This post is from 2019 and may be out of date. For up-to-date information try: How to secure WordPress
This post is designed to give an overview of some of the techniques for hardening or securing WordPress from malicious attacks and hacking. Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken.
Any customer information you store will be your first priority: not only has the user trusted you to store their information, but in some countries you are legally responsible for what happens to the information they give you. Hardening your site will help protect that information from hacks. Secondly, keeping your site up to date and secure will reduce downtime and protect sensitive data such as passwords and user information.
Since 2013 WordPress has supported auto-updating. Make sure your WordPress site is set up to allow auto updates for minor releases, as these are usually how WordPress delivers most security updates. You should also consider enabling auto updates for everything.
Click into Dashboard > Updates to check the current status. It lists every core, plugin, theme and translation update that is available.
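The "auto updates for everything" setting above, expressed as a must-use plugin. This is an added example for this post, not code from the original article or from WordPress itself; the hold lists and the `example_` function names are hypothetical placeholders, and the hooks used are WordPress's standard auto-update filters.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, drop into wp-content/mu-plugins/)
 * The hold lists below are hypothetical placeholders; replace them with your own.
 */

// Core: security fixes ship as minor releases, so never switch those off.
// Major releases are opted in as well ("auto updates for everything").
// Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' ); // never track nightlies on a live site

// Plugins and themes you want to test by hand before updating (hypothetical slugs).
define( 'EXAMPLE_PLUGIN_UPDATE_HOLD', array( 'example-plugin/example-plugin.php' ) );
define( 'EXAMPLE_THEME_UPDATE_HOLD', array( 'example-theme' ) );

// Return true to let WordPress auto-update a plugin; $item->plugin is its main file path.
function example_auto_update_plugin( $update, $item ) {
    if ( in_array( $item->plugin, EXAMPLE_PLUGIN_UPDATE_HOLD, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Same policy for themes; $item->theme is the theme directory name.
function example_auto_update_theme( $update, $item ) {
    if ( in_array( $item->theme, EXAMPLE_THEME_UPDATE_HOLD, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'example_auto_update_theme', 10, 2 );

// Translations carry no executable code, so always accept them.
add_filter( 'auto_update_translation', '__return_true' );

// Write one line per updated item to the PHP error log, so a failed security
// update is noticed instead of silently leaving the site on an old version.
function example_log_auto_update_results( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            $status = is_wp_error( $item->result ) ? 'FAILED' : 'updated';
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $item->name, $status ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'example_log_auto_update_results' );
```

Auto-updates run from WP-Cron, so a site with little traffic should trigger cron from the system scheduler rather than relying on page views.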
You should first make sure that your site only uses verified plugins from trusted sources. Make sure any third-party plugins you are using have been reviewed and tested on the most recent version of WordPress. Avoid installing plugins downloaded from random websites; instead stick to plugins and themes from WordPress.org itself.
Two of the best security plugins:
As the name suggests All In One WP Security is a comprehensive solution for protecting your WordPress website. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
As you enable features and block vulnerabilities the plugin will keep a score so you can check how protected your website is.
Like All In One WP Security and Firewall, Wordfence can help you protect your WordPress site. It also includes some additional features, such as Two Factor Authentication (2FA) for user accounts, and premium real-time security and firewall updates.
The Wordfence dashboard lets you check your protection levels and shows an outline of the attacks blocked by the plugin.
Services like Cloudflare can intercept traffic before it reaches your WordPress site. A firewall will stop known malicious users from accessing your website.
Cloudflare is a DNS, security and content delivery network that will both speed up and protect your website. Cloudflare works by repointing your domain name through its servers, allowing Cloudflare to monitor and improve traffic between your server and the user.
With Cloudflare set up your site will be faster: it automatically caches content on its own network to reduce the number of requests made to your server. This also reduces your bandwidth usage, as not every request to your website has to be served from your own server.
Cloudflare will also filter out bot and malicious traffic; it can filter out users on old or outdated browsers, and block or challenge users on known IP addresses or networks. The firewall and DDoS protection features will ensure your site stays online at all times.
Most features are available free of charge; some are paid for.