How to make sure your site is secure
It is also a good idea to keep the PHP version of your website up to date. However, before updating, you should make sure that the plugins and theme used on your site support the newer PHP version.
Make sure that you do not have any plugins on your site that are no longer in active use, or that may have been abandoned as obsolete, even by their own developers. By cleaning up your WordPress plugins, you will have less code on your site for an attacker to find vulnerabilities and break into your site.
Seravo Plugin
As we specialise specifically in maintaining WordPress websites, the Seravo Plugin, which can be found in all our service packages, comes with a number of security features in itself.
In addition to the automatic features, it is possible to add even more sophisticated protection methods, but these often require a little tweaking of the settings. For this reason, not all features are automatically enabled right away, as they could also prevent access to the site in the event of an error. The settings of the Seravo Plugin can be edited by first logging into the WP admin of the site, and then from the Tools > Security menu. Seravo Plugin can also be used to remove junk files, unnecessary plugins or themes, and to check recent logins to the site.
More detailed instructions on the security features of Seravo Plugin can be found here.
HSTS
HSTS (which stands for HTTP Strict Transport Security) header information tells the user's browser that an unsecured connection to the site should never be established. This can be used to prevent DNS hijacking, for example. By default, Seravo's servers have a simple HSTS configuration, but it can be tightened up if necessary.
More information on how to use HSTS can be found here.
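To make the difference between a "simple" and a "tightened" HSTS configuration concrete, here is a small checker, added as an example for this page (it is not Seravo's own code): it parses a Strict-Transport-Security header value the way RFC 6797 describes and lists what could still be tightened. The one-year threshold is an assumption taken from the browser preload list's current requirement.

```python
"""Parse a Strict-Transport-Security header value and report how strict it is.
Example code added to this page; standard library only."""

# hstspreload.org's minimum max-age (assumption: the current requirement, one year)
ONE_YEAR = 31536000


def parse_hsts(value):
    """Return {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.

    Directive names are case-insensitive; unknown directives are ignored,
    as RFC 6797 requires.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def assess_hsts(value):
    """List the weaknesses of a header value; an empty list means nothing to tighten."""
    p = parse_hsts(value)
    findings = []
    if p["max_age"] is None:
        # RFC 6797: without max-age the header is invalid and browsers ignore it
        return ["max-age is missing, so browsers ignore the header entirely"]
    if p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget HSTS for this host")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']}s is shorter than one year")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains is absent, so subdomains can still be "
                        "reached over plain HTTP")
    if p["preload"] and (p["max_age"] < ONE_YEAR or not p["include_subdomains"]):
        findings.append("preload is set but the preload list requires "
                        "max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # constructed header values, not taken from any real site
    for header in ("max-age=300",
                   "max-age=31536000; includeSubDomains; preload"):
        print(header, "->", assess_hsts(header) or "ok")
```

Because browsers remember the policy for the whole max-age, the safe way to tighten is to roll out a short max-age first, confirm that every host (and every subdomain, if includeSubDomains is set) serves valid HTTPS, and only then raise the value; a mistake with a long max-age locks visitors out for as long as the browser remembers it.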
CSP
CSP (Content Security Policy) is a security standard and technique by which a website uses HTTP headers to tell the visitor's web browser which resources are allowed on that website. The aim of CSP is to limit the inclusion of foreign code and other components on the site, thus preventing attacks such as Cross Site Scripting and Clickjacking. Information about the allowed resources is passed as an HTTP header from the server to the browser. It can be used to specify allowed sources for scripts, style sheets, embedded fonts, frames and other content types.
Read more about CSP and its implementation here.
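The following example, added here and not part of the original page or of any CSP library, shows how a browser decides from the policy header which resources a page may load: it parses the directives, falls back from a missing fetch directive to default-src, and matches a resource URL against 'self', 'none', '*', scheme sources (https:, data:) and host sources with *.wildcards and ports. Path matching is left out, and the set of directives that fall back to default-src is a common subset rather than the full specification; both are assumptions of this example.

```python
"""Parse a Content-Security-Policy header and decide whether a given resource
URL is allowed for a directive. Example code added to this page."""
from urllib.parse import urlsplit

# Fetch directives that inherit from default-src when absent
# (assumption: the common subset, not the complete CSP3 list).
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(policy):
    """Turn "a x y; b z" into {"a": ["x", "y"], "b": ["z"]}.

    A directive repeated within one policy is ignored after its first occurrence.
    """
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _host_matches(pattern, host):
    # "*.example.com" matches sub.example.com but not example.com itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _source_matches(expr, url, page):
    """Does one source expression match the URL? `page` is the split page URL."""
    e = expr.lower()
    u = urlsplit(url)
    if e == "'none'":
        return False
    if e == "'self'":
        return (u.scheme, u.netloc.lower()) == (page.scheme, page.netloc.lower())
    if e.startswith("'"):            # keywords, nonces and hashes never match a URL
        return False
    if e == "*":                     # '*' covers network schemes only, not data:/blob:
        return u.scheme in DEFAULT_PORTS
    if e.endswith(":"):              # scheme source such as https: or data:
        return u.scheme == e[:-1]
    # host source: [scheme://]host[:port][/path]; path matching omitted (assumption)
    scheme, sep, rest = e.partition("://")
    if not sep:
        scheme, rest = page.scheme, e
    rest = rest.split("/", 1)[0]
    host, _, port = rest.partition(":")
    # an http host source also permits the https upgrade of the same host
    scheme_ok = u.scheme == scheme or (scheme == "http" and u.scheme == "https")
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    port_ok = (port == "*"
               or (port == "" and u_port == DEFAULT_PORTS.get(u.scheme))
               or str(u_port) == port)
    return scheme_ok and port_ok and _host_matches(host, (u.hostname or "").lower())


def csp_allows(policy, directive, url, page_url):
    """True if `policy` lets `directive` load `url` on a page served at `page_url`."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True                  # no applicable directive: CSP does not restrict it
    page = urlsplit(page_url)
    return any(_source_matches(s, url, page) for s in sources)


if __name__ == "__main__":
    # constructed policy and URLs, not taken from any real site
    policy = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
              "img-src * data:; frame-ancestors 'none'")
    page = "https://www.example.com/"
    print(csp_allows(policy, "script-src", "https://cdn.example.com/lib.js", page))   # True
    print(csp_allows(policy, "script-src", "https://other.example.net/x.js", page))   # False
```

The fallback rule is the part most often misread: style-src is not listed in the constructed policy above, so stylesheets are governed by default-src 'self', while frame-ancestors never falls back, so a page with no frame-ancestors directive can still be framed by any site. A report-only variant of the header (Content-Security-Policy-Report-Only) lets the browser report what a new policy would block before it is enforced.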
2FA
Two-factor authentication (2FA or MFA) is a method whereby an additional authentication is used in addition to the username and password at login. This can be done, for example, by SMS, or by a separate TOTP (time-based one-time password) application, such as Google Authenticator. Two-factor authentication is strongly recommended for all users, as it significantly improves security.
More information on the implementation of 2FA can be found here.
Password managers and password hygiene
Use different passwords for different systems in case of a data breach. All accounts of a careless user can be hijacked at once if the same password is used everywhere. A good password is also complex, difficult to guess and contains special characters. If you suspect that your password has been leaked in a data breach, change your password as soon as possible.
Never share your password with anyone. Site administrators will always have their own login to carry out the necessary maintenance.
It is therefore very important to always use strong passwords and keep them safe. For password management, we recommend using a separate password manager (e.g. KeePass: https://keepass.info/). With the manager, all passwords are stored in one place and are easily accessible from different devices.
Sources:
https://help.seravo.com/article/284-seravo-plugin-security
https://seravo.com/en/computer-security-day/
https://seravo.com/en/improve-security-of-your-wordpress-site/