Howto Secure WordPress

As a WordPress blog owner or provider, you want to ensure that your site is as secure as possible. An insecure site can mean downtime, defacement, and (worst of all) lost users. We present here a short list of steps you can take to lock down your site.

  1. First, your WordPress site will never be more secure than the server on which WordPress is running. If the server is not secure, then the following advice may do nothing to actually enhance security. See the How-To guides on Securing Linux and Windows for more details.
  2. Keep your WordPress software up-to-date. When security holes in WordPress and WordPress modules are found, they will be addressed and new versions released. By using the most recent software versions, you will ensure that your platform is not exposed to known hacks.
  3. The default user account that is created with every installation of WordPress is the admin account. Unfortunately everyone, including hackers, knows this and can easily launch a dictionary attack on your website to try to guess your password. If a hacker already knows your username, that’s half the battle. It’s highly recommended to delete or rename the admin account. You can do this during installation, or by manually changing the user_login value in the wp_users database table.
  4. Always use strong passwords for the WordPress administrative and database accounts.
  5. Enable SSL on your web server, and then force all logins to be done over SSL. This will encrypt passwords during transmission. You can generate your own or purchase a commercial SSL certificate. Add this line to wp-config.php (before the require of wp-settings.php): define('FORCE_SSL_ADMIN', true);
  6. Protect your wp-config.php file. It should not be accessible from a web browser. Enter these lines into a .htaccess file in the same directory as wp-config.php:

    <Files wp-config.php>
       Order Allow,Deny
       Deny from all
    </Files>

    Then, set the permissions for both .htaccess and wp-config.php to 640.

    > chmod 640 .htaccess
    > chmod 640 wp-config.php

  7. Generate unique authentication keys for wp-config.php. The keys provided by WordPress in your configuration file work fine, but your site will be more resistant to attacks if you generate your own random keys (the important word being “random”). Visit https://api.wordpress.org/secret-key/1.1/salt/ and copy the 8 generated lines into wp-config.php, overwriting the 4 lines that define AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY.
  8. Change the default WordPress database table prefix. This helps protect your installation against attacks, such as SQL injection, that rely on the default table names. Set $table_prefix in wp-config.php. Make sure to add an underscore at the end of the prefix. If you have already installed WordPress, the WP Security Scan plugin can be used to change the database table prefix.
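The following script is an added example, not part of this how-to or of WordPress itself: it reads the contents of a wp-config.php and reports which of steps 5, 7 and 8 above are still missing, and checks a file mode against the 640 permission from step 6. The regular expressions, finding messages and the two sample configurations are constructed for the demonstration and assume the standard define(...) and $table_prefix syntax.

```python
import os
import re

# Names WordPress expects in wp-config.php (4 keys + 4 salts from the salt endpoint).
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFAULT_PREFIX = "wp_"

def audit_wp_config(text):
    """Return a list of findings for the contents of a wp-config.php (steps 5, 7 and 8)."""
    findings = []
    # Step 5: logins and admin pages must be forced over SSL.
    if not re.search(r"define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*true\s*\)", text, re.I):
        findings.append("FORCE_SSL_ADMIN is not set to true")
    # Step 7: every key and salt must exist and must not be the shipped placeholder.
    for name in KEY_NAMES:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"](.*?)['\"]\s*\)" % name, text)
        if m is None:
            findings.append("%s is not defined" % name)
        elif PLACEHOLDER in m.group(1) or len(m.group(1)) < 32:
            findings.append("%s is the placeholder or too short" % name)
    # Step 8: the table prefix must differ from the default and end in an underscore.
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == DEFAULT_PREFIX:
        findings.append("$table_prefix is missing or still the default 'wp_'")
    elif not m.group(1).endswith("_"):
        findings.append("$table_prefix does not end with an underscore")
    return findings

def mode_ok(mode):
    """Step 6: True if a permission mode is no looser than 640 (no group write, nothing for others)."""
    return (mode & 0o027) == 0

def file_mode_ok(path):
    """Apply mode_ok to a real file such as wp-config.php or .htaccess."""
    return mode_ok(os.stat(path).st_mode)

# Constructed sample configs (not real site data) used for the demonstration below.
HARDENED_SAMPLE = (
    "<?php\ndefine('FORCE_SSL_ADMIN', true);\n"
    + "".join("define('%s', 'constructed-sample-value-%s-xxxxxxxxxxxxxxxx');\n" % (n, n)
              for n in KEY_NAMES)
    + "$table_prefix = 'blog9k_';\n"
)
DEFAULT_SAMPLE = "<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n$table_prefix = 'wp_';\n"
if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED_SAMPLE), ("default", DEFAULT_SAMPLE)):
        print(label, audit_wp_config(sample) or "no findings")
```

Run it against a real site with `audit_wp_config(open("/path/to/wp-config.php").read())` and `file_mode_ok("/path/to/wp-config.php")`; an empty findings list and True mean steps 5 through 8 are in place.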