
WordPress Security: 20 Critical Controls for Production

April 19, 2026 · 13 min read · VefaSec Editorial

WordPress, the world's most popular CMS, is the most heavily attacked web platform there is. The good news: the overwhelming majority of those attacks are automated scanners replaying well-known payloads against weak logins and known-vulnerable plugins, and basic hardening blocks almost all of them. Here is the 2026 WordPress security checklist.

Admin and Login Hardening (1-5)

1) Get rid of the 'admin' username. WordPress will not rename a user from the dashboard: either create a new administrator with an unpredictable login, sign in as it and delete the old account (reassigning its content), or update user_login directly in the database (phpMyAdmin or WP-CLI). Usernames still leak through /?author=1 redirects and the REST users endpoint, so treat this as a speed bump, not a secret.
2) Strong, unique password plus mandatory two-factor authentication for every account that can publish or administer (Wordfence 2FA or the Google Authenticator plugin). Enforce it; do not merely offer it.
3) Rate-limit /wp-login.php and /wp-admin/ (Wordfence or Limit Login Attempts Reloaded), and block or disable xmlrpc.php unless something genuinely needs it: its system.multicall method lets a bot test hundreds of passwords in a single request, which sidesteps per-request login limits.
4) IP allowlist for the admin surface (.htaccess, or Cloudflare Access if the site sits behind Cloudflare). Keep wp-admin/admin-ajax.php reachable: front-end plugins call it for anonymous visitors.
5) wp-config.php: define('DISALLOW_FILE_EDIT', true) removes the theme and plugin editors, the first thing an attacker with a stolen admin session uses to drop a shell. Make sure WP_ALLOW_REPAIR is not defined at all (or is false): the repair page it enables needs no login.

These five controls stop the bulk of opportunistic WordPress attacks. Credential-stuffing and brute-force bots typically give up within 10-15 minutes once they are rate-limited and move on to a softer target.
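The two concrete artefacts behind controls 3-5, as an added example that is not part of the original article: a generator for Apache 2.4 .htaccess rules that restrict wp-login.php to admin networks and deny xmlrpc.php, and an audit of wp-config.php for the two constants in control 5. It assumes Apache 2.4 with AllowOverride permitting these directives (nginx ignores .htaccess entirely); the CIDRs and paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article.
# Generates Apache 2.4 .htaccess rules for controls 3-5 (login allowlist,
# xmlrpc.php block) and audits wp-config.php for control 5.
# Assumes Apache 2.4 (mod_authz_core) and AllowOverride permitting these
# directives; nginx ignores .htaccess. All IPs and paths are hypothetical.
set -eu

# Print <Files> rules that allow wp-login.php only from the given CIDRs and
# deny xmlrpc.php to everyone. Several Require lines inside one <Files>
# combine as "any of these" in Apache 2.4, so an IP outside every range
# is denied.
wp_login_htaccess() {   # usage: wp_login_htaccess CIDR [CIDR ...]
  [ "$#" -ge 1 ] || { echo "usage: wp_login_htaccess CIDR [CIDR ...]" >&2; return 1; }
  echo '# Login hardening: wp-login.php reachable from admin networks only'
  echo '<Files "wp-login.php">'
  for cidr in "$@"; do
    printf '    Require ip %s\n' "$cidr"
  done
  echo '</Files>'
  echo '# XML-RPC: system.multicall lets bots test many passwords per request'
  echo '<Files "xmlrpc.php">'
  echo '    Require all denied'
  echo '</Files>'
}

# Lines of a PHP file that are not comments (so a commented-out define is
# not mistaken for an active one). Single-line comments only.
active_lines() {   # usage: active_lines FILE
  grep -Ev '^[[:space:]]*(//|#|\*)' "$1"
}

# Audit wp-config.php for control 5. Prints one line per finding and
# returns 1 if anything is wrong, 0 if the file is clean.
audit_wp_config() {   # usage: audit_wp_config /path/to/wp-config.php
  local cfg=$1 rc=0 sp='[[:space:]]*' q="['\"]"
  if ! active_lines "$cfg" | grep -Eq "define\(${sp}${q}DISALLOW_FILE_EDIT${q}${sp},${sp}true${sp}\)"; then
    echo "MISSING: define('DISALLOW_FILE_EDIT', true); the theme/plugin editor is still enabled"
    rc=1
  fi
  if active_lines "$cfg" | grep -Eq "define\(${sp}${q}WP_ALLOW_REPAIR${q}${sp},${sp}true${sp}\)"; then
    echo "WEAK: WP_ALLOW_REPAIR is true; /wp-admin/maint/repair.php is reachable without login"
    rc=1
  fi
  return "$rc"
}
```

Typical use: `wp_login_htaccess 203.0.113.0/24 198.51.100.8/32 > /var/www/html/.htaccess` (append to an existing file rather than overwrite it if WordPress already manages one), then `audit_wp_config /var/www/html/wp-config.php` in a cron job or CI check so the constants cannot silently regress after a migration.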

Plugin and Theme Discipline (6-10)

6) DELETE unused plugins and themes. Deactivated is not enough: the code is still on disk, every file under wp-content/plugins is web-reachable whether the plugin is active or not, and many plugin vulnerabilities are triggered by requesting the plugin's files directly.
7) Only install plugins with a large, active install base (the rule of thumb here: 1M+ installs) and a release within the last 3 months; check the changelog and the support forum for unanswered security reports before you commit.
8) Never use nulled (pirated) plugins or themes. They are a standard delivery channel for backdoors and spam injectors, and "free premium" is the bait.
9) Enable auto-updates for core (minor releases are the security releases) and for plugins you would not notice breaking.
10) Major upgrades go through staging first.

Fewer plugins means less attack surface. Sites commonly run 20-30; aim to keep it under 10.

Database and File Security (11-14)

11) Change the DB prefix from 'wp_' to something custom ($table_prefix in wp-config.php, ideally before installation, since renaming afterwards means renaming every table and the prefixed option and usermeta keys). This is obscurity, not a control: it trips lazy scripts, but an attacker with SQL injection reads the real table names from information_schema.
12) Minimize DB user permissions. The day-to-day user needs only SELECT, INSERT, UPDATE and DELETE. Core and plugin upgrades also need CREATE, ALTER, DROP and INDEX (WordPress creates and alters tables during upgrades), so keep a second account with those grants and use it only during maintenance windows.
13) Disable PHP execution in wp-content/uploads/ via .htaccess on Apache; on nginx, .htaccess is ignored, so add a location block that returns 403 for .php requests under uploads instead.

14) Regular backups of both the database and wp-content (uploads live nowhere else): UpdraftPlus or BackWPup, weekly full plus daily incremental, stored offsite (S3, Drive, Dropbox) with credentials the web server cannot use to delete them, and a monthly restore test. A backup you have never restored is a hope, not a backup.
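Control 13 in working form, as an added example that is not part of the original article: a function that writes the deny rules into the uploads directory and then lists any PHP-like files already sitting there, since uploads should contain media only and every hit deserves a look. It assumes Apache 2.4 with AllowOverride enabled for that directory; the uploads path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Implements control 13:
# writes an .htaccess that stops PHP from executing under wp-content/uploads,
# then lists any PHP-like files already present there.
# Assumes Apache 2.4 with AllowOverride enabled for the uploads directory;
# the path is hypothetical. nginx ignores .htaccess: use a location block
# returning 403 for ~* ^/wp-content/uploads/.*\.php instead.
set -eu

uploads_htaccess() {
  cat <<'EOF'
# Deny direct requests for anything PHP-like under uploads (Apache 2.4).
# The trailing (\.|$) also catches shell.php.jpg, which an AddHandler-based
# PHP setup may still hand to the interpreter.
<FilesMatch "\.(php|phtml|phar|phps|php[3-8])(\.|$)">
    Require all denied
</FilesMatch>
# Belt and braces for mod_php installs: turn the engine off here entirely.
# (php-fpm ignores php_flag; the FilesMatch block above still applies.
#  PHP 7 builds named the module mod_php7.c.)
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
EOF
}

# Write the rules (idempotent) and print every PHP-like file under the
# directory, one path per line; prints nothing when the tree is clean.
harden_uploads() {   # usage: harden_uploads /var/www/html/wp-content/uploads
  local dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  uploads_htaccess > "$dir/.htaccess"
  find "$dir" -type f \( -iname '*.php' -o -iname '*.php.*' -o -iname '*.phtml' \
       -o -iname '*.phar' -o -iname '*.phps' -o -iname '*.php[3-8]' \) | sort
}
```

Run `harden_uploads /var/www/html/wp-content/uploads` once after installation and again from the recovery playbook; any path it prints is either a plugin that wrongly stores code in uploads or a web shell, and both deserve investigation before deletion.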

Server and Network Layer (15-18)

15) A WAF is mandatory: the Cloudflare free plan suffices, or Wordfence / Sucuri. Behind Cloudflare, firewall the origin so that only Cloudflare's published IP ranges can reach ports 80 and 443; otherwise anyone who finds the origin address (old DNS records, mail headers, certificate logs) simply bypasses the WAF.
16) TLS: Let's Encrypt certificates, TLS 1.2 minimum (1.3 preferred), HSTS enabled. Submit to the HSTS preload list only once every subdomain serves HTTPS, because preloading is very hard to undo.
17) Security headers (Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy): security.io or the Really Simple Security plugin's one-click setup, then verify with a header scanner.
18) Key-based SSH only (PasswordAuthentication no), root login disabled (PermitRootLogin no). The same goes for SFTP accounts, and plain FTP should not exist at all.

Cloudflare's free plan gives DDoS protection, a basic managed WAF and rate limiting: an excellent first line for WordPress, but a filter in front of vulnerable code, not a substitute for patching it.

Monitoring and Incident Response (19-20)

19) File integrity monitoring. Wordfence Premium or Sucuri keep hashes of core, themes and plugins and alert on any change; Wordfence also flags files that do not belong to the official plugin or core release. If an attacker drops a web shell, you know within minutes, at the next scan interval, rather than weeks later when the blacklist warnings arrive.

20) Log monitoring. Ship access_log and error_log to Grafana (Loki) or ELK and alert on unusual patterns: 404 storms from a single source (plugin and path enumeration), bursts against wp-login.php and xmlrpc.php, SQL-injection signatures in query strings, PHP errors from files that should not exist. VefaSec offers this as a monthly retainer for WordPress clients.
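The three detections from control 20 as plain awk/grep over a "combined" access log, an added example that is not part of the original article (the sample log below is constructed for the demo; source addresses are documentation ranges and the plugin paths are invented). Anything heavier, from Loki rules to ELK watchers, is a port of exactly this logic.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Three detections from
# control 20 over an Apache/nginx "combined" access log: 404 storms per
# source IP, hits on the login surfaces, and SQL-injection signatures in the
# request line. The sample log is constructed for the demo; IPs are
# documentation ranges and the plugin names are hypothetical.
set -eu

# Constructed sample log (combined format: in awk $1=IP, $7=path, $9=status).
sample_log() {
  cat <<'EOF'
192.0.2.4 - - [19/Apr/2026:10:00:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Apr/2026:10:00:02 +0300] "GET /wp-content/plugins/acme-slider/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [19/Apr/2026:10:00:02 +0300] "GET /wp-content/plugins/acme-forms/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [19/Apr/2026:10:00:03 +0300] "GET /wp-content/plugins/acme-backup/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [19/Apr/2026:10:00:03 +0300] "GET /wp-content/plugins/acme-seo/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [19/Apr/2026:10:00:04 +0300] "GET /wp-content/plugins/acme-cache/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [19/Apr/2026:10:00:04 +0300] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [19/Apr/2026:10:01:10 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Apr/2026:10:01:11 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Apr/2026:10:01:12 +0300] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Apr/2026:10:01:13 +0300] "GET /?p=1%20UNION%20SELECT%201,user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.4 - - [19/Apr/2026:10:02:00 +0300] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
EOF
}

# Source IPs with at least MIN 404 responses: plugin/path enumeration.
storm_404() {   # usage: storm_404 LOG MIN ; prints "IP COUNT" per offender
  awk -v min="$2" '$9 == 404 { n[$1]++ }
       END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Per-IP hits on wp-login.php, xmlrpc.php and /wp-admin/. admin-ajax.php is
# excluded: it serves anonymous front-end traffic and would drown the signal.
login_surface_hits() {   # usage: login_surface_hits LOG ; prints "IP COUNT"
  awk '$7 ~ /^\/(wp-login\.php|xmlrpc\.php)/ || ($7 ~ /^\/wp-admin\// && $7 !~ /admin-ajax\.php/) { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Request lines carrying common SQLi markers, raw or URL-encoded. Coarse on
# purpose (an alert trigger, not a WAF); tune to your own traffic.
sqli_hits() {   # usage: sqli_hits LOG ; prints matching lines, nothing if clean
  local sig="union(%20|\+| )+(all(%20|\+| )+)?select|information_schema|(sleep|benchmark)(%28|\()|(%27|')(%20|\+| )*(or|and)(%20|\+| )*[0-9]+=[0-9]+"
  grep -Ei -- "$sig" "$1" || true
}

# One-shot report, the shape you would schedule from cron or a log shipper.
report() {   # usage: report LOG
  echo "== 404 storms (>= 5) =="; storm_404 "$1" 5
  echo "== login surface hits ==";  login_surface_hits "$1"
  echo "== SQLi signatures ==";     sqli_hits "$1"
}
```

On the sample, `report` attributes six 404s to 198.51.100.7 (the enumerating scanner), three login-surface hits to 203.0.113.9 and one SQLi-looking request from the same address; the 404 threshold is the knob to tune, since a real site produces some 404 noise on its own.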

Bonus: Post-Compromise Recovery

Hacked? First step: take the site offline (maintenance mode is not enough; the compromised code still executes for anyone who requests it). Reinstall WordPress core from a fresh download of the same version, replacing wp-admin and wp-includes entirely, and review wp-config.php by hand for injected code rather than overwriting it blindly. Delete all plugins and themes and reinstall clean copies from the official directory; plugin folders are a favourite hiding place for shells. Scan wp-content/uploads for PHP files. Check wp_users for rogue administrator accounts, and also wp-content/mu-plugins and the scheduled tasks in wp_options (cron) for persistence, since attackers expect you to look only at the obvious places.

Rotate every password and secret (WP users, SFTP, DB, hosting panel, API keys stored in wp_options) and regenerate the authentication salts in wp-config.php so that stolen session cookies stop working. Diff against a clean backup or a fresh download to identify modified and added files. Wordfence's free scanner helps hunt backdoors, but assume one scanner misses some and keep the integrity monitoring from control 19 running afterwards. VefaSec emergency hotline: cleanup and hardening within 4 hours.
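The same hash-and-compare routine underlies both control 19 (file integrity monitoring) and the "diff against a clean backup" step above, so here is one minimal version that serves both, as an added example that is not part of the original article. It uses only sha256sum, find and awk; the WordPress paths are placeholders, and the simple parser does not support file names containing whitespace.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. A minimal file-integrity
# check for control 19 and for the "diff against a clean backup" recovery
# step: hash the PHP files and .htaccess under a WordPress tree, then report
# MODIFIED / NEW / MISSING files against a saved baseline or a clean copy.
# Uses sha256sum, find and awk only; paths are hypothetical, and paths
# containing whitespace are not supported by the parser below.
set -eu

# Manifest of "sha256  ./relative/path" lines for the files an attacker
# touches: PHP (shells, injected code) and .htaccess (redirect hijacks).
# Uploads are included on purpose: PHP there is always suspicious.
fim_baseline() {   # usage: fim_baseline WP_ROOT OUTFILE
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '.htaccess' \) -exec sha256sum {} + ) \
    | sort -k2 > "$2"
}

# Compare a live tree with a manifest; prints one "STATUS ./path" line per
# difference (sorted) and nothing at all when everything matches.
fim_check() {   # usage: fim_check WP_ROOT BASELINE
  local current
  current=$(mktemp)
  fim_baseline "$1" "$current"
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
       { cur[$2] = $1 }                               # second file: live tree
       END {
         for (p in base) {
           if (!(p in cur))            print "MISSING " p
           else if (base[p] != cur[p]) print "MODIFIED " p
         }
         for (p in cur) if (!(p in base)) print "NEW " p
       }' "$2" "$current" | sort
  rm -f "$current"
}

# Recovery step: a pristine copy (fresh download of the same version, or a
# known-good backup) is the baseline, the compromised site is the tree
# under test. Every MODIFIED or NEW line is something to read before the
# rebuild, because it tells you what the attacker changed and where.
diff_against_clean() {   # usage: diff_against_clean CLEAN_ROOT LIVE_ROOT
  local manifest
  manifest=$(mktemp)
  fim_baseline "$1" "$manifest"
  fim_check "$2" "$manifest"
  rm -f "$manifest"
}
```

For monitoring, run `fim_baseline /var/www/html /var/lib/fim/baseline.sha256` right after every legitimate update and `fim_check /var/www/html /var/lib/fim/baseline.sha256` from cron; keep the baseline file outside the web root and not writable by the web server user, otherwise a shell that can edit wp-load.php can also rewrite the baseline.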

Talk to VefaSec about your project or audit needs.

Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.
