When I develop a site for a client, one of the things I talk about upfront is maintenance. Maintenance includes content updates as well as what I call security. All sites are vulnerable to being hacked but there are ways to reduce your risk.
Update
One of the great things about WordPress is that it is constantly being updated. Many of the updates are security updates only. This means a vulnerability has been found and the update fixes the problem. Plugins and themes must be updated frequently as well, not only WordPress itself.
Setting up User Accounts
Hackers try to get into your WordPress account in many ways. One of the most common is password phishing. Some procedures around user account maintenance can reduce your risk:
- Delete accounts not in use
- Only use Admin accounts for administrative tasks
- Use Editor, Author, Contributor and Subscriber Accounts
On the Server
- Delete accounts not in use
- Set up FTP accounts as SFTP
- Disable password authentication and use key pairs
WordPress Login
- multi-factor authentication on wp-admin
- two-factor authentication on wp-login.php
Password Management
- 15-character password – this will take 3 months to crack
- Make your passwords long, complex and unique
- Use Password Managers such as LastPass
- Come up with a scheme for passwords. An example of a scheme is to remember 20 characters, prefix them with the site name and end the sequence with some date.
Technical Methods for Reducing Risk
- Block PHP execution in the wp-includes, wp-content and uploads folders
- Modify wp-config.php to disable the plugin / theme editor
- or also disable the plugin / theme updater and installer
.htaccess (one copy in each of wp-includes, wp-content and wp-content/uploads):
<Files *.php>
# Refuse direct HTTP requests to any .php file in this folder (Apache 2.2 syntax;
# files that WordPress itself includes are unaffected, only direct requests are blocked)
Deny from all
</Files>

wp-config.php:
// Removes the plugin / theme file editor from the dashboard
define('DISALLOW_FILE_EDIT', true);
// Also blocks installing, updating and deleting plugins / themes from the dashboard
define('DISALLOW_FILE_MODS', true);
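A small audit script for the two hardening steps above, added here as an example (it is not part of the original post, and the function names are assumptions). It takes the site's files as a dict of relative path to text so it runs offline, accepts both the "Deny from all" form shown above and the Apache 2.4 "Require all denied" form, and does not count a commented-out define.

```python
"""Audit WordPress files for the hardening above (added example; names are assumed)."""
import re

# Folders the post says should refuse direct HTTP requests to .php files.
PHP_LOCKDOWN_DIRS = ("wp-includes", "wp-content", "wp-content/uploads")
WANTED_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# A <Files *.php> block whose body denies every request, in Apache 2.2 syntax
# ("Deny from all", as in the post) or 2.4 syntax ("Require all denied").
_FILES_BLOCK = re.compile(r"<Files\s+\*\.php\s*>(.*?)</Files>", re.I | re.S)
_DENY_RULE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
_DEFINE = re.compile(r"define\s*\(\s*['\"](DISALLOW_FILE_(?:EDIT|MODS))['\"]\s*,\s*(true|false)\s*\)", re.I)

def htaccess_blocks_php(text):
    """True if this .htaccess text has a <Files *.php> block that denies access."""
    return any(_DENY_RULE.search(body) for body in _FILES_BLOCK.findall(text))

def wp_config_constants(text):
    """Map each wanted constant to True only if wp-config.php defines it as true."""
    found = dict.fromkeys(WANTED_CONSTANTS, False)
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "*")):  # ignore commented-out defines
            continue
        for name, value in _DEFINE.findall(line):
            found[name.upper()] = value.lower() == "true"
    return found

def audit(files):
    """files: {relative path: content}. Returns findings; an empty list means all checks passed."""
    findings = []
    for rel in PHP_LOCKDOWN_DIRS:
        if not htaccess_blocks_php(files.get(f"{rel}/.htaccess", "")):
            findings.append(f"{rel}/.htaccess does not deny direct requests to *.php")
    for name, ok in wp_config_constants(files.get("wp-config.php", "")).items():
        if not ok:
            findings.append(f"wp-config.php does not define {name} as true")
    return findings

# Constructed sample site: uploads is locked down, the other folders are not, and
# DISALLOW_FILE_EDIT is only present as a commented-out line.
SAMPLE_SITE = {
    "wp-content/uploads/.htaccess": "<Files *.php>\nDeny from all\n</Files>\n",
    "wp-content/.htaccess": "# nothing here\n",
    "wp-config.php": (
        "<?php\n"
        "// define('DISALLOW_FILE_EDIT', true);\n"
        "define('DISALLOW_FILE_MODS', true);\n"
    ),
}
```

Running `audit(SAMPLE_SITE)` reports the two folders without a deny block and the missing DISALLOW_FILE_EDIT; a fully hardened site returns an empty list.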
Use Plugins
- Sucuri Security Plugin
- Theme-Check
- BackupBuddy
- Akismet
- Limit Login Attempts
- Wordfence
- Activity Monitor