24 Oct Setting Up Minimum Viable WordPress Security
“What would you consider minimum viable security for a WordPress website?”
Thanks, Victor, that's a really great question, and it's going to take me a few minutes to answer because there are a few steps to securing a WordPress website. So without further ado, let's dive straight in.
Step 1: Choose a good WordPress hosting provider to ensure that you have good account isolation.
The first thing I'd do is make sure I'm using a reputable host, because on shared hosting it is very important that accounts are isolated from each other. If a host doesn't isolate accounts properly, an attacker who compromises one account on a shared server can read or modify the files of other accounts on the same server, and you get cross-contamination. So choose a hosting provider that knows how to configure the permissions on its servers correctly, so that one hacked account on a server does not spread to the others.
It's rare to see a hosting provider without good account isolation, but we do see it every month or two, usually at newer and smaller providers. That doesn't mean you shouldn't choose a small host; there are a lot of really great small hosting providers out there. Just make sure they've been in business for a while, so they've ironed out the bugs, and that they have a good reputation.
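The isolation point above comes down to the "other" permission bits on your files: on a shared server, "other" is your neighbours. The following is an added example, not code from the Wordfence post, that audits a web root for anything those neighbours could read or write; the directory layout it scans is constructed in a temporary folder so it runs anywhere.

```python
"""Audit a web root for files that other accounts on the same host can touch.

Added example, not code from the Wordfence post. The directory layout it
scans is constructed inside a temporary folder so it runs anywhere.
"""
import os
import stat
import tempfile
from pathlib import Path

# Files that hold secrets (database password, salts) and must never be
# readable by the 'other' class, which on a shared server means neighbours.
SECRET_FILES = {"wp-config.php", ".htpasswd", ".env"}


def audit_permissions(root):
    """Return {path: reason} for entries exposed to other local accounts.

    Any world-writable file or directory is reported (a neighbour could drop
    a PHP file into it). A secret file is also reported when merely
    world-readable. Ordinary public files are expected to be readable by
    the web server and are not flagged for that alone.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue  # the link target is judged when the walk reaches it
            if mode & stat.S_IWOTH:
                findings[path] = "world-writable"
            elif name in SECRET_FILES and mode & stat.S_IROTH:
                findings[path] = "secret file is world-readable"
    return findings


def build_sample_tree(base):
    """Constructed sample web root: one safe file, two exposed entries."""
    base = Path(base)
    (base / "wp-content" / "uploads").mkdir(parents=True)
    (base / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'example');\n")
    (base / "index.php").write_text("<?php // public entry point\n")
    os.chmod(base / "wp-content", 0o755)               # normal directory: fine
    os.chmod(base / "index.php", 0o644)                # readable, not writable: fine
    os.chmod(base / "wp-config.php", 0o644)            # exposed: neighbours can read the DB password
    os.chmod(base / "wp-content" / "uploads", 0o777)   # exposed: neighbours can write into it
    return base


def demo():
    """Run the audit over the constructed tree; returns findings by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        return {os.path.relpath(path, base): reason
                for path, reason in audit_permissions(base).items()}


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{reason}: {path}")
```

Point `audit_permissions` at your real document root to see what a neighbouring account could reach. A clean result does not by itself prove the host isolates accounts (that also depends on how PHP runs and whether accounts share a group), but a world-readable wp-config.php is a problem on any shared server regardless.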
Step 2: Install the newest versions of WordPress core and the theme and plugins you need. Only install what you need, and use a reliable source.
The next thing you need to do is, of course, install WordPress core. Always install the newest version, because older versions have known vulnerabilities, and a site running one of them will almost certainly be hacked as attackers exploit those vulnerabilities. So always install the newest version of core available from wordpress.org.
Then you need to install your plugins and your theme. You'll usually have one theme and several plugins, let's say five. Always get them from a reputable source: wordpress.org, or a reputable commercial provider. The reason is what's known as a nulled plugin or nulled theme: an attacker takes a legitimate plugin, inserts their own malicious code, and puts it up on a website of their own that looks legitimate but isn't. If you download the plugin from there, you're installing code that is already backdoored, your site is compromised from the start, and you've got a real mess on your hands. So make sure you get your plugins and themes from a reputable source.
Step 3: Keep everything updated. That includes WordPress core, your plugins and your themes.
Then, of course, you have to keep everything up to date. Security is not a single event; you don't secure a website once and walk away. You need a routine, say a weekly one: every few days or every week, check that everything is up to date and that the site is still secure. If you have Wordfence installed, it will email you when a theme or plugin is out of date or when core needs to be updated, along with other helpful security alerts, so keep an eye on those alerts and actually respond to them.
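Steps 2 and 3 both rest on knowing that the files on disk are the files the publisher shipped. wordpress.org publishes an MD5 per file for every core release, and WP-CLI's `wp core verify-checksums` compares an install against it. The following is an added example, not code from the Wordfence post, showing that comparison; the plugin files and the manifest are constructed inline so it runs offline, and the "tampering" it detects is the shape a nulled copy takes: code appended to a shipped file, plus a file the official package never contained.

```python
"""Compare an installed WordPress tree against a per-file checksum manifest.

Added example, not code from the Wordfence post. The manifest and the
plugin files below are constructed stand-ins for a real release and its
published checksums, so the check runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a clean release of a small plugin.
CLEAN_FILES = {
    "example-plugin.php": "<?php\n/* Plugin Name: Example */\nfunction example_init() {}\n",
    "includes/helpers.php": "<?php\nfunction example_helper() { return 1; }\n",
}

# Constructed stand-in for the official manifest: relative path -> MD5 hex.
OFFICIAL_MANIFEST = {
    rel: hashlib.md5(body.encode()).hexdigest() for rel, body in CLEAN_FILES.items()
}


def file_md5(path):
    """MD5 of a file, streamed so large files are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksums(root, manifest):
    """Return sorted lists of modified, missing and extra files under root."""
    root = Path(root)
    modified, missing, extra = [], [], []
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            missing.append(rel)
        elif file_md5(target) != expected:
            modified.append(rel)
    # Anything on disk that the manifest does not list was not shipped.
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                extra.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "extra": sorted(extra)}


def write_tree(root, files):
    """Write the constructed release to disk."""
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo(tampered=True):
    """Verify a constructed install. With tampered=True the install is altered
    the way a nulled copy would be: code appended to a shipped file and a
    file added that the official package never contained."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, CLEAN_FILES)
        if tampered:
            with open(Path(tmp) / "includes" / "helpers.php", "a") as fh:
                fh.write("// attacker-added code\n")
            (Path(tmp) / "includes" / ".cache.php").write_text("<?php // not in the release\n")
        return verify_checksums(tmp, OFFICIAL_MANIFEST)


if __name__ == "__main__":
    print("clean install:   ", demo(tampered=False))
    print("tampered install:", demo(tampered=True))
```

Run this as part of the weekly routine, not only at install time: a file that matched last week and does not match now is exactly what a compromise looks like, and an "extra" PHP file in a directory that should hold nothing but shipped code deserves the same attention as a modified one.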
Step 4: Use strong passwords and don’t reuse them. Use a password manager like 1Password if you need to.
The next thing that one should do if you’re setting up minimum viable security is you need strong passwords. That means that your passwords need to be complex. If you’re setting up an administrator account on WordPress we recommend that you have a passwordlength of at least 12 characters and that you choose from lowercase letters uppercase letters numbers and symbols. That way you’ll have a password that’s complex enough so it’s very difficult for an attacker to crack your password if they happen to download the hash of your password.
Also use unique passwords across all of the services that you use. The reason you should do this is because if one of those systems is compromised, the first thing the attacker does is download the user accounts database and try to use those accounts to log into other services and compromise those too. So use unique passwords across all of the services that you use. I know that’s a lot to ask and it’s a real pain and it’s very very easy to remember one short password and use that same password across all of the systems. Butthis is really important. One of the tricks you can use is use a password manager, like one password, to manage your passwords. The password manager will generate a password for you that’s very complex, long and has multiple characters in it. And then of course it’ll store it in a very easy-to-use database that you can then access at some point.
If you really really don’t want to use a password manager you can also use a formula thatyou memorize and use to uniquely generate a complex password in your head for each service that you use. That’s one of the systems that I’ve used in the past and it gives you a way to have unique passwords across all systems. If your passwords complex enough then you’re in pretty good shape
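The policy above (at least 12 characters, all four character classes) is easy to check mechanically, and the reason for it, offline guessing once a hash has leaked, is easy to quantify. The following is an added example, not code from the Wordfence post: a generator that always satisfies the policy, the policy check itself, the bits of guessing work a password of a given shape represents, and a reuse check over a constructed sample vault.

```python
"""Generate and check passwords against the policy described above.

Added example, not code from the Wordfence post. The policy (at least 12
characters drawn from lowercase, uppercase, digits and symbols) is the one
the post recommends; the sample vault below is constructed.
"""
import math
import secrets
import string

MIN_LENGTH = 12
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 symbols


def meets_policy(password, min_length=MIN_LENGTH):
    """True when the password is long enough and uses all four character classes."""
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in CLASSES
    )


def generate_password(length=16):
    """Random password from the OS CSPRNG, guaranteed to satisfy the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(cls) for cls in CLASSES]              # one of each class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                          # hide where the forced ones sit
    return "".join(chars)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random password of this shape.

    This is what stands between an attacker and your account once they hold
    the password hash and can guess offline as fast as their hardware allows.
    """
    return length * math.log2(alphabet_size)


def find_reused(vault):
    """Group services that share a password. vault maps service -> password."""
    by_password = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


# Constructed vault illustrating the reuse problem the post warns about.
SAMPLE_VAULT = {
    "wordpress-admin": "Summer2019!!",
    "webmail": "Summer2019!!",
    "hosting-panel": generate_password(20),
}

if __name__ == "__main__":
    print("generated:", generate_password())
    print(f"12 random chars from {len(ALPHABET)} symbols: {entropy_bits(12):.1f} bits")
    print("reused across:", find_reused(SAMPLE_VAULT))
```

Note that `meets_policy("Summer2019!!")` is True: the policy is a floor, not a guarantee, and a season-plus-year pattern is among the first things a cracking wordlist tries. The entropy figure only holds for passwords that are actually random, which is the argument for letting a generator or a password manager produce them rather than a human.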
Source: the above article can be found on the Wordfence Blog.