
WordPress Deployment Security Basics

To improve the security of your live site, do the following:

Set all your plugins to auto-update.
If a vulnerability is discovered in a plugin, it is important that you receive the fix before anyone attempts to exploit it.

Set your themes to auto-update.
Delete all unused themes, but keep one “official” theme such as Twenty Twenty-Two as a fallback.

Deactivate and delete any plugins that are not continuously needed. This includes:
– Duplicator: if you need to make a package, install it again.
– All-In-One WP Migration: if you need to use the plugin, install it again.
– Show Current Template: that is a development tool, so it should not be on a live site.

The idea here is to only keep plugins that are in continuous use. You can also reinstall plugins that are needed only occasionally.

If any other plugin is not essential, delete it. This includes things like File Manager plugins.

Before installing a plugin, consider googling its name together with the word “hack” to see whether any vulnerabilities have been discovered in it.

Turn Commenting off on Your Site
In Settings > Discussion, untick the first three checkboxes (one of which turns off commenting on all new posts). Then bulk edit your existing posts to turn off commenting on them.

Check that Registration is turned off on the site (it should be, but check anyway).
That setting is in Settings > General.
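The auto-update, commenting and registration settings above are all dashboard toggles that someone can flip back later. The following must-use plugin is an added example, not code from the original post: it pins those settings in code using only core WordPress filters (auto_update_plugin, auto_update_theme, comments_open, pings_open and the generic option_{$option} filter) and adds an admin notice if WP_DEBUG is still on. The plugin name and text domain are placeholders; the file is assumed to live in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.

```php
<?php
/**
 * Plugin Name: Deployment Hardening (example)
 * Description: Pins the deployment checklist settings in code.
 *
 * Added example, not part of the original post. Drop this file into
 * wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from Plugins > Installed Plugins.
 */

// Refuse to run outside a normal WordPress bootstrap.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// 1. Auto-update every plugin and theme. Core asks these filters per item
//    before each background update; returning true opts the item in
//    regardless of the per-plugin toggle in the dashboard.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Keep comments and pingbacks closed everywhere, including on old posts
//    that were never bulk-edited, and make "closed" the default for new ones.
add_filter( 'comments_open', '__return_false', 20 );
add_filter( 'pings_open', '__return_false', 20 );
add_filter(
	'option_default_comment_status',
	function () {
		return 'closed';
	}
);

// 3. Force "Anyone can register" off, whatever value is stored in the
//    options table. option_users_can_register is the generic option_{$option}
//    filter applied to every get_option( 'users_can_register' ) call.
add_filter( 'option_users_can_register', '__return_zero' );

// 4. Remind administrators if WP_DEBUG was left enabled in production.
add_action(
	'admin_notices',
	function () {
		if ( defined( 'WP_DEBUG' ) && WP_DEBUG && current_user_can( 'manage_options' ) ) {
			echo '<div class="notice notice-error"><p>'
				. esc_html__( 'WP_DEBUG is enabled on this site. Set it to false in wp-config.php.', 'example-hardening' )
				. '</p></div>';
		}
	}
);
```

Because mu-plugins load before regular plugins, the filters above take effect site-wide; the dashboard checkboxes will still display, but the filtered values are what WordPress actually uses.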

Make sure that you are not posting from the admin account
Make an author or editor account and post from it. Reassign to that account any content that was previously created by an admin.

In your theme, ESCAPE as much of the content output from the database as possible.
How to do this is explained in the WP Security Loom series.
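As an added illustration of the escaping step (example code, not from the post or the Loom series), here is a theme template fragment that escapes every database-sourced value at the point of output, using the core escaping function that matches each output context. The meta keys external_link, tagline and blurb are assumed, invented names for this example.

```php
<?php
/**
 * Added example: escaping values from the database at output time in a
 * theme template. Each WordPress escaping helper is tied to the context
 * the value lands in; using the wrong one (or none) is what lets stored
 * markup or a javascript: URL run in a visitor's browser.
 */

// Values as they come back from the database. None of these should be
// trusted: an editor account or an old import may have put markup in them.
$title   = get_the_title();                                       // may contain markup
$link    = get_post_meta( get_the_ID(), 'external_link', true );  // untrusted URL
$tagline = get_post_meta( get_the_ID(), 'tagline', true );        // plain text
$blurb   = get_post_meta( get_the_ID(), 'blurb', true );          // limited HTML allowed
?>
<article class="card">
	<!-- Text between tags: esc_html() encodes < > & " ' -->
	<h2><?php echo esc_html( $title ); ?></h2>

	<!-- Inside an attribute: esc_attr(). Inside href/src: esc_url(),
	     which also drops disallowed schemes such as javascript: -->
	<a class="card-link"
	   title="<?php echo esc_attr( $tagline ); ?>"
	   href="<?php echo esc_url( $link ); ?>">Read more</a>

	<!-- Rich text that may legitimately contain HTML: wp_kses_post()
	     keeps the tags allowed in post content and strips everything else -->
	<div class="card-body"><?php echo wp_kses_post( $blurb ); ?></div>

	<!-- A value handed to JavaScript: wp_json_encode() produces a quoted,
	     escaped JS literal, so no manual quoting is needed -->
	<script>
		var cardTagline = <?php echo wp_json_encode( $tagline ); ?>;
	</script>
</article>
```

The rule of thumb shown here is to escape late (at echo time) and by destination: HTML body, attribute, URL, allowed-HTML block or JavaScript each get their own helper, and a value is never echoed raw just because it "came from our own database".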

If on AWS, manage your Lightsail instance with an IAM user, not the root account.

Make sure that your development password is not used on the live site.
If you used All-In-One WP Migration to move the site, remember that it replaces the live site (users and passwords included) with the development one, so change the password beforehand (or immediately after).

Make sure that WP_DEBUG is set to false (in wp-config.php) before transferring the site.

Virus-scan your own computers, too.