19 Realistically easy steps towards hardened WordPress Security
WordPress Security should be a standard mentality regarding anything WordPress related. This means, that a few things should start immediately as you decide to have a website. Our first recommendation is:
Tip #1 – choose your hosting provider carefully:
Use a well-known and trusted hosting supplier who has an exceptional reputation for security and reliability. Price should not interfere and mostly should not work against your security. The cheaper your hosting is, the more problems it will generate along the run. The more problem you have will increase running costs by solving them, or after repeated cases to prevent them.
Tip #2 – strong password:
ALWAYS use STRONG and UNIQUE passwords for your website. Make sure you don’t forget your password. Also, make sure, you don’t write it down on a paper and stick it to your screen – so when somebody has a meeting with you, they can read it involuntarily and receive a coffee and your credentials. Make sure you don’t store a digital version of your credentials, where others have access (like online file storage accounts).
Tip #3 – other people:
Just offer site access to those you work with and trust. Limit account types as much as needed. Avoid giving out admin accounts as much as possible. A simple posting does not need administrative credentials – an author or contributor type is enough. Have more authors? Then their supervisor should only be an editor. Have a dedicated person in charge of your online store? Shop Manager is enough.
Tip #4 – other people’s credentials:
Force your users to utilize strong passwords too. Make sure they adhere to the same strict policy you have. Enforcing this eliminates the weakest link from the chain to be the credential related attack.
Tip #5 – unsecured connections:
Don’t log into WordPress through an unsecured web connection or network. Don’t log in to the admin dashboard through a public WiFi or web café considering that your credentials cannot be tracked. Also, somebody might be watching you enter your login information. At least, if you really must conduct business from a public place, then use your phone to connect to the public wifi, then connect your laptop to your phone.
Tip #6 – other vital credentials:
Don’t trust individuals with administrative accounts to your hosting account or social media accounts or online apps you use daily basis. If it is vitally important for them to do their jobs, then create dedicated minimal access to just what they require to gain access to and absolutely nothing more.
WordPress Security bypass most of the times happens with compromised hardware. This is the case with public computers (found in hotels, coffee shops, etc) or with company-owned hardware, that is used by the employee’s kids or other purposes, that work. Malware and viruses can contaminate your computer, which can spread to not just your WordPress website but numerous countless other WordPress sites. There are a few simple methods, that can guarantee your computer remains as secure as possible. Our recommendations regarding this topic are:
Tip #7 – clean hardware:
Install an anti-virus scanner to prevent malware and infections. Make sure you have your firewall active on your wi-fi router and inside your OS. Schedule routine (daily, weekly) scans of your computer to be sure it’s not contaminated.
Tip #8 – up-to-date hardware:
Be sure that the installed software and operating system have the latest patches available to reduce risks. Keep them as up-to-date as possible. At least weekly is a minimal approach and effort for your safety.
Hosting Server Security bypass most of the times happens with missing or misused security. This is the case with low budget hosting solutions or really old hosting setups. A human decision factor is another story, one, that can be easily prevented. Our recommendations regarding this topic are:
Tip #9 – use SSL:
Install and force SSL certificate usage throughout your entire domain(s) or subdomain(s). Make sure every time you access your links, that the padlock remains locked, confirming that the connection is encrypted between your browser and your computer.
Tip #10 – use CDN:
Use a Content Delivery Network (CDN) to assist your site’s speed. Second, it will help reduce the impact of DoS and DDoS attacks.
Tip #11 – protect your FTP/SSH:
If you’re not currently utilizing SFTP/FTP/SSH, erase any active credentials/keys or disable the feature till the next time you require it, preventing unwanted attention. Same as with any credentials, since they are administrative type – erase it immediately as it is not needed anymore.
Tip #12 – always use the more secure method:
Having multiple options is a godsend. However, from the security point of view is a bad approach to use a less secure option, when you can use a more secure one. Use FTP Secure (SSH File Transfer Protocol, SFTP) rather of FTP/SCP which is unsecured to help avoid your connection from being controlled or monitored. It is more safe and secure.
Compromising the WordPress Security happens most of the times, actually withing itself, from specific reasons. This happens to start with lack of consideration towards security; ignoring totally or simply being oblivious to warning signs. Here we mention a few fundamental ideas to help you start building up the security of your WordPress site.