
Securing WordPress

Advice on Securing WordPress


WordPress was originally designed for blogging and is now the most widely used content management system on the web. That popularity makes every WordPress site a routine target for automated attacks (brute-force logins and the exploitation of outdated plugins and themes, in particular), so it is extremely important to harden WordPress after installation.
Below are free security measures to apply, which are adequate for most websites. There are many WordPress security plugins available on a paid subscription that apply further measures, but some of those measures duplicate the ones described here. Make your own risk assessment as to whether a paid, 'fully encompassing' WordPress security plugin is necessary for your website.


Firstly, it is important that WordPress is kept up to date. To explain how this happens: WordPress auto-updates its "core" (the main software) for minor releases only. Minor releases carry bug and security fixes, which are imperative to keep your site secure. Major releases, which bring new features and keep your site current, are not installed automatically by default. As an example, WordPress will auto-update from v5.0.2 to v5.0.3 (a minor release) but will not auto-update to v5.1.0 or v6.0.0 (WordPress counts both of these as major releases). Since WordPress 5.6 you can opt in to major auto-updates from Dashboard > Updates ("Enable automatic updates for all new versions of WordPress"). However, if you used Softaculous to install WordPress, Softaculous keeps an overall eye on your core installation and updates it for both minor and major releases, so that you do not fall behind (major releases are made approximately every three to four months). You will receive an email about each update from your WordPress site or from Softaculous. Softaculous makes a backup before it auto-updates, in case there is a problem. Therefore, upon receiving the notification email stating that your website has been updated, please check that your website is working correctly and, should there be a problem, get in touch as soon as possible.

Keeping plugins and themes up to date is just as important for security, since outdated plugins are the most common way WordPress sites are compromised. WordPress can now automatically update plugins and themes, per plugin and per theme, from the Plugins and Themes screens. Please see the official documentation on how to configure this: https://wordpress.org/support/article/plugins-themes-auto-updates/
I would recommend that you enable auto-updates for the Loginizer plugin (see next step).
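If you would rather fix the update policy in code than rely on dashboard toggles (which any administrator can switch off), the following "must-use" plugin does the same job with standard WordPress core filters. It is an added example, not code from this article or from Softaculous, and it assumes a file name of ak-auto-updates.php placed in wp-content/mu-plugins/ (WordPress loads that directory automatically and the plugin cannot be deactivated from the dashboard). The plugin allow-list is an assumption too; 'loginizer' is the directory name of the Loginizer plugin under wp-content/plugins/.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Pins the WordPress update policy in code. Save as
 *              wp-content/mu-plugins/ak-auto-updates.php (assumed file name).
 */

// Never run outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Core. Minor (security/bugfix) releases already auto-install by default;
//    this also opts in to major releases. It is equivalent to putting
//    define( 'WP_AUTO_UPDATE_CORE', true ); in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// 2. Plugins. Auto-update only an allow-list of plugins you trust to update
//    unattended (assumed list; slugs are directory names under wp-content/plugins/).
//    Everything else keeps whatever you chose on the Plugins screen.
const AK_AUTO_UPDATE_PLUGINS = array( 'loginizer' );

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, AK_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;
    }
    return $update; // leave the dashboard setting untouched for other plugins
}, 10, 2 );

// 3. Themes. Deliberately left at the dashboard setting: a theme that has been
//    edited in place would have those edits overwritten by an unattended update.
//    Use add_filter( 'auto_update_theme', '__return_true' ); only if every
//    installed theme is stock from WordPress.org and unmodified.

// 4. Make sure you are told when something updated, so you can check the site.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_plugin_update_send_email', '__return_true' );
```

After adding the file, the Updates screen shows core major updates as enabled and the Plugins screen shows Loginizer as "Auto-updates enabled" with no way to disable it from the dashboard, which is the point of using a must-use plugin for this.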


It is important to protect against brute-force login attacks on your WordPress Admin control panel. The easiest way is a security plugin that detects, slows down and blocks repeated failed logins. If it is not already installed, please install the "Loginizer" plugin, developed by Softaculous. Please click here to find instructions on installing plugins. If you are using an alternative to Loginizer, please ensure that it is deactivated beforehand (and later removed), as two brute-force plugins running at once will interfere with each other.
No additional configuration of Loginizer is required: its default settings limit failed login attempts per IP address and temporarily lock out an address that exceeds the limit, so it is 'ready to go' once installed.
Once installed, as mentioned above, I would advise that you follow the steps to enable auto-updates for the Loginizer plugin.


A further method you can take to reduce brute-force login attempts is to change the URL (address) of the WordPress login page. This is especially helpful if you find that you are receiving an overwhelming number of brute-force attempts, because almost all of them are made by bots that probe the default addresses. By default the login page is at example.com/wp-login.php (example.com/wp-admin redirects to it), but you can change it to: example.com/somethingelseunknown . A suggested plugin to make this possible is “WPS Hide Login”. Bear in mind that this is obscurity rather than a real barrier: the new address must be kept private (do not link to it from the site), the login returns to the default address if the plugin is ever deactivated, and other ways of logging in, such as xmlrpc.php and the REST API, are not affected by it. Keep Loginizer active as the actual protection.
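Because hiding wp-login.php leaves the other login routes open, it is worth closing them at the same time. The must-use plugin below is an added example, not code from this article or from the WPS Hide Login plugin; it assumes a file name of ak-close-login-routes.php in wp-content/mu-plugins/ and uses only WordPress core filters. Do not disable XML-RPC if you use Jetpack or the WordPress mobile apps, which still rely on it.

```php
<?php
/**
 * Plugin Name: Close other login routes (added example)
 * Description: Disables XML-RPC and hides the user list from anonymous REST
 *              requests. Save as wp-content/mu-plugins/ak-close-login-routes.php
 *              (assumed file name).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// xmlrpc.php accepts a username and password on every authenticated call, with
// no login form involved, so it is the usual target once wp-login.php is hidden.
// This filter rejects every XML-RPC method that requires a login.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping needs no login and is not covered by the filter above; it has
// been abused for reflected DDoS, so remove it outright.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header and the RSD
// <link> in the page head both point scanners straight at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// /wp-json/wp/v2/users lists every account that has published content, which
// hands an attacker a set of valid usernames to guess passwords against.
// Remove those routes for visitors who are not logged in.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

To check it is working, request example.com/wp-json/wp/v2/users while logged out: WordPress should answer with a "rest_no_route" error instead of a list of users, and a POST to example.com/xmlrpc.php for any authenticated method should come back with "XML-RPC services are disabled on this site".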


Only install themes and plugins from trusted sources. The official WordPress.org plugin and theme directories are the safest place to find and install them, because everything listed there is reviewed before listing and receives updates through WordPress itself.

Please click here to find instructions on searching and installing plugins from the WordPress.org directory.

Please click here to find instructions on searching and installing themes from the WordPress.org directory.

If you do not find what you are looking for, take a look on ThemeForest for commercial themes. Note that a theme bought outside WordPress.org is not updated by the WordPress.org update service, so check how the vendor delivers updates and keep it current yourself. Never install "free" copies of paid themes or plugins from unofficial sites: these are routinely bundled with backdoors.


Set strong passwords for all WordPress user accounts. A strong password is unique to your WordPress site (never reused from another service), at least 12 characters long (longer is better) and made up of a mixture of capital letters, lowercase letters, numbers and special characters. Note the password down in a secure place; have you thought about using a password manager, which will both generate and store it for you?

Ensure that the Administrator account does not use the default username of “admin”, which is the first username every brute-force bot tries. WordPress does not let you rename a user from the dashboard, so changing the Administrator username is not particularly easy, but Softaculous's WordPress Manager makes it straightforward. This is covered in the next step, but please also read the textual guidance on the instructional page linked there if this applies to you.

If you installed WordPress using Softaculous, then Softaculous should have generated a random strong password and a random username for your Administrator account. I recommend that you do not change these details. Remember to keep any other WordPress user accounts that you create secure as well: they do not need random usernames, but they do need strong passwords, and they should only be given the role they actually need (for example, Editor or Author rather than Administrator).


I would strongly recommend that you enable all of the Softaculous WordPress Manager security measures, as outlined in the instructions here: https://www.softaculous.com/docs/enduser/wordpress-manager-security-measures/
Guidance on each of the security measures is provided on the instructional page above. Enabling all of them should not cause any issues for customers using their WordPress site as a portfolio website rather than as a blog. If you are using your site as a blogging platform, however, you may need to vary some of the measures accordingly, so read the description of each before turning it on.


If you are not using your WordPress site as a blogging platform, but rather as a portfolio website, then please disable the default option for comments to be made on posts, as an open comment form is a standing invitation to spam: log in to your WordPress Admin control panel > go to Settings > Discussion > ensure that the "Allow people to submit comments on new posts" box (wording varies between WordPress versions) is unticked, along with the other checkboxes in this area, as per the below screenshot. Once you have unticked the box(es), scroll to the bottom of the page and click the blue “Save Changes” button. Note that this setting only changes the default for new posts; any existing posts keep their own comment setting. To close those, go to Posts > All Posts, tick every post, choose Bulk actions > Edit > Apply, set Comments to "Do not allow" and click Update.
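For a site that will never carry comments, the following must-use plugin closes them everywhere in one go, regardless of the per-post settings, and also removes the comment screens from the dashboard. It is an added example, not code from this article, and it assumes a file name of ak-comments-off.php in wp-content/mu-plugins/; all hooks used are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Comments off site-wide (added example)
 * Description: Closes comments, pingbacks and trackbacks on every post type,
 *              existing posts included. Save as
 *              wp-content/mu-plugins/ak-comments-off.php (assumed file name).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// comments_open() / pings_open() are what the comment form, wp-comments-post.php
// and the REST comments endpoint all consult, so forcing them to false closes
// every submission path, whatever an individual post's status says.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// Themes render whatever comments_array returns; hand back nothing so any
// comments that already exist in the database are no longer displayed.
add_filter( 'comments_array', '__return_empty_array', 20, 2 );

// Remove comment support from every post type once they are all registered
// (priority 100 runs after the usual init-time registrations), so the editor
// stops offering a Discussion panel and the REST API stops exposing it.
add_action( 'init', function () {
    foreach ( get_post_types() as $post_type ) {
        if ( post_type_supports( $post_type, 'comments' ) ) {
            remove_post_type_support( $post_type, 'comments' );
            remove_post_type_support( $post_type, 'trackbacks' );
        }
    }
}, 100 );

// Hide the Comments menu from the dashboard.
add_action( 'admin_menu', function () {
    remove_menu_page( 'edit-comments.php' );
} );

// Send anyone who types the comments screen's URL straight back to the dashboard.
add_action( 'admin_init', function () {
    if ( ! empty( $GLOBALS['pagenow'] ) && 'edit-comments.php' === $GLOBALS['pagenow'] ) {
        wp_safe_redirect( admin_url() );
        exit;
    }
} );
```

With the file in place, the comment form disappears from every post, a direct POST to wp-comments-post.php is rejected with "Sorry, comments are closed for this item", and the Settings > Discussion checkboxes no longer matter, which makes this a good belt-and-braces addition to the dashboard change described above.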



It is also worth mentioning the measures that we take as your web host to help protect your website:

1. Working behind the scenes is a product that provides real-time malware protection. It scans uploaded and modified files for known exploits, viruses and suspicious resources.

2. DDoS protection is provided with your web hosting at the network level.

3. The server runs CloudLinux OS with CageFS isolation. This securely isolates your account (its files and processes) from the other customers on the shared server, so a compromise of another account cannot reach yours. Additionally, CloudLinux allows you to run end-of-life versions of PHP (if this is necessary for your site), as CloudLinux continues to back-port security patches to them. Running a supported PHP version is still preferable.

4. SSL/TLS certificates are provided free of charge for use on your website (enabling https://).

5. Backups are taken at the server level, so you do not have to worry about this. They are separate from, and in addition to, any backups that Softaculous takes when auto-updating WordPress.


Please note that whilst you can follow every step above to protect your WordPress site, it has to be accepted that nothing online is impenetrable. Bear this in mind when creating your site and deciding what data you intend to hold within it. Should the worst happen and your site is breached, backups are kept as a fall back (multiple backup copies are held), but any confidential information may already have been copied by the attackers, and restoring a backup cannot undo that. AK Web Services cannot be held responsible for any loss or damage incurred from a breach of your website, from its advice, or from an inadvertent failure of backups.

If you would like to make your own off-site backups of WordPress, I would recommend the plugin “Migration, Backup, Staging – WPvivid”. Configure the plugin to send the backups to a cloud storage location that you own, so that a compromise of the hosting account cannot also delete the backups, and test a restore at least once so you know the backups are usable.
