Harden Your Installation
➡ strong passwords
➡ disable/tweak login error messages (no hint whether the username exists)
➡ lock a client out after x failed attempts for time y
➡ disable XML-RPC if not needed
➡ restrict REST API access (e.g. to logged-in users)
➡ consider geoblocking where feasible
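The hardening bullets above as one must-use plugin. This is an added example, not code from the original slides: drop it into wp-content/mu-plugins/ (path is an assumption) so it loads before regular plugins. The attempt threshold, the lockout window and the message texts are my own choices, and the IP lookup assumes the web server sets REMOTE_ADDR itself (behind a reverse proxy you would read the proxy's forwarded header instead).

```php
<?php
/**
 * Plugin Name: Login & API Hardening (added example, not part of the original page)
 * Location:    wp-content/mu-plugins/harden.php  (path is an assumption)
 */

// Thresholds are assumptions; tune them for your site.
const HARDEN_MAX_ATTEMPTS    = 5;    // "x" failed logins ...
const HARDEN_LOCKOUT_SECONDS = 900;  // ... lock the client for "y" = 15 minutes

// 1. Disable XML-RPC: pingbacks and system.multicall act as a brute-force amplifier.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Restrict the REST API to logged-in users; anonymous calls get HTTP 401.
//    Caveat: plugins that rely on anonymous REST calls (some contact forms)
//    will break; allow their routes explicitly here if you need them.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier filter already reached a verdict
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// 3. One generic login error: don't reveal whether the username exists.
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );

// 4. Lockout after HARDEN_MAX_ATTEMPTS failures from one IP within the window.
function harden_client_ip() {
    // REMOTE_ADDR is set by the web server and cannot be forged by the client.
    // Behind a trusted reverse proxy use its forwarded header instead (assumption).
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function harden_lock_key( $ip ) {
    return 'harden_lock_' . md5( $ip );
}

// Count failures per IP. The transient expires HARDEN_LOCKOUT_SECONDS after the
// last failure, so the window slides and the counter resets by itself.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = harden_lock_key( harden_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, HARDEN_LOCKOUT_SECONDS );
} );

// Priority 30 runs AFTER the built-in password check (priority 20), so a locked
// client is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( harden_lock_key( harden_client_ip() ) );
    if ( $count >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', HARDEN_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( harden_lock_key( harden_client_ip() ) );
}, 10, 2 );

// 5. Stop advertising the exact WordPress version in <head> and feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

Two practical notes: the lockout counter lives in a transient, so on a site without a persistent object cache it is stored in the options table and survives PHP restarts but not a database restore; and a lockout per IP does nothing against a distributed attack, which is where the geoblocking and strong-password bullets carry the load.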
Update, Update, Update!
• autoupdate for minor core updates ✅
• update plugins and themes ASAP ⏰
• critical infrastructure: have a staging system 🎭
• check functionalities after update 🚀
• premium: renew your subscriptions 💸
wp.org Stuff Only!
• use themes and plugins from wp.org repo only
• avoid "premium" plugins and themes
• never ever use doubtful sources
Remove Unused Stuff
• uninstall themes and plugins not actively used
• keep the recent default theme for fallback
• deactivated plugins stay on disk: their files remain reachable (and exploitable) by URL, so uninstall, don't just deactivate
Monitor Your Site(s)
• server up and running
• malicious login attempts
• changed/added/deleted files
• user actions
• malware detection
• changes in UI after updates
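The "changed/added/deleted files" and "malware detection" bullets above need a baseline to compare against. As an added example (not from the original slides), a small PHP command-line script that hashes the WordPress document root, stores a baseline and reports every difference on later runs; the two paths on the command line are assumptions, and the rule that only executable files are tracked under wp-content/uploads is my choice to keep media churn out of the report.

```php
<?php
// Added example (not part of the original page): baseline-and-compare file integrity
// check for a WordPress document root, meant to run from cron, e.g.
//   php wp-integrity.php /var/www/html /var/lib/wp-integrity/baseline.json
// Both paths are assumptions. Keep the baseline OUTSIDE the web root so a
// compromised site cannot rewrite it to hide its changes.

if ( PHP_SAPI !== 'cli' ) {
    exit( 1 ); // never let this be triggered through the web server
}

// Decide which files are worth tracking.
function harden_should_track( string $rel ): bool {
    if ( strncmp( $rel, 'wp-content/cache/', 17 ) === 0 ) {
        return false; // rewritten constantly, pure noise
    }
    if ( strncmp( $rel, 'wp-content/uploads/', 19 ) === 0 ) {
        // Media churns all the time; only track executable files, which never
        // belong in uploads and are the classic web-shell drop location.
        return preg_match( '/\.(php|phtml|phar)$/i', $rel ) === 1;
    }
    return true;
}

// Relative path => sha256 of every tracked file below $root.
function harden_hash_tree( string $root ): array {
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        if ( harden_should_track( $rel ) ) {
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

// Compare two hash maps; returns added / deleted / changed path lists.
function harden_diff( array $baseline, array $current ): array {
    $added   = array_keys( array_diff_key( $current, $baseline ) );
    $deleted = array_keys( array_diff_key( $baseline, $current ) );
    $changed = array();
    foreach ( array_intersect_key( $current, $baseline ) as $path => $hash ) {
        if ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $changed[] = $path;
        }
    }
    return array( 'added' => $added, 'deleted' => $deleted, 'changed' => $changed );
}

$root          = rtrim( $argv[1] ?? getcwd(), '/' );
$baseline_file = $argv[2] ?? '/var/lib/wp-integrity/baseline.json';

$current = harden_hash_tree( $root );

// First run (or after you deleted the baseline following a legitimate update):
// seed the baseline and report nothing.
if ( ! is_file( $baseline_file ) ) {
    file_put_contents( $baseline_file, json_encode( $current, JSON_PRETTY_PRINT ) );
    echo 'Baseline written: ' . count( $current ) . " files\n";
    exit( 0 );
}

$baseline = json_decode( file_get_contents( $baseline_file ), true );
$diff     = harden_diff( $baseline, $current );

$findings = 0;
foreach ( $diff as $kind => $paths ) {
    foreach ( $paths as $path ) {
        // Anything tracked under uploads is executable by construction: flag it loudly.
        $flag = strncmp( $path, 'wp-content/uploads/', 19 ) === 0 ? '   <-- executable file in uploads!' : '';
        echo str_pad( strtoupper( $kind ), 8 ) . $path . $flag . "\n";
        $findings++;
    }
}

// Non-zero exit makes cron mail the output and lets a monitoring agent alert.
exit( $findings > 0 ? 1 : 0 );
```

Every legitimate core, plugin or theme update will show up as a wall of CHANGED lines; that is the "check functionalities after update" moment, after which the baseline is deleted and re-seeded. A report that arrives when nobody updated anything is the signal this slide is after.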
Raise the Barrier
• get a free TLS/SSL certificate with Let's Encrypt
• Multi-Factor Authentication (MFA)
• very simple: one-time code via e-mail
• more sophisticated: Google Authenticator, Duo,
• extra hardware: YubiKey, FIDO U2F
• randomize or remove the version number
• change the db-prefix
• rename the /wp-content folder
• hide the login page
• hide WordPress altogether
• (the last five are obscurity measures: they shake off automated scanners, not a targeted attacker)
Let's Get the
• how secure is your local client?
• Do you still use FTP? (credentials and files travel in clear text)
• switch to SFTP (over SSH) or FTPS (over SSL/TLS)!
• passwords sent via e-mail?
• e-mail is unencrypted = a postcard
Have a Backup
• you don't want to have a backup,
➡ you want to have a restore!
• timed & regular, automatic, off-site
• both database and files
• practice the restore (an untested backup is a hope, not a plan)
🔒 harden your installation
✅ update, update, update
ⓦ use themes and plugins from wp.org repo only
🚫 remove unused plugins and themes
🔭 monitor your site(s)
🚨 have a backup
• Choose the right hoster
• Limit access rights (file permissions)
• Have a TLS/SSL certificate
• Disable the file editor
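The wp-config.php side of these bullets (file editor, access rights, SSL), plus the auto-update and db-prefix settings from the earlier slides, as an added example that is not part of the original slides. Each "weak" line is the out-of-the-box default or a common mistake; the line that follows it is the hardened setting. The prefix value and the permission modes are my assumptions.

```php
<?php
// Added example (not part of the original page): wp-config.php settings that implement
// the bullets above. Commented-out lines are the weak default; the active line is the fix.

// Table prefix: 'wp_' is what every mass SQL-injection script assumes.
// Changing it on an EXISTING site means renaming the tables and the prefixed
// keys in wp_options / wp_usermeta, so set it before installing.
// $table_prefix = 'wp_';
$table_prefix = 'k3x9q_';   // any random string (value is an assumption)

// Auto-updates: minor (security) core releases install themselves.
// false would switch updates off entirely; true would also install major releases.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Force the dashboard and login over HTTPS (needs a valid certificate, e.g. Let's Encrypt).
// define( 'FORCE_SSL_ADMIN', false );
define( 'FORCE_SSL_ADMIN', true );

// Disable the theme/plugin file editor: otherwise anyone holding an admin
// session gets a PHP editor in the browser, i.e. instant code execution.
// define( 'DISALLOW_FILE_EDIT', false );
define( 'DISALLOW_FILE_EDIT', true );

// Stricter still: DISALLOW_FILE_MODS also blocks installing and updating
// plugins/themes from the dashboard. Only enable it when updates arrive some
// other way (staging + deployment), because it otherwise defeats "update, update, update".
// define( 'DISALLOW_FILE_MODS', true );

// Limit access rights: files WordPress writes itself get 0644, directories 0755
// (modes are an assumption; never world-writable).
define( 'FS_CHMOD_FILE', 0644 );
define( 'FS_CHMOD_DIR',  0755 );

// Never show PHP errors (paths, table names, queries) to visitors on a production site.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
```

wp-config.php itself holds the database credentials, so it gets the tightest mode of all files on the site (readable by the web server user only) and is a natural candidate to move one directory above the document root, which WordPress supports out of the box.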