WordFence has started a new video series called “Ask Wordfence” where they answer questions that users have sent to them. The first in the series lists 11 steps to achieve a minimum level of WordPress security.

You can watch the video from their blog or watch and subscribe to their channel on YouTube.

The basic steps they mention are below and my thoughts about each.

WordPress Security Basics

1. Reputable host

Choosing a host shouldn’t just be about price. Many of the cheap hosts also offer a 99.9% uptime guarantee but that doesn’t necessarily mean your site is working properly. As well as the security issues (cross-contamination) involved in shared hosting that WordFence mentioned in the video, there are other things to consider such as site speed, uptime, server load, server load at different times of the day, support availability, quality of support, technical specs of your hosting package etc.

Personally, good support is key for me. If my customers or I have a problem, I want to take care of it right now, so live chat and support are essential. I’ve moved all of my sites and customer sites away from hosts before because they were bought out and their support started getting awful.

2. Only latest versions and a minimum of plugins

It’s considered a no-brainer to always install the latest WordPress, but many people don’t realise that themes and plugins are where most hacks come in through. Always get your theme from a reputable source and keep it updated. Also, only install the themes and plugins you are actually using and delete anything extra, as those extra files just give more surface area to hackers and bots.

3. Keep everything updated

Wordfence talks about having a maintenance routine, such as logging in once a week and updating everything. This is a good idea as you’ll be checking in regularly (you should be updating your blog once a week anyway with new content 😉).

4. Strong passwords

Everyone knows that long passwords are a pain to remember, but you really should have different passwords for different services and each password should be as strong as possible. Imagine if someone got the password to one of your old Hotmail addresses and decided to try it out on your new email address at Gmail, then went to your PayPal and gave it a try there too. The same password makes all your accounts vulnerable. I use LastPass to manage all of my passwords; I just have way too many of them. Using a password manager has risks of its own, but I still trust that more than a huge A4 sheet with all my passwords on it.

5. Two-factor authentication

If you have this enabled then you’ll have an extra layer of security, so that if someone guesses your password, they still can’t get in. This is an awesome tool for larger sites with more users and the need for more security; however, for most regular sites this is a bit of a pain to set up and use, especially if the site has multiple authors. It’s good that WordFence mentioned it, but it’s not practical for the majority of my customers.

6. Delete unused accounts and minimum permissions

This is a good practice for all your sites; most people don’t need admin dashboard access. Not only does it make the dashboard cleaner and easier for your authors to use, it’s also a lot safer. Deleting unused users, plugins and themes should be a high priority, as I’ve seen many sites hacked just because of an old contact plugin that’s been left there.

7. Don’t use the username ‘admin’

This one is another important one. Also, the display name in your WordPress should be different from your account username to make the username harder to guess. If you want a gold star, you can also treat your username like a password and make it something quite obscure.
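As an added example (not from the Wordfence video or this post), a read-only audit script that checks a site against steps 2, 6 and 7 above and the automatic-update setting from step 9. It assumes WordPress is loaded, e.g. by running it with WP-CLI as `wp eval-file wp-basics-audit.php` (the file name is just a placeholder); it uses only core WordPress functions and changes nothing.

```php
<?php
// Added audit script, not part of the original post. Run inside a
// WordPress install, e.g.:  wp eval-file wp-basics-audit.php
// It only reads state and prints findings; it changes nothing.

if ( ! function_exists( 'get_users' ) ) {
    fwrite( STDERR, "Run this via WP-CLI (wp eval-file) so WordPress is loaded.\n" );
    exit( 1 );
}
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

$findings = array();

foreach ( get_users() as $user ) {
    // Step 7: the login name 'admin', and display names that reveal the login name.
    if ( 'admin' === strtolower( $user->user_login ) ) {
        $findings[] = "user #{$user->ID} uses the login name 'admin'";
    }
    if ( 0 === strcasecmp( $user->display_name, $user->user_login ) ) {
        $findings[] = "user #{$user->ID} shows the login name '{$user->user_login}' as display name";
    }
    // Step 6: minimum permissions. Every administrator account should be justified.
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        $findings[] = "user #{$user->ID} ('{$user->user_login}') has the administrator role";
    }
}

// Steps 2 and 6: inactive plugins and themes are unused files that still get attacked.
foreach ( get_plugins() as $file => $data ) {
    if ( ! is_plugin_active( $file ) ) {
        $findings[] = "inactive plugin: {$data['Name']} ({$file})";
    }
}
$active = wp_get_theme(); // keep the active theme and, for a child theme, its parent
foreach ( wp_get_themes() as $slug => $theme ) {
    if ( $slug !== $active->get_stylesheet() && $slug !== $active->get_template() ) {
        $findings[] = "inactive theme: {$slug}";
    }
}

// Step 9: core security releases should still install on their own.
if ( ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
     || ( defined( 'WP_AUTO_UPDATE_CORE' ) && false === WP_AUTO_UPDATE_CORE ) ) {
    $findings[] = 'automatic core updates are switched off in wp-config.php';
}

echo $findings ? implode( "\n", $findings ) . "\n" : "No findings.\n";
```

Each finding is something to review by hand rather than fix blindly; an extra administrator may be legitimate, but an inactive plugin almost never is.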

8. Backups, backups, backups

WordFence mentions using a service to get regular backups, and that they should be rolling, segregated backups so you can go back in time and restore your site. They make a good point that if your site is hacked on a Monday and you don’t notice it until Thursday, you can’t just restore Wednesday’s backup, because the site was already damaged by then. Many hosts automatically back up your site, but don’t assume they do; best to check!

9. Automatic updates

The core should update automatically whenever a small WordPress security release comes out so just leave it alone 🙂

10. WordPress security firewall

WordFence mentions that you can do all of the above steps and still get hacked, because there can be an exploit in a plugin or theme that attackers can still reach, and sometimes it takes time for developers to fix the security hole. During that time your site is vulnerable. That’s when a firewall is useful. WordFence is a great firewall for WordPress security that has generic protection and more advanced functionality to keep your site safe. I use the WordFence firewall to protect the majority of my clients’ sites (I use the Sucuri firewall for some of the bigger ones). WordFence Pro is updated in real time, so threats are cut out straight away.

11. Malware Scan

A malware scan can help you recognise and clean up your site if it’s been hacked already. If bots or hackers are still getting through, then malware scanning is your last line of defence to clean up the site before having to restore from a backup. If you have regular backups then, of course, that’s not a problem; however, if your content is updated daily or even hourly, then you’re going to lose some data that way. It’s usually possible to restore a working version of a site from backups and by cleaning the database.

It’s great that WordFence is releasing good videos and content about WordPress security. Some of the other firewall developers don’t really give out much information. WordFence wants to educate and help people and not just make a profit, which is awesome. Check out their site and premium version of their firewall.

WP-Ensure

All of the above steps including rolling segregated backups, good hosting, security hardening, updates and firewalls are part of my WP Ensure service. See the pricing and plans page for more information or get in touch if you have any questions.