The following is a 10-point mandatory control set that mitigates the main risks of running WordPress (WP) as a content management system (CMS). WordPress is an open source (free) CMS built on PHP and MySQL; as reported by W3Techs, it was used by 27.5% of the top 10 million websites as of February 2017, making it arguably the most popular CMS on the Web.
That popularity makes it a major target for malicious actors. WordPress vulnerabilities have been widely reported: in 2007 many sites running WP and using AdSense were targeted with a WP exploit, and in January 2017 a vulnerability was found that allowed unauthenticated users to modify posts and pages in WP 4.7 and 4.7.1; it was quickly patched in version 4.7.2.
Steps 2-10 below can be performed manually. If you are not that technically inclined, purchase a purpose-built security plugin and follow its best practices; tools such as WordFence Security Premium, iThemes Security, BulletProof Security and Loginizer Security cover most of these controls. Keep in mind that a security plugin is itself code running on your site, so step 2 applies to it as well.
1. Update WordPress to the latest version, always.
   Core releases fix publicly known vulnerabilities (the 4.7.2 release above is one example), and an unpatched site is the easiest target there is. WordPress applies minor security releases automatically by default; do not disable that.
2. Update all plugins (and themes).
   Delete unused plugins rather than merely deactivating them: a deactivated plugin's files stay on disk and can still be requested directly from the web server, so a vulnerability in it remains exploitable.
3. Delete the 'admin' account.
   Create a new user with a non-obvious login name, grant it the administrator role, log in with the new account and delete the 'admin' user. When WordPress asks what to do with the old account's content, attribute it to the new user rather than deleting it. Note that login names are not secret: author archives (/?author=1) and the REST API reveal them, so this step removes a default that every attack tool tries first; a strong password and step 9 do the real work.
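Steps 1 to 3 can be scripted with WP-CLI. The following is an added example, not the article's own procedure or code, and assumes WP-CLI is installed as wp, that the script is run from the WordPress root as the web server's user, and that the new administrator's login name and e-mail address are passed as arguments. The file name harden.sh, the function names and the WP_CMD variable are this example's own (WP_CMD is not a WP-CLI feature; it only exists so the command can be redirected for a dry run).

```shell
#!/bin/sh
# Added example (not from the original article): steps 1 to 3 with WP-CLI.
# Assumptions: WP-CLI is installed as `wp` and the script is run from the
# WordPress root as the web server's user. WP_CMD is this script's own
# variable so the command can be swapped out, for instance in a dry run.
WP_CMD=${WP_CMD:-wp}

# Steps 1 and 2: update core (plus its database schema) and every plugin.
update_core_and_plugins() {
    "$WP_CMD" core update
    "$WP_CMD" core update-db
    "$WP_CMD" plugin update --all
}

# Step 2: delete plugins that are installed but inactive. Their files are
# still served by the web server, so deactivating them is not enough.
delete_inactive_plugins() {
    for p in $("$WP_CMD" plugin list --status=inactive --field=name); do
        "$WP_CMD" plugin delete "$p"
    done
}

# Step 3: replace the default 'admin' account.
# $1: new login name, $2: its e-mail address. WP-CLI prints the generated
# password for the new account. Deleting a user without --reassign removes
# that user's posts, so the new account's ID is looked up and passed along.
replace_admin_user() {
    new_user=$1
    new_email=$2
    if ! "$WP_CMD" user get admin --field=ID >/dev/null 2>&1; then
        echo "no user named 'admin'; nothing to do"
        return 0
    fi
    "$WP_CMD" user create "$new_user" "$new_email" --role=administrator
    new_id=$("$WP_CMD" user get "$new_user" --field=ID)
    "$WP_CMD" user delete admin --reassign="$new_id" --yes
}

# Usage: sh harden.sh run <new-admin-login> <new-admin-email>
if [ "${1:-}" = run ]; then
    update_core_and_plugins
    delete_inactive_plugins
    replace_admin_user "$2" "$3"
fi
```

Run it once after a core release with WP_CMD left at its default; setting WP_CMD to a wrapper that only echoes its arguments gives a dry run that shows exactly which plugins would be deleted before anything is touched.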
4. Move the wp-config.php file.
   WordPress loads wp-config.php from its own directory or, if it is not there, from the directory one level above (provided that directory does not itself contain a wp-settings.php). If WordPress lives in /wordpress under your document root, moving wp-config.php to the document root keeps it inside the web-served tree, so the .htaccess rule in step 5 is still required; moving it one level above the document root takes it out of the web server's reach entirely.
5. Hide wp-config.php and .htaccess.
   Add the following to .htaccess to protect wp-config.php:

       <Files wp-config.php>
       deny from all
       </Files>

   Use the same block in .htaccess for the .htaccess file itself:

       <Files .htaccess>
       deny from all
       </Files>

   On Apache 2.4 the 2.2-style deny line needs mod_access_compat; the native form is Require all denied inside the same <Files> block. Either form only takes effect if AllowOverride permits .htaccess for that directory, and nginx ignores .htaccess entirely, so there the equivalent location rule goes in the server configuration. Check the result by requesting /wp-config.php and /.htaccess in a browser: both must return 403, not the file.
6. Prevent search engines from indexing the wp-* folders.
   Add Disallow entries for the wp-* paths you do not want indexed to robots.txt (WordPress's built-in virtual robots.txt already carries Disallow: /wp-admin/). This keeps well-behaved crawlers out of those paths; it does not stop attackers, who read robots.txt precisely to learn which paths exist, so treat it as hygiene rather than access control. Do not block wp-includes or wp-content wholesale, or search engines can no longer fetch the CSS and JavaScript needed to render your pages.
7. Hide the contents of the plugins folder.
   Turn off directory listings with Options -Indexes in .htaccess, and make sure the empty index.php that WordPress ships in wp-content/plugins is still present. This only hides the listing: scanners still detect installed plugins by requesting known paths such as /wp-content/plugins/<name>/readme.txt, which is one more reason to delete what you do not use (step 2).
8. Hide the WordPress version, but be wary: security through obscurity is not a mitigation strategy on its own.
   Removing the generator tag (remove_action on wp_generator in the theme's functions.php) takes the version out of the page head, but it is still exposed by readme.html, by the RSS feeds and by the ?ver= query string on scripts and styles that core enqueues. Scanners fingerprint all of these, so keep the site patched (step 1) rather than relying on hiding the number.
9. Limit login attempts.
   Lock out a source IP address (or a username) for a cooling-off period after a handful of failed logins, either with a plugin such as Limit Login Attempts or Loginizer, or at the host level with fail2ban reading the web server log. Cover xmlrpc.php as well as wp-login.php, since XML-RPC also accepts credentials and is a favourite of password-guessing tools; disable it outright if nothing uses it. Strong, unique passwords and two-factor authentication for administrators are what actually stop credential guessing; the lockout only slows it down.
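Host-level lockouts need a way to pick the offending addresses out of the web server log. The following is an added example, not the article's own code, of the detection half of step 9: it counts failed logins per client IP in an Apache combined-format access log and prints the addresses at or above a threshold, ready to be fed to a firewall rule or a fail2ban-style jail. It relies on WordPress answering a failed wp-login.php POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect, and on XML-RPC returning 200 for failures as well as successes. The log lines are constructed for the example; the function names and the LOGIN_FAIL_THRESHOLD variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): detection support for
# step 9. A POST to wp-login.php answered with status 200 is a failed
# login (WordPress re-renders the form); a successful one answers 302.
# POSTs to xmlrpc.php are counted regardless of status, because XML-RPC
# returns 200 for faults and successes alike.
LOGIN_FAIL_THRESHOLD=${LOGIN_FAIL_THRESHOLD:-5}

# $1: Apache combined-format access log. Prints "count ip" for every
# client IP at or above the threshold, highest count first.
brute_force_ips() {
    awk -v thr="$LOGIN_FAIL_THRESHOLD" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/              { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (not real traffic): one address hammering
# wp-login.php, a second using xmlrpc.php, and a legitimate user whose
# single typo is followed by a successful (302) login.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.9 - - [10/Feb/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "python-requests/2.12"
203.0.113.9 - - [10/Feb/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "python-requests/2.12"
203.0.113.9 - - [10/Feb/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "python-requests/2.12"
203.0.113.9 - - [10/Feb/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "python-requests/2.12"
203.0.113.9 - - [10/Feb/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "python-requests/2.12"
203.0.113.9 - - [10/Feb/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "python-requests/2.12"
198.51.100.7 - - [10/Feb/2017:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2017:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2017:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2017:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2017:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2017:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2790 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2017:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 2851 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2017:10:05:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2017:10:05:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 41022 "-" "Mozilla/5.0"
EOF
}

# Usage: sh wp-login-watch.sh /var/log/apache2/access.log
if [ -n "${1:-}" ]; then
    brute_force_ips "$1"
fi
```

Feed it a recent slice of the log (for example the last few minutes via a cron job) rather than the whole file, otherwise an address that failed five times over a year trips the threshold. If the site sits behind a reverse proxy or CDN, the first field is the proxy's address; log the X-Forwarded-For client instead, or every lockout will hit the proxy.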
10. Perform regular daily backups of the web server and the MySQL database.
    Back up the database (mysqldump) and the file tree, above all wp-content/uploads, which cannot be re-downloaded the way core and plugins can. Store copies off the web server, so that a compromise of the server does not also destroy the backups; keep several generations, so that a backup taken after an intrusion does not overwrite the last clean one; and rehearse a restore, because a backup that has never been restored is untested.
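A minimal daily backup for step 10, as an added example that is not the article's own script: it reads the database credentials out of wp-config.php, dumps the database with the password passed through the environment rather than the command line, archives the file tree and prunes old generations. It assumes mysqldump, gzip and tar are installed, that the tables are InnoDB (which is what --single-transaction relies on for a consistent dump), that the script runs as a user allowed to read wp-config.php, and that a separate job not shown here syncs the backup directory off the host. The file name wp-backup.sh and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal daily backup
# for step 10. Assumptions: mysqldump, gzip and tar are installed, the
# script runs as a user that can read wp-config.php, and the backup
# directory is later copied off the host by a job that is not shown here.

# Pull a define()d constant out of wp-config.php, e.g. DB_NAME.
# $1: constant name, $2: path to wp-config.php. Values containing a quote
# character are not handled; keep such passwords out of this script.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" "$2" | head -n 1
}

# $1: WordPress root, $2: backup directory.
backup_site() {
    wp_root=$1
    dest=$2
    cfg=$wp_root/wp-config.php
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(wp_config_value DB_NAME "$cfg")
    user=$(wp_config_value DB_USER "$cfg")
    pass=$(wp_config_value DB_PASSWORD "$cfg")
    host=$(wp_config_value DB_HOST "$cfg")
    mkdir -p "$dest"
    umask 077   # dumps contain credentials and user data: owner-only files
    # The password goes through the environment, not argv, so it does not
    # show up in `ps`. ${host%%:*} drops a ":port" suffix from DB_HOST.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" \
        | gzip > "$dest/db-$stamp.sql.gz"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
}

# Keep several generations so a backup taken after an intrusion does not
# overwrite the last clean one. $1: backup directory, $2: days to keep.
prune_backups() {
    find "$1" -type f \( -name 'db-*.sql.gz' -o -name 'files-*.tar.gz' \) \
        -mtime +"$2" -exec rm -f {} +
}

# Usage (e.g. from cron, once a day):
#   sh wp-backup.sh run /var/www/html /var/backups/wordpress
if [ "${1:-}" = run ]; then
    backup_site "$2" "$3"
    prune_backups "$3" 14
fi
```

The backup directory must not be inside the document root, or the dumps (which contain password hashes and the database credentials in plain text) become downloadable; restoring is mysql < db-*.sql followed by untarring the file archive over the site, and that is the step to rehearse.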