Here are the standard WordPress security procedures that you should make default:
- customize and rename the login page URL instead of using the /wp-login.php, /wp-login.php?action=r or /wp-admin/
- add security questions to the WordPress login screen
- enable two-factor authentication using https://wordpress.org/plugins/miniorange-2-factor-authentication
- secure the /wp-admin with cPanel Directory Privacy
- ensure that WordPress is not using the wp- table prefix during installation and that the database has a strong password that is at least 45 in length.
- the default “admin” username should never be used during the installation.
- chmod wp-config.php file to 0400
- disallow file editing by adding "define('DISALLOW_FILE_EDIT', true);" to wp-config.php
- ensure that directory listing is disabled with .htaccess
- block all hotlinking
- ensure that automatic update is enabled for the theme and plugin during installation. The WordPress version number should be removed.
- remove the WordPress version number using functions.php
- disable XML-RPC
- ensure that a plugin that limits login attempts and brute-force is installed. This can be achieved too with the right cPanel config.
- rotate WordPress security keys every 3 months (https://api.wordpress.org/secret-key/1.1/salt/).
- use Trusona (https://wordpress.org/plugins/trusona/)
- use SiteLock or cWatch to scan the website daily.
- or simply run the website via Cloudflare or Incapsula.
- and lastly, host your WordPress with Web Hosting Magic for the sweetest WordPress experience.
These, are more than enough to keep any WordPress installation from issues.
