Essential Security Steps
Keep Everything Updated
# WordPress core, themes, and plugins should always be current
# Enable automatic core updates in wp-config.php (themes and plugins are updated separately):
define('WP_AUTO_UPDATE_CORE', true);

Secure wp-config.php
# Move the file one directory above the web root if possible, or restrict access to it
# Nginx:
location ~ /wp-config\.php$ {
    deny all;
}
# Apache (.htaccess):
<Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order allow,deny
    Deny from all
</Files>

Disable File Editing
# In wp-config.php: removes the theme and plugin file editors from the admin dashboard
define('DISALLOW_FILE_EDIT', true);

Change Login URL
Use a plugin like WPS Hide Login to move /wp-admin and /wp-login.php to a custom URL, which reduces automated brute-force traffic against the default login endpoints.
Limit Login Attempts
- Install Limit Login Attempts Reloaded plugin
- Or use Fail2Ban with a WordPress jail
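The Fail2Ban option above works by scanning the web server access log for repeated failed logins and banning the source. The script below, added here as an illustration and not part of the original page or of Fail2Ban, implements that detection logic over constructed nginx access-log lines; the failure threshold, the time window and the documentation-range IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def failed_login_sources(lines, max_failures=5, window_seconds=600):
    """Return {ip: total_failures} for IPs with more than max_failures failed
    wp-login.php POSTs inside any span of window_seconds.

    WordPress re-renders the login form with HTTP 200 on a failed login and
    answers a successful login with a 302 redirect, so only 200 counts as a failure.
    """
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
    offenders = {}
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window: any max_failures+1 consecutive attempts within window_seconds?
        for i in range(len(stamps) - max_failures):
            if (stamps[i + max_failures] - stamps[i]).total_seconds() <= window_seconds:
                offenders[ip] = len(stamps)
                break
    return offenders


# Constructed sample log lines, not real traffic: six failures from one address in
# under a minute, one successful login, and one isolated failure.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:09:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "curl/8.0"' % s
    for s in range(0, 60, 10)
] + [
    '198.51.100.4 - - [10/Mar/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:09:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2024:09:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(failed_login_sources(SAMPLE_LOG))  # prints {'203.0.113.7': 6}
```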
Security Headers
# Add to the Nginx server block
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;

File Permissions
# Directories 755, files 644
find /var/www/wordpress -type d -exec chmod 755 {} \;
find /var/www/wordpress -type f -exec chmod 644 {} \;
# 600 works only when wp-config.php is owned by the PHP/web server user; otherwise use 640 with that user's group
chmod 600 /var/www/wordpress/wp-config.php