What are the best ways to protect a WordPress website from attacks?

This morning I discovered my site had over 100 SQL injection attack attempts overnight. Thankfully nothing got through, but it really got me thinking about strengthening my security setup.

I know rate limiting should be a priority, but what other security steps do you recommend that won’t hurt regular visitors?

Currently I have these protections in place:

  • Cloudflare with standard settings plus some custom firewall rules
  • Changed my admin login URL from the default
  • All form data gets properly sanitized before processing

What other security measures should I consider?

UPDATE: Based on feedback, I’ve now added:

  • Wordfence security plugin
  • Enhanced Cloudflare protection
  • Two-factor authentication
  • Updated to stronger passwords
  • Added CAPTCHA verification

Server hardening at the hosting level makes a huge difference. I switched to a managed WordPress host that puts each site in its own container - this stopped cross-contamination when another client’s site got infected on my old shared host. Also throw in proper HTTP security headers like CSP and HSTS through your .htaccess file. They won’t block attacks directly but make exploitation way harder. What really surprised me was how well limiting login attempts worked once I set it to lock out IPs after just three failed tries. Bot traffic dropped dramatically within a week. If you’re handling sensitive data, set up SSL certificate monitoring since expired or compromised certificates create security gaps you might miss.
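Added example (not code from anyone in this thread): the two pieces of this answer that are easiest to get wrong in practice, the security headers and the three-strikes login lockout, written as a single must-use plugin so they load before regular plugins. It sends the headers from PHP on WordPress's `send_headers` hook instead of from `.htaccess`, which gives the same result on hosts that ignore `.htaccess`. The file name, the `example_` function names and the 15-minute lockout window are assumptions; the three-failure threshold mirrors the answer above.

```php
<?php
/**
 * Plugin Name: Example hardening (added example, not from the thread)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumptions (not stated in the original post):
 *  - The site is served only over HTTPS; HSTS is harmful otherwise.
 *  - Cloudflare terminates connections, so the visitor IP arrives in
 *    CF-Connecting-IP and REMOTE_ADDR is Cloudflare's own address.
 *  - Lockout: 3 failures (as in the post), 15-minute window (assumed).
 */

defined('ABSPATH') || exit;

// --- 1. Security headers, sent from PHP rather than .htaccess -------------
add_action('send_headers', function () {
    // One-year HSTS; add "preload" only after every subdomain serves HTTPS.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // Start CSP in report-only mode so an over-strict policy cannot break
    // the theme or plugins; rename to Content-Security-Policy once clean.
    header("Content-Security-Policy-Report-Only: default-src 'self'; "
         . "img-src 'self' data:; object-src 'none'; frame-ancestors 'self'");
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
});

// --- 2. Lock out an IP after repeated failed logins -----------------------
const EXAMPLE_MAX_FAILURES    = 3;
const EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function example_client_ip(): string {
    // The proxy header is trusted only because, by assumption, nothing but
    // Cloudflare can reach the origin; from anywhere else it is spoofable.
    $ip = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

function example_lockout_key(): string {
    return 'example_lockout_' . md5(example_client_ip());
}

// Refuse the login while the IP is locked out. Priority 100 runs after
// core's own username/password handler (priority 20), which would otherwise
// overwrite an error returned earlier in the chain.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(example_lockout_key()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts. Try again later.')
        );
    }
    return $user;
}, 100);

// Count each genuine failure; the transient expiry is the lockout window.
add_action('wp_login_failed', function (string $username, $error = null) {
    if ($error instanceof WP_Error && $error->get_error_code() === 'example_locked_out') {
        return; // do not extend the window for requests we already refused
    }
    $key = example_lockout_key();
    set_transient($key, (int) get_transient($key) + 1, EXAMPLE_LOCKOUT_SECONDS);
}, 10, 2);

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(example_lockout_key());
});
```

The IP handling is the part to check before enabling this on a site behind Cloudflare or any other proxy: counting failures against `REMOTE_ADDR` there would lock out every visitor at once, since they all share the proxy's address. Transients live in the object cache or the options table, so the counters cost nothing extra to deploy; on a busy site they are also the first thing to move to a dedicated cache.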

Database backups saved my ass when my site got compromised last year. You can have all the security you want, but recent offsite backups will save you hours if something gets through. I run automated backups every 12 hours on a separate server. File integrity monitoring is huge too. I’ve got a plugin that alerts me when WordPress core files change unexpectedly - it caught a backdoor attempt six months ago that my other security tools missed. Got the notification within minutes. Don’t forget your hosting provider’s server-level protection either. Some hosts throw in WAF protection and malware scanning that works with your existing setup instead of replacing it.
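Added example, not the plugin the poster uses: a small command-line PHP script that does the core of what a file integrity monitor does, building a SHA-256 manifest of the WordPress tree and reporting files that were added, removed or modified since the baseline. The script name, the function names and the paths in the usage line are assumptions. The key point it illustrates is where the baseline lives: outside the web root, so whoever can write to `wp-content` cannot also rewrite the record of what is legitimate.

```php
<?php
/**
 * File integrity check (added example; not code from the thread).
 * Usage:  php integrity.php /var/www/html /var/lib/integrity/baseline.json
 * First run writes the baseline; later runs compare against it and exit 1
 * when anything differs, so a cron job mails the report automatically.
 * Assumption: run as the site owner, with the baseline stored outside the
 * web root.
 */

/** Return [relative path => sha256] for every regular file under $root. */
function build_manifest(string $root): array
{
    $root = rtrim(realpath($root), DIRECTORY_SEPARATOR);
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    $manifest = [];
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

/** Compare two manifests; returns lists of added, removed and modified paths. */
function diff_manifests(array $baseline, array $current): array
{
    $added    = array_keys(array_diff_key($current, $baseline));
    $removed  = array_keys(array_diff_key($baseline, $current));
    $modified = [];
    foreach (array_intersect_key($baseline, $current) as $path => $hash) {
        if (!hash_equals($hash, $current[$path])) {
            $modified[] = $path;
        }
    }
    return ['added' => $added, 'removed' => $removed, 'modified' => $modified];
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    [$script, $root, $baselineFile] = $argv + [null, null, null];
    if (!$root || !$baselineFile) {
        fwrite(STDERR, "usage: php $script <wordpress-dir> <baseline.json>\n");
        exit(2);
    }
    $current = build_manifest($root);
    if (!is_file($baselineFile)) {
        file_put_contents($baselineFile, json_encode($current, JSON_PRETTY_PRINT));
        echo 'baseline written: ' . count($current) . " files\n";
        exit(0);
    }
    $baseline = json_decode(file_get_contents($baselineFile), true) ?: [];
    $diff = diff_manifests($baseline, $current);
    foreach ($diff as $kind => $paths) {
        foreach ($paths as $path) {
            echo "$kind: $path\n";
        }
    }
    // Non-zero exit makes cron send the output as mail.
    exit(array_sum(array_map('count', $diff)) ? 1 : 0);
}
```

Expect noise from the uploads directory and cache folders; either exclude them when building the manifest or run the check only over `wp-admin`, `wp-includes` and the plugin directories. A local baseline catches any change, including ones to your own plugins, whereas a checker that compares core files against WordPress.org's published checksums (WP-CLI's `wp core verify-checksums` does this) needs no baseline but only covers core. The two approaches complement each other.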

A crucial step is keeping everything updated religiously. Outdated plugins are like leaving your front door open - it’s how most sites get pwned. Also, disable XML-RPC if you don’t need it. That endpoint gets hammered by bots with brute force attacks.
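Added example (not from the poster): a must-use plugin that turns XML-RPC off the way the answer suggests, and shows the middle ground for sites that still need the endpoint for a mobile app or a remote publishing client. The plugin name and the `EXAMPLE_XMLRPC_ALLOW` constant are assumptions; the hooks and method names are WordPress's own.

```php
<?php
/**
 * Plugin Name: Example XML-RPC lockdown (added example, not from the thread)
 * Place in wp-content/mu-plugins/. Define EXAMPLE_XMLRPC_ALLOW as true in
 * wp-config.php if a client still needs XML-RPC; the endpoint then stays
 * up but loses the methods that attract automated abuse.
 */

defined('ABSPATH') || exit;

if (!defined('EXAMPLE_XMLRPC_ALLOW')) {
    define('EXAMPLE_XMLRPC_ALLOW', false);
}

if (!EXAMPLE_XMLRPC_ALLOW) {
    // xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so the
    // request can be refused here, before any XML is parsed or any
    // credentials are checked. That keeps bot traffic off the auth path.
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        http_response_code(403);
        exit;
    }
    // WordPress's own switch as well, for any request path that reaches the
    // XML-RPC server without going through xmlrpc.php.
    add_filter('xmlrpc_enabled', '__return_false');
}

// Even when XML-RPC stays on: drop pingbacks (used for reflection attacks
// against third parties) and system.multicall (lets one request carry many
// login attempts, which is what makes the endpoint attractive for brute force).
add_filter('xmlrpc_methods', function (array $methods) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
});

// Stop advertising the endpoint: no X-Pingback header, no RSD <link> in <head>.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

After enabling it, a request to `/xmlrpc.php` should come back as 403 rather than the usual "XML-RPC server accepts POST requests only" page, and the `X-Pingback` header should be gone from normal page responses. If you instead want the bots to never reach PHP at all, a Cloudflare firewall rule on the same path (which the question already mentions having) achieves that one layer earlier.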