This guide includes a number of WordPress post-installation steps to further improve the security of your site.

Suggested Plug-Ins

We generally recommend that you minimise the number of plugins you install, for a number of reasons:

The more plugins you install, the more work WordPress has to do to display each page, which often results in a slower site.
The more plugins you use, the more likely you are to be exposed to a plugin that is badly coded or contains a vulnerability that could result in your site being hacked.
Always check that any plugin you do use is well supported, regularly updated and has plenty of good reviews.

That said, the following plugins provide a layer of protection for your site that is well worth having.

Install a Web Application Firewall (WAF) plugin: we suggest either WordFence or Sucuri.
Both are well regarded and have a wealth of options built in that you can enable to enhance your site's security. Both also have paid versions with additional features.
Add Two-Factor Authentication (2FA): this adds a second step to the WordPress login, so that anyone attempting to log in also needs either an SMS text message code or a code from an authenticator app on their mobile phone.
WordFence, mentioned above, has 2FA options built in. An alternative is the Google Authenticator plugin, which works alongside Authy.

Updates to .htaccess

These snippets, which you can pick and choose from, harden and protect access to your site and its files.

.htaccess files are special, for several reasons:

The full stop in front of the name makes the file hidden, so if you're using cPanel File Manager you'll need to make sure you have view hidden files enabled.
They can be placed in any directory (just create a new file called .htaccess if one doesn't already exist) and apply to incoming requests for that directory and all of its sub-folders.

But be warned: .htaccess files are super-fragile. One misplaced full stop or other character could break access to your whole site. Always take a backup of the file before making any changes, so you can revert easily if there is ever an issue.

To use these snippets, simply copy and paste the code blocks you'd like to implement into your .htaccess file. The .htaccess file for your site is found in the site's docroot (usually /public_html if you've set up WordPress on your primary domain). You can access and edit it using the cPanel File Manager.

The lines beginning with # are comments that explain what the following lines do. Keep each directive on its own line exactly as shown; a directive must not share a line with a comment or another directive. The Order/Deny directives below use the Apache 2.2 syntax, which Apache 2.4 accepts only when mod_access_compat is loaded; if your server rejects them with a 500 error, replace the Order/Deny pair with Require all denied.
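As an added example (not part of this guide, and not code from cPanel or WordPress), the following Python script checks an .htaccess file for the mistakes that most often lock a site out: an unclosed <Files> or <IfModule> block, a Deny from all that is not wrapped in a <Files> block (so it applies to every file rather than the one you meant), and invisible characters such as zero-width spaces picked up when copying from a web page. The sample .htaccess contents inside it are constructed from the snippets below; run it against your own file with python3 htaccess_lint.py .htaccess before uploading.

```python
# htaccess_lint.py: sanity-check an .htaccess file before uploading it.
# Added example for this guide; not code from the hosting provider, cPanel
# or WordPress. The sample inputs at the bottom are constructed.
import re
import sys

# Containers that scope the directives written inside them.
CONTAINER_OPEN = re.compile(
    r"^<(Files|FilesMatch|IfModule|Directory|Limit|LimitExcept)\b", re.IGNORECASE)
CONTAINER_CLOSE = re.compile(
    r"^</(Files|FilesMatch|IfModule|Directory|Limit|LimitExcept)\s*>", re.IGNORECASE)
# Only these containers limit a deny to particular files; <IfModule> does not.
FILE_SCOPED = ("files", "filesmatch", "directory")
DENY_ALL = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.IGNORECASE)


def lint_htaccess(text):
    """Return a list of (line_number, message); an empty list means nothing found.

    Checks: (1) every container is closed, (2) 'Deny from all' / 'Require all
    denied' sits inside a <Files>-type block, otherwise it denies the whole
    site, (3) no invisible or non-ASCII characters crept in from copy-paste.
    """
    problems = []
    stack = []  # (container name, line it was opened on), innermost last
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stray = [c for c in raw if ord(c) > 126 or (ord(c) < 32 and c != "\t")]
        if stray:
            codes = ", ".join("U+%04X" % ord(c) for c in stray)
            problems.append((lineno, "invisible or non-ASCII character(s): " + codes))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = CONTAINER_OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), lineno))
            continue
        closed = CONTAINER_CLOSE.match(line)
        if closed:
            name = closed.group(1).lower()
            if stack and stack[-1][0] == name:
                stack.pop()
            else:
                problems.append((lineno, "</%s> has no matching opening tag" % closed.group(1)))
            continue
        if DENY_ALL.match(line) and not any(name in FILE_SCOPED for name, _ in stack):
            problems.append((lineno, "'%s' outside a <Files> block would deny the entire site" % line))
    for name, lineno in stack:
        problems.append((lineno, "<%s> opened here is never closed" % name))
    return problems


# Constructed sample: the guide's snippets, correctly wrapped.
GOOD_SAMPLE = r"""# Deny access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
</IfModule>
# Disable directory browsing
Options All -Indexes
"""

# Constructed sample: the same kind of snippets as they come out of a web page
# paste, with the <Files> wrapper lost and a zero-width space on one line.
BAD_SAMPLE = (
    "# Deny access to .htaccess\n"
    "Order allow,deny\n"
    "Deny from all\n"
    "\u200b# Block any attempted XML-RPC requests\n"
    "<Files xmlrpc.php>\n"
    "order deny,allow\n"
    "deny from all\n"
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".htaccess"
    with open(path, encoding="utf-8") as fh:
        found = lint_htaccess(fh.read())
    for lineno, message in found:
        print("line %d: %s" % (lineno, message))
    sys.exit(1 if found else 0)
```

A non-zero exit status means the file has at least one of the listed problems; the reported line numbers refer to the file you passed in.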

Protect your .htaccess file

# Deny access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

Protect your wp-config.php file

# Block access to wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Block access to your includes files

# Block the include-only files.
# Place this above the "# BEGIN WordPress" block so WordPress does not overwrite it.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Disable directory browsing

# Disable directory browsing
Options All -Indexes

If your host does not permit the Options directive in .htaccess, this line will produce a 500 Internal Server Error for the whole site; remove it and ask your host to disable directory indexes instead.

Block XML-RPC requests

# Block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Note that the WordPress mobile apps, Jetpack and some remote-publishing tools rely on xmlrpc.php; if you use any of them, blocking it will stop them working.
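Once the snippets are in place, you can confirm from outside that they are actually in effect. The script below is an added example (not code from this guide, cPanel or WordPress): it requests each protected path and expects HTTP 403, and fetches the uploads folder to make sure no "Index of" listing comes back. The paths are standard WordPress locations; the before/after responses embedded in it are constructed so that it also runs offline. Run it against your site with python3 check_hardening.py https://yourdomain.example.

```python
# check_hardening.py: confirm the .htaccess snippets are in effect on a live site.
# Added example for this guide, not code from the hosting provider or WordPress.
# The paths are standard WordPress locations; BEFORE/AFTER are constructed responses.
import sys
import urllib.error
import urllib.request

# Each path should be refused with HTTP 403 once the matching snippet is active.
EXPECTED_STATUS = {
    "/.htaccess": 403,                   # Protect your .htaccess file
    "/wp-config.php": 403,               # Protect your wp-config.php file
    "/wp-includes/version.php": 403,     # Block access to your includes files
    "/wp-admin/includes/file.php": 403,  # Block access to your includes files
    "/xmlrpc.php": 403,                  # Block XML-RPC requests
}
# For directory browsing the body matters, since the status varies by host.
LISTING_PATH = "/wp-content/uploads/"


def fetch(base_url, path, timeout=10):
    """Return (status, first 2 KB of body) for base_url + path; 4xx/5xx are not errors here."""
    request = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "hardening-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(2048).decode("utf-8", "replace")


def evaluate(observed):
    """observed maps path -> (status, body). Returns a list of failure strings."""
    failures = []
    for path, want in EXPECTED_STATUS.items():
        status, _ = observed.get(path, (None, ""))
        if status != want:
            failures.append("%s: expected HTTP %d, got %s" % (path, want, status))
    status, body = observed.get(LISTING_PATH, (None, ""))
    if status == 200 and "Index of" in body:
        failures.append("%s: directory listing is still enabled" % LISTING_PATH)
    return failures


def check_site(base_url):
    """Fetch every path from a live site and evaluate the responses."""
    observed = {path: fetch(base_url, path) for path in list(EXPECTED_STATUS) + [LISTING_PATH]}
    return evaluate(observed)


# Constructed responses, as typically seen before the snippets are applied.
BEFORE = {
    "/.htaccess": (403, "Forbidden"),  # stock Apache config already refuses .ht* files
    "/wp-config.php": (200, ""),       # PHP runs the file and prints nothing
    "/wp-includes/version.php": (200, ""),
    "/wp-admin/includes/file.php": (200, ""),
    "/xmlrpc.php": (405, "XML-RPC server accepts POST requests only."),
    LISTING_PATH: (200, "<title>Index of /wp-content/uploads</title>"),
}
# Constructed responses after all snippets are in place.
AFTER = {path: (403, "Forbidden") for path in EXPECTED_STATUS}
AFTER[LISTING_PATH] = (403, "Forbidden")

if __name__ == "__main__":
    # With a URL argument the live site is checked; without one the constructed
    # BEFORE sample is evaluated so the output format can be seen offline.
    problems = check_site(sys.argv[1]) if len(sys.argv) > 1 else evaluate(BEFORE)
    for problem in problems:
        print("FAIL " + problem)
    print("all checks passed" if not problems else "%d problem(s) found" % len(problems))
    sys.exit(1 if problems else 0)
```

A 403 is what the snippets produce; a 500 on every path means one of them broke the file and you should restore the backup you took earlier.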