
Cyber Security – Hardening WordPress

As a WordPress designer, your focus is usually on the “front-of-house”—the typography, the user journey, and the pixel-perfect layouts. But in today’s digital landscape, a beautiful website is only as good as its defense. 

The challenge lies in the fact that security isn’t a “one-and-done” task. It is a continuous, layered process that starts at the server level and extends all the way to how a client logs in. From “nulled” plugins carrying hidden backdoors to brute-force attacks targeting weak passwords, the vulnerabilities are numerous. 

The goal is to move beyond basic maintenance and implement a rigorous, repeatable checklist—ensuring that every site we launch is as secure as it is stunning.


The WordPress Hardening Checklist

1. Hosting & Server Level (The Foundation)

Security starts before you even install WordPress.

  • [ ] Choose Secure Hosting: Use managed WordPress hosting (e.g., Kinsta, WP Engine) or reputable shared or VPS hosting from a company like https://leanna.ng. Avoid “bottom-shelf” shared hosting that lacks account isolation.
  • [ ] PHP Version: Ensure the server is running PHP 8.3 or later. Older versions no longer receive security patches.
  • [ ] SSL/HTTPS: Force HTTPS sitewide. Use Let’s Encrypt (usually free via your host) or AutoSSL in cPanel, and the Really Simple SSL plugin to fix mixed content.
  • [ ] SFTP over FTP: Never use plain FTP. Use SFTP (Secure File Transfer Protocol) to encrypt your login credentials and file transfers.
  • [ ] Web Application Firewall (WAF): Use a DNS-level firewall like Cloudflare to block malicious traffic before it even hits your server.

2. Authentication & Login Hardening

Most hacks are “Brute Force” attacks (guessing passwords). For ease, every item in this section can be handled from a single plugin (ASE).

  • [ ] Change Default ‘admin’ Username: Never use “admin”. Create a unique username and delete the original user (ID 1).
  • [ ] Two-Factor Authentication (2FA): Mandatory for all Admin and Editor roles.
  • [ ] Limit Login Attempts: Lock out IPs after 3–5 failed attempts.
  • [ ] Custom Login URL: Move wp-login.php to a custom path (e.g., /designer-access-2026) using a plugin.
  • [ ] Strong Password Policy: Enforce a minimum of 16 characters for all users.
  • [ ] Idle Logout: Automatically log out users after 30 minutes of inactivity.

3. File System & Database Hardening

Locking the “back door” of your site. Audit these settings at least monthly.

  • [ ] Disable File Editing: Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php. This prevents hackers from editing your theme/plugins via the dashboard.
  • [ ] Correct File Permissions: Folders should be 755 and files should be 644. wp-config.php should be 600.
  • [ ] Change Database Prefix: Change the default wp_ prefix to something random (e.g., x7y2_) during installation to prevent SQL injection.
  • [ ] Protect wp-config.php: Move it one directory above the root if your host allows, or use .htaccess to deny access to it.
  • [ ] Update Security Salts: Generate fresh secret keys in wp-config.php to invalidate all current sessions if you suspect a breach.

4. Maintenance & Hygiene

Old code is vulnerable code.

  • [ ] The “12-Month Rule”: Delete any plugin that hasn’t been updated by its developer in over 12 months.
  • [ ] Remove Unused Themes/Plugins: Don’t just deactivate them; delete them. Deactivated code can still be executed.
  • [ ] Update WordPress: Check for new updates and apply them regularly to patch known vulnerabilities.
  • [ ] Automatic Updates: Enable auto-updates for minor core releases and for security patches to plugins and themes.
  • [ ] No “Nulled” Software: Never use pirated themes or plugins; they almost always contain “backdoor” malware.
  • [ ] Disable XML-RPC: If you aren’t using Jetpack or the WP mobile app, disable XML-RPC to close a common brute-force vector.
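The file system items from section 3 (permissions, DISALLOW_FILE_EDIT, protecting wp-config.php) and the XML-RPC item from section 4 can be scripted so the monthly audit is repeatable. The script below is an added example written for this page, not code from the original post or from any plugin; it assumes an Apache host (the .htaccess syntax is Apache 2.4), that WP_ROOT is the document root of the install, and that it runs as the file owner.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): audit and apply the file
# system items from sections 3 and 4 of the checklist. WP_ROOT is assumed to
# be the document root of a WordPress install on an Apache host.
set -eu

# Apply the 755 / 644 / 600 scheme. Run as the file owner (or root);
# ownership is left untouched.
harden_permissions() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Report anything that deviates from the scheme. Returns 1 when offenders
# exist, so it can run from cron as the monthly audit.
check_permissions() {
  local root="$1" offenders
  offenders=$( {
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 600
  } )
  if [ -n "$offenders" ]; then
    printf 'Permission deviations:\n%s\n' "$offenders" >&2
    return 1
  fi
}

# Make sure wp-config.php disables the dashboard file editor. The define is
# inserted before the "stop editing" marker WordPress ships in the file, or
# appended if the marker is missing; a second run changes nothing.
ensure_disallow_file_edit() {
  local cfg="$1/wp-config.php" tmp
  if grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$cfg"; then
    return 0
  fi
  tmp="$cfg.tmp"
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    !done && /stop editing/ { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$cfg" > "$tmp"
  mv "$tmp" "$cfg"
  chmod 600 "$cfg"   # mv replaced the inode; restore the 600 mode
}

# Append an Apache 2.4 <Files> block denying direct web requests to each
# named file (wp-config.php from section 3, xmlrpc.php from section 4).
# Already-present blocks are skipped, so re-running is safe.
deny_direct_access() {
  local ht="$1"; shift
  local f
  for f in "$@"; do
    if [ -f "$ht" ] && grep -q "<Files \"$f\">" "$ht"; then
      continue
    fi
    printf '<Files "%s">\n    Require all denied\n</Files>\n' "$f" >> "$ht"
  done
}

# Typical run, with WP_ROOT supplied by the caller:
#   harden_permissions "$WP_ROOT"
#   ensure_disallow_file_edit "$WP_ROOT"
#   deny_direct_access "$WP_ROOT/.htaccess" wp-config.php xmlrpc.php
#   check_permissions "$WP_ROOT"
```

check_permissions is separate from harden_permissions on purpose: the audit can run unattended and only alert, while the fix is applied deliberately after a human has looked at the report. On nginx hosts the deny_direct_access step does not apply; the equivalent is a location block in the server configuration.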

5. Backups & Recovery

Security is never 100%, so you need a “safety net”; follow these best practices.

  • [ ] Off-site Backups: Never store backups on the same server as the website. Use Dropbox, Google Drive, or Amazon S3.
  • [ ] Frequency: Daily backups are the minimum; hourly for e-commerce.
  • [ ] Testing: Once every 3 months, try restoring a backup to a staging site to ensure it actually works.
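A backup is only proven when it restores. The script below is an added example for the off-site and testing items above, not code from the original post or from any backup plugin: it archives a site directory, writes a checksum and a per-file manifest beside the archive, and a verify step extracts into a scratch “staging” directory and compares every restored file against that manifest. The destination directory stands in for the off-site location (in practice it would be synced to Dropbox, Drive or S3 by the host’s tooling), and database dumps are out of scope, though the same verify step applies to them.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): checksummed site backup plus
# a restore test. DEST stands in for the off-site copy location.
set -eu

# Hex SHA-256 of one file; works with GNU coreutils or the perl shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Sorted "hash  ./relative/path" line for every file under $1. Taken at backup
# time and again after a test restore; any difference means the copy is not usable.
manifest_of() {
  local root="$1"
  ( cd "$root" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done )
}

# make_backup SITE_DIR DEST_DIR -> prints the archive path. Writes
# ARCHIVE.sha256 (archive hash) and ARCHIVE.manifest (per-file hashes) next to it.
make_backup() {
  local site="$1" dest="$2" stamp archive
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/$(basename "$site")-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -C "$site" -czf "$archive" .
  sha256_of "$archive" > "$archive.sha256"
  manifest_of "$site" > "$archive.manifest"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE STAGING_DIR -> 0 only if the archive hash matches, it
# extracts cleanly into STAGING_DIR, and every restored file matches the manifest.
verify_backup() {
  local archive="$1" staging="$2"
  if [ "$(sha256_of "$archive")" != "$(cat "$archive.sha256")" ]; then
    echo "hash mismatch: $archive is corrupt or incomplete" >&2
    return 1
  fi
  mkdir -p "$staging"
  if ! tar -C "$staging" -xzf "$archive"; then
    echo "extract failed: $archive" >&2
    return 1
  fi
  if ! manifest_of "$staging" | diff -q - "$archive.manifest" >/dev/null; then
    echo "restored files differ from the manifest taken at backup time" >&2
    return 1
  fi
  echo "restore test passed: $archive"
}

# Typical quarterly test, with paths supplied by the caller:
#   a=$(make_backup /var/www/site /backups/offsite)
#   verify_backup "$a" /tmp/restore-test
```

The manifest is what makes the test meaningful: a tarball that merely extracts without error can still be missing files that were added after a stale backup job, and the quarterly comparison catches that where a visual check of the staging site would not.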


Recommended Plugin Stack

Choose one from the “All-in-One” category to avoid plugin bloat.

Category               Recommended Plugins
All-in-One Security    Wordfence (deepest scanning) or Solid Security (user friendly)
Performance Security   MalCare (off-loads scanning to its own servers so your site stays fast)
Backups                UpdraftPlus or BlogVault
Login Protection       Admin and Site Enhancements (ASE), WP Hide Login
Spam Protection        Akismet or CleanTalk


Pro Tip for Designers: When you hand over a site to a client, create a separate account for them and downgrade their user role from “Administrator” to “Editor” if they don’t need to install plugins. This prevents them from accidentally compromising the site’s security.


Bruce Lucas
http://bruce.ng
