Enabling a bare minimum of WordPress Security

Running a CMS on any website can be cumbersome: you are constantly checking for updates, updating manually, and securing the configuration if it is not secure by default. The auto-update feature of WordPress, and the plugins that help administer it, are a big help. Security plugins that reduce bot attacks and keep evildoers out are also comforting, and needed in a hostile environment such as the internet.

Disabling comments and the creation of users is recommended if they are not needed. Exploits that elevate privileges have been seen.

So my recommendation is to follow these steps as a bare minimum:

Plugins to install and configure:

404 To Homepage

Disable XML-RPC

Easy Updates Manager

Force HTTPS

Force Strong Hashing

Limit Login Attempts Reloaded

Meta Generator and Version Info Remover

Wordfence Security

WP Statistics

UpdraftPlus (if you need backups because your hosting provider does not offer them)

Use WPScan and Nikto2 from a Kali VM regularly to test your website for vulnerabilities, misconfigurations, etc. Follow the recommendations and secure your website as much as you feel is adequate, for example by removing obvious readme files, using .htaccess, etc.
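Between full scans, a short self-check can confirm that the hardening from the list above is still in place on your own site. This is an added example, not part of the original post; the probe names, the four paths, the function names and the sample responses are assumptions of the example.

```python
import re
import urllib.error
import urllib.request

GENERATOR = re.compile(r'<meta[^>]*name=["\']generator["\'][^>]*>', re.I)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it

def fetch(url):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return r.status, r.headers.get("Location", ""), r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), e.read(65536).decode("utf-8", "replace")

def collect(host):  # probe your own site; the four paths are this example's choice
    return {"http_root": fetch(f"http://{host}/"),
            "https_root": fetch(f"https://{host}/"),
            "readme": fetch(f"https://{host}/readme.html"),
            "xmlrpc": fetch(f"https://{host}/xmlrpc.php")}

def audit(obs):
    """Turn observed responses into a list of hardening gaps."""
    findings = []
    status, location, _ = obs["http_root"]
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append("http is not redirected to https")
    tag = GENERATOR.search(obs["https_root"][2])
    if tag:
        findings.append("generator tag exposed: " + tag.group(0))
    if obs["readme"][0] == 200:
        findings.append("readme.html is readable")
    # Assumption: a stock endpoint answers GET with 405 and POST with 200.
    if obs["xmlrpc"][0] in (200, 405):
        findings.append("xmlrpc.php still answers requests")
    return findings

# Constructed sample observations (not captured from a real site).
STOCK = {"http_root": (200, "", "<html></html>"),
         "https_root": (200, "", '<meta name="generator" content="WordPress X.Y" />'),
         "readme": (200, "", "<h1>WordPress</h1>"),
         "xmlrpc": (405, "", "XML-RPC server accepts POST requests only.")}

if __name__ == "__main__":
    print(audit(STOCK))
```

For a live check, pass `collect("your-own-host")` to `audit`; an empty list means none of the four gaps was observed.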