19 Realistically easy steps towards hardened WordPress Security
WordPress Security should be a standard mentality regarding anything WordPress related. This means, that a few things should start immediately as you decide to have a website. Our first recommendation is:
Tip #1 - choose your hosting provider carefully:
Use a well-known and trusted hosting supplier who has an exceptional reputation for security and reliability. Price should not interfere and mostly should not work against your security. The cheaper your hosting is, the more problems it will generate along the run. The more problem you have will increase running costs by solving them, or after repeated cases to prevent them.
Tip #2 - strong password:
ALWAYS use STRONG and UNIQUE passwords for your website. Make sure you don't forget your password. Also, make sure, you don't write it down on a paper and stick it to your screen - so when somebody has a meeting with you, they can read it involuntarily and receive a coffee and your credentials. Make sure you don't store a digital version of your credentials, where others have access (like online file storage accounts).
Tip #3 - other people:
Just offer site access to those you work with and trust. Limit account types as much as needed. Avoid giving out admin accounts as much as possible. A simple posting does not need administrative credentials - an author or contributor type is enough. Have more authors? Then their supervisor should only be an editor. Have a dedicated person in charge of your online store? Shop Manager is enough.
Tip #4 - other people's credentials:
Force your users to utilize strong passwords too. Make sure they adhere to the same strict policy you have. Enforcing this eliminates the weakest link from the chain to be the credential related attack.
Tip #5 - unsecured connections:
Don't log into WordPress through an unsecured web connection or network. Don't log in to the admin dashboard through a public WiFi or web café considering that your credentials cannot be tracked. Also, somebody might be watching you enter your login information. At least, if you really must conduct business from a public place, then use your phone to connect to the public wifi, then connect your laptop to your phone.
Tip #6 - other vital credentials:
Don't trust individuals with administrative accounts to your hosting account or social media accounts or online apps you use daily basis. If it is vitally important for them to do their jobs, then create dedicated minimal access to just what they require to gain access to and absolutely nothing more.
Our only security is our ability to change. ~ John Lilly
WordPress Security bypass most of the times happens with compromised hardware. This is the case with public computers (found in hotels, coffee shops, etc) or with company-owned hardware, that is used by the employee's kids or other purposes, that work. Malware and viruses can contaminate your computer, which can spread to not just your WordPress website but numerous countless other WordPress sites. There are a few simple methods, that can guarantee your computer remains as secure as possible. Our recommendations regarding this topic are:
Tip #7 - clean hardware:
Install an anti-virus scanner to prevent malware and infections. Make sure you have your firewall active on your wi-fi router and inside your OS. Schedule routine (daily, weekly) scans of your computer to be sure it's not contaminated.
Tip #8 - up-to-date hardware:
Be sure that the installed software and operating system have the latest patches available to reduce risks. Keep them as up-to-date as possible. At least weekly is a minimal approach and effort for your safety.
Hosting Server Security bypass most of the times happens with missing or misused security. This is the case with low budget hosting solutions or really old hosting setups. A human decision factor is another story, one, that can be easily prevented. Our recommendations regarding this topic are:
Tip #9 - use SSL:
Install and force SSL certificate usage throughout your entire domain(s) or subdomain(s). Make sure every time you access your links, that the padlock remains locked, confirming that the connection is encrypted between your browser and your computer.
Tip #10 - use CDN:
Use a Content Delivery Network (CDN) to assist your site's speed. Second, it will help reduce the impact of DoS and DDoS attacks.
Tip #11 - protect your FTP/SSH:
If you're not currently utilizing SFTP/FTP/SSH, erase any active credentials/keys or disable the feature till the next time you require it, preventing unwanted attention. Same as with any credentials, since they are administrative type - erase it immediately as it is not needed anymore.
Tip #12 - always use the more secure method:
Having multiple options is a godsend. However, from the security point of view is a bad approach to use a less secure option, when you can use a more secure one. Use FTP Secure (SSH File Transfer Protocol, SFTP) rather of FTP/SCP which is unsecured to help avoid your connection from being controlled or monitored. It is more safe and secure.
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
Compromising the WordPress Security happens most of the times, actually withing itself, from specific reasons. This happens to start with lack of consideration towards security; ignoring totally or simply being oblivious to warning signs. Here we mention a few fundamental ideas to help you start building up the security of your WordPress site.
Tip #13 - limit uploads:
Do not allow users to upload files to your site or thoroughly consider it beforehand considering that hackers could make use of the privilege and upload malware. This applies to image/document uploads, such as avatars and CVs, since renaming a malware file to "image-name.jpg.php" it may slip through the minimal security the upload feature might provide.
Tip #14 - keep WordPress Core up-to-date:
Keep WordPress up-to-date at all times. A short analysis of the WordPress version market share will provide the shocking reality, that 27% of WordPress websites were not updated in the last 9 months. If you consider, that WordPress powers 33% of the internet - the number of suspiciously weak security sites are in the millions.
Tip #15 - keep your theme up-to-date:
All and everything running inside your WordPress is held together by your theme. If WP is your foundation, then the theme is your walls. Keeping holes willingly in your living rooms and in your dormitory and in your bathroom is not advisable.
Tip #16 - keep your plugins up-to-date:
Keeping your plugins up-to-date is again a no brainer. Consider your plugins as your appliances and furniture. You don't want to sit on a wobbly chair; you don't want to sleep on a broken bed or use an electrical appliance, that electrocutes you every time you touch it.
Tip #17 - check your scripts, cookies:
You should also keep your scripts, frameworks, cookies, embeds under check and up-to-date as possible. Not all 3rd party integrations are a security breach, but outdated ones ALWAYS are. Ask somebody to evaluate the code running on your domain. It might shock you what is still running inside your WP if you never did this before!
Tip #18 - avoid old solutions:
Exactly as you steer clear during shopping of over-riped food, you should do the same with plugins, themes and integrations as well. 2-3 years old plugins are something normal to find, with nice reviews and a good score. However, from the security point of view, it is a ticking bomb. The older it is, the more harm can create.
Tip #19 - embrace security:
Even if it configured incorrectly, a security plugin is still more efficient, than none. Don't be scared, enjoy the do-it-yourself liberty or hire a professional. We're in the business to help you. :wink:
Tip #19 - embrace backups:
Having a safety net, it is considered part of the prevention. Do keep a fresh copy of your running DB and the entire domain in a safe place. Set up a backup solution, outside your domain today! Don't be scared, enjoy the do-it-yourself liberty or hire a professional. We're in the business to help you, again. :wink:
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!