Keeping WordPress Secure — Our 8-Layer Security Baseline

<h2>The 8 Layers</h2><ol><li><strong>Web Application Firewall</strong> — nginx layer blocks SQL injection, XSS, file upload exploits for WordPress core/plugins/themes</li><li><strong>Login Throttling</strong> — max 5 incorrect attempts per IP per minute → 1-hour block via fail2ban</li><li><strong>2FA Optional</strong> — Google Authenticator for admin role</li><li><strong>File Permissions</strong> — wp-config.php = 600, plugins directory = 755, no execution on uploads</li><li><strong>SSL Pinning + HSTS</strong> — for 12 months + preload</li><li><strong>Malicious Plugins</strong> — auto-detect (Wordfence DB) → ticket to admin</li><li><strong>Auto-Update Minor Versions</strong> — security patches within 24 hours</li><li><strong>Daily Corruption Scan</strong> — checksum comparison with WordPress.org canonical files</li></ol><h3>What We Do in Case of a Hack?</h3><p>Detection within 6 hours via cron monitoring → site offline within 30 minutes after confirmation → restore from last clean backup → hardening + ticket to customer. Free with every package.</p><h3>What You Need to Do?</h3><ul><li>Strong password for your admin account (16+ characters)</li><li>Enable 2FA</li><li>Avoid using "admin" as username (known bot target)</li><li>Avoid plugins from unknown developers</li></ul>