WordPress Security Hardening: Complete Guide 2025
WordPress Security: Complete Hardening Guide
30,000 websites hacked every day. 90% could have been prevented with proper security measures. Don't be a statistic - harden your WordPress site today.
Why WordPress Security Matters
Attack Statistics 2025
Attack rate: 90,000+ attacks per minute globally
WordPress Share: 43.3% of all websites
Target Likelihood: High (popularity = target)
Common Attacks:
- Brute force: 41%
- Malware injection: 29%
- SQL injection: 18%
- XSS attacks: 12%
Cost of Breach:
- Downtime: $5,600/minute average
- Reputation damage: Priceless
- SEO penalty: Months to recover
- Data loss: Potentially unrecoverable
Security Layers Approach
Think like castle defense:
Layer 1: Server/Hosting (foundation)
Layer 2: WordPress Core (keep updated)
Layer 3: Plugins/Themes (vet carefully)
Layer 4: User Access (strong authentication)
Layer 5: Monitoring (detect threats)
Layer 6: Backups (disaster recovery)
Multiple layers = Multiple barriers
One fails → Others still protect
Level 1: Hosting Security
Choose Secure Hosting
Must-Have Features:
✅ Free SSL certificate
✅ Automatic backups
✅ Server-level firewall
✅ Malware scanning
✅ DDoS protection
✅ PHP 8.0+ support
✅ Isolated accounts (shared hosting)
✅ 24/7 monitoring
Recommended Hosts:
Security-Focused:
1. SiteGround - proactive security
2. Kinsta - managed WordPress security
3. WP Engine - enterprise-grade
4. Cloudways - server-level hardening
Budget-Friendly:
1. Bluehost - basic security included
2. Hostinger - affordable + secure
SSL Certificate (HTTPS)
Why Critical:
Without SSL:
http://yoursite.com
❌ Data transmitted in plain text
❌ Easy to intercept
❌ Google penalizes (SEO)
❌ Browsers show "Not Secure"
❌ Users don't trust
With SSL:
https://yoursite.com
✅ Encrypted data
✅ Protected from interception
✅ SEO boost
✅ Trust signals (padlock)
✅ Required for forms/payments
Install SSL:
Most Hosts (Free via Let's Encrypt):
1. cPanel → SSL/TLS Status
2. Run AutoSSL
3. Wait 5 minutes
4. Certificate installed!
Force HTTPS:
Settings → General
- WordPress Address: https://...
- Site Address: https://...
Or .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Server Configuration
PHP Version:
Current: PHP 8.2+ (fastest, most secure)
Minimum: PHP 7.4
Unsupported: PHP 7.3 and below
Check: Site Health → Info → Server
Update: Contact hosting support
File Permissions:
Correct Permissions:
Folders: 755 (rwxr-xr-x)
Files: 644 (rw-r--r--)
wp-config.php: 600 (rw-------)
Check via FTP/SSH:
find /path/to/wordpress -type d -exec chmod 755 {} \;
find /path/to/wordpress -type f -exec chmod 644 {} \;
chmod 600 wp-config.php
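Before running the blanket chmod commands above, it helps to see what actually deviates from the baseline. The following audit script is an added example, not from the original post; it assumes POSIX sh with find and sed, and takes the WordPress root as its argument.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the baseline above
# (directories 755, files 644, wp-config.php 600) and list every path that
# deviates before anything is changed. Assumes POSIX sh plus find/sed.

# List deviating paths, one per line, prefixed by the kind of object.
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 0755 | sed 's/^/DIR  /'
    find "$root" -type f ! -name wp-config.php ! -perm 0644 | sed 's/^/FILE /'
    find "$root" -type f -name wp-config.php ! -perm 0600 | sed 's/^/CONF /'
}

# Number of deviations (0 means the tree matches the baseline).
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the baseline; same effect as the three chmod commands in the text,
# except that wp-config.php is found wherever it sits inside the tree.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} \;
    find "$root" -type f ! -name wp-config.php -exec chmod 0644 {} \;
    find "$root" -type f -name wp-config.php -exec chmod 0600 {} \;
}

# Usage: sh wp-perms.sh /var/www/html   (audit only; call wp_perm_fix to repair)
if [ -n "${1:-}" ]; then
    wp_perm_audit "$1"
    echo "deviations: $(wp_perm_count "$1")"
fi
```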
Level 2: WordPress Core Security
Keep WordPress Updated
Why Updates Critical:
Each update fixes:
- Security vulnerabilities
- Bug patches
- Performance improvements
Outdated WordPress = Open door for hackers
Update Strategy:
Before Update:
1. Full backup (database + files)
2. Test on staging site (if available)
3. Check plugin compatibility
Update Process:
1. Dashboard → Updates
2. Backup Now (UpdraftPlus)
3. Update WordPress Core
4. Update Plugins
5. Update Themes
6. Test site functionality
7. Check front-end display
Frequency:
- Security updates: Immediately
- Major updates: Within 1 week
- Check: Weekly
Enable Auto-Updates:
Dashboard → Updates → Enable automatic updates
(For minor security releases)
Secure wp-config.php
Move wp-config.php:
Default Location:
/public_html/wp-config.php
Safer Location:
/home/username/wp-config.php
(One level above web root)
WordPress automatically finds it
Hackers can't access via browser
Hardening wp-config.php:
<?php
// ** SECURITY KEYS ** //
// Generate new ones: https://api.wordpress.org/secret-key/1.1/salt/
define('AUTH_KEY', 'put-unique-phrase-here');
define('SECURE_AUTH_KEY', 'put-unique-phrase-here');
define('LOGGED_IN_KEY', 'put-unique-phrase-here');
define('NONCE_KEY', 'put-unique-phrase-here');
define('AUTH_SALT', 'put-unique-phrase-here');
define('SECURE_AUTH_SALT', 'put-unique-phrase-here');
define('LOGGED_IN_SALT', 'put-unique-phrase-here');
define('NONCE_SALT', 'put-unique-phrase-here');
// ** DISABLE FILE EDITING ** //
define('DISALLOW_FILE_EDIT', true);
// Removes the theme/plugin editor from the dashboard
// so a hijacked admin session cannot modify code
// ** LIMIT LOGIN ATTEMPTS ** //
// WordPress core has no constant for this (a WP_LOGIN_ATTEMPTS define does nothing);
// use a plugin such as Limit Login Attempts Reloaded, see Level 3
// ** FORCE SSL ADMIN ** //
define('FORCE_SSL_ADMIN', true);
// ** DISABLE XMLRPC ** //
// If not using mobile apps or Jetpack. add_filter() is not yet defined
// when wp-config.php runs, so this line belongs in functions.php or a
// must-use plugin (see Level 6, Method 3), not here:
// add_filter('xmlrpc_enabled', '__return_false');
// ** AUTO DATABASE REPAIR ** //
// Only enable when needed, and remove it afterwards (the repair page needs no login):
// define('WP_ALLOW_REPAIR', true);
// Access: yoursite.com/wp-admin/maint/repair.php
Change Database Prefix
Why:
Default: wp_
Attackers know it, so injection payloads and automated tools can name your tables directly
Custom: xyz_randomString_
Attackers must first discover the table names
Extra security layer (obscurity only; it does not fix the injection itself)
Change Prefix (Carefully):
WARNING: Backup first! Can break site!
Method 1: During Installation
Choose custom prefix when installing
Method 2: After Installation (Advanced)
Use plugin: "Change DB Prefix"
Or manual (risky - hire developer)
Hide WordPress Version
Why:
Showing the version tells attackers which known vulnerabilities to try
Specific attacks target specific versions
Hide = one less information exposed
Remove Version:
// functions.php (or a child theme's functions.php)
// Remove the generator tag from <head>
remove_action('wp_head', 'wp_generator');
// Remove the version from RSS feeds
add_filter('the_generator', '__return_empty_string');
// Strip ?ver= from enqueued script and style URLs
function remove_version_scripts_styles($src) {
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'remove_version_scripts_styles', 9999);
Level 3: User Access Security
Strong Passwords
Password Requirements:
Minimum Standards:
✅ 12+ characters (16+ better)
✅ Uppercase AND lowercase
✅ Numbers
✅ Special characters (!@#$%^&*)
✅ No dictionary words
✅ No personal info
✅ Unique per site
Example Strong Password:
❌ password123
❌ John1985!
✅ K9$mP2@nX5#qR8!wL3
Use Password Manager:
- 1Password
- Lastpass
- Bitwarden (free)
Force Strong Passwords:
Plugin: Force Strong Passwords
Settings:
- Require for admin
- Minimum strength
- Enforce on all users
Two-Factor Authentication (2FA)
What Is 2FA:
Something you know: Password
+ Something you have: Phone/App
= Two factors required to login
Even if password stolen → hacker can't login
Setup 2FA:
Plugin Options:
1. Wordfence 2FA (included with Wordfence)
2. Two Factor Authentication (free)
3. Google Authenticator (free)
Setup (Wordfence Example):
1. Install Wordfence
2. Your Profile → Two-Factor Authentication
3. Download authenticator app (Google/Authy)
4. Scan QR code
5. Enter code
6. Save backup codes (important!)
7. Enable 2FA
Next Login:
1. Enter username + password
2. Enter 6-digit code from app
3. Access granted ✅
Limit Login Attempts
Default WordPress:
Unlimited login attempts = Brute force paradise
Bots try thousands of passwords
Eventually might guess correctly
Limit Attempts:
Plugin: Limit Login Attempts Reloaded (FREE)
Settings:
- Max attempts: 3-5
- Lockout duration: 20 minutes
- Lockout increase: 24 hours (after 4 lockouts)
- Email notifications: Enable
Result:
Wrong password 3x → Locked 20 min
Wrong again later → Locked 24 hours
→ Brute force = impossible
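The lockout above works at the application layer; the same burst pattern is also visible in the web server log, which is useful for confirming that the plugin is catching what the bots send. The detector below is an added example, not from the original post or from Limit Login Attempts Reloaded; it assumes combined log format on stdin and POSIX awk, and the sample lines are constructed using documentation addresses.

```shell
#!/bin/sh
# Added example: flag password-guessing bursts in the access log.
# A failed wp-login.php POST gets HTTP 200 (the form is re-rendered); a
# successful one gets a 302 redirect. Many 200s from one IP in one minute
# is a guessing run. xmlrpc.php POSTs are counted as well, since bots use
# that endpoint for the same purpose and it has no 200/302 split.

# Constructed sample log (documentation addresses, not real traffic).
WP_SAMPLE_LOG='203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2025:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2025:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2025:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [12/Mar/2025:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"'

# Print "ip endpoint minute count" for every IP/minute bucket that reaches
# the threshold (default 5, the upper end of the plugin setting above).
wp_login_bruteforce() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == "200") || $7 == "/xmlrpc.php") {
            n[$1 "|" $7 "|" substr($4, 2, 17)]++   # minute bucket, e.g. 12/Mar/2025:10:00
        }
        END {
            for (k in n) if (n[k] >= t) {
                split(k, p, "|")
                print p[1], p[2], p[3], n[k]
            }
        }'
}

# Stand-alone run over the sample; the 302 (successful) login is not counted.
printf '%s\n' "$WP_SAMPLE_LOG" | wp_login_bruteforce 5
```

On a live server, feed it with `tail -n 5000 /var/log/apache2/access.log | sh` style pipelines and compare the flagged IPs with the plugin's lockout log.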
Change Login URL
Default:
yoursite.com/wp-admin
yoursite.com/wp-login.php
Everyone knows this
Bots target this
Custom Login URL:
Plugin: WPS Hide Login (FREE)
Settings:
Change login URL to:
yoursite.com/my-secret-login-page
Result:
- /wp-admin → 404 error
- Custom URL → login page
- Bots can't find it
- Less attack surface
IMPORTANT: Remember new URL!
Bookmark it or save securely
User Role Management
Principle of Least Privilege:
Give minimum access needed
Roles:
Administrator: Full access (you only)
Editor: Publish/manage all posts
Author: Publish own posts
Contributor: Write but can't publish
Subscriber: Read only
Never give Administrator to:
- Guest authors
- Clients
- Contractors
Unless absolutely necessary
Disable User Registration:
Settings → General
☐ Anyone can register
(Uncheck unless needed)
If need registration:
- Use email verification
- Enable reCAPTCHA
- Moderate new users
- Default role: Subscriber
Level 4: Plugin & Theme Security
Plugin Security Best Practices
Before Installing:
Check:
✅ Last updated < 3 months
✅ Compatible with your WP version
✅ Good ratings (4+ stars)
✅ Many active installs (50K+)
✅ Developer responsive (support forum)
✅ Regular updates (check changelog)
Red Flags:
❌ Abandoned (1+ year no update)
❌ Poor ratings
❌ Few installs despite many years on the market
❌ No support responses
❌ Requests sensitive permissions
Regular Maintenance:
Weekly:
- Check for updates
- Update all plugins
- Test site after updates
Monthly:
- Review installed plugins
- Delete unused plugins (don't just deactivate)
- Check for security advisories
Never:
❌ Install nulled plugins (pirated)
- Often contain malware
- No updates
- Illegal
❌ Keep inactive plugins installed
- Still exploitable
- Delete completely
❌ Install from untrusted sources
- WordPress.org only (free)
- Official developer sites (premium)
- ThemeForest/CodeCanyon (vetted)
Theme Security
Choose Secure Themes:
Requirements:
✅ From WordPress.org or a reputable seller
✅ Regular updates
✅ Good reviews
✅ Active support
✅ Clean code (no eval(), base64_decode())
✅ Follows WordPress standards
Avoid:
❌ Nulled themes (pirated)
❌ Themes from sketchy sites
❌ Unmaintained themes
❌ Themes with suspicious code
Scan Theme Code:
Tools:
1. Theme Check Plugin
- Scans for issues
- Checks WordPress standards
2. Wordfence Scan
- Detects malware
- Unknown files
- Modified core files
3. Sucuri SiteCheck
- Online scanner
- Free tool
Level 5: Security Plugins
Wordfence Security (Recommended)
Setup:
1. Install & Activate
2. Click "Get Premium" or "No Thanks" (free)
3. Enter email for alerts
4. Run initial scan
Configure:
1. Wordfence → Firewall
- Learning Mode (1 week)
- Then → Enabled & Protecting
2. Scan Settings:
- Schedule: Daily
- Low resource scans (shared hosting)
3. Login Security:
- Enable 2FA
- CAPTCHA on login
- Block compromised passwords
4. Tools:
- Live Traffic (monitor attacks)
- Blocking (country blocks if needed)
What Wordfence Does:
✅ Firewall (blocks malicious requests)
✅ Malware scanner (daily)
✅ Login security (2FA, brute force protection)
✅ Real-time IP blacklist
✅ Country blocking
✅ Rate limiting
✅ Security notifications
✅ Live traffic monitoring
Alternative: Sucuri Security
Best For:
- Post-hack cleanup
- Website monitoring
- File integrity checking
Setup:
1. Install Sucuri Security
2. Generate API key
3. Enable hardening:
- Update security keys
- Disable file editor
- Block PHP in uploads
- Remove WP version
4. Enable monitoring
5. Schedule scans
Level 6: Advanced Hardening
Disable XML-RPC
What Is XML-RPC:
Remote access protocol
Used by: Mobile apps, Jetpack
Also used by: DDoS attackers, brute force bots
If not using mobile apps → DISABLE
Disable Methods:
Method 1: Plugin
- Disable XML-RPC-API (free)
Method 2: .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# Apache 2.4 without mod_access_compat: replace the two lines above with
# Require all denied
</Files>
Method 3: functions.php (or a must-use plugin; not wp-config.php, where add_filter() is not yet defined)
// Disables the XML-RPC methods that require authentication; pingbacks still
// answer, so use the .htaccess block above to close the whole endpoint
add_filter('xmlrpc_enabled', '__return_false');
Protect wp-config.php & .htaccess
Add to .htaccess (top):
# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# Protect .htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
Disable Directory Browsing
Problem:
Without protection:
yoursite.com/wp-content/uploads/
Shows all files and folders
Attacker can browse your files!
Fix (.htaccess):
# Disable directory browsing
Options -Indexes
# Some hosts require the full form (all options enabled except listing):
Options All -Indexes
Block PHP Execution in Uploads
Uploads Folder:
Attackers upload malicious PHP
Execute it via browser
= Full control of your site
Prevent (create /wp-content/uploads/.htaccess; Apache only, nginx does not read .htaccess):
<Files *.php>
deny from all
# Apache 2.4 without mod_access_compat: Require all denied
</Files>
Change Security Keys
When to Change:
- After security breach
- Suspicion of compromise
- Every 6-12 months (preventive)
How to Change:
1. Generate new keys:
https://api.wordpress.org/secret-key/1.1/salt/
2. Replace in wp-config.php:
Find AUTH_KEY section
Replace with new keys
3. Save file
Result:
- All users logged out
- Must log in again with valid credentials
- Old cookies/sessions invalid
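The steps above paste values from the generator URL by hand. The script below is an added example, not from the original post: it generates the eight keys locally (so it also works on a server without outbound HTTPS) and rewrites the define() lines in place. It assumes POSIX sh, awk and /dev/urandom, and that each define() line starts at column one as in the wp-config.php block earlier.

```shell
#!/bin/sh
# Added example: rotate the eight WordPress security keys in wp-config.php.
# Every existing login cookie becomes invalid, exactly as the text describes.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random printable characters; the set deliberately excludes ' and \
# so the value can sit inside a single-quoted PHP string unescaped.
wp_gen_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+{}<>?-' < /dev/urandom | head -c 64
}

# Rewrite the define() line for one key ($2) with value $3 in file $1;
# every other line passes through untouched. \047 is a single quote.
wp_set_define() {
    awk -v name="$2" -v val="$3" '
        index($0, "define(\047" name "\047") == 1 {
            $0 = "define(\047" name "\047, \047" val "\047);"
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Replace all eight keys and keep the file at mode 600 (the baseline above).
wp_rotate_salts() {
    cfg="$1"
    for name in $WP_SALT_NAMES; do
        wp_set_define "$cfg" "$name" "$(wp_gen_salt)"
    done
    chmod 600 "$cfg"
}

# Usage: sh wp-salts.sh /home/username/wp-config.php
if [ -n "${1:-}" ]; then
    wp_rotate_salts "$1" && echo "keys rotated in $1"
fi
```

Take a backup of wp-config.php first; the rewrite is not reversible.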
Level 7: Monitoring & Maintenance
Activity Logging
Track Changes:
Plugin: WP Activity Log (FREE)
Tracks:
- User logins/logouts
- Post/page changes
- Plugin installs/updates
- Theme changes
- Settings modifications
- File changes
- Failed login attempts
Benefits:
- Audit trail
- Detect unauthorized access
- Troubleshoot issues
- Compliance (GDPR, etc.)
Uptime Monitoring
Get Alerted When Site Down:
Free Tools:
1. UptimeRobot
- 50 monitors free
- 5-minute checks
- Email/SMS alerts
2. Pingdom (Free plan)
- Basic monitoring
- Email alerts
3. StatusCake
- Unlimited free monitors
- Various check intervals
Setup:
1. Sign up (free)
2. Add your website URL
3. Enter email for alerts
4. Get notified if site goes down
Malware Scanning
Regular Scans:
Automated:
- Wordfence (daily auto-scan)
- Sucuri (if premium)
Manual (Weekly):
- Google Safe Browsing Check
- Sucuri SiteCheck (free online)
- VirusTotal (upload files)
After Scan:
- Review findings
- Quarantine suspicious files
- Research false positives
- Clean infected files
Security Headers
Add Extra Protection:
.htaccess additions:
<IfModule mod_headers.c>
# X-Frame-Options (clickjacking protection)
Header always set X-Frame-Options "SAMEORIGIN"
# X-Content-Type-Options (MIME sniffing protection)
Header always set X-Content-Type-Options "nosniff"
# X-XSS-Protection (legacy XSS filter; most current browsers ignore it)
Header always set X-XSS-Protection "1; mode=block"
# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Content Security Policy (advanced). 'unsafe-inline' keeps WordPress and most
# themes working but gives up much of CSP's XSS protection; tighten it after
# testing both the admin area and the front end.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"
</IfModule>
Level 8: Backup Strategy
Security Includes Disaster Recovery
Backup Schedule:
- Database: Daily (small, changes often)
- Files: Weekly (larger, changes less)
- Retain: 4-8 backups
- Store: Off-site (cloud)
Tools:
- UpdraftPlus (recommended)
- BackWPup (free alternative)
- VaultPress (Jetpack)
Test Restores:
- Monthly test restore
- Verify backup integrity
- Ensure recovery works
Incident Response Plan
If You Get Hacked
Immediate Actions:
1. Take site offline (maintenance mode)
2. Change ALL passwords:
- WordPress admin
- FTP/cPanel
- Database
- Hosting account
3. Contact hosting support
4. Run full scan (Wordfence/Sucuri)
5. Review activity logs
6. Restore from a clean backup (if available)
7. Update everything (WP, plugins, themes)
8. Check for backdoors
9. Submit to Google Safe Browsing (if blacklisted)
10. Monitor closely (next weeks)
Professional Help
When to Hire Expert:
- Site repeatedly hacked
- Can't identify malware
- Blacklisted by Google
- Database compromised
- Critical business site
Services:
- Sucuri Incident Response ($$$)
- WP Fix It (emergency service)
- Freelance security experts (Upwork)
Security Checklist
Complete Hardening Checklist:
Hosting Level:
- ✅ Secure hosting provider
- ✅ SSL certificate installed
- ✅ PHP 8.0+ running
- ✅ Proper file permissions
WordPress Core:
- ✅ WordPress updated
- ✅ wp-config.php secured
- ✅ Database prefix changed
- ✅ WP version hidden
Access Security:
- ✅ Strong passwords (all users)
- ✅ 2FA enabled
- ✅ Login attempts limited
- ✅ Custom login URL
- ✅ User roles appropriate
Plugins/Themes:
- ✅ All updated
- ✅ Unused plugins deleted
- ✅ From trusted sources only
- ✅ Regular review
Active Protection:
- ✅ Security plugin installed (Wordfence)
- ✅ Firewall enabled
- ✅ Daily malware scans
- ✅ XML-RPC disabled (if not needed)
Monitoring:
- ✅ Activity logging enabled
- ✅ Uptime monitoring
- ✅ Email alerts configured
Backups:
- ✅ Daily database backups
- ✅ Weekly file backups
- ✅ Off-site storage
- ✅ Tested restores
Advanced:
- ✅ Directory browsing disabled
- ✅ PHP in uploads blocked
- ✅ Security headers added
- ✅ .htaccess protected
See also: WordPress Backup Strategy, Plugin Security, Recovery from Hack.
Conclusion
Security is an ongoing process, not a one-time task.
Implement NOW:
1. Install Wordfence (5 minutes)
2. Enable 2FA (5 minutes)
3. Set strong passwords (5 minutes)
4. Install UpdraftPlus (5 minutes)
5. Update everything (10 minutes)
Total: 30 minutes for basic protection!
Then:
- Weekly: Check updates
- Monthly: Review security
- Quarterly: Test backups
- Yearly: Full security audit
Remember:
- Perfect security doesn’t exist
- Layered defense is best approach
- Monitoring catches what prevention misses
- Backups are your safety net
Invest 30 minutes today to prevent potentially catastrophic consequences tomorrow. Your WordPress site, business, and peace of mind are worth it! 🔒
Post link: https://www.tirinfo.com/wordpress-security-hardening-panduan-lengkap-2025/