Rules For Securing WordPress Websites

Here are the standard WordPress security procedures that you should make default:

  • customize and rename the login page URL instead of using the /wp-login.php, /wp-login.php?action=r or /wp-admin/
  • add security questions to the WordPress login screen
  • enable two-factor authentication using
  • secure the /wp-admin with cPanel Directory Privacy
  • ensure that WordPress is not using the wp- table prefix during installation and that the database has a strong password that is at least 45 in length.
  • the default “admin” username should never be used during the installation.
  • chmod wp-config.php file to 0400
  • disallow file editing by adding “define(‘DISALLOW_FILE_EDIT’, true);” to wp-config.php
  • ensure that directory listing is disabled with .htaccess
  • block all hotlinking
  • ensure that automatic update is enabled for the theme and plugin during installation. The WordPress version number should be removed.
  • remove the WordPress version number using functions.php
  • disable XML-RPC
  • ensure that a plugin that limits login attempts and brute-force is installed. This can be achieved too with the right cPanel config.
  • rotate WordPress security keys every 3 months (
  • use Trusona (
  • use SiteLock or cWatch to scan the website daily.
  • or simply run the website via Cloudflare or Incapsula.
  • and lastly, host your WordPress with Web Hosting Magic for the sweetest WordPress experience.

These, are more than enough to keep any WordPress installation from issues.

Ref: Check here