#3. Don’t let others “Write” to your WordPress directory

Log in to your WordPress server's Linux shell and run the following command from the WordPress directory to list every world-writable directory, that is, every directory into which any user on the system can drop files.

find . -type d -perm -o=w

You may also want to run the following two commands to set the standard permissions on all of your WordPress files and folders.

find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;

For directories, 755 (rwxr-xr-x) means that only the owner can write, while everyone else can read and traverse them. For files, 644 (rw-r--r--) means that the owner can read and write while everyone else can only read the document. Two caveats: WordPress still needs to write to wp-content/uploads (and to wherever plugins cache files), so the owner of those directories must be the account PHP runs as, or uploads and automatic updates will fail; and wp-config.php holds your database password, so it deserves tighter permissions (640 or 600) than the rest of the tree.
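The check and the fix above, as an added example that is not part of the original article: a small POSIX shell script that counts how far a tree deviates from the 755/644 baseline (treating wp-config.php as a special case that must not be world-readable), lists world-writable entries with the article's own find predicate, and applies the chmod loops. The WordPress root is passed in as an argument; no path here refers to a real install.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   audit_perms /var/www/html   -> prints the number of entries that deviate
#   world_writable /var/www/html -> lists entries any user can write to
#   fix_perms /var/www/html      -> applies 755/644 (and 640 to wp-config.php)

world_writable() {
  # Same predicate as the article's command: "others" have the write bit set.
  find "$1" -perm -o=w
}

audit_perms() {
  # Directories that are not exactly 755.
  dirs=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
  # Regular files that are not exactly 644, wp-config.php excepted.
  files=$(find "$1" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
  # wp-config.php is wrong if anyone other than owner/group can read it.
  cfg=$(find "$1" -name wp-config.php -perm -o=r | wc -l | tr -d ' ')
  echo $((dirs + files + cfg))
}

fix_perms() {
  # The article's two loops, with "+" so chmod runs once per batch of files
  # instead of once per file.
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  # The DB password lives here: owner (and web-server group, if different)
  # only. 640 is an assumption; use 600 if the web server is the owner.
  if [ -f "$1/wp-config.php" ]; then
    chmod 640 "$1/wp-config.php"
  fi
}
```

Run audit_perms before and after fix_perms; a non-zero result after the fix means something (a plugin cache, a cron job) is re-creating loose permissions and deserves a look on its own.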

#4. Rename your WordPress tables prefix

If you installed WordPress with the default options, your tables have names like wp_posts or wp_users, and automated attacks that hard-code those names find them immediately. It is therefore a good idea to change the table prefix (wp_) to some random value. The Change DB Prefix plugin lets you rename the prefix to any other string with one click. Two things to keep in mind. First, this is obscurity rather than a real control: anyone who can run queries against your database can still list the tables from information_schema, so treat it as a speed bump, not as a substitute for fixing injection bugs. Second, a prefix change is more than a table rename: $table_prefix in wp-config.php and the rows in the options and usermeta tables whose names embed the prefix (wp_user_roles, wp_capabilities, wp_user_level) must be rewritten too, or every user loses their role; the plugin takes care of this for you.
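To show what the plugin does behind that one click, here is an added example (not the article's and not the plugin's code) that prints the SQL a manual prefix change needs: one RENAME TABLE per core table, plus the two UPDATEs that fix the option and usermeta names which embed the prefix. The table list is the WordPress core set; tables created by plugins would have to be added. The new prefix k7x9_ is an assumed example.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   prefix_rename_sql wp_ k7x9_ > rename.sql
# Review the output, take a backup, then run it with the mysql client.

# WordPress core tables (without prefix).
CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

prefix_rename_sql() {
  old="$1"
  new="$2"
  # "_" is a single-character wildcard in LIKE, so escape it in the pattern.
  esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
  # Position of the first character after the old prefix, for SUBSTRING().
  start=$((${#old} + 1))

  for t in $CORE_TABLES; do
    printf 'RENAME TABLE %s%s TO %s%s;\n' "$old" "$t" "$new" "$t"
  done

  # Option names such as wp_user_roles embed the prefix and must be rewritten.
  printf "UPDATE %soptions SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$start" "$esc"
  # So do usermeta keys such as wp_capabilities and wp_user_level.
  printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$start" "$esc"

  printf '%s\n' "-- finally set \$table_prefix = '$new' in wp-config.php"
}
```

The UPDATEs run after the renames, so they reference the new table names; the order matters if you paste the statements one at a time.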

#5. Keep clients from browsing your WordPress directories

This is essential. Open the .htaccess file in your WordPress root directory and add the following line at the top.

Options -Indexes

It stops the outside world from seeing a listing of the files in your directories whenever a directory has no index.html or index.php. Two caveats: the directive only works on Apache, and only when the host's configuration lets .htaccess set Options (AllowOverride Options or All); if it does not, Apache refuses the whole .htaccess and answers every request with a 500 error, so test the site right after the change. On nginx the equivalent setting is autoindex off, which is already the default.

#6. Update the WordPress Security Keys

Generate a fresh set of security keys and salts for your blog (WordPress.org provides an online generator that produces the eight define() lines). Open the wp-config.php file inside the WordPress directory and overwrite the default keys with the new ones.

These random values are mixed into the authentication cookies and nonces that WordPress issues. They do not change how passwords are stored in the database, but cookies cannot be forged without them, and they are cheap to rotate: if someone is logged in to your WordPress without your knowledge, changing the keys logs them out immediately because their existing cookies stop validating. Rotating the keys is a standard step after any suspected compromise, alongside changing passwords.
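As an added example (not from the article or from WordPress.org), the following shell script generates the eight key and salt defines offline from /dev/urandom and swaps them into a wp-config.php in place, which is the whole of "update the security keys" and the quickest way to kill every live session after an incident. The 64-character length matches what the online generator produces; the character set is an assumption chosen so the values sit safely inside a PHP single-quoted string.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   wp_salts                       -> print eight fresh define() lines
#   rotate_salts /path/wp-config.php -> replace the existing ones in place

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
# Printable ASCII minus quote and backslash, so no escaping is needed in PHP.
SALT_CHARS='A-Za-z0-9!#%&()*+,./:;<=>?@^_{|}~-'

random_salt() {
  # 64 characters drawn from the kernel CSPRNG.
  LC_ALL=C tr -dc "$SALT_CHARS" < /dev/urandom | head -c 64
}

wp_salts() {
  for name in $SALT_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(random_salt)"
  done
}

rotate_salts() {
  cfg="$1"
  block=$(wp_salts)
  # Drop every existing key/salt define and print the new block where the
  # first one stood, leaving the rest of wp-config.php untouched.
  awk -v block="$block" '
    /^define\(.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)./ {
      if (!done) { print block; done = 1 }
      next
    }
    { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```

Every logged-in user, including you, will have to sign in again after rotate_salts runs; that is the point.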

#7. Keep a log of WordPress PHP and Database errors

Error logs can offer solid clues about the kinds of invalid database queries and file requests that are hitting your WordPress installation. I prefer the Error Log Monitor plugin, which periodically emails you the error log and also shows it as a widget inside your WordPress dashboard.

To enable error logging in WordPress, add the following code to your wp-config.php file and remember to replace /path/to/error.log with the real path of your log file. Put error.log in a folder the browser cannot reach: an error log often contains file paths, query fragments and other details you do not want to hand to an attacker.

define('WP_DEBUG', true);                        // turn on WordPress debug mode (notices are logged too)
if (WP_DEBUG) {
    define('WP_DEBUG_DISPLAY', false);           // never print errors into the rendered page
    @ini_set('log_errors', 'On');                // write PHP errors to a log instead
    @ini_set('display_errors', 'Off');           // PHP-level display off as well, in case the server enables it
    @ini_set('error_log', '/path/to/error.log'); // log file outside the web root
}

#9. Password-Protect the Admin Dashboard

It is always a good idea to password-protect the wp-admin folder of your WordPress, since none of the files there are needed by visitors to your public site. Once it is protected, even authorized users will have to enter two passwords to reach the WordPress admin dashboard: the HTTP one for the folder and their normal WordPress one. One caveat: themes and plugins call wp-admin/admin-ajax.php from the public front end, so that one file must stay reachable without the extra password, or those features will break for anonymous visitors.
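The Apache configuration this amounts to, as an added example (not from the article): a shell function that writes the .htaccess for wp-admin with HTTP basic authentication, exempts admin-ajax.php, and appends a user entry to a .htpasswd file kept outside the web root. It uses Apache 2.4 syntax (Require all granted); on 2.2 the exemption is spelled Satisfy Any plus Allow from all. The user:hash line is an argument you generate elsewhere with htpasswd -nB or openssl passwd -apr1; the one in the usage comment is a constructed placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   protect_wp_admin /var/www/html /etc/apache2/wp-admin.htpasswd 'editor:$apr1$...'
# Arguments: WordPress root, .htpasswd path OUTSIDE the web root, user:hash line.

protect_wp_admin() {
  wp_root="$1"
  passfile="$2"
  entry="$3"

  # Append the credential; a new file is created mode 600 via the subshell umask.
  ( umask 077; printf '%s\n' "$entry" >> "$passfile" )

  mkdir -p "$wp_root/wp-admin"
  cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $passfile
Require valid-user

# admin-ajax.php is called by the public front end; keep it reachable.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}
```

Basic auth sends the password on every request, so this only makes sense over HTTPS; and the second password protects wp-admin only, not wp-login.php, which lives in the WordPress root.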

#10. Track login action on your WordPress server

You can use the last -i command on Linux to list every user who has logged in to your WordPress server's shell along with their IP addresses. If you find an unknown IP address in that list, it is certainly time to change your password. Note that last reads /var/log/wtmp, which records shell logins (SSH, console), not WordPress logins; an intruder who has obtained root can also edit or truncate wtmp, so the absence of a suspicious entry proves little.

The following pipeline shows the login activity over a longer period, grouped by IP address, from the rotated log file /var/log/wtmp.1 (replace USERNAME with your shell user name).

last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
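The same grouping, as an added example that is not part of the original article, turned into two shell functions: one counts logins per IP for a given user from last -i output, the other reports any IP that is not in an allowlist you pass in. The sample output embedded below is constructed for the demo (RFC 5737 test addresses, invented dates); in real use pipe last -i into the functions instead.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   last -i | logins_by_ip alice
#   last -i | unknown_ips alice 203.0.113.7 203.0.113.8

# Constructed sample of `last -i` output for the demo below.
SAMPLE_LAST=$(cat <<'EOF'
alice    pts/0        203.0.113.7      Mon Mar  3 09:12   still logged in
alice    pts/1        203.0.113.7      Sun Mar  2 22:40 - 23:05  (00:25)
alice    pts/0        198.51.100.23    Sat Mar  1 03:17 - 03:19  (00:02)
root     tty1         0.0.0.0          Fri Feb 28 11:00 - 11:30  (00:30)
reboot   system boot  0.0.0.0          Fri Feb 28 10:58   still running

wtmp.1 begins Fri Feb 28 10:58:01 2025
EOF
)

logins_by_ip() {
  # logins_by_ip <user>: "<count> <ip>" per source address, busiest first.
  # Only pts/tty lines are sessions; "reboot" and the trailer are skipped.
  awk -v u="$1" '$1 == u && $2 ~ /^(pts|tty)/ { n[$3]++ }
                 END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

unknown_ips() {
  # unknown_ips <user> <allowed ip>...: print addresses not in the allowlist.
  user="$1"
  shift
  allow="$*"
  logins_by_ip "$user" | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($2 in ok) { print $2 }'
}

# Demo on the constructed sample: 198.51.100.23 is the one to ask about.
printf '%s\n' "$SAMPLE_LAST" | unknown_ips alice 203.0.113.7
```

The 03:17 login from an address you do not recognise is exactly the signal the article describes; the allowlist just saves you from reading the whole list by eye.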

Monitor your WordPress with Plugins

The WordPress.org repository contains quite a few good security-related plugins that will continuously monitor your WordPress site for intrusions and other suspicious activity. Here are the essential ones that I would recommend.

  1. Exploit Scanner – It quickly scans all your WordPress files and blog posts and lists the ones that may contain malicious code. Spam links can be hidden in your blog posts using CSS or IFRAMEs, and the plugin will detect those as well.
  2. WordFence Security – This is an extremely capable security plugin that you should have. It compares your WordPress core files with the original files in the repository, so any modification is detected immediately. The plugin will also lock out users after "n" failed login attempts.
  3. WP Notifier – If you don't log in to your WordPress admin dashboard very often, this plugin is for you. It will email you whenever updates are available for your installed themes, plugins and WordPress core.
  4. VIP Scanner – The "official" security plugin will scan your WordPress themes for any issues. It will also detect advertising code that may have been injected into your WordPress templates.
  5. Sucuri Security – It monitors your WordPress for any changes to the core files, sends email notifications when any file or post is updated, and keeps a log of user login activity, including failed logins.

Tip: You can also use the following Linux command to list all files modified in the last 3 days. Change mtime to mmin to see files modified in the last "n" minutes. Be aware that an attacker can reset a file's modification time with touch -r so that a planted file looks as old as its neighbours; repeat the search with -ctime, which tracks inode changes and cannot be altered by touch.

find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"
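Because timestamps can be forged, the file-comparison that plugins such as WordFence and Sucuri perform is the more reliable check. Here is that idea as an added example, not from the article or from any of those plugins: a sha256sum manifest taken when the site is known-good, and a check that reports files modified, added or deleted since, ignoring wp-content/uploads (which changes legitimately). The manifest path and the exclusion are assumptions; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the article). Usage:
#   make_baseline /var/www/html /root/wp.sha256   # once, on a clean install
#   check_baseline /var/www/html /root/wp.sha256  # later; prints M/A/D lines
# Keep the manifest outside the web root and off the server if you can.

make_baseline() {
  # Hash every file except uploads; sort by path so manifests are comparable.
  ( cd "$1" && find . -type f ! -path './wp-content/uploads/*' -exec sha256sum {} + | sort -k2 ) > "$2"
}

check_baseline() {
  cur=$(mktemp)
  make_baseline "$1" "$cur"
  # First file (the stored manifest) fills old[path]=hash; the second file
  # (current state) is compared against it. M = modified, A = added,
  # D = deleted. sha256sum's path is field 2 (no spaces in paths assumed).
  awk 'NR == FNR { old[$2] = $1; next }
       {
         if (!($2 in old))        print "A " $2
         else if (old[$2] != $1)  print "M " $2
         seen[$2] = 1
       }
       END { for (p in old) if (!(p in seen)) print "D " p }' "$2" "$cur" | sort
  rm -f "$cur"
}
```

A modified wp-includes file with an untouched mtime would slip past the find command above but not past check_baseline; run it from cron after every legitimate update so the manifest stays current.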