This topic is divided into two parts, plus a short third one. The first part is about individual security hygiene. Working for a company and using personal devices to get the job done requires strict security discipline: intrusions do not distinguish between business and personal devices, they look for vulnerabilities and find them wherever they are.
The second part is about securing a WordPress web-site. Over the years this list has become much shorter and simpler. The third part names the three credentials that matter more than everything else.
Part 1. Individual Security
Using strong passwords
1. Don't use common words, names, dates or anything that can be guessed from your public profile.
2. Use a mix of upper-case and lower-case letters, numbers and symbols. Length matters more than any single class of character, so prefer long passwords or passphrases.
3. Keep passwords in a password manager (LastPass, for example), not in a document or on a sticky note.
4. Don't reuse passwords: every service (Facebook, Gmail, the hosting account and so on) gets its own. Otherwise one breached site hands the attacker all of them.
5. Change passwords every 90 days, and immediately if you suspect one has been exposed.
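As an added example (not part of the original guidelines), the following Python script generates a password that satisfies the rules above and checks any candidate against them. It uses the secrets module rather than random, because random is not a cryptographic generator. The COMMON_WORDS set is a constructed stand-in for a real dictionary or breached-password list, and the 12-character default of the checker is an assumption (the floor given on this page is 8; longer is better).

```python
import secrets
import string

# Character classes required by the rules above.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed stand-in for a dictionary / breached-password list (assumption:
# a real deployment would load a large list, not six words).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "rmrs"}


def check_password(password: str, min_length: int = 12) -> list:
    """Return the list of rules a password breaks; an empty list means it passes.

    min_length defaults to 12 (an assumption; the page's floor is 8, longer is better).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in (("lowercase", LOWER), ("uppercase", UPPER),
                        ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    lowered = password.lower()
    hits = sorted(word for word in COMMON_WORDS if word in lowered)
    if hits:
        problems.append(f"contains common word {hits[0]!r}")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password that passes check_password.

    secrets.choice draws from the OS CSPRNG; the random module must not be used
    for this. The loop simply rejects the rare draw that misses a character class.
    """
    if length < 8:
        raise ValueError("password must be at least 8 characters")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "->", check_password(pw) or "OK")
    print("password123 ->", check_password("password123"))
```

A password manager does exactly this for you; the script is only there to show what "random" should mean (an OS-backed generator, every class present, no dictionary words) so that you can recognise a manager that does it right.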
Log out of sessions
1. When working with the RMRS business email, web-site or other software, always log out once the work is done.
2. Do you use your devices in public places? Never leave a computer unattended while you are logged in; lock the screen even if you step away for a minute.
3. Don't read business email over public WiFi unless you are connected through a VPN.
Antivirus on your devices
1. Which antivirus do you use? Know the answer, and make sure it is actually running and updating its signatures.
2. There are plenty of free ones (Avast, Avira, etc.). Look up a current top-10 list of antiviruses, pick one from a vendor you have heard of, and install it; pretty much every popular paid antivirus has a free version.
3. Do you scan downloaded files before installation? You should.
4. Do you visit risky sites, or sites your browser or antivirus warns about? Don't; treat those warnings as a stop sign.
Phishing emails: don't trust them
1. Do not trust emails from unknown sources.
2. Check the sender's email address. If it is empty or is your own address, delete the message.
3. If the sender claims to be a company you know but the address is not on the company's own domain, delete it.
4. Do not click links in emails asking you to verify a payment, fix a security issue with your account and the like. If you think it might be real, open the service by typing its address yourself and check there.
5. Do not trust warnings that your computer is infected and that you need to clean it by clicking a link.
6. If possible, check where a link really points (hover over it, or view the message source) before clicking. The classic PayPal example: the email looks exactly like a real one and comes from a company-like address, but the links lead elsewhere.
7. Company-looking web-sites: CHECK THE URL. If the domain differs from the company's real domain, leave the site. PayPal.com vs PayPalz.com. The part that matters is the registered domain, so a host such as paypal.com.secure-login.example (a made-up name) is not PayPal either, no matter how it begins.
8. Scan email attachments after saving them and before opening them.
9. AVOID the "unsubscribe" link in obvious spam. Don't click it unless you know the sender or it is a reputable company: "unsubscribing" confirms to the spammer that your address is real and that someone reads it, which makes you a better target.
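The link checks in items 6 and 7 can be automated. The script below is an added example, not code from the original page: it pulls every link out of an HTML email, compares where the link really goes with where its text claims to go, and flags look-alike domains. KNOWN_DOMAINS, the brand heuristic and the sample email are constructed for this example, and the registered-domain logic is a two-label approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the domains this mailbox genuinely deals with.
KNOWN_DOMAINS = {"paypal.com", "google.com", "rmrs.example"}
BRANDS = {d.split(".")[0] for d in KNOWN_DOMAINS}  # "paypal", "google", "rmrs"


def registrable_domain(host: str) -> str:
    """Approximate the registered domain as the last two labels.

    Assumption: no public-suffix list is consulted, so co.uk-style suffixes
    are not handled; use the publicsuffix2 package for real traffic.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _split(url: str):
    """urlsplit with a scheme forced on, so bare 'paypalz.com' still parses."""
    return urlsplit(url if "://" in url else "http://" + url)


def host_of(url: str) -> str:
    """Host part of a URL ('' if none). urlsplit().hostname drops any user@
    prefix, so https://paypal.com@evil.example/ resolves to evil.example."""
    return (_split(url).hostname or "").lower()


def classify_link(href: str, visible_text: str = "") -> str:
    """'known'     = registered domain is on the allowlist.
    'lookalike' = impersonates a known brand: PayPal.com vs PayPalz.com,
                  paypal.com.evil.example, a user@host trick, or link text
                  naming a brand the href does not go to.
    'unknown'   = everything else, which still means: do not click."""
    host = host_of(href)
    if not host:
        return "unknown"
    if registrable_domain(host) in KNOWN_DOMAINS:
        return "known"
    if "@" in _split(href).netloc:
        return "lookalike"
    if any(brand in host or brand in visible_text.lower() for brand in BRANDS):
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_email_html(html: str) -> list:
    """Return (href, text, verdict) for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


# Constructed sample resembling the PayPal-style phish described above.
SAMPLE_EMAIL = """<p>Dear customer, please verify your payment:</p>
<a href="https://www.paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<a href="https://paypalz.com/signin">Sign in to PayPal</a>
<a href="https://paypal.com@evil.example/">PayPal</a>
<a href="https://www.paypal.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_email_html(SAMPLE_EMAIL):
        print(f"{verdict:9} {href}  (text: {text!r})")
```

Only the last link in the sample is genuine; the other three are the three tricks from items 6 and 7 (a real domain buried inside a longer host name, a misspelt domain, and a user@ prefix that browsers silently drop).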
Global attacks and threats
1. When the news reports a global attack on Facebook, Microsoft Windows, Gmail etc., pay attention to it.
2. If you notice something resembling the announced threat on your computer or in your email, do not open it.
3. Since we use the same devices both for work and for private life, the security procedures must be followed for both.
4. Always keep both your devices and the software on them up to date.
Part 2. WordPress site security
A lot of the advice in circulation is speculation, or has become outdated over time. Let's break down what is really important and what is not anymore.
1. Have good hosting. This is the #1 thing. Any site can be hacked, but not every site can be quickly and completely restored.
– choose a host with redundant infrastructure, so that even if a whole server is compromised (which is rare nowadays) the site can be brought back up on another node or partition;
– make sure the hosting company has a daily backup policy and that backups are easy to restore, ideally from the control panel; do one test restore so you know it actually works;
– you should have 24/7 chat support. Telephone support is worse, because your tech person can't show the support specialist the code, screencasts etc. of what is going on with the site. Chat is better.
2. Your WordPress theme. Buy a theme from a reputable company that cares about security and keeps updating it (StudioPress, iThemes and ElegantThemes, for example).
3. Plugins. Needless to say, they must be kept up to date. Something rarely discussed: lots of free plugins are abandoned and have not been updated for years. Make sure you don't use those; they are the favourite entry point for all kinds of intrusions. A plugin's page on wordpress.org shows its last-updated date and the WordPress version it was tested with, so a plugin that has not been touched for a couple of years is a candidate for replacement.
4. Passwords. Your passwords should be a random combination of lower-case and upper-case letters, numbers and symbols, at least 8 characters long (longer is better). Everything from the password section of Part 1 applies here too.
5. Users. Delete users that are no longer used. Do not create administrators without a real need; for most people the Subscriber or Editor role is enough.
6. Do you need to hide the default /wp-admin login URL? NO, not anymore. It is security by obscurity: the login page is easily rediscovered, and attackers have plenty of other ways of finding vulnerabilities.
7. Disable XML-RPC. xmlrpc.php lets a client try hundreds of username/password pairs in a single request (system.multicall) and can be abused for pingback floods, so switching it off makes brute-force protection much easier. Check first that nothing you rely on needs it; the Jetpack plugin, for example, talks to WordPress over XML-RPC.
8. Using a security plugin. Your choice. If you are not sure about your hosting or the security of your themes and plugins, go for it, but test it before you rely on it. For example, the iThemes Security plugin we used for years breaks our site with new updates. Security plugins are good at limiting bad login attempts, which can be really helpful if your site is being constantly attacked.
9. Do you need to block crawling of the /wp-admin directory in robots.txt? You can. Is it really helpful? Not much: robots.txt is only honoured by well-behaved crawlers, and attackers read it to see what you wanted to hide.
10. File permissions. Needless to say, CHMOD 777 on any of your files or directories is an open gate for anything. Directories should be 755 and files 644. CHMOD .htaccess to 444, and CHMOD wp-config.php to the lowest number your hosting allows (400 if PHP runs as the file owner, 440 if it runs as a member of the owner's group). Make sure the site is still accessible afterwards.
11. Your database table prefix should be something other than the default wp_. Set $table_prefix in wp-config.php before installation; changing it on a live site means renaming every table plus the option and usermeta keys that embed the prefix, so it is much easier to get right up front.
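Items 3, 10 and 11 are all things you can verify from a shell on the host. The script below is an added example, not code from this page or from WordPress itself: it audits a WordPress directory for world-writable entries, an editable .htaccess, an over-permissive wp-config.php, the default wp_ prefix, and plugins whose readme.txt says they were only tested against an old WordPress release, and then applies the recommended modes. The sample install it builds, the 6.0 "tested up to" threshold and the 400-versus-440 choice are assumptions, stated again in the comments.

```python
import os
import re
import stat
import tempfile


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def audit_permissions(root: str) -> list:
    """Return (path, finding) pairs for entries that break the permission rules above:
    nothing world-writable (777-style), .htaccess not writable at all,
    wp-config.php with no group-write bit and no permissions for 'others'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, f"world-writable ({mode:o})"))
            if name == ".htaccess" and mode & 0o222:
                findings.append((path, f".htaccess writable ({mode:o}); use 444"))
            if name == "wp-config.php" and mode & 0o027:
                findings.append((path, f"wp-config.php too open ({mode:o}); use 400 or 440"))
    return findings


def table_prefix(wp_config_path: str) -> str:
    """Read $table_prefix from wp-config.php ('' if not found)."""
    with open(wp_config_path, encoding="utf-8", errors="replace") as fh:
        m = re.search(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", fh.read(), re.M)
    return m.group(1) if m else ""


def stale_plugins(root: str, min_tested: str = "6.0") -> list:
    """Offline proxy for 'abandoned': flag plugins whose readme.txt says they were
    tested only against a WordPress older than min_tested. The threshold is an
    assumption; the plugin's wordpress.org page shows the real last-updated date."""
    out = []
    plugins = os.path.join(root, "wp-content", "plugins")
    for slug in (sorted(os.listdir(plugins)) if os.path.isdir(plugins) else []):
        readme = os.path.join(plugins, slug, "readme.txt")
        if not os.path.isfile(readme):
            continue
        with open(readme, encoding="utf-8", errors="replace") as fh:
            m = re.search(r"^Tested up to:\s*([\d.]+)", fh.read(), re.M | re.I)
        if m and version_tuple(m.group(1)) < version_tuple(min_tested):
            out.append((os.path.join(plugins, slug), f"tested only up to WordPress {m.group(1)}"))
    return out


def audit_site(root: str) -> list:
    """Combine all checks; an empty list means the install passes."""
    findings = audit_permissions(root) + stale_plugins(root)
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg) and table_prefix(cfg) == "wp_":
        findings.append((cfg, "table prefix is the default wp_"))
    return findings


def harden(root: str) -> None:
    """Apply the modes recommended above: directories 755, files 644,
    .htaccess 444, wp-config.php 400. Assumes PHP runs as the file owner;
    on hosts where it runs as a member of the owner's group use 440 instead."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), {".htaccess": 0o444, "wp-config.php": 0o400}.get(f, 0o644))


def make_sample_site(prefix: str = "wp_") -> str:
    """Build a constructed, deliberately misconfigured install in a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {  # relative path: (content, mode)
        "wp-config.php": (f"<?php\n$table_prefix = '{prefix}';\n", 0o644),
        ".htaccess": ("# BEGIN WordPress\n", 0o664),
        "index.php": ("<?php\n", 0o644),
        "wp-content/uploads/cache.php": ("<?php\n", 0o777),
        "wp-content/plugins/old-gallery/readme.txt": ("=== Old Gallery ===\nTested up to: 4.9\n", 0o644),
        "wp-content/plugins/fresh-cache/readme.txt": ("=== Fresh Cache ===\nTested up to: 6.4\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):  # pin directory modes regardless of umask
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the classic mistake
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for path, finding in audit_site(site):
        print(f"{finding:45} {path}")
    harden(site)
    print("after harden:", audit_permissions(site) or "permissions OK")
```

Run the audit first, fix what it reports, then reload the site: the "make sure your site is accessible" step in item 10 is there because some hosts run PHP under a different user and need 440 rather than 400 on wp-config.php.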
Part 3. Most important.
Honestly, there are THREE things in this world everyone must guard more carefully than anything else:
1. The password to the hosting account.
2. The password to the domain registrar.
3. The password to the personal Gmail and YouTube account that the two above are tied to, because password resets for them land in that mailbox.
Turn on two-factor authentication on all three wherever it is offered: losing any one of them means losing the site, the domain, or both.