When it comes to securing your WordPress site, there are many ways to go about it. Please allow me to outline a few basic things that can be done to help secure your site beyond having a secure hosting provider for it.
Choosing a Host
As mentioned, the first thing you want to do is find yourself a reputable host that provides a real managed environment. Sure, there are tons of fly-by-night companies out there offering “Managed WordPress Hosting”, but are they really managed? Over the years marketing departments have realized that advertising a Managed WordPress hosting solution is a way to bring in customers, even though they are running the same old cPanel or Plesk servers and just calling it something else.
When it comes down to it, the saying “you get what you pay for” really rings true in this space. Spend a little extra to get a REAL Managed WordPress host for your WordPress site: they have not only likely optimized their platform for WordPress performance but have almost certainly secured it using the best practices surrounding WordPress.
Setting a password
While everyone likes to use a password that they can remember, it is not wise to use your pet’s name, street address, or your mother’s maiden name as a password. Find yourself a decent password manager such as 1Password to generate a secure password that is unique to your WordPress site. Doing this is one of the most basic first lines of defense when setting up your account, as it helps curb brute-force password attempts.
Selecting a theme
Choosing a theme from a reputable source is always a plus when it comes to site security. While in most cases a hacker is not going to exploit a theme to gain access to your site, it is still a possible entry point, even if a rare one. I always mention that choosing a theme from an agency is going to be better than a random theme from Themeforest or the WordPress theme repo, as you just never know the skill level of the person(s) who created it. For all you know it was created by a kid for their high school computer class while they were just learning to program, whereas an agency or theme developer counts on this for their livelihood, so you can assume it will be more secure and updated on a more frequent schedule to patch any security issues that are discovered.
Choosing your plugins
As mentioned with choosing a good theme, the same can be said about the plugins that you want to install on your site. As a rule of thumb I try to use only premium plugins when possible, as there is usually someone behind them who depends on the plugin being secure and performing well so they can put food on their table. Of course, don’t get me wrong, there are many smaller free plugins that add some additional functionality your site requires and there is just no way around it. Just keep in mind: do you really need 80 plugins installed on your site, some of which have not been updated in months or even years?
Every plugin that you install on your site(s) adds an additional point of entry/attack for a would-be hacker. People are always complaining about how WordPress is so insecure and easy to hack, when in reality WordPress itself is pretty dang secure; it is when you start adding a bunch of plugins that you add other functions that could possibly be exploited. On all of my sites, I routinely log in, check my installed plugins, and see what I can remove or replace to keep them on the newest, best-maintained code.
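The routine plugin check described above can be scripted. This is an added example, not code from the original post: it reads the CSV that WP-CLI's `wp plugin list --format=csv --fields=name,status,update,version,update_version` prints (that column layout is an assumption here) and flags plugins with a pending update or that are inactive but still installed; the SAMPLE input is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a WordPress plugin inventory for two risk signals the
# post calls out: plugins with an available update (unpatched code) and
# inactive plugins (still-loadable code that should probably be removed).
#
# Real use:  wp plugin list --format=csv --fields=name,status,update,version,update_version | audit_plugins
# The column order above is assumed; adjust the awk field numbers if yours differs.

# Constructed sample of that CSV output (not from a real site).
SAMPLE='name,status,update,version,update_version
akismet,active,none,5.3,
classic-editor,inactive,none,1.6,
hello,inactive,available,1.7.2,1.7.3
wordfence,active,available,7.11.0,7.11.1'

# audit_plugins: reads the CSV on stdin and prints one line per finding:
#   UPDATE   <name> <installed> -> <available>   patch this plugin
#   INACTIVE <name>                              candidate for removal
audit_plugins() {
  awk -F',' 'NR > 1 {
    if ($3 == "available") printf "UPDATE %s %s -> %s\n", $1, $4, $5
    if ($2 == "inactive")  printf "INACTIVE %s\n", $1
  }'
}

# count_findings <KIND>: number of findings of one kind in the sample,
# handy for an alert threshold in a cron job (prints 0 when none).
count_findings() {
  printf '%s\n' "$SAMPLE" | audit_plugins | grep -c "^$1 " || true
}

# Stand-alone run: print the audit of the constructed sample.
printf '%s\n' "$SAMPLE" | audit_plugins
```

In the sample, `hello` is flagged twice (inactive and out of date), which is exactly the kind of plugin the post says to remove rather than update.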
Do you really need a security plugin with a Managed WordPress host? Likely not, as they have taken the time to lock down their platform to prevent attacks, with things like Cloudflare, a proactive firewall, fail2ban, monitoring, etc. Though there is almost always MORE that can be done; take iThemes Security, which I think is a fantastic plugin. It adds a lot of bells and whistles that many hosts cannot include in their platform, such as two-factor authentication, in-depth logging, and email notifications on file edits or logins.
As mentioned previously, do your homework on the security plugin(s) you decide to install. Does it really bring anything to the table that you are not already getting from your host? How does it affect performance? Performance? Yes, some of these plugins can really slow your site down: the extra layer of security and protection they add has to load and run its tasks on every page load before your pages render. Take Wordfence, for instance. I stopped using this plugin a long time ago as it was really slowing down my site due to its WAF. I switched to iThemes Security and it provided me with a lot of the same features without my site taking a performance hit.
Everything I mentioned above should give you a good starting point on how to secure your site, even at the most basic level. In the end, it really does start with finding a good host that is not just a host but a partner for you and your site. It is best to find a host that provides security out of the box and is there for your questions on how to take it to the next level.