A great article by flyplugins.com, especially for companies that use WordPress.
Tip #1 – Start with a secure foundation
When it comes to security, you want to start with a secure foundation. That secure foundation is your computer or laptop. If your computer or laptop is compromised, then securing WordPress might be the least of your worries, as a hacker may have access to your financial accounts, email accounts, etc.
Make sure you use a strong password for the login on your machine. Otherwise none of this matters.
There are sites on the internet that can create complex passwords at random. They are more difficult to memorize, but please stay away from using common passwords like “password” or “password123”. Also, please don’t keep a text file or spreadsheet on your computer or even a sticky note on your laptop that has all your passwords (yes, this actually happens). If you have tons of passwords to remember, use an application like LastPass (free) to help organize all those user accounts and passwords.
Physical security is also a big deal, especially if you use a laptop. Make sure it’s always stored in a safe location. Laptops are prime targets for hackers because they are so easy to grab and go. Your laptop has lots of information that hackers would love to get their hands on.
Make sure you are using an anti-virus program on your computer. There are free anti-virus programs that are just as good as the expensive ones that require a yearly subscription. However, the important thing is to have some protection on your computer. Make sure your virus definitions update on a daily basis.
If you want to take this a step further, you can also install a firewall program on your computer. Sometimes the anti-virus application may have a built-in firewall, however, at minimum have an anti-virus program.
Before you jump on a wifi connection, make sure you can trust it. Hackers can set up wireless routers advertising “free wifi” and, once you connect, they can sniff all the data transmitted through the router. If possible, use a VPN connection, or make sure you don’t access sensitive information on the internet when on public wifi.
Tip #2 – Get on a secure web hosting service
We are currently hosted on WP Engine, which has excellent server-level security. Not only that, but since they are a WordPress-only hosting company, they take WordPress seriously. In fact, they have a “plugin blacklist” which outlines plugins that can’t be used on sites hosted on WP Engine. Those plugins are not necessarily bad, but they may contain vulnerabilities or run inefficiently, which affects server speed. WP Engine may not suit everyone’s needs; however, the point is to make sure you research the level of security that your hosting company provides.
Tip #3 – Set up WordPress right from the get-go
This could probably be a blog post in and of itself, however, I will just hit a few major points.
- Don’t use “admin” as the primary administrator account
- Don’t begin your database table names with the default “wp_” prefix
- As always, use strong passwords for the admin account(s)
- Consider using two-factor authentication
There are tons of articles available that can help you harden your WordPress site.
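As an added example (not from the original article), a small Python audit of the two setup points that can be checked from the server side: the “wp_” table prefix in wp-config.php and an account named “admin”. It goes one step beyond the list by also flagging the sample placeholder that WordPress ships in wp-config-sample.php for the authentication keys. The config fragments and usernames below are constructed, not from any real site.

```python
import re

# Constructed wp-config.php fragment in the fresh-install state (not from any real site).
DEFAULT_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""

# Constructed fragment after the setup steps have been applied.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY', 'Fq9#kL2!vZm8$pR4wN7&tH1xB3@cD6' );
$table_prefix = 'k3x_';
"""

# $table_prefix = '...'; on its own line, single or double quoted.
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", re.M)
# define( 'AUTH_KEY', '...' ); and the other three authentication keys.
KEY_RE = re.compile(
    r"define\(\s*['\"](AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)['\"]"
    r"\s*,\s*['\"]([^'\"]*)['\"]\s*\)")

def table_prefix(config_text):
    """Return the $table_prefix value, or None if the line is missing."""
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None

def audit(config_text, usernames):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix is None:
        findings.append("table_prefix: not found in wp-config.php")
    elif prefix == "wp_":
        findings.append("table_prefix: default 'wp_' in use; pick a unique prefix before installing")
    for name, value in KEY_RE.findall(config_text):
        if value == "put your unique phrase here":
            findings.append(f"{name}: still the sample placeholder; generate a unique key")
    if any(u.lower() == "admin" for u in usernames):
        findings.append("users: an account named 'admin' exists; create a new administrator and remove it")
    return findings

if __name__ == "__main__":
    # usernames would normally come from the wp_users table or `wp user list`
    for label, cfg, users in (("fresh install", DEFAULT_CONFIG, ["admin"]),
                              ("hardened", HARDENED_CONFIG, ["site_owner"])):
        print(label, audit(cfg, users) or ["OK"])
```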
Tip #4 – Stay updated and keep the trash out
When you look at your plugin list, do you notice that there are a lot of updates available? Don’t be that guy! These are not always just new features… they could have security fixes rolled into the latest version. It’s absolutely critical to keep WordPress up to date, as well as your themes and plugins. I know some individuals are reluctant to update because they are afraid of breaking their site. I get it. However, most people don’t use test sites to try out their themes and plugins first.
Since we use WP Engine, each one of our sites has a staging site so we can test any updates before rolling them out to our production site. If you don’t have a staging site, it would be worthwhile to get one, even if it’s just a subdomain of your current site. You could even set up a local development environment on your computer using MAMP (Apple) or WAMP (Windows), which includes the entire development stack.
Another tip to remember is to only install plugins you trust. The plugins available on WordPress.org are typically pretty safe. They do have code reviewers looking at plugins; however, that review happens only on the initial plugin submission. Just use caution with free plugins. Be sure to look at the reviews, the support topics, and the download count, as they can be indicators of whether the plugin is good or not.
A very important tip to follow is to NEVER download a premium plugin for “free”. There are many sites out there slinging premium plugins for free; however, they are not safe. The plugins could contain malware, and essentially you will end up with an infected website. Not to mention, it’s stealing! Most premium plugins will only provide support if the plugin purchase was legitimate.
Tip #5 – Secure the goods
Any time I spin up a WordPress site, one of the first plugins that gets installed is Sucuri. Sucuri is a free plugin which performs security monitoring, malware detection, and contains tools to harden your WordPress website.
If you’ve ever typed in the URL to your website only to find the “red screen of death”, then you know what it feels like to be hacked.
Believe it or not, I’ve had this happen to me and it’s no fun trying to figure out where in the world the malware has been added into your site. In fact, you could spend hours on end replacing plugins, WordPress core files, and theme files only to get re-infected.
Sucuri’s scan feature will find malware in a matter of minutes. Then you can begin the process of cleaning your site, changing passwords and hardening your site.
Here is a list of Sucuri’s primary features:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (cloud based firewall add-on which requires a subscription)
When you first install the plugin, it’s a little overwhelming; however, the first thing you may want to do is scan your site for malware. Go through each option carefully and configure the plugin to meet your needs, as it will be well worth the time investment.