Move wp-config.php up one directory

If your host allows you to access non-public directories on your server above your WordPress directory, simply move the wp-config.php file up one directory. WordPress has this feature built in, so it won’t break your site when you do so. If for some reason it does, just move it back. This way it will be a lot harder for hackers to find and/or access your wp-config.php file, which is very important because your wp-config.php file contains your database credentials.

Make it so failed logins are ambiguous

By default, failed login attempts to WordPress will tell you whether your username or your password is wrong. This gives hackers more helpful information than you want them to have. Add the following lines of PHP code to your WordPress theme’s functions.php file so it simply returns “Wrong username or password.” instead:

function wrong_login() {
    return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');

Make your admin username anything other than “admin”

“admin” is the default admin username for WordPress and hackers take full advantage of this. So if you currently have an admin user with the username “admin”, simply delete or rename the username for this user. Avoid any obvious alternatives (e.g. “administrator”).

Disable the WordPress file editor

If you don’t use the WordPress file editor, it’s a good idea to disable it. If you’d like to do so, simply add the following line of PHP code to your WordPress theme’s functions.php file:

define('DISALLOW_FILE_EDIT', true);

Delete or rename readme.html

The WordPress readme.html file also contains the WordPress version, so simply delete it or rename it.

Delete or rename install.php

The install.php file located in the /wp-admin/ folder isn’t needed after you’ve done the initial WordPress installation. Hackers may be able to exploit this if you leave it as is, so simply delete or rename the install.php file.

Delete or rename upgrade.php

The upgrade.php file, also located in the /wp-admin/ folder, is in the same situation as the install.php file, so delete or rename the upgrade.php file as well.

Remove WordPress version from page meta data

If you see the following when you look at your WordPress website’s source code:

<meta name="generator" content="WordPress 4.4.1" />

You can remove this by adding the following lines of PHP code to your WordPress theme’s functions.php file:

function remove_version() {
    return '';
}
add_filter('the_generator', 'remove_version');

Delete user with ID “1”

Having an admin user with ID “1” on your WordPress website can aid hackers in rare situations. If you want to be extra safe, simply create a new admin user and then delete the first user created on your WordPress website.

Disable the “Anyone can register” option

If you don’t need anyone to be able to register, it’s best to make sure this option is disabled in the WordPress Dashboard under Settings > General.

Avoid using the default database prefix “wp_”

This can be rather tedious to change after you’ve already installed your website, but just make sure to avoid it when you install new WordPress websites in the future. Using an alternative, custom prefix is best (e.g. “w0rd_”).

Ensure WordPress debug mode is disabled

Not only does debug mode slow down your WordPress website, but it confuses visitors and provides potentially valuable information to hackers as well. In order to make sure debug mode is turned off, simply edit your wp-config.php file, look for the following line and make sure it’s set to false:

define('WP_DEBUG', false);

Do the same for WordPress JavaScript debug mode by ensuring the following line is set to false:

define('SCRIPT_DEBUG', false);
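The following is an added example, not code from the original article: a read-only POSIX shell audit that checks a WordPress document root against the file-system items above (leftover readme.html, install.php and upgrade.php; wp-config.php still inside the web root; WP_DEBUG or SCRIPT_DEBUG left true; the default wp_ table prefix; DISALLOW_FILE_EDIT not defined in wp-config.php or a theme’s functions.php). The document root path is an assumption, the function name wp_audit is made up for this example, and the items that live in the database (the “admin” username, user ID 1, the registration setting) are not covered because they need a database query rather than a file check.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for the leftover files and
# settings this checklist says to remove or change. It only reports; it
# changes nothing on disk.
#
# Usage: wp_audit /var/www/html        (the path is an assumption)

wp_audit() {
  root="$1"
  n=0

  # Leftover files that reveal the version or re-run the installer
  for f in readme.html wp-admin/install.php wp-admin/upgrade.php; do
    if [ -e "$root/$f" ]; then
      echo "FOUND: $f present (delete or rename)"
      n=$((n + 1))
    fi
  done

  # wp-config.php: WordPress also reads it from one directory above the root
  cfg=""
  if [ -f "$root/wp-config.php" ]; then
    cfg="$root/wp-config.php"
    echo "FOUND: wp-config.php inside the web root (move it up one directory)"
    n=$((n + 1))
  elif [ -f "$root/../wp-config.php" ]; then
    cfg="$root/../wp-config.php"
  fi

  if [ -n "$cfg" ]; then
    # Debug constants left enabled
    for c in WP_DEBUG SCRIPT_DEBUG; do
      if grep -Eq "define\([[:space:]]*'$c'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FOUND: $c is true in wp-config.php"
        n=$((n + 1))
      fi
    done

    # Default table prefix
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
      echo "FOUND: default table prefix wp_ in wp-config.php"
      n=$((n + 1))
    fi

    # File editor not disabled in wp-config.php or any theme's functions.php
    # (-s silences the error when no theme functions.php exists)
    if ! grep -Eqs "DISALLOW_FILE_EDIT" "$cfg" "$root"/wp-content/themes/*/functions.php; then
      echo "FOUND: DISALLOW_FILE_EDIT not defined"
      n=$((n + 1))
    fi
  fi

  echo "findings: $n"
}
```

Run it against the document root (not the directory above it) so the wp-config.php check can tell the two locations apart; the last line gives the number of findings, and each FOUND line maps back to one item in the list above.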

Delete unused WordPress themes & plugins

If you don’t use it, lose it. Leaving these files around simply provides more opportunities for hackers.