Title: Security Setup
Last modified: May 20, 2026

---

# Security Setup

 *  [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * (@lostalien666)
 * [2 weeks, 6 days ago](https://wordpress.org/support/topic/security-setup-2/)
 * Hi, I hope I’ve posted in the correct place. If not, I apologize.
 * I am an old-timer programmer here. We’re talking COBOL and C from the mid 80s
   until the late 90s. I do have a grasp of front-end languages. And PHP seemed
   natural to me when I started playing with it last year.
 * My buddy just handed me a contract to build and maintain a subscription site.
   It will deliver a curriculum (LMS) for those interested in becoming proficient
   IELTS instructors.
 * WP is well documented and supported. Therefore, I felt it was a good choice
   for delivering products online.
 * At this moment, I am seeking advice on WP security.
 * Setup:
   Dev: Windows 11, Wamp, Apache 2.4.65, PHP 8.23.28, MYSQL 8.4.7, MariaDB
   11.4.9
 * Live: We have a managed WP package with IONOS. Haven’t the info in front of me
   at this moment.
 * I’ve read that the following steps are good ways to increase stability. I would
   like to know what others believe, and would gladly accept any advice.
 * Sorry, it is a long list.
    1. Choose a good host
    2. Change Database prefix (wp_prefix to something like ourdb_prefix)
    3. Move admin profile
    4. Disable pingbacks
    5. .htaccess file usage (I am new to this)
    6. File permissions
    7. Disable file editing
    8. Use Cloudflare (nice product)
    9. Backups regularly (Of course)
    10. Activate and force HTTPS (I think our host does this already)
    11. Disable session suggestions
    12. Change Admin URL
    13. Limit login attempts
    14. USE firewalls (Again I think our host has this feature.)
    15. White list my own IP for Admin usages within WP
    16. 2FA (Great)
    17. Secure Headers
    18. Disable atom/rss feeds
    19. Prevent XML-RPC attacks
    20. Delete readme.html
    21. Hide php warnings and notifications
    22. Hide apache, php and wp versions
    23. Updates, backups and scans
    24. Use Captcha
 * Okay, so I think that is quite a bit of setup work. But some questions.
    1. Is all this really necessary?
    2. What have I missed?
    3. Will this create performance problems?
 * Again, I want to thank everyone for supporting each other.
    - Alien

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [Patrick – WPMU DEV Support](https://wordpress.org/support/users/wpmudevsupport12/)
 * (@wpmudevsupport12)
 * [2 weeks, 6 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18913112)
 * Hi [@lostalien666](https://wordpress.org/support/users/lostalien666/)
 * WordPress is one of the most popular CMS, so it is expected to see some attempts;
   therefore, security is always a good idea.
 * Going through your list:
    1. Choose a good host – Always good
    2. Change Database prefix (wp_prefix to something like ourdb_prefix) – Usually,
       managed hosting will already create the WordPress using a custom prefix
    3. Move admin profile – Not sure what is meant here, but ideally you can stop
       user enumeration attacks by hiding the profiles, e.g. /author/1
    4. Disable pingbacks – That will depend if you would like it or not
       [https://wordpress.org/documentation/article/trackbacks-and-pingbacks/](https://wordpress.org/documentation/article/trackbacks-and-pingbacks/)
    5. htaccess file usage (I am new to this) – htaccess will be relevant if you use
       Apache server, otherwise Nginx config will handle it
    6. File permissions – Use WordPress recommended file permission
       [https://developer.wordpress.org/advanced-administration/server/file-permissions/](https://developer.wordpress.org/advanced-administration/server/file-permissions/)
    7. Disable file editing – That’s a good idea
    8. Use Cloudflare (nice product) – that’s a good idea
    9. Backups regularly (Of course) – Must step
    10. Activate and force HTTPS (I think our host does this already) – Must step
    11. Disable session suggestions – Will not make a lot of difference, but you can
        use a plugin to reduce your session time, for example if 1h of inactivity,
        expire the session
    12. Change Admin URL – you can mask the wp-login.php, but modifying the wp-admin
        won’t bring a lot of security enhancement
    13. Limit login attempts – That’s a good idea
    14. USE firewalls (Again I think our host has this feature.) – That’s a good idea
    15. White list my own IP for Admin usages within WP – Not really necessary
    16. 2FA (Great) – That’s a good idea
    17. Secure Headers – That’s a good idea
    18. Disable atom/rss feeds – Depends if you are using it or not
    19. Prevent XML-RPC attacks – Depends if you are using it or not
    20. Delete readme.html – Not really necessary
    21. Hide php warnings and notifications – Good idea
    22. Hide apache, php and wp versions – It is a good idea to avoid the zero-day
        attack, but mostly, keep things updated
    23. Updates, backups and scans – Great idea
    24. Use Captcha – Good idea if you have a comments section
 * WordPress has some documentation about security [https://wordpress.org/about/security/](https://wordpress.org/about/security/)
   or [https://developer.wordpress.org/advanced-administration/security/hardening/](https://developer.wordpress.org/advanced-administration/security/hardening/);
   this will be the best starting point.
 * Best Regards
    Patrick Freitas
 *  Thread Starter [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * (@lostalien666)
 * [2 weeks, 5 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18914238)
 * Hi Patrick
 * Thanks for your time and for giving some feedback on these items.
 * Tech has changed so much since the 90s that I was spinning my head on options.
   I will be following up on these now as I finally got a day off from work.
 * I’ll also read those links now.
 * More to come.
 *  Thread Starter [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * (@lostalien666)
 * [2 weeks, 5 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18914385)
 * Have completed 90% of that. Still want to study some things about .htaccess as
   there are several mods to be made.
 * How could someone test all these?
 *  [Nithin – WPMU DEV Support](https://wordpress.org/support/users/wpmudevsupport11/)
 * (@wpmudevsupport11)
 * [2 weeks, 4 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18915966)
 * Hi [@lostalien666](https://wordpress.org/support/users/lostalien666/),
 * Testing would require a manual workflow, but you could use these for some of these
   aspects:
 * Security Headers: [https://securityheaders.com](https://securityheaders.com)
 * SSL: [https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)
 * [https://wpscan.com/](https://wpscan.com/) and Sucuri online SiteCheck etc
 * Testing out the .htaccess rules would require manual checks, e.g., creating a
   PHP file and checking whether you could access it directly based on the added
   rules.
 * Regards,
 * Nithin
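As an added example (not from the thread or from the WPMU DEV replies), a POSIX shell checker for two of the list items above, "Secure Headers" and "Hide apache, php and wp versions": it reads an HTTP response header block, such as the output of `curl -sI` against your own site (the URL is assumed), and reports missing hardening headers and version disclosure. The two header blocks embedded below are constructed samples, not captured from any real site.

```shell
#!/bin/sh
# Added example: check a header dump for missing hardening headers and version leaks.
# Usage on a live site (URL assumed): check_headers "$(curl -sI https://your-site.example/)"

# Constructed sample, un-hardened: Apache and PHP versions leak, most headers missing.
WEAK_HEADERS='HTTP/2 200
server: Apache/2.4.65 (Win64)
x-powered-by: PHP/8.2.28
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000'

# Constructed sample after hardening (ServerTokens Prod, expose_php = Off, headers added).
HARDENED_HEADERS='HTTP/2 200
server: Apache
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
content-security-policy: frame-ancestors '\''self'\'''

# check_headers HEADER_TEXT -> prints one line per finding; returns 0 if clean, 1 otherwise
check_headers() {
    hdrs=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')   # header names are case-insensitive
    fail=0
    for h in strict-transport-security x-content-type-options x-frame-options \
             referrer-policy content-security-policy; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "MISSING  $h"
            fail=1
        fi
    done
    # Version disclosure: a Server header carrying a version number, or any X-Powered-By.
    if printf '%s\n' "$hdrs" | grep -Eq '^server:.*[0-9]+\.[0-9]'; then
        echo "LEAK     server header exposes a version number (set ServerTokens Prod)"
        fail=1
    fi
    if printf '%s\n' "$hdrs" | grep -q '^x-powered-by:'; then
        echo "LEAK     x-powered-by header present (set expose_php = Off)"
        fail=1
    fi
    return $fail
}

echo "--- weak sample ---";     check_headers "$WEAK_HEADERS"     || echo "RESULT: fix before go-live"
echo "--- hardened sample ---"; check_headers "$HARDENED_HEADERS" && echo "RESULT: clean"
```

On a managed host where you cannot edit the Apache config, the Server header is set by the host and a CDN in front of the site may rewrite it, so check the live headers rather than assuming.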
 *  Thread Starter [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * (@lostalien666)
 * [2 weeks, 3 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18916515)
 * Good morning.
 * Hey that sounds great! Just waking up here and looking at an NBA game over coffee.
 * Your advice is greatly appreciated. I will have a look at those today.
 * Back in my early days, we didn’t have to worry about so much as today. Things
   really changed a lot. Many things are already made to do much work which was 
   all done by hand, back in the day.
 * But certainly will not skimp on testing.
 * I’ll have a go at those and report back.
 * Thanks
 *  [Patrick – WPMU DEV Support](https://wordpress.org/support/users/wpmudevsupport12/)
 * (@wpmudevsupport12)
 * [2 weeks, 3 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18916540)
 * Hi [@lostalien666](https://wordpress.org/support/users/lostalien666/)
 * > Back in my early days, we didn’t have to worry about so much as today. Things
   > really changed a lot. Many things are already made to do much work which was
   > all done by hand, back in the day.
 * With AI now we see more attack vectors so security is even more important than
   ever indeed.
 * Best Regards
    Patrick Freitas
 *  Thread Starter [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * (@lostalien666)
 * [2 weeks, 3 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18916599)
 * I suppose I just opened a can of worms for myself? lol
 *  Thread Starter [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * (@lostalien666)
 * [1 week, 3 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18923566)
 * Ok I am back finally.
 * First of all thanks for the advice on this list.
 * I’ve completed 95% of them and had issues setting up sftp/ssh on IONOS to get
   access to wp_config.php and .htaccess
 * So I couldn’t get the following done. Advice please
    1. Hiding apache/php versions
    2. Hiding php warnings and notifications
 * Just these two I wasn’t able to, as of now, set up.
 * Thank the old gods and the new for a system like Cloudflare. That’s some powerful
   safety gear. I couldn’t even imagine doing this by hand in the ‘old days.’
 * For ending this task I’d like to ask another short round of questions.
 * Those 2 steps mentioned above. Are they critical?
 * If so, I will move on to figure out why my sftp isn’t granting me the access
   I set up on the host.
 * Suggestions?
 * Thanks again
 * D


## Tags

 * [Setup](https://wordpress.org/support/topic-tag/setup/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 8 replies
 * 3 participants
 * Last reply from: [lostalien666](https://wordpress.org/support/users/lostalien666/)
 * Last activity: [1 week, 3 days ago](https://wordpress.org/support/topic/security-setup-2/#post-18923566)
 * Status: not resolved

