Security is a fresh topic here, so I thought I will provide you some helpful information about securing your wordpress website.
Please note that this is regarding wordpress security because it is one of the most used CMS and powers almost 48 % of the websites online, secondly I have almost 10 years of experience on the platform and also the lessons I have learned over the multitude of attacks that have happened over this course of time on my website as well on my client websites.(I don't make websites I am mostly the person people call through reference when the shit has hit the fan in WordPress) The points in * are non negotiable for me.
So here is the run down which you can use as a checklist as well for securing your wordpress website.
- Do not use nulled plugin or cracked plugin on any money site.
- Chage your wp-admin login page asap, most bruteforce attack happens on those.
- *Use good hosting company, a lot of times cheap hosting companies do not lock folder structure properly, so someone else hosted on the same server might infect your wordpress. Excellent rule of thumb is to avoid any host which says unlimited space or 15 rs for 1 site hosting.
- Keep your wordpress updated
- Keep your plugins updated(sometimes updates also have vulnerabilities, but we address that in the next step)
- *Keep backups - My backup strategy is 365 incremental backups(versioning on amazon cloud) , weekly backups on google cloud and server mirroring.Free plugin to use for basic backup is updraft.
- *Run daily virus scanners recommended ones are : getastra,virusdie,wordfence,Webarx,sucuri,incapsula . I ensure one scan is always running, If I detect even small anomaly I run 2 -3 of them at a time (yes I am a paranoid person )
- Harden your word press(google for more details)you can do it with sucuri free plugin.
- Firewall is super simple in wordpress to apply but if you are doing it yourself ensure it works. https://wpnewsify.com/blog/server-level-firewall/
- For protection against phishing use 2FA authentication it's free and even if someone jacks your pass they cannot login (Please have the discipline to not use same password everywhere , otherwise profile hack might give some other access to some other tool you use without 2FA in case of phishing.) Free plugin : https://wordpress.org/plugins/wp-2fa/
- If you are doing local wordpress development before development ensure that your pc is clean(goes without saying use a antivirus on your computer)
- I definitely recommend SSL for preventing middleman attacks, any hosting that does not provide it free fuck that hosting company move on to some other one(Godaddy is a bitch)
- Further security measure is to make a static version of your site with plugins like wp2static.
- If you get your word done on fiverr change password after the project is done, and ideally make a secondary account which you delete later.
Doing this will put you in top 5 % of wordpress sites. Security and privacy has always been something I have always fascinated with, most of the stuff you can do yourself, These steps will ensure that you don't suffer the way I did with sleepless nights trying to figure wtf happened to my site and why is it redirection etc.
We are currently working on building a 360 care program for wordpress sites at affordable costs, one of the challenges we are facing is to build a machine like workflow to the process because all websites built on wordpress are not equal.
We want non-techie people to focus on what they are good at but at the same time security does not become a bleeding cost for startups or soloprenuers who are using wordpress, I will certainly do a pushlaunch when things are ready :)
If you have faced any issue and you think I have not covered here, feel free to put in the comments.