Security has to be considered on any website built with WordPress, since an attack can cause real harm to your business. Below are the most important points to take into account to strengthen the security of your site:
Secure passwords
Always use strong passwords: accept the ones WordPress suggests or create them with a password generator.
- Force users to use strong passwords (WordPress only warns about weak ones; enforcing a policy needs a plugin).
- Use uppercase, lowercase, numbers and symbols, and above all length; a non-ASCII character such as 'ñ' widens the search space a little, but is no substitute for a long password.
- Never reuse the same password on other websites or applications.
- Enable 2FA (two-factor authentication).
2FA (two-factor authentication)
With this method, access is verified with an additional code, sent by email or generated by an authenticator app, so that whoever entered the password is confirmed to be the legitimate user and not someone who has obtained the password.
There are several plugins and options that let us enable this functionality:
Plugins for 2FA
These use various systems such as email, backup codes, Google Authenticator or Authy. We normally use Google Authenticator, although any other compatible TOTP app works. Install the app on your phone and, after installing the plugin, scan the QR code it shows in its settings page; from then on the login form asks for the six-digit code after the password. Some plugin options for implementing 2FA in WordPress:
.htaccess configuration
Block web access to sensitive files in the WordPress root. wp-config.php holds the database credentials and security keys, and readme.html and license.txt reveal the exact WordPress version; add this to the .htaccess file in the site root so the web server refuses to serve them:
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)$">
Require all denied
</FilesMatch>
"Require all denied" is the Apache 2.4 directive; on Apache 2.2 use "deny from all" instead (2.4 only accepts that form with mod_access_compat loaded). Note that nginx ignores .htaccess files entirely, so the same rules have to go into its server configuration.
Disable PHP execution in the uploads folder. No PHP file should ever run from this directory, since it is where upload forms and vulnerable plugins end up writing attacker-controlled files. Create an .htaccess file in /wp-content/uploads/ with the following, which also covers the alternative extensions some hosts map to PHP (on Apache 2.2, replace "Require all denied" with "deny from all"):
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
Require all denied
</FilesMatch>
Protect access to wp-login.php and the wp-admin directory
Add a second password (HTTP basic authentication) in front of the WordPress login. First create the .htpasswd file with the username and password, either with the htpasswd command that ships with Apache or with an online HTPassword Generator tool, and upload it outside the public web folder (public_html, www, httpdocs or similar) if the hosting allows it, so it can never be downloaded. Since wp-login.php lives in the WordPress root and not inside /wp-admin/, the rule has to go in the root .htaccess file:
<Files wp-login.php>
AuthType Basic
AuthUserFile /PATH WHERE THE FILE WAS UPLOADED/.htpasswd
AuthName "Restricted access"
Require valid-user
</Files>
To cover the /wp-admin/ directory as well, put the same four Auth directives without the <Files> wrapper in /wp-admin/.htaccess, but exempt admin-ajax.php (with a <Files admin-ajax.php> block that grants access), because the front end and many plugins call it for logged-out visitors and would otherwise break.
Hosting
The hosting provider is essential for both the security and the performance of the website, so choose it carefully. Factors to take into account when selecting a good hosting provider:
- TLS/SSL certificates
- Firewall
- Automatic backups
- System updates: control panel, PHP versions, MariaDB…
- Malware Monitoring
- Server location
- Server-side cache
- CDN
- Resources required: CPU, RAM
- PHP and MySQL support
- Quality technical support and fast response time
Database
Make sure the database only accepts connections from the web server itself (bind it to localhost or a private interface) unless external connections are genuinely needed.
Use a table prefix other than wp_ when creating the database tables. This only hinders automated attacks that hardcode the default table names; it is not a substitute for keeping the site patched.
File permissions
Hosting providers normally configure this correctly already, but we recommend verifying that directories are 755 and files 644, and that nothing under the web root is world-writable.
We recommend changing .htaccess and wp-config.php to 444. PHP can still read them, but they can no longer be modified by a plugin or by a careless edit; change the permissions back only when you need to edit them and return them to 444 afterwards. Note that a process running as the file owner can still chmod them back, so this mostly stops accidents and unsophisticated malware rather than a determined attacker with code execution as the PHP user.
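As an added example, not the article's own code, here is a small audit script that implements exactly the policy described above (755 for directories, 644 for files, 444 for wp-config.php and .htaccess) and flags world-writable entries separately. It runs here against a constructed temporary tree rather than a real installation; the sample tree and its paths are assumptions for the demo.

```python
"""Audit a WordPress tree against the recommended modes: 755 directories,
644 files, 444 for wp-config.php and .htaccess.

Added example (not code from the original article). The policy table mirrors
the article; build_sample_tree() creates a constructed tree in a temporary
directory purely to demonstrate the checks.
"""
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o755
FILE_MODE = 0o644
LOCKED = {"wp-config.php": 0o444, ".htaccess": 0o444}   # read-only once configured


def expected_mode(path: Path) -> int:
    if path.is_dir():
        return DIR_MODE
    return LOCKED.get(path.name, FILE_MODE)


def audit(root: str) -> list:
    """Return (relative path, actual mode, expected mode, note) per deviation.

    World-writable entries get their own note: they let any local user,
    including other tenants on shared hosting, plant or alter files.
    """
    rootp = Path(root)
    findings = []
    for p in sorted(rootp.rglob("*")):
        if p.is_symlink():                  # don't follow links out of the tree
            continue
        actual = stat.S_IMODE(p.stat().st_mode)
        want = expected_mode(p)
        if actual != want:
            note = "world-writable" if actual & stat.S_IWOTH else "non-standard"
            findings.append((str(p.relative_to(rootp)), oct(actual), oct(want), note))
    return findings


def fix(root: str) -> int:
    """Apply the expected mode to every deviating entry; returns the count changed."""
    changed = 0
    rootp = Path(root)
    for p in sorted(rootp.rglob("*")):
        if p.is_symlink():
            continue
        want = expected_mode(p)
        if stat.S_IMODE(p.stat().st_mode) != want:
            os.chmod(p, want)
            changed += 1
    return changed


def build_sample_tree() -> str:
    """Constructed WordPress-like tree with typical mistakes, for the demo/test."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    r = Path(root)
    (r / "wp-content" / "uploads").mkdir(parents=True)
    for name in (".htaccess", "index.php", "wp-config.php"):
        (r / name).write_text("")
    (r / "wp-content" / "uploads" / "image.jpg").write_bytes(b"")
    os.chmod(r / "wp-content", 0o777)                       # left world-writable
    os.chmod(r / "wp-content" / "uploads", DIR_MODE)
    os.chmod(r / "wp-content" / "uploads" / "image.jpg", 0o666)
    os.chmod(r / ".htaccess", 0o444)                        # already locked
    os.chmod(r / "index.php", FILE_MODE)
    os.chmod(r / "wp-config.php", FILE_MODE)                # should be 444
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, actual, want, note in audit(tree):
        print(f"{rel}: {actual} (expected {want}, {note})")
    print(f"fixed {fix(tree)} entries; remaining: {audit(tree)}")
```

On a real site, run audit() on the document root first (it is read-only) and review the findings before calling fix(), which is just the chmod step; uploads directories that a plugin legitimately writes to still keep 755/644, since the PHP user owns them.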
Firewall and CDN
Although the server already has a firewall, some projects need more protection and a more advanced firewall (a WAF) combined with a CDN. For this we recommend Cloudflare: the free plan is quite complete, and the paid plans add more options.
wp-config file
The wp-config file defines the parameters needed for the website to work; we can also add or modify some of them to reinforce security.
Pin the site URL
These two constants fix the site URL so it cannot be changed from the admin settings, which prevents a user with access from modifying it by mistake and taking the website down:
define('WP_SITEURL', 'https://www.misitio.com');
define('WP_HOME', 'https://www.misitio.com');
Security Keys
Use the WordPress security keys; you can generate them with the WordPress Salt Generator tool (https://api.wordpress.org/secret-key/1.1/salt/). Each of the eight values should be unique and long, and changing them invalidates every existing login cookie, which also makes regenerating them a quick way to log all users out after a suspected compromise. Example result:
define('AUTH_KEY', 'JNi2Dv_t%_W+gV{nK4Vv`uK*M*6[OtlJ#rP$(f9DG0z?P0^y09XL4o(S9L^~1zX<');
define('SECURE_AUTH_KEY', 'WE`D@muXcUptpCLiwe+|th)-R+)Q,l]mCh2dADLV6-u;acFH6HTvKB>x{9CYW#Ri');
define('LOGGED_IN_KEY', 'yF&TWBe~q<6kJv`[XYrkH>j0U.[;:vZNpXE`G~(Z5-1@-&0 %JuQdp+HhZiYCV$1');
define('NONCE_KEY', 'h!Q$4RH68xQm8kUa^Qp wpSm<+K5K-wy1FiID~|Has$D1@KK^7+E+4H9#4r7ynEl');
define('AUTH_SALT', 'D*=w-_k&X^HHeE+0Oi.hpuf*Dh#qXr28+J1C-D6}zZhG[L(|1B+Z6}8yrU!>8sJP');
define('SECURE_AUTH_SALT', 'sXUpJg(7U1?^]kgg|`(%H.RFmxNb|[#F^|i&yTz^s|[C _Y=o#I SHamv;@K@AV0');
define('LOGGED_IN_SALT', 'q>|}s{PB/|/z|[7)sqDY[X#E%)5NldUqsgga;w>K@akygw%eTD^$7_Gke28fgv>d');
define('NONCE_SALT', 'oCv_Z^v*QkS+s)t7q>np?Bv`2n7l`pRidTQbD8CV[-gBeFgBPrch?ZD3`|*jvEG3');
Force the use of HTTPS
A TLS/SSL certificate is required for users to browse securely; the hosting provider should supply it. To make WordPress always serve the admin area and the login page over https, add this line to wp-config (FORCE_SSL_LOGIN, which older guides also set, has been deprecated since WordPress 4.0 and is covered by FORCE_SSL_ADMIN):
define('FORCE_SSL_ADMIN', true);
For the public part of the site, redirect http to https at the web server and use https in WP_HOME and WP_SITEURL.
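As an added example that is not part of the article, the script below checks a wp-config.php for the points covered in this section (eight unique, non-placeholder security keys of at least 64 characters; WP_HOME and WP_SITEURL pinned to https; FORCE_SSL_ADMIN enabled and the deprecated FORCE_SSL_LOGIN absent) and rotates the keys locally with Python's CSPRNG instead of fetching them from the salt generator. The WEAK_CONFIG sample is constructed for the demo (example.com is a placeholder), and the character set used for generated keys is an assumption, not WordPress's own list.

```python
"""Audit and rotate the hardening constants in wp-config.php.

Added example (not code from the original article). Assumptions: defines use
single-quoted PHP string literals or bare true/false, as WordPress writes
them; KEY_CHARS is an assumed charset, not the one WordPress itself uses.
"""
import re
import secrets
import string

SECURITY_KEYS = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
# Assumed charset: printable ASCII minus quotes and backslash, so a key can sit
# inside a single-quoted PHP string without escaping.
KEY_CHARS = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in "'\"\\")

# define('NAME', 'value'); or define('NAME', true);  (double-quoted strings not handled)
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)", re.I)

# Constructed sample: the wp-config-sample.php defaults plus a plain-http home URL.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
define('WP_HOME', 'http://www.example.com');
define('FORCE_SSL_LOGIN', true);
"""


def parse_defines(text: str) -> dict:
    """Map constant name -> string value ('true'/'false' for booleans)."""
    out = {}
    for m in DEFINE_RE.finditer(text):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).lower()
    return out


def audit_wp_config(text: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    d = parse_defines(text)
    findings = []
    seen = {}
    for k in SECURITY_KEYS:
        v = d.get(k)
        if v is None:
            findings.append(f"{k} is not defined")
            continue
        if v == PLACEHOLDER:
            findings.append(f"{k} still has the wp-config-sample.php placeholder")
        elif len(v) < 64:
            findings.append(f"{k} is shorter than 64 characters")
        if v in seen:                       # each of the eight values must be unique
            findings.append(f"{k} duplicates {seen[v]}")
        else:
            seen[v] = k
    for k in ("WP_HOME", "WP_SITEURL"):
        v = d.get(k)
        if v is None:
            findings.append(f"{k} is not pinned in wp-config.php")
        elif not v.startswith("https://"):
            findings.append(f"{k} is not https")
    if d.get("FORCE_SSL_ADMIN") != "true":
        findings.append("FORCE_SSL_ADMIN is not enabled")
    if "FORCE_SSL_LOGIN" in d:
        findings.append("FORCE_SSL_LOGIN is deprecated since WordPress 4.0; "
                        "FORCE_SSL_ADMIN already covers the login page")
    return findings


def generate_key(length: int = 64) -> str:
    """A fresh key from the CSPRNG, the same length the salt generator produces."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def rotate_keys(text: str) -> str:
    """Replace all eight keys with fresh values, appending any that are missing.

    Rotating them invalidates every existing login cookie, which is the
    intended effect after a suspected compromise.
    """
    for k in SECURITY_KEYS:
        line = f"define('{k}', '{generate_key()}');"
        pat = re.compile(r"define\(\s*'" + k + r"'\s*,.*?\);")
        text, n = pat.subn(lambda _m: line, text, count=1)
        if n == 0:
            text += "\n" + line
    return text


if __name__ == "__main__":
    for f in audit_wp_config(WEAK_CONFIG):
        print("-", f)
    print(rotate_keys(WEAK_CONFIG))
```

Run audit_wp_config() on the real file's contents before and after editing; rotate_keys() writes nothing to disk by itself, so the rotated text can be reviewed and then saved while wp-config.php is temporarily writable.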
Security plugins
Security plugins make it easier to implement some of the measures mentioned above. We only recommend them in specific cases, and always kept on the latest version (enable automatic updates). Some of the most popular ones:
- Wordfence
- Solid Security (formerly iThemes Security)
- All In One WP Security & Firewall
- Sucuri Security
These plugins can be quite heavy and often duplicate functionality that can be implemented with a few lines of configuration or that the hosting already provides.
Web maintenance
The most important thing for a secure site is that it is well maintained:
- Update WordPress, themes and plugins regularly
- Update PHP and the database version when WordPress recommends it
- Ensure backups are actually being made, and that they can be restored
- Monitor the site for downtime
- Get alerts when a plugin has a known vulnerability, so it can be updated as soon as possible
- Perform regular malware scans
- Check that the website sends emails (password resets and alerts depend on it)
Conclusions
Although many more measures can be taken to increase security, we have covered the ones we consider most important. Not all of them need to be implemented; which ones are worth applying, and which require a more advanced configuration, depends on each project and its particularities.
If you have limited knowledge to implement these tasks, we recommend hiring a professional expert to advise you and apply these settings. You can contact us to help you set up your site more securely.