WordPress Best Practices

Security and maintenance checklist for WordPress sites hosted on Opterius.

Last updated 1775606400

Follow these practices on every WordPress site you host. Most take under five minutes to apply and prevent the majority of compromises seen on shared hosting.

Keep Everything Updated

  • Update WordPress core as soon as a new release is available. Security releases are tagged explicitly — treat them as urgent.
  • Update all active plugins and themes on a regular cadence. Vulnerable plugins are the leading cause of WordPress site compromises.
  • Use the panel's WordPress Scanner to identify outdated or vulnerable software.
  • Delete plugins and themes you are not using. Inactive plugins that remain installed are still exploitable if they contain vulnerabilities.

Admin Account Security

  • Do not use admin as the admin username. It is the first username attackers try. If your current admin is named admin, create a new administrator account with a different username, log in with it, and delete the old admin account.
  • Use a strong, unique password for the WP admin account: at least 20 characters, with mixed case, numbers and symbols.
  • Enable two-factor authentication for all administrator accounts. Use a plugin such as WP 2FA or enable it through a security plugin like Wordfence or Solid Security.
  • Limit the number of accounts with the Administrator role to those who actually need it.

Install a Security Plugin

Install one of the following on every site:

  • Wordfence Security — firewall, malware scanner, login protection, real-time threat intelligence.
  • Solid Security (formerly iThemes Security) — brute-force protection, file change detection, two-factor auth.

[!NOTE] Do not install both simultaneously — they conflict. Pick one and configure it fully.

Backups

Take regular backups before any update and on a recurring schedule. See Creating a Backup.

Store at least one backup copy off the server (remote storage, local download). A backup on the same server does not protect against server-level failures.

File Permissions

The agent sets correct permissions on install. If you have manually transferred files or something has reset permissions, correct them:

# Set correct permissions for a WP install
find /home/username/domain.com/public_html/ -type d -exec chmod 755 {} \;
find /home/username/domain.com/public_html/ -type f -exec chmod 644 {} \;

[!WARNING] Do not set files or directories to 777. It is never necessary for WordPress to function and opens the install to write-based exploits.

wp-config.php can be set more restrictively:

chmod 600 /home/username/domain.com/public_html/wp-config.php
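
The following audit script is an added example, not Opterius tooling: it walks a WordPress document root with POSIX find, reports every path that deviates from the 755/644/600 baseline above or is world-writable, and applies the same chmod remediation. The sample tree it builds under mktemp is constructed for the demo; point wp_perm_audit at your own public_html in practice.

```shell
#!/bin/sh
# Added example, not Opterius tooling: audit a WordPress document root
# against the baseline above (directories 755, files 644, wp-config.php
# 600) and flag anything world-writable. Uses only POSIX find/sed.

# Print one line per finding: "<rule> <path>".
wp_perm_audit() {
  root=$1
  # Directories must be exactly 755
  find "$root" -type d ! -perm 755 | sed 's/^/dir-not-755 /'
  # Regular files other than wp-config.php must be exactly 644
  find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file-not-644 /'
  # wp-config.php holds the database credentials; it must be exactly 600
  find "$root" -type f -name wp-config.php ! -perm 600 | sed 's/^/wp-config-not-600 /'
  # Anything writable by "other" is the 777-style exposure the warning describes
  find "$root" -perm -002 | sed 's/^/world-writable /'
}

# Number of findings; 0 means the tree matches the baseline.
wp_perm_violations() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the remediation from this page to the whole tree.
wp_perm_fix() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
  chmod 600 "$1/wp-config.php"
}

# Constructed sample tree so the audit can run offline: the uploads
# directory is left 777 and a file in it 666, wp-config.php is left 644.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads" "$t/wp-admin"
  : > "$t/index.php"; : > "$t/wp-config.php"; : > "$t/wp-admin/admin.php"
  : > "$t/wp-content/uploads/a.php"
  chmod 755 "$t" "$t/wp-content" "$t/wp-admin"
  chmod 644 "$t/index.php" "$t/wp-config.php" "$t/wp-admin/admin.php"
  chmod 777 "$t/wp-content/uploads"        # wrong: world-writable directory
  chmod 666 "$t/wp-content/uploads/a.php"  # wrong: world-writable file
  printf '%s\n' "$t"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_tree); wp_perm_audit "$d"; wp_perm_fix "$d"
  echo "after fix: $(wp_perm_violations "$d") findings"; rm -rf "$d"
fi
```

Run with --demo to see the five findings on the sample tree and zero after the fix; a world-writable file is reported twice, once for its mode and once for the other-write bit.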

Themes

  • Use a child theme for any customizations to a third-party theme. Edits made directly to a parent theme are wiped out on the next theme update.
  • Delete themes you are not using, including the default Twenty* themes if they are not active.
  • Only install themes from wordpress.org, a reputable marketplace, or your own development. Do not install nulled or cracked themes — they routinely contain backdoors.

Plugins

  • Only install plugins from wordpress.org or directly from the developer. Do not use nulled or cracked plugins under any circumstances.
  • Before installing a plugin, check its last updated date and active install count. A plugin not updated in two or more years is a liability.
  • Audit your active plugin list periodically. Remove anything that duplicates functionality or is no longer needed.

Login Page

  • The default WP login at /wp-login.php is brute-forced continuously. A security plugin can add IP-based rate limiting or move the login URL.
  • Consider restricting /wp-admin/ and /wp-login.php to specific IP addresses at the Nginx level if your admin IPs are static.

HTTPS

Ensure the site is served over HTTPS. An unencrypted login page sends admin credentials in plain text. See the SSL docs for enabling Let's Encrypt on your domain.