1) Keep Everything Updated

• ✅WordPress core: Update immediately when new versions release (usually monthly).
• ✅Plugins & themes: Disable auto-updates only for premium plugins. Delete unused plugins.
• ✅Server software: Ask your host (Bluehost, SiteGround) to keep PHP/MySQL current.

2) Enforce Strong Passwords & Two-Factor Authentication

• ✅Admin password: 16+ characters, mix of uppercase, numbers, symbols.
• ✅Two-factor auth (2FA): Require password + phone code to log in. Use free plugin like Wordfence or Two Factor Authentication by Google.
• ✅Remove default “admin” username: Use unique usernames.

3) Daily Automated Backups

• ✅Daily backups: Most hosts (Bluehost, SiteGround) include automated backups. Verify they’re enabled.
• ✅Off-site backup: Download copy to your computer weekly or use UpdraftPlus (free version stores to Google Drive).
• ✅Test restore: Once per quarter, test restoring a backup to ensure it works.

4) Web Application Firewall (WAF)

• ✅Cloudflare (free tier): Blocks malicious traffic, DDoS protection, adds SSL.
• ✅Wordfence (free version): Monitor login attempts, block suspicious IPs.
• ✅Limit login attempts: After 5 failed attempts, lock out for 15 minutes.

5) HTTPS / SSL Certificate

• ✅SSL cert: Free via Let’s Encrypt (most hosts provide). Should show green lock in browser.
• ✅Redirect HTTP to HTTPS: Force all traffic through encrypted connection.

6) Monitor for Hacks

• ✅Wordfence alerts: Get notified of failed logins, plugin vulnerabilities, file changes.
• ✅Google Search Console: Monitor for malware warnings.
• ✅Regular scans: Run free Wordfence malware scan weekly.

7) User Roles & Permissions

• ✅Limit admin access: Only you should be admin. Others get Editor or Author roles.
• ✅Audit user activity: See who logged in, what they edited.

Professional Security Audits

ALMA WebPro performs WordPress security audits, implements hardening, and sets up monitoring—so you sleep at night.

Book Security Audit