IMPORTANT!
Ensure you’ve taken a backup of your WordPress files and database before making any of these changes.
Log into your WordPress admin and check whether any updates are available. The count is shown at the top left of the admin home page. If your design or 'theme' has been customised, check with your web designer first to make sure the updates will not affect your site. The updates to look for are:
1: update wordpress installation
2: update plugins
3: update themes (it is also a good idea to remove any themes you don't use, since unused code is still attackable)
4: install a security plugin such as Sucuri (details are at the bottom of this page)
* Hide your WordPress login page from bots that guess passwords
* Change your WordPress admin username if it’s still the default “admin”
* Change the default wp_ prefix on your database tables
* Install a security plugin and apply its hardening options
To install these plugins, log into your WordPress admin dashboard (typically at domain.com/wp-admin), go to Plugins > Add New and search for each plugin by name.
Once a plugin is installed, click Activate before proceeding.
https://wordpress.org/plugins/rename-wp-login
Why? This plugin moves the WordPress login page away from its default address (wp-login.php) to blunt a very common attack known as a “dictionary” or “brute-force” attack: bots crawl the internet, find wp-login.php and try username and password combinations until one works. A bot that cannot find the login page cannot run that attack against it. Be clear about what this does and does not do: it changes only the login URL, so credentials can still be sent through XML-RPC (xmlrpc.php) unless that is disabled separately, and a strong, unique password for every account remains essential.
How? Once installed and activated, go to Settings > Permalinks, scroll to the bottom and set the new login address. Here we’ve set it to http://yourdomain.com/secret, which becomes our new WordPress login page. Choose something harder to guess than “secret” or “login”, and make a note of it: the old wp-login.php address will no longer get you in.
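The following is an added example to show what the attack described above looks like in a web server's access log; it is not code from this guide or from the rename-wp-login plugin. The log lines are constructed in the standard Apache/Nginx "combined" format, and the threshold of five credential POSTs from one address within ten minutes is an arbitrary choice. It counts POSTs to both wp-login.php and xmlrpc.php, because renaming the login page does nothing for guesses sent through XML-RPC, and it uses the fact that wp-login.php answers a wrong password with a 200 and a correct one with a 302 redirect to tell a failing run from one that got in.

```python
"""Spot WordPress login brute-force activity in web-server access logs.

Added example for this guide, not code from the rename-wp-login plugin.
The log lines below are constructed in Apache/Nginx "combined" format; the
threshold (5 POSTs from one IP within 10 minutes) is an arbitrary choice.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints that accept WordPress credentials. xmlrpc.php is listed on purpose:
# renaming the login page does nothing for guesses sent through XML-RPC.
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: a password-guessing run against wp-login.php that ends in
# a successful login (302), an XML-RPC guessing run, and one legitimate admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:03:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:03:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:03:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:03:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:03:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.31"
192.0.2.5 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3640 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:10:05:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 51020 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for every client that POSTed credentials at least
    `threshold` times inside some span no longer than `window`."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            posts[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        if not burst:
            continue
        flagged[ip] = {
            "attempts": len(recs),
            "endpoints": sorted({r["path"] for r in recs}),
            # wp-login.php re-renders the form with a 200 on a wrong password
            # and answers a correct one with a 302 redirect into wp-admin, so a
            # 302 at the end of a burst means one of the guesses worked.
            "login_succeeded": any(
                r["path"] == "/wp-login.php" and r["status"] == 302 for r in recs
            ),
        }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        state = "SUCCEEDED" if info["login_succeeded"] else "failing"
        print(f"{ip}: {info['attempts']} attempts on {info['endpoints']} ({state})")
```

Run against a real log with `detect_bruteforce(open("access.log").read())`. An address flagged with login_succeeded set is the one to act on first: reset that account's password and review what it did after the 302.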
https://wordpress.org/plugins/username-changer
Why? Unless you changed it during the initial install, your WordPress administrator login is likely to be the default username “admin”. Dictionary attacks against WordPress try this username first, so it is a liability worth removing. Bear in mind that WordPress can still reveal usernames in other ways (author archive URLs such as ?author=1 and the REST API user listing), so a renamed account still needs a strong, unique password.
How? Once installed and activated, go to Users > Username Changer and select the admin username from the dropdown menu. Change it to something memorable; as long as it isn’t admin, the job is done. Here we’ve set it to “wpadmin”. You’ll have to log back into WordPress with the new username once it’s changed. The password is unaffected.
https://wordpress.org/plugins/db-prefix-change
Why? Every WordPress install stores its data in a database whose tables share a prefix, by default wp_, followed by standard names: wp_users holds your site’s users and their (hashed) passwords, wp_options its settings, and so on. Some automated attack scripts hard-code those default table names, and changing the prefix makes them fail. Be clear about what this does and does not do: it does not fix an SQL injection vulnerability in a plugin or theme, because an attacker who can inject SQL can simply ask the database for its table names. Keeping WordPress and its plugins updated (steps 1 and 2 above) is what actually closes injection holes; the prefix change just takes away the easy default.
How? Once installed and activated, go to Settings > Change DB Prefix and enter a new prefix made of letters, digits and underscores (conventionally ending in an underscore) that is not wp_. Here we’ve changed the prefix on all tables to catly_.
Save and you should see a message confirming that the database tables have been renamed. A complete prefix change must also update the $table_prefix value in wp-config.php and the handful of rows in the options and usermeta tables whose names embed the prefix (wp_user_roles, wp_capabilities, wp_user_level); if any of these are missed, every account loses its role and is locked out, which is why the backup at the top of this page matters. Test your site, including logging in and out again, and ensure there are no issues.
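To make the moving parts of a prefix change visible, here is an added example that generates the SQL such a change consists of; it is not the db-prefix-change plugin’s code and not a replacement for it. The table list is a constructed default single-site install, and catly_ is the new prefix used above. The point of the example is the part people miss: besides the RENAME TABLE statements, the option and user-meta rows whose names embed the prefix must be updated, wp-config.php must be changed to match, and the prefix should be validated before it is ever interpolated into SQL.

```python
"""Generate the SQL a WordPress table-prefix change actually needs.

Added example for this guide, not code from the db-prefix-change plugin (which
does this work for you). The table list is a constructed default single-site
install; old and new prefixes are parameters.
"""
import re

# Tables of a default single-site install (constructed list for the example).
DEFAULT_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
)

# Rows whose *values* embed the prefix. Renaming the tables alone leaves these
# pointing at the old prefix; WordPress then finds no roles or capabilities and
# every account, administrators included, is locked out.
PREFIXED_OPTION_NAMES = ("user_roles",)
PREFIXED_META_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")

# wp-config.php accepts only letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_prefix(prefix):
    """Reject anything wp-config.php would not accept. This also keeps the
    generated SQL free of injected characters, since the prefix is interpolated."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"bad prefix {prefix!r}: use letters, digits and underscores only")
    return prefix


def prefix_change_sql(old, new, tables=DEFAULT_TABLES):
    """Statements to run, in order, after taking a database backup."""
    old, new = validate_prefix(old), validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    for name in PREFIXED_OPTION_NAMES:
        stmts.append(
            f"UPDATE `{new}options` SET option_name = '{new}{name}' "
            f"WHERE option_name = '{old}{name}';"
        )
    for key in PREFIXED_META_KEYS:
        stmts.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )
    return stmts


def leftover_checks(old, new):
    """Queries that must return no rows once the change is complete. The
    underscore is escaped because it is a single-character wildcard in LIKE."""
    pattern = validate_prefix(old).replace("_", r"\_") + "%"
    new = validate_prefix(new)
    return [
        f"SELECT option_name FROM `{new}options` WHERE option_name LIKE '{pattern}';",
        f"SELECT meta_key FROM `{new}usermeta` WHERE meta_key LIKE '{pattern}';",
    ]


def wp_config_line(new):
    """The one line in wp-config.php that must change to match the renamed tables."""
    return f"$table_prefix = '{validate_prefix(new)}';"


if __name__ == "__main__":
    for stmt in prefix_change_sql("wp_", "catly_") + leftover_checks("wp_", "catly_"):
        print(stmt)
    print("-- and in wp-config.php:", wp_config_line("catly_"))
```

If the two leftover checks return anything, those rows were missed and logins will fail until they are renamed too.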
https://wordpress.org/plugins/sucuri-scanner
Why? Sucuri Security is a widely used WordPress security plugin that alerts on brute-force attempts, notifies you (at the administrator’s email address) of logins to your WordPress, and offers a set of useful one-click hardening options, among many other features.
How? Once installed and activated, and once the plugin’s API key has been generated from its dashboard, go to Sucuri Security > Hardening and click Harden on each option that’s available. We recommend leaving the “Plugin & Theme editor” option unhardened while you’re working on the site: if hardened, the dashboard’s built-in file editor is disabled and the option has to be reverted each time you want to edit theme or plugin files from the dashboard. Harden it once the work is finished, because that editor is a favourite tool of anyone who gets hold of an admin login.
Test the site between each hardening option to ensure nothing has been affected. If anything has, go back into Sucuri and click Revert Hardening on whichever option affected the site.