Securing your WordPress website is no joke, but it’s a topic that’s easily ignored when your site is up and running without issue. It’s usually not until after the damage has already been done that website owners start considering implementing some WordPress security best practices.

I’ve been incredibly fortunate to not deal with a WordPress security crisis yet (fingers crossed it stays that way!). I’m sure it’s been a lot of plain good luck, but I’ve also been placing a much stronger emphasis on security across all the sites I manage lately.

Here’s a list of 10 WordPress security must-dos when setting up or starting to maintain a new WordPress site.

Update to the latest versions of WordPress, theme, and plugins

WordPress core is updated regularly to address any new security vulnerabilities. By simply updating to the latest version, you can greatly reduce your chances of being attacked. The same thing goes for your theme and plugin files. New versions are released regularly for security and compatibility reasons, so keeping these up to date is another security best practice—and a fairly easy task to complete regularly.

Make sure you set strong passwords for all users

Some WordPress vulnerabilities are just too easy to avoid. Ensuring that all of your users have a strong password set is one of them. Your goal when setting a user password is to make it difficult for someone to guess. This makes a brute force attack much more difficult.

Disable the user file editor in WordPress

By default, WordPress gives users the ability to edit theme and plugin files through the admin. This can be useful, but even an innocent typo could get you locked out of your site and cause unnecessary headache. This is especially true if you have a client responsible for managing some of the site’s content. I like to remove this ability altogether by adding a simple line to my wp-config file: define(‘DISALLOW_FILE_MODS’,true).

Change your admin login address

One of the most common hacker attempts to penetrate a site involves running a script to attempt to login from the default wp-admin page. A simple workaround for this potential problem is to change the default login URL. You can achieve this quickly by using a plugin like WPS Hide Login.

Use SFTP instead of FTP access

FTP is the same thing as SFTP, except that your password and anything else sent is encrypted during its transmission. When you use SFTP, your password will never be sent clearly and it can’t be intercepted by an attacker. You can typically set this up when you create a new user from your hosting account. If you can’t find the option to create an SFTP user, contact your hosting provider.

Set the correct file permissions

Sometimes it might be necessary to allow write access to some of your WordPress files or folders. However, this can potentially be dangerous—especially in a shared hosting environment. It’s best to lock these file permissions down as much as possible to make it more of a challenge for hackers to potentially attack your site. Rather than going in-depth here, this is a great resource that goes into WordPress file permissions in great length.

Change your WordPress database prefix

Another incredibly simple WordPress security precaution: simply change the database prefix on your site from the default “wp_” to something else of your choice. Potential attackers know that “wp_” is the default install, so they can attempt to run scripts to target these default table names in your database. Changing this prefix can make this type of database attack much more difficult.

Prevent multiple login attempts

Brute force attackers will run a script that will try to repeatedly guess your username/passwords. A simple way to prevent your site from falling victim to this is to install a plugin that limits login attempts. Wordfence Security is a favorite of mine: it allows you to not only limit login attempts, but comes equipped with tons of other security features that really help to lock down your site.

Monitor website activity

I like to have a security audit log installed on my WordPress sites so I can always stay on top of who is going in and out, making changes, etc. This is primarily so that in the instance that some unusual or questionable activity occurs, I can spring into action immediately. Something like WP Activity Log works well and is totally free.

Always have a backup

In the unfortunate instance that something does go wrong with your site, your first priority will surely be to get everything back up and running as quickly as possible. Since no site can ever be 100% secure, it’s vital to have a full, recent backup of your site readily available at all times. Invest in a powerful backup tool such as BackupBuddy, Jetpack Backup, or schedule manual backups yourself to be taken at least a couple of times per month.

Other resources

Here are a few additional resources on beefing up your WordPress security:
WordPress Security: The Ultimate Guide
Hardening WordPress