they can make before being locked out. You can install the ‘Limit Login Attempts’ plugin and set it up to lock people out for as long as you want, after as many failed login attempts as you’d like. There’s your second important WordPress security issue resolved. Download the plugin here – https://wordpress.org/plugins/limit-login-attempts/
Simple plugins like ‘Really Simple CAPTCHA’ (https://wordpress.org/plugins/really-simple-captcha/) are very widely used and allow you to add a tick box so that users can verify they are human. Although it is at #3 here, this is a crucial element of website security.
People often forget that the WordPress install itself is a website security issue and needs to be kept up to date. As soon as you log in, you will get an alert on your dashboard to tell you if the WordPress install is out of date. Don’t be afraid to follow the instructions and cross another job off your Website Security checklist.
Your plugins will need updating regularly. The more you have, the more of a website security issue they will become. So get in the habit of checking on them each week. When you log in, you will get an alert on your dashboard, just the same as above, telling you how many updates you need to do. Click on the ‘Plugins’ link down the left-hand side of the Dashboard, then click the ‘update’ link on each one. Then cross another job off your Website Security checklist.
Most websites don’t need to have the Comments feature activated. I recommend switching it off as it allows external users to post comments which are often used to create backlinks to their own content. This is only a small website security issue, but worth avoiding to be on the safe side. These comments are also likely to have a negative effect on your website SEO over time as the links, if spam, are seen as toxic by the search engines. You can do this with another plugin called ‘Disable Comments’ which you can download here – https://wordpress.org/plugins/disable-comments/
Everyone is lazy when it comes to usernames and passwords. But when it comes to keeping your website intact, don’t take the chance. Use the password generator, or come up with an alpha-numeric password of your own.
If you think the username might be obvious, don’t use it.
I prefer using Wordfence. Having tested a number out on the same site with known malware, I found Wordfence to be thorough and fairly easy to use. Like most antivirus programs, they take a bit of time to configure, but they’re a vital tool in WordPress security.