WordPress security depends on several factors, and many site owners neglect, forget or simply ignore some of them.
Server security guidelines
Keep your server updated
Security starts with the server, wherever you are hosted, and many sites run on completely obsolete servers.
Check your site's PHP version (in WordPress, Tools > Site Health > Info > Server shows the version the web server actually runs, which is not always the one the shell reports). Are you on PHP 5.4, 5.6 or 7.0? Those branches no longer receive security fixes from the PHP project, even when the host labels them "Hardened PHP" (usually the host's own backported patches for an end-of-life branch). This is not the user's fault, since most site owners are not specialists; it is a problem with some hosts that want to amortize their servers until the very last minute.
We should start by hosting our sites with providers that really care about their customers, rather than ones that just make money from servers that have to be squeezed a little harder every day. So the first thing to look at is a host that takes these issues seriously or, if you are already with a host, whether you can move your account to PHP 7.1, 7.2, 7.3 or even 7.4. My recommendation at the time of writing is to stay on 7.3, since 7.4 can cause problems with some plugins. Support windows move, though: before settling on a branch, check https://www.php.net/supported-versions.php and pick one that still receives security fixes.
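The check described above, scripted: this is an added example and not part of the original post. It reads the branch out of `php -v`, compares it with a table of end-of-support dates, and reports the result. The table is a snapshot taken from php.net and is an assumption you must refresh from https://www.php.net/supported-versions.php before relying on it; the date argument exists so the check can be run against a fixed day.

```shell
#!/bin/sh
# Added example (not from the original post): detect the PHP branch a server
# runs and report whether that branch still receives security fixes.
# The EOL table is a snapshot (assumption): refresh it from
# https://www.php.net/supported-versions.php before relying on it.

# Extract "major.minor" from `php -v` output such as
# "PHP 7.3.33 (cli) (built: Nov 17 2021 10:10:52) ( NTS )".
php_branch() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9]*\.[0-9]*\)\..*/\1/p'
}

# Last day of security support per branch, as YYYYMMDD (snapshot, see above).
php_eol_date() {
    case "$1" in
        5.4) echo 20150914 ;;
        5.6) echo 20181231 ;;
        7.0) echo 20190110 ;;
        7.1) echo 20191201 ;;
        7.2) echo 20201130 ;;
        7.3) echo 20211206 ;;
        7.4) echo 20221128 ;;
        8.0) echo 20231126 ;;
        8.1) echo 20251231 ;;
        8.2) echo 20261231 ;;
        8.3) echo 20271231 ;;
        8.4) echo 20281231 ;;
        *)   echo unknown ;;
    esac
}

# branch_supported BRANCH [YYYYMMDD] -> prints "supported", "end-of-life"
# or "unknown". The date defaults to today, so the verdict stays correct
# as time passes; pass a fixed date to reproduce a result.
branch_supported() {
    branch=$1
    today=${2:-$(date +%Y%m%d)}
    eol=$(php_eol_date "$branch")
    if [ "$eol" = unknown ]; then
        echo unknown
    elif [ "$today" -le "$eol" ]; then
        echo supported
    else
        echo end-of-life
    fi
}

# Run against the local CLI interpreter when one is installed. The CLI php
# can differ from the one the web server uses, so confirm in Site Health too.
if command -v php >/dev/null 2>&1; then
    branch=$(php_branch "$(php -v 2>/dev/null | head -n 1)")
    echo "PHP $branch: $(branch_supported "$branch")"
fi
```

An "unknown" result means the branch is newer than the table, which is itself the signal to refresh it.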
Isolate accounts that share the same server
We must also make sure that the accounts on the server are isolated from one another. If one account on a shared server gets hacked, the attacker should not be able to jump to the other accounts. It may seem improbable, but it is possible unless the server runs each account as its own system user with proper permissions, and not every host does that.
If the host also provides protection against attacks on top of that, even better.
Perform routine server backups of WordPress
The host should also perform backups, but that does not mean you must trust it one hundred percent. Unless it guarantees them, make your own backups as well: keep at least one copy off the server (a backup stored only on a compromised account is lost along with it) and test now and then that it actually restores.
Verify that your server is not listing your directories
Verify that your server is not listing your directories (directory indexing). This is key for the security of your site, because a listing lets an attacker browse the contents of your server: the plugins you run and their versions, everything you have uploaded, and any forgotten backup or configuration copy. See this example:
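One way to check this from the command line and to fix it, as an added example that is not part of the original post. The probed paths are the ones a default WordPress layout exposes (uploads/ is the usual leak, since WordPress does not ship an index.php there), the site URL is a placeholder, and the HTML sample is constructed for the test.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether a WordPress
# directory is being listed by the web server, and turn listing off.
# The URL and probed paths are assumptions; the HTML sample is constructed.

# Both Apache mod_autoindex and nginx autoindex render an "Index of /..."
# title, so that is the signature we look for in a response body.
looks_like_listing() {
    printf '%s' "$1" | grep -qi '<title>Index of /'
}

# Fetch the directories a default WordPress layout exposes and report the
# ones that answer with a listing. Needs curl and network access.
# Usage: check_listing https://example.com
check_listing() {
    base=${1%/}
    for path in /wp-content/uploads/ /wp-content/plugins/ /wp-includes/; do
        body=$(curl -s -L --max-time 10 "$base$path")
        if looks_like_listing "$body"; then
            echo "LISTING ENABLED: $base$path"
        else
            echo "ok: $base$path"
        fi
    done
}

# Apache fix: add "Options -Indexes" to the site's .htaccess (or vhost).
# Idempotent, so it can run on every deploy without duplicating the line.
disable_indexes() {
    file=$1
    if [ -f "$file" ] && grep -q '^Options -Indexes' "$file"; then
        return 0
    fi
    printf '%s\n' 'Options -Indexes' >> "$file"
}

# nginx equivalent: "autoindex off;" inside the server block. It is off by
# default, so a listing on nginx means someone turned it on explicitly.

# Constructed sample of what a listed uploads directory looks like.
SAMPLE_LISTING='<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1><a href="../">Parent Directory</a>
<a href="backup-2020.zip">backup-2020.zip</a></body></html>'
```

Run `check_listing` against your own site only; a listing of uploads/ that shows a backup archive is exactly the kind of file an attacker downloads first.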
Get and activate an SSL certificate
Your website must be served over HTTPS with a valid certificate. It doesn't matter whether it is from Let's Encrypt (it's free, so if your host charges you for it, get out of there right now!) or the most expensive one on the market. Once it is installed, set the WordPress Address and Site Address to https:// and redirect every http:// request to https://, so that logins and session cookies never travel in clear text.
OK, let's say we now have the perfectly secure server. Now it's our turn.
User security guidelines
Make a proper database installation
Use a database name, username and password that are hard to guess. They live in wp-config.php, so you never need to remember them and their complexity costs you nothing.
The table prefix should never be "wp_". Use whatever you want, but NEVER "wp_". Treat this as a small obstacle rather than a real defence: it defeats pre-written injection payloads that assume wp_, but anyone who can already query the database can read the real prefix. The database user should also be granted privileges on the WordPress database only, never on the whole database server.
IMPORTANT: Never make up a password yourself unless you know how to generate one properly. If you don't, you will fall into predictable human patterns; let a generator produce it.
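The three steps above (unguessable prefix, generated password, a database user limited to one database) carried out in a script, as an added example that is not from the original post. The database and user names are placeholders, the SQL targets MySQL/MariaDB, and `wp config set` is the real WP-CLI command for editing wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original post): generate an unguessable table
# prefix and database password, and emit the SQL for a database user whose
# grants stop at the WordPress database. Names (wp_site, wp_site_user) are
# assumptions; adjust them to your installation.

# Random string of LEN characters drawn from CHARSET via /dev/urandom.
# LC_ALL=C keeps tr byte-oriented; cut reads all input, so tr never gets
# a broken pipe.
rand_chars() {
    len=$1
    charset=$2
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc "$charset" | cut -c1-"$len"
}

# Table prefix: a letter first (a valid identifier start), five more
# alphanumerics, then the underscore WordPress expects, e.g. "k3x9qz_".
gen_prefix() {
    printf '%s%s_\n' "$(rand_chars 1 a-z)" "$(rand_chars 5 a-z0-9)"
}

# 32-character password with no quotes or backslashes, so it drops into
# wp-config.php and the SQL below without escaping.
gen_password() {
    rand_chars 32 'A-Za-z0-9!@#$%^&*()_+=-'
}

# SQL that creates the database and a user limited to it: if wp-config.php
# is ever read by an attacker, other schemas on the server stay out of reach.
db_setup_sql() {
    db=$1
    user=$2
    pass=$3
    cat <<EOF
CREATE DATABASE \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# For a NEW installation only. On an existing site, changing the prefix in
# wp-config.php alone breaks the site: the tables themselves and the
# prefixed keys in *_options (user_roles) and *_usermeta (capabilities)
# have to be renamed as well.
apply_prefix() {
    wp config set table_prefix "$1"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    PREFIX=$(gen_prefix)
    PASS=$(gen_password)
    echo "table_prefix: $PREFIX"
    db_setup_sql wp_site wp_site_user "$PASS"
fi
```

Run with `RUN_EXAMPLE=1 sh setup-db.sh` to print the prefix and SQL; feed the SQL to `mysql -u root -p`, then put the same values in wp-config.php (or let the installer write them).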
Follow the proper use of WordPress usernames and roles
The WordPress username we create should be a combined name like «Guillermo of Toronto», never admin or the name of the site. This raises the cost of a brute-force attack, because the attacker has to guess the login as well as the password, but it only works together with a generated password: the login is not a secret. WordPress derives the public author slug from it and exposes that slug through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users) for any user who has published a post.
That is why the user created during installation is turned into an «Editor» once we have created a new administrator. New content is always published as an Editor, never as an Administrator, so the administrator's login never shows up in any public listing. This is a basic safety rule. It does not mean we must log in as one or the other depending on what we are going to do: we can always log in as the Administrator and, when publishing, select the Editor in the Author box of the post.
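The account layout above done with WP-CLI, plus a small function that shows why the login alone is not a secret. This is an added example, not code from the original post: the logins, e-mail addresses and site path are placeholders, user ID 1 is assumed to be the account the installer created, and `nicename_from_login` is only an approximation of how WordPress builds the author slug from a login.

```shell
#!/bin/sh
# Added example (not from the original post): create the administrator and
# editor accounts described above with WP-CLI, and show how a login turns
# into the public author slug. Site path, logins and e-mails are assumptions.
SITE=${SITE:-/var/www/html}

# Approximation of how WordPress derives user_nicename from the login:
# lowercase, runs of whitespace to a hyphen, other characters dropped,
# repeated hyphens collapsed, leading/trailing hyphens trimmed.
nicename_from_login() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]\{1,\}/-/g' \
        -e 's/[^a-z0-9_-]//g' -e 's/-\{2,\}/-/g' -e 's/^-//' -e 's/-$//'
}

# 32-character random password (letters and digits only, no escaping needed).
random_password() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# Create the new administrator and the publishing editor, then demote the
# installer's account (assumed to be user ID 1) to editor. The display name
# and nicename are set explicitly so the archive slug does not echo the login.
setup_accounts() {
    admin_pass=$(random_password)
    editor_pass=$(random_password)

    wp --path="$SITE" user create "Guillermo of Toronto" admin@example.com \
        --role=administrator --user_pass="$admin_pass" \
        --display_name="Site admin" --user_nicename=site-admin
    wp --path="$SITE" user create "Editorial desk" editor@example.com \
        --role=editor --user_pass="$editor_pass" \
        --display_name="Editorial" --user_nicename=editorial

    wp --path="$SITE" user update 1 --role=editor

    echo "administrator password: $admin_pass"
    echo "editor password: $editor_pass"
}

# Re-author an existing post as the editor.
# Usage: publish_as_editor POST_ID EDITOR_USER_ID  (IDs from `wp user list`)
publish_as_editor() {
    wp --path="$SITE" post update "$1" --post_author="$2"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    setup_accounts
fi
```

With the default slug, «Guillermo of Toronto» would be published under /author/guillermo-of-toronto/, which hands the attacker the login back; setting `--user_nicename` is what keeps the two apart.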
Use a password manager
Save your web passwords in a password manager that encrypts them properly, such as LastPass. Do not use Word or Excel files to store passwords: apart from being completely insecure, it will be very difficult to find a password when you need it later.
Avoid using free Wi-Fi connections
Never log in to a site that needs a password over an open or free Wi-Fi network. It can be a trap set up to capture your traffic and all your login details.
Use a good antivirus
Install a good antivirus on your computer to avoid Trojans that can capture all your credentials.
Always log out of your own installation
Of course, never forget to log out of your installation when you are on a computer that is not yours. If you do forget, log in to WordPress immediately from your own device, go to your profile and use «Log Out Everywhere Else» in the Sessions section, which invalidates every other session; changing your password there does the same.
Keep your WordPress installation up to date
WordPress, like any other software, has bugs, either functional bugs or security bugs, and so do the theme and the plugins you have installed.
Always update WordPress to the latest version and never deactivate automatic core updates (by default they install minor and security releases on their own). The only reason people deactivate them is that they have modified the WordPress core, which I consider an aberration. You should never modify the core; WordPress hooks exist for exactly this reason, and a hand-modified core also means you can no longer tell your own changes apart from files an attacker has altered.
You must also update the theme and the plugins you use. If you use premium plugins, make sure you can actually update them, either because you hold the licence or because your premium theme updates them for you; a premium plugin with no update channel keeps every vulnerability it had the day you bought it.
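The update routine above as a WP-CLI script, added here as an example rather than taken from the original post. It reports what is pending, applies core, database, plugin and theme updates in order, and verifies the installed core and plugin files against the checksums WordPress.org publishes, which is how you find out whether the core has been modified, by you or by someone else. The site path is an assumption and the CSV sample is constructed for the test.

```shell
#!/bin/sh
# Added example (not from the original post): a maintenance routine with
# WP-CLI that reports pending updates, applies them, and verifies core and
# plugin files against the official checksums. Site path is an assumption.
SITE=${SITE:-/var/www/html}

# Parse `wp plugin list --format=csv` (columns: name,status,update,version)
# from stdin and print the plugins with an update available, one per line.
plugins_with_updates() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Report what is pending without touching anything.
report_pending() {
    wp --path="$SITE" core check-update
    wp --path="$SITE" plugin list --format=csv | plugins_with_updates
    wp --path="$SITE" theme list --update=available --field=name
}

# Apply updates: core first, then its database schema, then plugins and
# themes. Take a backup before running this.
update_all() {
    wp --path="$SITE" core update
    wp --path="$SITE" core update-db
    wp --path="$SITE" plugin update --all
    wp --path="$SITE" theme update --all
}

# Compare installed files against the checksums WordPress.org publishes.
# Any "File doesn't verify against checksum" line means the file differs
# from the release: a local modification or injected code. The plugin check
# only covers plugins distributed through the WordPress.org directory.
verify_checksums() {
    wp --path="$SITE" core verify-checksums
    wp --path="$SITE" plugin verify-checksums --all
}

# Constructed sample of `wp plugin list --format=csv` output for the test.
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,available,4.1.3
hello-dolly,inactive,none,1.7.2
contact-form-7,active,available,5.1.6'

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    report_pending
    update_all
    verify_checksums
fi
```

Running `verify_checksums` on a schedule, not only after updates, is the cheapest way to notice an injected file in wp-includes/ or wp-admin/ before visitors do.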
Many people think they are a 'nobody' in the industry, so why would anyone hack them? The point is that attackers don't want to hack 'you' in particular but YOUR ACCOUNT: to use your server's resources, to plant backlinks, or to serve malware to everyone who visits your site. In fact, you often don't even know you have been hacked.
If we follow all of the above recommendations, we will be using our installation correctly and safely.
Hey, but I haven't talked about security plugins! No, I have not. Again, if we follow all of the above recommendations, and especially keep everything updated and install themes and plugins only from official sites (the WordPress.org directory or the developer's own site), we won't need any security plugins.