Securing a WordPress site: a Continuous Journey
Recently (this mornign in fact, November 15th 2019) there was a discussion on LowEndTalk on How to Secure a WordPress Site. I had been thinking about writing down what I have learnt to far about managing a wordpress site. This question was just the trigger to put my thoughts together.
Excerpts from my post:
a. Wordfence is a good start, they by default force you to download .htaccess file even before you get started. Look into the Brute force settings- default has upper limit of 30. Set it to 5 or something lower.
b. Hidemylogin plugin changes the default login link to domain.tld/newurl from the default domain.tld/wp_admin. Good to keep the casual seekers away, who will then get a 404 error page or a customised messages.
c. Ironically, my first two points are about plugins, but in reality, we should absolutely minimise the number of plugins. Also, there are some great tutorials on changing the permissions for some files/ folders, making .htacess read only etc. (PITA if you are trying to run upgrades or modifying certain settings. but if you have access to web folder/ ssh, not really that painful)
Edit: I will add relevant links here as and when I update this post
d. Using a Content Delivery Network or CDN : Cloudflare is the most recommended, yes, but for media files any other will do (thanks to recommendations on LET- I am giving Bunnycdn a try). Also have subscribed to plans for Publit.io (from Appsumo) and Publist (from Pitchground)
User Bikegremlin on LET has also written a good post.