- use SFTP (port 22), not plain FTP, to transfer files
- scan for vulnerabilities using WPScan: https://wpscan.org/
- require 2FA for any users with 'Administrator' access
- give clients 'Editor' access and below
- revoke the DROP, ALTER and GRANT privileges from the WordPress user in the MySQL database
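As a worked example of that item (added here, not part of the original checklist), the statements below grant the WordPress database user only what day-to-day operation needs and then explicitly revoke DROP, ALTER and GRANT. The database name `wp_db`, the user `wp_app`@`localhost` and the password are placeholders to replace with your own values.

```sql
-- Added example, not from the original checklist. Database name, user name and
-- password are placeholders.
CREATE USER IF NOT EXISTS 'wp_app'@'localhost' IDENTIFIED BY 'CHANGE-ME';

-- Normal WordPress operation needs row-level access plus CREATE/INDEX so that
-- plugin installs can add their own tables.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, LOCK TABLES
  ON `wp_db`.* TO 'wp_app'@'localhost';

-- Make sure the privileges the checklist names are gone, even if an earlier
-- "GRANT ALL" handed them out at the database level.
REVOKE DROP, ALTER, GRANT OPTION ON `wp_db`.* FROM 'wp_app'@'localhost';

-- Verify: the output must not list DROP or ALTER and must not end in
-- "WITH GRANT OPTION".
SHOW GRANTS FOR 'wp_app'@'localhost';
```

Two caveats: the REVOKE above only affects database-level grants, so if the user was ever given privileges on `*.*` they must be revoked there as well (SHOW GRANTS will show a separate `ON *.*` line); and WordPress core or plugin updates that change table structure need ALTER, so re-grant it for the duration of such an update and revoke it again afterwards.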
- add the following line to wp-config.php to disable the theme and plugin file editor in the admin dashboard:
    define('DISALLOW_FILE_EDIT', true);
- set up regular backups via Installatron or your preferred WP plugin
- set up firewalls at the WordPress level (Wordfence), the web application level and the CDN (if required)
- remove the WordPress version number from the header by adding this to the theme's functions.php (or a site-specific plugin):
    // Return an empty string in place of the generator meta tag WordPress
    // normally prints in the page head and in feeds
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wpbeginner_remove_version');
- subscribe to Wordfence's security alerts newsletter: https://www.wordfence.com/subscribe-to-the-wordfence-email-list/
- subscribe to wpvulndb.com's security alerts: https://wpvulndb.com/users/sign_up
- disable and delete all unnecessary plugins
- remove comments functionality (if not required)
- use a source code change management system: git / GitHub
- add reCAPTCHA to the wp-admin login page: https://www.wpbeginner.com/plugins/how-to-add-captcha-in-wordpress-login-and-registration-form/