I have tried compiling a list of stuff that, in my opinion, does not bring more security to your WordPress installation. https://eastwest.se/blog/wordpress-security-myths What do you think, am I wrong? Is there something important I have forgotten?
Hide or move wp-admin to prevent brute force attacks

If you search on WordPress security, moving or hiding wp-admin is one common tip, and there are many plugins that can do this for you. Bots and scanners are actively looking for WordPress installations and attempting brute-force password attacks on /wp-admin.
This method is what's called "security by obscurity". Relying on it is not real security and cannot be seen as a good solution.
A big downside of this method is that many plugins depend on the exact location of /wp-admin, so you risk breaking them.
Besides this, most of the attacks use vulnerabilities in XML-RPC, so hiding wp-admin is useless against them.
However, I do highly recommend a plugin that limits login attempts to prevent brute-force attacks.
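Whether or not the admin path has been renamed, a brute-force run is visible in the web server's access log, because the POSTs land on /wp-login.php or /xmlrpc.php. The script below is an added example, not code from the post or the linked blog: it counts POSTs to those two endpoints per client IP in a combined-format access log and reports every pair at or above a threshold. The log lines, the addresses and the threshold of 10 are constructed for the demonstration.

```shell
# Added example, not code from the post or the linked blog. Counts POST requests
# to the two WordPress authentication endpoints per client IP in a combined-format
# access log, so a brute-force run shows up regardless of where wp-admin lives.
# All log lines, addresses and the threshold below are constructed sample data.

# Usage: wp_auth_flood <access_log> [threshold]
# Prints "count ip path" for every (ip, path) pair at or above the threshold,
# highest count first.
wp_auth_flood() {
    logfile=$1
    threshold=${2:-10}
    # Combined log format split on whitespace: $1 = client IP, $6 = "<method>
    # (with the opening quote), $7 = request path. Only POSTs to the login
    # endpoints are counted.
    awk -v limit="$threshold" '
        $6 == "\"POST" && ($7 ~ /^\/xmlrpc\.php/ || $7 ~ /^\/wp-login\.php/) {
            hits[$1 " " $7]++
        }
        END {
            for (key in hits)
                if (hits[key] >= limit) print hits[key], key
        }' "$logfile" | sort -rn
}

# Write a constructed sample log: one address hammering xmlrpc.php, one normal
# visitor who logs in once, and an unrelated page view.
make_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 25 ]; do
        printf '203.0.113.10 - - [10/Oct/2023:13:55:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n' >> "$out"
    printf '192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /?p=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n' >> "$out"
}

# Stand-alone demonstration: prints "25 203.0.113.10 /xmlrpc.php".
SAMPLE_LOG=$(mktemp)
make_sample_log "$SAMPLE_LOG"
wp_auth_flood "$SAMPLE_LOG" 10
rm -f "$SAMPLE_LOG"
```

The single visitor who logged in once stays below the threshold; the address with 25 POSTs to xmlrpc.php is reported, and it would be reported just the same if wp-admin had been moved, which is the point of the section above. Point the function at a real access log and feed the output to whatever blocks or alerts you already use.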
Changing the wp_ prefix of all tables

Another common tip is to change the wp_ prefix of the WordPress tables. The theory is that this makes SQL injection harder. In reality, it does not matter; it is just a waste of time.
If an attacker can query information_schema.tables, he or she gets all the information about the tables, whatever fancy prefix you put in front of their names. Again, "security by obscurity".
I have tried to compile an easy list for beginners of things you can do to make your WordPress installation more secure. There are many of these, but most of them, I feel, are too comprehensive and complicated. What do you think? Is there something important I have forgotten?
This blog post is not an attempt to make the most comprehensive checklist for making your WordPress installation more secure; there are many of these around the Internet. Instead, this is an easy list based on my experience working with WordPress installations. The aim is to make your installation more secure than your neighbour's, without installing bloated plugins. ;-)

Basics

Have a clean installation: don't leave phpMyAdmin installed (and don't just try to hide it while leaving the version in the directory name, like "phpMyAdmin-4.6.4-all-languages"). Also, no SQL files lying around on the server.
If you don't use file editing, disable it. Add define('DISALLOW_FILE_EDIT', true); in your theme's functions.php.
Make sure directory listing is off: add Options All -Indexes to .htaccess if you are using Apache.
Depending on your hosting, PHP error reporting can sometimes be on. Add this to your wp-config.php:
ini_set('log_errors', 'On');
ini_set('error_reporting', E_ALL);
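Most of the Basics above can be checked mechanically. The audit script below is an added example, not the blog's own tooling: it looks for leftover phpMyAdmin directories and .sql files, for DISALLOW_FILE_EDIT in wp-config.php or a theme's functions.php, for Options All -Indexes in .htaccess, and for display_errors being turned off in wp-config.php (the log_errors setting above sends errors to the log; it is display_errors Off that keeps them out of the rendered page). The sample document roots it builds, including the file names and the demo theme, are constructed.

```shell
# Added example, not code from the post or the linked blog. Audits a WordPress
# document root for the "Basics" above and prints one FINDING line per problem.
# The sample document roots built by make_sample_docroot are constructed.

# Usage: wp_basics_audit <docroot>; returns the number of findings.
wp_basics_audit() {
    docroot=$1
    findings=0

    # 1. Leftover phpMyAdmin directories, whatever version suffix they carry.
    for d in $(find "$docroot" -maxdepth 1 -type d -iname 'phpmyadmin*'); do
        echo "FINDING: phpMyAdmin directory present: ${d#"$docroot"/}"
        findings=$((findings + 1))
    done

    # 2. SQL dumps lying around anywhere under the docroot.
    for f in $(find "$docroot" -type f -name '*.sql'); do
        echo "FINDING: SQL file on the server: ${f#"$docroot"/}"
        findings=$((findings + 1))
    done

    # 3. File editing still enabled: DISALLOW_FILE_EDIT must be defined as true
    #    in wp-config.php or in a theme's functions.php.
    if ! grep -rqs "define( *'DISALLOW_FILE_EDIT', *true *)" \
            "$docroot/wp-config.php" "$docroot/wp-content/themes"; then
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi

    # 4. Directory listing not disabled for Apache.
    if ! grep -qs -- '-Indexes' "$docroot/.htaccess"; then
        echo "FINDING: .htaccess does not contain 'Options All -Indexes'"
        findings=$((findings + 1))
    fi

    # 5. PHP errors rendered into pages: display_errors must be turned off
    #    (log_errors=On only adds logging, it does not stop the display).
    if ! grep -qs "display_errors.*[Oo]ff" "$docroot/wp-config.php"; then
        echo "FINDING: wp-config.php does not turn display_errors off"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Build a constructed sample docroot: "bad" reproduces the mistakes listed
# above, "good" applies the fixes.
make_sample_docroot() {
    dir=$1
    mode=$2
    mkdir -p "$dir/wp-content/themes/demo"
    if [ "$mode" = "bad" ]; then
        mkdir -p "$dir/phpMyAdmin-4.6.4-all-languages"
        echo "CREATE TABLE wp_users (ID int);" > "$dir/backup.sql"
        printf "<?php\n\$table_prefix = 'wp_';\n" > "$dir/wp-config.php"
        printf "RewriteEngine On\n" > "$dir/.htaccess"
    else
        {
            echo "<?php"
            echo "\$table_prefix = 'wp_';"
            echo "define('DISALLOW_FILE_EDIT', true);"
            echo "ini_set('display_errors', 'Off');"
            echo "ini_set('log_errors', 'On');"
        } > "$dir/wp-config.php"
        printf "Options All -Indexes\n" > "$dir/.htaccess"
    fi
}

# Stand-alone demonstration against the constructed "bad" docroot:
# prints five FINDING lines and then "5 problem(s) found".
DEMO=$(mktemp -d)
make_sample_docroot "$DEMO" bad
wp_basics_audit "$DEMO" || echo "$? problem(s) found"
rm -rf "$DEMO"
```

Run wp_basics_audit against a real document root and the non-zero return code makes it usable as a pre-deployment check. The checks are deliberately simple string matches on the files the list above names; a constant set elsewhere (for example in a must-use plugin) would be reported as missing and needs a look by hand.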
Register a free account on UptimeRobot to check that the site is up. Tip: Don’t just monitor the front page of the site; try some page deeper in the hierarchy or set up a