WordPress Security Hardening on GoSiteMe
WordPress powers millions of websites, making it a frequent target for attackers. GoSiteMe provides several built-in protections, but following additional hardening steps significantly reduces your risk. This guide covers essential and advanced security measures.
Essential Security Steps
- Keep everything updated: WordPress core, plugins, and themes should always run the latest versions. Enable auto-updates under Dashboard → Updates or let Alfred manage updates for you.
- Use strong passwords: Every WordPress user account should have a unique, complex password (12+ characters, mixed case, numbers, symbols).
- Enable 2FA: Install a two-factor authentication plugin for all admin and editor accounts.
- Change the admin username: Avoid using "admin" as your login name. Create a new administrator account, then delete the default one.
- Limit login attempts: GoSiteMe's firewall automatically rate-limits login attempts, but you can also install a plugin for additional control.
Advanced Hardening
- Disable file editing: Add define('DISALLOW_FILE_EDIT', true); to wp-config.php to prevent code editing from the WordPress dashboard.
- Move wp-config.php: GoSiteMe supports placing wp-config.php one directory above the web root for added security.
- Disable XML-RPC: If you don't use the WordPress mobile app or remote publishing, disable XML-RPC to close a common attack vector.
- Set correct file permissions: Directories should be 755, files should be 644, and wp-config.php should be 440 or 400.
- Add security headers: GoSiteMe's dashboard lets you add HTTP security headers (CSP, X-Frame-Options, HSTS) under Hosting → Security → Headers.
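A read-only check of the file-permission and wp-config.php items in the list above, added here as an example; it is not GoSiteMe's own tooling. The function name audit_wp_hardening and the finding labels are made up for illustration, and it assumes you have shell access to the site's files.

```sh
#!/bin/sh
# Audit a WordPress tree against the modes and the DISALLOW_FILE_EDIT
# setting listed above. Prints one finding per line; prints nothing when clean.
# Usage (hypothetical path): audit_wp_hardening /path/to/webroot
audit_wp_hardening() {
    root=$1

    # wp-config.php may sit in the web root or one directory above it.
    if [ -f "$root/wp-config.php" ]; then
        cfg="$root/wp-config.php"
    elif [ -f "$root/../wp-config.php" ]; then
        cfg="$root/../wp-config.php"
    else
        echo "MISSING wp-config.php"
        cfg=""
    fi

    if [ -n "$cfg" ]; then
        # wp-config.php should be exactly 440 or 400.
        if [ -n "$(find "$cfg" ! -perm 440 ! -perm 400)" ]; then
            echo "PERM wp-config.php is not 440 or 400"
        fi
        # The define must start a line, so a commented-out copy does not count.
        if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            echo "CONFIG DISALLOW_FILE_EDIT is not set to true"
        fi
    fi

    # Directories should be 755.
    find "$root" -type d ! -perm 755 | sed 's/^/PERM dir not 755: /'
    # Files should be 644 (wp-config.php has its own rule above).
    find "$root" -type f ! -name wp-config.php ! -perm 644 |
        sed 's/^/PERM file not 644: /'
}
```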
GoSiteMe Built-In Protections
Your WordPress site on GoSiteMe benefits from:
- Web Application Firewall (WAF): Blocks SQL injection, XSS, and other OWASP Top 10 attacks.
- Malware scanning: Daily scans with automatic notifications if threats are detected.
- DDoS protection: Always-on traffic filtering at the network edge.
- Free SSL: HTTPS encryption for all traffic.
Security Monitoring
Review the Security → Activity Log in your dashboard to monitor login attempts, file changes, plugin installations, and other administrative actions. Set up email alerts for suspicious activity.
Recovery
If your site is compromised, GoSiteMe's daily backups let you restore to a clean state quickly. Contact our Security Response Team via Support → Security Incident for immediate assistance with malware removal.