Users logged into a WordPress site may wander off to another task or open a new tab and forget that they are still logged in. An active session can be hijacked when a malicious script runs on the user's computer, resulting in password changes, data theft, and possibly other changes to WP accounts.
This is the main reason why banking and freelance websites close user tabs or automatically log users out after a short period of inactivity. You can use the Idle User Logout plugin to automatically log out users on your WordPress site.
Image source: Idle User Logout
In the plugin you can set how long a user may stay idle in the dashboard before being logged out, and automatically redirect logged-out users to the login page.
15. Add login security questions
Want to make it harder for someone to log into your WP site? You can add security questions like those used by financial institutions, membership sites or email platforms when someone from an unauthorized IP address tries to log in.
Essentially, a security question is like an additional password for your page. A perfect security question is something only you can know. Even better, the answer should not be related to the question: for example, answering "Your favorite car brand?" with "Bon Jovi". This extra layer increases your security; just be sure to remember your answer.
16. Run WordPress on the latest PHP version
When it comes to cybersecurity, it's a no-brainer. Only 3.6% of WP pages run on the latest version of PHP (7.2). In fact, almost 12% of WordPress sites are still running on version 5.4, which is no longer supported!
If you are not using the latest PHP version, security holes that have been found and fixed in the newer version remain open on your site, so your page stays a target for hackers.
While updating themes and plugins is pretty straightforward, in most cases updating PHP is up to your hosting provider. A reliable, quality hosting service should offer a feature in cPanel called PHP Version Switcher for moving to the latest PHP installation, or give you another seamless way to switch to a new PHP version.
Note that some older plugins or themes may not be fully compatible with newer versions of PHP, so be sure to test your site before making such changes.
17. Two-Factor Authentication
When logging into WP, it is possible to require a time-based token that the user must enter in addition to the regular password. Since this token expires after one minute, even a hacker or someone who knows your password cannot log in without entering the required token. You can use many plugins to achieve this, for example:
send a text message
18. Adjust file permissions
Most WordPress sites are hosted on a Linux server that employs a permission system applying to all folders and files. These permissions are represented by a three-digit number, and each digit has its own meaning. The first digit always refers to the operating-system user who owns the file/folder, the second digit represents users who are members of the group assigned to the file or folder, and the third represents everyone else on that server.
0 – The file cannot be accessed.
1 – File execution only.
2 – Allow editing.
3 – Allow editing and execution.
4 – The file can be read.
5 – Allow read and execute.
6 – Read and edit.
7 – Read, edit and execute files.
If the web server doesn't have sufficient permissions, it won't be able to serve your website, but at the same time the permissions should be strict enough to stop other users on the server from accessing your files and folders. As a rule of thumb, permissions should be set to 644 for files, 755 for folders, and 400 for the wp-config.php file. To learn how to change file permissions, read this guide from WP Beginne
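The rule of thumb above (644 for files, 755 for folders, 400 for wp-config.php) is easy to audit automatically. The following Python is an added example, not code from the article or from WordPress itself: it walks a site directory, reports every file or folder whose mode differs from the recommended value, and can apply the fix. The sample tree it builds in a temporary directory is constructed for the demonstration; point `audit()` at a real WordPress root to check an actual install. Symlinks are skipped because their own mode bits are not meaningful.

```python
import os
import stat
import tempfile

# Recommended modes from the article: 644 files, 755 directories, 400 for wp-config.php.
EXPECTED_FILE = 0o644
EXPECTED_DIR = 0o755
EXPECTED_WP_CONFIG = 0o400


def describe(digit: int) -> str:
    """Expand one octal permission digit (0-7) into the rights it grants."""
    rights = []
    if digit & 4:
        rights.append("read")
    if digit & 2:
        rights.append("write")
    if digit & 1:
        rights.append("execute")
    return "+".join(rights) or "none"


def expected_mode(path: str, is_dir: bool) -> int:
    if not is_dir and os.path.basename(path) == "wp-config.php":
        return EXPECTED_WP_CONFIG
    return EXPECTED_DIR if is_dir else EXPECTED_FILE


def audit(root: str):
    """Return [(relative_path, actual_mode, expected_mode)] as octal strings for every mismatch."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced; skip it
            actual = stat.S_IMODE(st.st_mode)
            want = expected_mode(full, is_dir)
            if actual != want:
                findings.append((os.path.relpath(full, root), format(actual, "o"), format(want, "o")))
    return findings


def fix(root: str):
    """chmod every mismatching entry to its expected mode; returns the paths changed."""
    changed = []
    for rel, _actual, want in audit(root):
        os.chmod(os.path.join(root, rel), int(want, 8))
        changed.append(rel)
    return changed


def make_sample_tree(root: str):
    """Constructed sample: a too-permissive file and folder, an exposed wp-config.php, one correct file."""
    os.makedirs(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    for name, mode in (("index.php", 0o666), ("wp-config.php", 0o644), ("readme.html", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(path, mode)


def demo():
    """Build the sample tree, audit it, fix it, and audit again; returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        before = audit(root)
        fix(root)
        after = audit(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, actual, want in before:
        print(f"{rel}: is {actual}, should be {want}")
    print("mismatches after fix:", len(after))
```

Run `audit()` before `fix()` and review the list: a site that relies on a PHP handler running as a different user than the file owner (some shared hosts do this) may need 640/750-style modes instead, so treat the 644/755/400 rule as a starting point, not a blind replacement.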