Upload the WordPress files and folders into a directory with a name that is hard to predict, such as cpweb, rather than into the document root. A trick can then hide this directory so the site appears to be installed in the home directory: go to Settings -> General and delete the sub-directory name from the Site Address (URL) field. Site Address (URL) is the perceived address and WordPress Address (URL) is the physical address. Copy the .htaccess and index.php files to the root of the domain, edit index.php and change its last line from:
require __DIR__ . '/wp-blog-header.php';
to the same line with the sub-directory name inserted (cpweb in the example above; older WordPress releases write this line as require( dirname( __FILE__ ) . '/wp-blog-header.php' ); and take the same edit):
require __DIR__ . '/cpweb/wp-blog-header.php';
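The index.php edit above is easy to get wrong by hand, so here is an added example (not part of the original note) that performs it programmatically. It recognises both the current `require __DIR__ . '/wp-blog-header.php';` form and the older `dirname( __FILE__ )` form, inserts the sub-directory name, and refuses to touch a line that already points somewhere else; the sub-directory name cpweb and the `relocate_index` helper are assumptions for illustration.

```python
import re
from pathlib import Path

# Sub-directory the WordPress files were uploaded into (assumed, matches the note above).
SUBDIR = "cpweb"

# Matches the require line WordPress ships in index.php, in both the current form
#   require __DIR__ . '/wp-blog-header.php';
# and the older form
#   require( dirname( __FILE__ ) . '/wp-blog-header.php' );
_REQUIRE_RE = re.compile(
    r"""(?P<head>require\s*\(?\s*(?:__DIR__|dirname\s*\(\s*__FILE__\s*\))\s*\.\s*['"])"""
    r"""(?P<path>/[^'"]*wp-blog-header\.php)"""
    r"""(?P<tail>['"]\s*\)?\s*;)"""
)


def rewrite_blog_header_require(index_php: str, subdir: str) -> str:
    """Return index_php with the wp-blog-header.php require pointing into subdir."""
    subdir = subdir.strip("/")
    if not subdir:
        raise ValueError("subdirectory name must not be empty")
    m = _REQUIRE_RE.search(index_php)
    if m is None:
        raise ValueError("no wp-blog-header.php require line found")
    expected = f"/{subdir}/wp-blog-header.php"
    if m.group("path") == expected:
        return index_php  # already rewritten, nothing to do
    if m.group("path") != "/wp-blog-header.php":
        raise ValueError(f"require already points elsewhere: {m.group('path')}")
    # Replace only the path inside the quotes; the surrounding syntax is kept as-is.
    return index_php[: m.start("path")] + expected + index_php[m.end("path"):]


def relocate_index(docroot, subdir=SUBDIR) -> Path:
    """Write a root index.php that hands off to the copy living in subdir.

    Hypothetical helper: it assumes <docroot>/<subdir>/index.php is the stock
    WordPress file. Copying .htaccess to the root is a separate manual step.
    """
    root = Path(docroot)
    src = root / subdir / "index.php"
    dst = root / "index.php"
    dst.write_text(rewrite_blog_header_require(src.read_text(), subdir))
    return dst
```

After running `relocate_index`, the root index.php loads WordPress from the hidden directory while visitors only ever see the root URL, which is exactly the split between Site Address and WordPress Address described above.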
Change the table prefix while creating the configuration file, as it makes things tougher for hackers.
Put unique phrases in the salts of the wp-config.php file. They can be generated using the salt generator on WordPress.org.
Don't use admin as the user name while setting up your site: admin is the default user, so every hacker is likely to attack this account. Choose a different name.
It is very important to secure the wp-config.php file and the wp-content directory; the rest of the files you can delete and upload again. All uploaded files are stored in the wp-content folder and the database connection details are saved in wp-config.php.
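The two wp-config.php points above (a non-default table prefix and unique salts) can be checked mechanically. The following is an added example, not part of the original note: it generates a fresh block of the eight salt defines WordPress expects, using the same 64-character length the WordPress.org generator emits, and audits an existing wp-config.php text for the default `wp_` prefix, placeholder salts, missing keys and duplicated values. The character-set choice and the 32-character minimum used in the audit are this example's own assumptions.

```python
import re
import secrets

# The eight secret keys and salts WordPress expects in wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII minus quotes and backslash, so a value can sit inside a
# single-quoted PHP string without escaping (assumption; WordPress.org's
# generator uses a similar set).
SALT_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
SALT_LENGTH = 64
PLACEHOLDER = "put your unique phrase here"  # what the sample config ships with

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def generate_salt_block() -> str:
    """Return eight define() lines, each with a fresh 64-char random salt."""
    lines = []
    for key in SALT_KEYS:
        # secrets (not random) so the values are unpredictable.
        value = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LENGTH))
        lines.append(f"define( '{key}', '{value}' );")
    return "\n".join(lines)


def parse_salt_defines(text: str) -> dict:
    """Map each define()d constant name in a wp-config.php text to its value."""
    return dict(DEFINE_RE.findall(text))


def audit_wp_config(text: str) -> list:
    """Return a list of findings; an empty list means prefix and salts look fine."""
    findings = []
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("no $table_prefix assignment found")
    elif m.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", m.group(1)):
        findings.append("table prefix must contain only letters, digits and underscores")
    defines = parse_salt_defines(text)
    seen = {}
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{key} is a placeholder or too short")
        elif value in seen:
            findings.append(f"{key} duplicates {seen[value]}")
        else:
            seen[value] = key
    return findings
```

Run `audit_wp_config` over the text of an existing wp-config.php; any non-empty result is something to fix before the site goes live, and `generate_salt_block()` produces a drop-in replacement for the salt section.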
Use a WordPress firewall
Enforce strong WordPress password policies
Install a file integrity monitoring plugin
Keep a log of all changes that happen on WordPress
Keep WordPress core, all the plugins, themes and software you use up to date
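As an added example of the file integrity monitoring and change logging items above (this is not code from the original note or from any WordPress plugin), the script below hashes every file under a WordPress install into a baseline, compares a later snapshot against it, and singles out the changes that matter most on a WordPress tree: any new or altered PHP file, and any change to wp-config.php, .htaccess or index.php. The ignored cache directory and the watch list are this example's own choices.

```python
import hashlib
from pathlib import Path

# Paths whose change should always be looked at first (assumed watch list).
WATCH_FILES = {"wp-config.php", ".htaccess", "index.php"}
# Directories that churn legitimately and would only add noise (assumption).
DEFAULT_IGNORE = ("wp-content/cache",)


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, ignore=DEFAULT_IGNORE) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in ignore):
            continue
        baseline[rel] = _sha256(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(changes: dict) -> list:
    """Pick out the changes that deserve immediate attention on a WordPress tree."""
    hits = set()
    for rel in changes["added"] + changes["modified"]:
        if rel in WATCH_FILES or rel.endswith(".php"):
            hits.add(rel)
    return sorted(hits)


if __name__ == "__main__":
    import json
    import sys

    # Usage: python fim.py <docroot> [baseline.json]
    # Without a baseline file it prints one; with one it prints the differences.
    docroot = sys.argv[1]
    current = build_baseline(docroot)
    if len(sys.argv) < 3:
        print(json.dumps(current, indent=1))
    else:
        with open(sys.argv[2]) as f:
            previous = json.load(f)
        changes = compare(previous, current)
        print(json.dumps({"changes": changes, "suspicious": suspicious(changes)}, indent=1))
```

Save the baseline right after a clean install or update, re-run the comparison on a schedule, and keep the JSON output as the change log the note asks for; a PHP file appearing under wp-content/uploads is the classic sign that the upload directory needs attention.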
Use an SSL certificate (HTTPS)
- Encrypts the traffic between the web server and the web browser
- Certificate Authority (CA): the certificate contains cryptographic proof that an entity trusted by the browser vouches for that website's identity; its built-in security features make it hard to spoof.
- Three different types of certificates can be obtained: Domain Validation (DV), Organization Validation (OV), Extended Validation (EV)
- Let's Encrypt, a non-profit certificate authority run by the Internet Security Research Group (ISRG), provides HTTPS certificates to everyone at no charge. It is the largest CA on the Internet. Its certificates are valid for 90 days, but it uses the ACME protocol, which allows automatic certificate renewal.