"We installed Wordfence, we are safe." Unfortunately, this is the most common myth in agency WordPress development. While plugins help, true security happens at the server and process level.
1. Server-Level Hardening
Security starts before WordPress even loads.
- File Permissions: Ensuring all directories are 755 and files are 644. No 777 ever.
- PHP Version: Running the latest supported PHP (currently 8.3/8.4) ensures patch coverage.
- Disable Directory Browsing: Prevents bots from listing your `/uploads` folder's contents (on Apache, `Options -Indexes` in `.htaccess`).
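The three server-level items above can be checked (and, for permissions, fixed) from the command line. The following is an added example and not code from the original post: a small PHP CLI script that walks a WordPress root and reports anything that is not 755/644, confirms the running PHP is at least 8.3, and looks for `Options -Indexes` in `.htaccess`. It assumes a Linux host with an Apache-style `.htaccess`; the path, the `--fix` flag and the function names are the example's own.

```php
<?php
// Added example (not from the original post). Run as:
//   php harden-audit.php /var/www/html          # report only
//   php harden-audit.php /var/www/html --fix    # also chmod to 755/644
declare(strict_types=1);

const DIR_MODE  = 0755;   // directories: rwxr-xr-x
const FILE_MODE = 0644;   // files:       rw-r--r--
const MIN_PHP   = 80300;  // PHP 8.3.0 expressed as PHP_VERSION_ID

/**
 * Return [path => current mode] for every entry that deviates from
 * 755 (dirs) / 644 (files). Symlinks are skipped so we never chmod
 * through them. With $fix = true the mode is corrected in place.
 */
function audit_permissions(string $root, bool $fix = false): array
{
    $bad = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        if ($info->isLink()) {
            continue;
        }
        $want = $info->isDir() ? DIR_MODE : FILE_MODE;
        $have = $info->getPerms() & 0777;          // strip file-type bits
        if ($have !== $want) {
            $bad[$path] = sprintf('%04o', $have);  // e.g. "0777"
            if ($fix) {
                chmod($path, $want);
            }
        }
    }
    return $bad;
}

/** True when the interpreter running this script is 8.3 or newer. */
function php_is_current(): bool
{
    return PHP_VERSION_ID >= MIN_PHP;
}

/** True when .htaccess in the root carries an Options line with -Indexes. */
function directory_listing_disabled(string $root): bool
{
    $htaccess = $root . '/.htaccess';
    if (!is_file($htaccess)) {
        return false;
    }
    return (bool) preg_match('/^\s*Options\b.*-Indexes/mi', (string) file_get_contents($htaccess));
}

if (PHP_SAPI === 'cli') {
    $root = rtrim($argv[1] ?? getcwd(), '/');
    $fix  = in_array('--fix', $argv, true);

    printf("PHP %s: %s\n", PHP_VERSION, php_is_current() ? 'OK' : 'OUTDATED (want >= 8.3)');
    printf("Directory listing: %s\n", directory_listing_disabled($root) ? 'disabled' : 'NOT disabled');

    $bad = audit_permissions($root, $fix);
    printf("Permission deviations: %d%s\n", count($bad), $fix ? ' (fixed)' : '');
    foreach ($bad as $path => $mode) {
        printf("  %s  %s\n", $mode, $path);
    }
    exit($bad || !php_is_current() ? 1 : 0);
}
```

Two caveats when reading its output: many hosts deliberately tighten `wp-config.php` to 600 or 640, which this script will list as a deviation, so treat those lines as expected rather than running `--fix` blindly on them; and the `.htaccess` check only applies to Apache, since nginx has no directory listing unless `autoindex on` is set explicitly.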
2. Application Level (WordPress)
Beyond plugins, we need to reduce the attack surface.
- Disable XML-RPC: Unless you use the mobile app or Jetpack, this ancient API is just a brute-force door. I disable it via code.
- Limit Login Attempts: Essential to stop brute force attacks on `wp-login.php`.
- Change Admin Username: Never use `admin`. It's the first username bots guess.
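The three application-level items above can all be done from a single must-use plugin, which is how "disable it via code" is usually implemented. The following is an added example, not the author's own code: a file dropped into `wp-content/mu-plugins/` that switches XML-RPC off, adds a per-IP login throttle on `wp-login.php`, and refuses the username `admin` at account creation. It uses only core WordPress hooks (`xmlrpc_enabled`, `wp_headers`, `wp_login_failed`, `authenticate`, `wp_login`, `illegal_user_logins`); the `iw_` prefix, the 5 attempts / 15 minute thresholds and the assumption that `REMOTE_ADDR` holds the real client IP (not a proxy's) are the example's own.

```php
<?php
/**
 * Plugin Name: Invisible Walls (added example)
 * Description: Example mu-plugin, not code from the original post. Place in
 *              wp-content/mu-plugins/ so it loads before normal plugins and
 *              cannot be deactivated from the dashboard.
 */

// ---- 1. Disable XML-RPC and stop advertising it ---------------------------
// Core checks this filter inside the XML-RPC login path, so every
// authenticated method (the brute-force vector) is refused.
add_filter('xmlrpc_enabled', '__return_false');
// Expose no methods at all, so even unauthenticated pingbacks are gone.
add_filter('xmlrpc_methods', '__return_empty_array');
// Remove the X-Pingback header that tells scanners the endpoint exists.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// ---- 2. Limit login attempts: N failures per IP, then a timed lockout -----
const IW_MAX_ATTEMPTS = 5;                        // assumption: tune per site
const IW_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;   // 15 minutes

/** Transient key for the calling IP (hashed so the key stays short). */
function iw_client_key(): string
{
    // Assumption: REMOTE_ADDR is the client IP. Behind a trusted proxy or CDN
    // you must map the forwarded header to REMOTE_ADDR at the web server.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'iw_login_fail_' . md5($ip);
}

// Count each failure; the transient expiry doubles as the lockout window.
add_action('wp_login_failed', function (string $username): void {
    $key   = iw_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, IW_LOCKOUT_SECS);
});

// Priority 30 runs after core's username/email/password handlers (20), so a
// WP_Error returned here overrides a correct password during a lockout.
add_filter('authenticate', function ($user, string $username) {
    if ((int) get_transient(iw_client_key()) >= IW_MAX_ATTEMPTS) {
        return new WP_Error(
            'iw_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 2);

// A successful login clears the counter for that IP.
add_action('wp_login', function (): void {
    delete_transient(iw_client_key());
});

// ---- 3. Never allow the username "admin" --------------------------------
// Core consults this list in wp_insert_user(), so it covers the dashboard,
// registration and WP-CLI alike.
add_filter('illegal_user_logins', function (array $logins): array {
    $logins[] = 'admin';
    return $logins;
});
```

Design notes: because the `authenticate` rejection itself fires `wp_login_failed`, every attempt made during a lockout refreshes the 15 minute window, which is intentional. Transients live in the options table (or the object cache when one is configured), so the throttle works without any extra storage; on a site behind a proxy, fix the client IP at the web-server layer rather than trusting `X-Forwarded-For` in PHP, or one spoofed header would defeat the lockout. An existing `admin` account is not renamed by the filter; that still has to be done by hand (create a new administrator, then delete `admin` and reassign its content).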
3. The Human Factor (Agency Workflow)
The biggest vulnerability is usually a weak password on a neglected account.
- No Shared Logins: Every developer, project manager, and client has their own account. If someone leaves, we shut down their account, not the "Agency Admin" one.
- 2FA (Two-Factor Authentication): Mandatory for Administrator roles. No exceptions.
- Principle of Least Privilege: Does the SEO intern need Administrator access? No. Give them Editor access.
When I build for agencies, I implement these "Invisible Walls" by default. It means your clients are safer without you having to think about it.