Nothing can be totally secure, yet there are some simple steps you can take to reduce the risk, just like closing your front door at home. The goal is to keep out automated scanners and the bulk of opportunistic attacks, which is most of what hits a small WordPress site.
My current setup is:
A LEMP stack (Linux, nginx, MySQL/MariaDB, PHP) running on a Raspberry Pi, with Cloudflare in front of it as DNS provider and front-end (reverse proxy).
Starting with the nginx settings:
https://codex.wordpress.org/Nginx
Going a little deeper with nginx (blocking direct access to PHP files):
https://bjornjohansen.no/block-access-to-php-files-with-nginx
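The rules from the two articles above, put together as one nginx snippet for a WordPress site. This is an added example, not the original post's configuration and not code from the linked pages; it assumes the Debian-style /etc/nginx/snippets layout and a PHP-FPM socket at /run/php/php-fpm.sock (change both to match your Pi). The script only writes the file; it touches the running nginx only when called with --install.

```shell
#!/bin/sh
# Added example (not from the original post or the linked articles): writes an
# nginx snippet with the usual WordPress hardening rules, then reloads nginx
# only if `nginx -t` accepts the configuration.
# Assumptions: Debian/Raspberry Pi OS layout (/etc/nginx/snippets) and
# PHP-FPM listening on /run/php/php-fpm.sock. Adjust both to your install.
set -eu

# Write the hardening snippet to $1. nginx tries regex locations in the order
# they appear and the first match wins, so every deny rule must come before
# the generic PHP handler; that is why the handler lives in this snippet too.
write_wp_hardening_snippet() {
    dest=$1
    cat > "$dest" <<'EOF'
# --- WordPress hardening (include from inside the server { } block) ---

# Never execute PHP that was uploaded through the media library or a plugin.
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}

# Hidden files (.git, .env, .htaccess), except ACME's /.well-known/.
location ~ /\.(?!well-known/) {
    deny all;
}

# Leftovers that leak config or source: backups, dumps, editor swap files.
location ~* \.(?:bak|old|orig|sql|sql\.gz|ini|log|sh|swp|dist)$ {
    deny all;
}

# wp-config.php holds the database credentials; it must never be served.
location ~* /wp-config\.php$ {
    deny all;
}

# xmlrpc.php is the usual target for credential stuffing and pingback abuse.
# Remove this block if you rely on Jetpack or the WordPress mobile app.
location = /xmlrpc.php {
    deny all;
}

# Generic PHP handler. try_files makes nginx answer 404 for PHP files that do
# not exist instead of handing the path to PHP-FPM (path-info confusion).
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: your PHP-FPM socket
}
EOF
}

# Only touch the live nginx when explicitly asked, so the function above can be
# sourced or tested without root.
if [ "${1:-}" = "--install" ]; then
    write_wp_hardening_snippet /etc/nginx/snippets/wordpress-hardening.conf
    # Then add `include snippets/wordpress-hardening.conf;` inside server { }.
    nginx -t && systemctl reload nginx
fi
```

Include the snippet from inside the server block with `include snippets/wordpress-hardening.conf;` and remove the `location ~ \.php$` block that is already there, so there is exactly one PHP handler and the deny rules are guaranteed to be tried first.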
Useful Cloudflare settings:
https://www.cloudflare.com/integrations/wordpress/
What I use from Cloudflare:
- SSL/TLS certificate, plus a few tweaks to make sure the visitor is a real browser rather than a bot. Set the SSL mode to Full (strict) with a certificate on the Pi; in Flexible mode the hop from Cloudflare to the Pi is plain HTTP.
- Firewall rules to protect the /wp-admin route, and /wp-login.php with it: that is the page login attempts actually hit, and a rule on the /wp-admin path alone does not cover it
- Page rules for additional protection of /wp-admin route
- Page rules to redirect users to canonical URLs
- Cache and “always online” rules
- Minification of JS and CSS
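One thing the Cloudflare rules do not cover on their own: Cloudflare is a proxy, so anyone who learns the Pi's public address (an old DNS record, a mail header) can connect to nginx directly and skip the firewall and page rules entirely. In the other direction, nginx sees every connection as coming from Cloudflare unless it is told to trust the CF-Connecting-IP header, so fail2ban or a rate limit on the Pi would ban Cloudflare's edge instead of the attacker. The script below is an added example, not part of the original post; it generates both fixes from Cloudflare's published range list and assumes ufw as the host firewall with its default deny-incoming policy. The embedded range list is constructed sample data, not Cloudflare's real ranges.

```shell
#!/bin/sh
# Added example (not part of the original post): lock the origin down so that
# traffic reaches nginx only through Cloudflare, and make nginx log the real
# visitor address instead of Cloudflare's. Reads CIDR ranges from stdin, one
# per line; in production feed it `curl -fsS https://www.cloudflare.com/ips-v4`.
# Assumptions: ufw is the host firewall (default incoming policy deny) and
# nginx has the realip module (the Debian/Raspberry Pi OS package does).
set -eu

# Basic sanity filter: keep only lines shaped like an IPv4 CIDR. Comments,
# blanks and anything odd are dropped, so a mangled download cannot become a
# firewall rule.
filter_cidrs() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' || true
}

# nginx fragment for the http { } context: trust CF-Connecting-IP, but only
# when the TCP connection itself comes from a Cloudflare range. Without the
# set_real_ip_from list a direct connection could spoof the header and fake
# any client address in your logs, fail2ban and rate limits.
cf_realip_conf() {
    filter_cidrs | while IFS= read -r cidr; do
        printf 'set_real_ip_from %s;\n' "$cidr"
    done
    printf 'real_ip_header CF-Connecting-IP;\n'
}

# ufw commands: one allow per Cloudflare range for 80/443. With the default
# incoming policy of deny, a direct connection from anywhere else is dropped.
cf_ufw_rules() {
    filter_cidrs | while IFS= read -r cidr; do
        printf 'ufw allow from %s to any port 80,443 proto tcp\n' "$cidr"
    done
}

# Constructed sample input (NOT the real Cloudflare list): two documentation
# ranges, a comment line and one malformed entry that must be filtered out.
SAMPLE_RANGES='# cloudflare ips-v4 (constructed sample)
203.0.113.0/24
198.51.100.0/22
not-an-ip/99
'

if [ "${1:-}" = "--apply" ]; then
    # Real run: current list from Cloudflare, rules applied, nginx reloaded.
    curl -fsS https://www.cloudflare.com/ips-v4 | cf_realip_conf \
        > /etc/nginx/conf.d/cloudflare-realip.conf
    curl -fsS https://www.cloudflare.com/ips-v4 | cf_ufw_rules | sh
    nginx -t && systemctl reload nginx
fi
```

Run it with --apply to fetch the live list and apply it; do the same with https://www.cloudflare.com/ips-v6 if the Pi has a public IPv6 address, and re-run it now and then because the ranges change. Two consequences to keep in mind: if you ever switch a DNS record to "DNS only" (grey cloud), these ufw rules will lock everyone out of the site, and SSH is untouched by them, so keep it on its own allow rule.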
Installing additional security plugins on WordPress can add nice tweaks too. There are many to choose from; have a look, read the reviews, and check the number of active installations and the date of the last update, since an abandoned security plugin becomes a liability itself.
WordPress is a popular CMS and therefore a popular target; security patches come out regularly, so don't miss them. Keep core, themes and plugins updated.
Do backups and store them somewhere other than the Pi itself.
There are a few free plugins that will back up both the files and the database and push them to your cloud storage.
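A backup that does not depend on a plugin, as an added example (not the original post's setup): dump the database, archive it together with the site directory, record a checksum so a corrupted archive is noticed before the day it is needed, keep the last few copies locally and copy each one off the Pi with rclone. mysqldump, the ~/.my.cnf credentials file, the paths and the rclone remote name "offsite" are all assumptions.

```shell
#!/bin/sh
# Added example, not the original post's setup: plugin-free WordPress backup.
# Dumps the DB, archives it together with the site directory, writes a SHA-256
# checksum, keeps the newest KEEP archives locally and ships each one offsite.
# Assumptions (placeholders, adjust): mysqldump reads credentials from
# ~/.my.cnf so the password never appears on the command line; an rclone
# remote named "offsite" exists; the site lives at /var/www/wordpress.
set -eu

# Database dump to stdout. Set DUMP_CMD to substitute mariadb-dump, a
# docker exec wrapper, or a stub when testing.
dump_db() {
    mysqldump --single-transaction --quick --routines "$1"
}

# Remove all but the newest KEEP archives (and their checksum files). The
# timestamp in the file name sorts lexically, so `sort -r` is newest first.
rotate_backups() {
    out=$1 keep=$2
    ls "$out"/wp-*.tar.gz 2>/dev/null | sort -r | awk -v k="$keep" 'NR > k' |
    while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# backup_site SITE_DIR DB_NAME OUT_DIR KEEP -> prints the archive path.
backup_site() {
    site=$1 db=$2 out=$3 keep=$4
    stamp=${BACKUP_STAMP:-$(date -u +%Y%m%dT%H%M%SZ)}   # overridable for tests
    tmp=$(mktemp -d)
    archive="$out/wp-$stamp.tar.gz"
    # A failed dump aborts the whole run (set -e) rather than producing an
    # archive with an empty db.sql in it.
    "${DUMP_CMD:-dump_db}" "$db" > "$tmp/db.sql"
    # Relative paths only: site directory under its own name, dump at the root.
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" -C "$tmp" db.sql
    ( cd "$out" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    rm -rf "$tmp"
    rotate_backups "$out" "$keep"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: recompute the checksum and confirm the tar is readable.
verify_backup() {
    archive=$1
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" > /dev/null ) &&
    tar -tzf "$archive" > /dev/null
}

if [ "${1:-}" = "--run" ]; then
    archive=$(backup_site /var/www/wordpress wordpress /var/backups/wordpress 7)
    verify_backup "$archive"
    # Off the Pi: a failed SD card must not take the backups with it.
    rclone copy "$archive" offsite:wp-backups/
    rclone copy "$archive.sha256" offsite:wp-backups/
fi
```

Put `--run` in root's crontab and it runs unattended. The archive contains wp-config.php, that is the database password and the authentication salts, so the offsite copy must go somewhere private (an rclone crypt remote or a bucket that is not world-readable). And a backup that has never been restored is not a backup: restore into a scratch directory and a scratch database now and then.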
To sum up:
- Apply the nginx settings
- Cloudflare’s free plan https://www.cloudflare.com/plans/
- Use simple configs so you can read them later on
- Install some sort of security plugin
- Install WordPress updates on a regular basis
- Regularly back up data, just in case
Unless your website is of particular interest to an intruder, this should be enough to avoid the most common WordPress security problems.