WordPress Security Best Practices:
The Definitive Guide (2017)

When it comes to running a WordPress website, you want to make sure that you follow the WordPress security best practices.

Given how much damage an online attack can do, it is imperative that you run your site safely and deliberately.

Whatever kind of site you run, you will benefit from following these WordPress security practices.

WordPress Security Best Practices

CONTENTS

Chapter 1: Online Safety: Crash Course
Chapter 2: How Is WordPress Affected by These Threats?
Chapter 3: Common WordPress Mistakes
Chapter 4: Using Plugins to Your Advantage
Chapter 5: Finding the Right Host
Chapter 6: WordPress Security Best Practices
Chapter 7: WordPress Security Vulnerabilities
Chapter 8: Protecting Your Audience
Chapter 9: WordPress Backup Basics
Chapter 10: What If I’m Hacked?
Chapter 11: WordPress Security Checklist

CHAPTER ONE:
Online Safety Crash Course

The internet is a big place, and threats can come from anywhere.

An estimated 63% of computers are controlled by hackers (source), and that percentage will only rise if we don't stay vigilant.

Why do you need to know this?

Because you need to recognize every place where your WordPress site could be vulnerable, and not all of those places are on the server.

Understanding the Possible Threats

Online threats can come from anywhere, and that includes the computer you use to update your website.

If that machine is infected, an attacker can read your WordPress password, your FTP credentials and your session cookies, and every protection on the server is bypassed.

So the basic security steps start at your own computer: keep the operating system and browser patched, run a firewall and an up-to-date virus scanner, and never log in to your site from a shared or untrusted machine.

The other threat everyone meets is email.

Phishing and Spam Emails

Billions of emails are sent every day, so it makes sense that phishing links and malware attachments arrive through email too.

A phishing message looks like a legitimate notice from your host, your bank or WordPress itself, with a link to a copy of the real login page; the only reliable tell is the address in the browser, not the look of the email.

There are seven well-known types of threats that can take advantage of your WordPress security vulnerabilities:

  • Viruses and Malware

    In many cases, the threat is malicious software trying to get into your website, and from there possibly into your computer.

    On a WordPress site, malware usually arrives through a vulnerable plugin or theme, or through a stolen password, and then hides as an injected PHP backdoor or as spam and redirect code added to your pages.

    It can steal data, serve malware to your visitors, or simply take the site down.

  • SQL Injection Attacks

    SQL injection is a common form of attack. It can be used to read user information such as credit card numbers and password hashes, but in most cases it is used to take over the website outright. Acunetix rates SQL injection as a high-severity vulnerability.

    23% of the scans they ran found a site vulnerable to SQL injection.

    In WordPress, core is rarely the problem; SQL injection almost always comes from a plugin that builds queries by pasting user input into SQL strings instead of using $wpdb->prepare().

  • Ransomware

    Ransomware is fast becoming a favorite scheme among attackers.

    It encrypts your files and demands payment for the decryption key, and there are variants that target web servers and encrypt every site on them, along with any backups they can reach.

    The United States is by far the most targeted country, and with almost two-thirds of victims willing to pay the ransom (source), the incentive for attackers only grows over time.

  • Big Brother

    Recently, we’ve seen governments use targeted attacks to disrupt systems or retrieve potentially sensitive information.

    Whether it’s Russia interfering in the US election or North Korea going after bank software, sometimes the threat is much more than a hacker in a basement.

  • Email Scams and Phishing

    Sometimes the call is coming from inside the house, especially if attackers control an account that is in your contact list.

    A convincing email from a colleague or from your host gets them a password far more easily than a brute force attack would.

  • Denial-of-Service Attacks

    Attempts to take your site offline rather than to break into it.

    The server, or the network in front of it, is flooded with far more requests than it can handle, so legitimate visitors cannot get through. On WordPress, xmlrpc.php and wp-login.php are favorite targets because each request is expensive to serve.

  • Forcing Their Way In

    If you’re not familiar with a brute force attack, it’s when an attacker’s software tries username and password combinations against your login page, thousands or millions of times, until one works.

    Nothing has to crash: a weak or reused password and an unlimited number of attempts are all it takes to hand over an administrator account.
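To make the SQL injection point concrete for WordPress, here is an added example (not code from any real plugin or from WordPress core) of the query pattern behind most plugin SQL injection, next to the fixed version. $wpdb and its prepare() method are WordPress core; the shop_orders table and the order_ref parameter are assumed for the example.

```php
<?php
// Added example for this guide, not code from any real plugin.
// $wpdb and $wpdb->prepare() are WordPress core; the "shop_orders" table and
// the "order_ref" request parameter are assumptions for the example.

// VULNERABLE: the request parameter is pasted straight into the SQL string.
// A request with  ?order_ref=x' OR '1'='1  turns the WHERE clause into
//   WHERE ref = 'x' OR '1'='1'
// which is true for every row, so the caller gets the whole table.
function example_find_order_vulnerable( $order_ref ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, total FROM {$wpdb->prefix}shop_orders WHERE ref = '$order_ref'"
    );
}

// FIXED: prepare() binds the value as a quoted, escaped string literal, so the
// quote inside the payload becomes data instead of SQL. Use %s for strings and
// %d for integers; never interpolate the variable itself.
function example_find_order_safe( $order_ref ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, total FROM {$wpdb->prefix}shop_orders WHERE ref = %s",
        $order_ref
    ) );
}

// Note that a custom table prefix does not protect the vulnerable version:
// the plugin interpolates $wpdb->prefix itself, so the attacker's payload
// never needs to know what the prefix is.
```

When you audit a plugin, grep it for `$wpdb->query`, `get_results`, `get_var` and `get_row` and check that every one either has no variables in the SQL or goes through `prepare()`.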

So What Can You Do About It?

First and foremost, understand where your WordPress security vulnerabilities lie and take steps to correct them.

In many cases, simply keeping WordPress, your plugins and your themes updated, and being careful about what sensitive data you store, goes most of the way toward keeping your site safe.

The other part of being safe on the internet is that if you become vulnerable, you put others at risk.

If your site gets infected, it can serve malware to your visitors without their knowledge, and a compromised site is routinely used as a launch point for attacks on other sites.

And because WordPress is open source and enormously popular, a vulnerability in one widely used plugin affects every site that runs it, which is why attackers scan for known plugin vulnerabilities at scale.

In the end, we must all do our part to follow WordPress security best practices.

CHAPTER TWO:
How Is WordPress Affected by These Threats?

Since WordPress is open source, anyone can read its code, report bugs in it and contribute fixes.

It also means that anyone can write themes and plugins for WordPress and publish them.

While this openness is beneficial for a lot of reasons, it also means that the quality and security of the add-ons varies enormously, and that attackers can read the same code you run.

Is WordPress Safe to Use?

At its core, WordPress is actively maintained and security-reviewed, and security fixes for core ship as automatic updates; it is secure enough to use without worrying about surprises lurking in the code.

The problems begin when you forget to update your WordPress install, or when you start adding plugins and other add-ons.

According to research, over 83% of the WordPress sites examined were vulnerable to attack.

Out of the ten most insecure plugins, half were commercially available for purchase.

That shows that paying for a plugin is no guarantee of safety, and how easy it is to become a victim of online threats.

Don’t Make Assumptions

Most WordPress users assume that every plugin’s code has been tested and retested for security flaws, but many haven’t been.

In fact, even security plugins have had vulnerabilities of their own, which means that you can’t blindly trust the plugins designed to keep you safe.

In many instances, site builders believe that a few simple changes will give total protection, or that they are not important enough for hackers to target.

This is a mistake. Most WordPress attacks are automated: a bot does not care who you are, only that you run a plugin with a known hole.

If you want to follow the best security practices for WordPress, you need to be proactive, not reactive.

Always Do Your Homework

Considering that plugins and other add-ons are the most significant source of vulnerabilities, you have to take extra precautions to ensure that what you’re using is safe.

I will go over testing plugins in more detail later.

The important thing to keep in mind is that you want to plan for the worst and hope for the best.

As soon as you let your guard down, your site can be attacked.

CHAPTER THREE:
Don't Make These WordPress Mistakes

Many users, especially first-time users, make some common mistakes.

Absent-mindedness, or just not knowing what to do, makes a website easy to hack.

Before I jump into getting your website protected, here are some common mistakes to avoid.

#1 Bad Hosting Company

While the onus is ultimately on you to make your site secure, you are only part of the equation.

If you have a hosting company that doesn’t keep its servers patched and isolated, then you could be setting yourself up for failure. By one estimate, 41% of hacked blogs were compromised through their web host.

(I’ll share my top hosting companies in Chapter 5.)

Use a reputable host to get your site online, and check whether they follow WordPress security best practices: current PHP and MySQL versions, isolation between accounts on shared servers, and automatic backups.

#2 You’re Too Old for This Sh**

How often are you updating your WordPress install?

Furthermore, do you have the latest version of WordPress and of all of your plugins and themes?

Go to your WordPress Dashboard and click Updates.

You will see every update that is pending for your install.

Updates come out all the time, and many of them fix publicly disclosed vulnerabilities; if you don’t stay on top of them, you wind up with an obsolete WordPress install or plugins, which is a hacker’s dream.

#3 That’s a Weak Password, Bro

For many people, their password is their undoing. If you use the same one on multiple sites, a breach of any one of them gives attackers the password to all the others.

Similarly, if you use a short or predictable password, you are leaving the keys in the front door of your house.

Your password should be long (a dozen characters or more) and unique to this site; a password manager makes that painless. Change it immediately if you suspect it has leaked, rather than on a fixed schedule.

How To Change Your Password In WordPress:

Click Users, choose your user account (or Your Profile), and click Generate Password.

WordPress will generate a strong random password for you; copy it into your password manager before you save.

#4 Not Cleaning House

It’s easy to accumulate plugins, themes and other old files remarkably fast.

Unfortunately, as they sit around unused, they can still be exploited to gain access to your site: a deactivated plugin’s PHP files are still on the server and reachable by URL, and nobody remembers to update them.

Delete what you don’t use, including unused themes and any backup or installer files left in the web root, rather than just deactivating it.

#5 Who Do You Trust?

Never download a plugin from a source that isn’t reputable. The WordPress.org plugin directory is a good place to start.

There are several ways to judge a plugin, including user reviews, the number of active installs and how recently it was updated.

"Nulled" copies of paid plugins from download sites are a classic way to get a backdoor installed for free.

But keep a sharp eye on all WordPress plugins, especially if they are new or seem too good to be true.

#6 Failing to Back Up Your Website

Backups are crucial. Even if your website is hacked, you can restore it from a clean copy.

The recent ransomware attacks showed how hard it can be to get data back once an attacker has encrypted or stolen it.

I will cover backups in more detail in Chapter 9.

Keep reading…

CHAPTER FOUR:
How To Use Plugins to Your Advantage

Plugins are useful tools that extend your website and make it more enjoyable to use.

Even though I’ve been highlighting that third-party code such as plugins is a huge part of the security problem, the reality is that many plugins are incredibly helpful.

Before I list the top security plugins for WordPress, these are the steps you need to take to make sure you are choosing the right plugin.

Chapter 4 How To Use Plugins To Your Advantage

How to Verify if a Plugin is Safe

As you have probably noticed, the plugin links in this guide go to the plugin’s page on WordPress.org rather than to the author’s own site.

I did that so that you can pay attention to a few critical data points on that page.

  • Number of Active Installs

    This shows you how many sites are running the plugin.

    The higher the number, the better the odds that it is trustworthy, since more people are using it and reporting problems.

  • Last Updated:

    Avoid plugins that haven’t been updated in the last six months or so, and check the "Tested up to" version as well.

    Since attackers are always trying new attacks, it’s imperative that your plugin stays maintained.

  • Rating:

    While this is not a perfect way to judge a plugin, it can provide valuable insight when you read what other users have to say.

    Be sure to read both positive and negative reviews to get a better sense of what to expect.

  • Support:

    This shows how many support threads have been resolved in the last two months.

    This tells you how responsive the plugin’s authors are, which is also a good proxy for how quickly they will ship a security fix.

Now that you know how to choose the right plugin for your business, below are my picks for the top WordPress security plugins.

Top WordPress Security Plugins

#1 iThemes Security Pro

This is my number one plugin to keep your site safe, and it comes from the team at iThemes.

It is highly rated and provides comprehensive security for your site, such as making sure your software is up to date and protecting you from brute force attacks.

#2 All in One WP Security and Firewall (FREE)

What I like about this plugin is that it not only scans your site for vulnerabilities and shows you how to fix them,

but it also provides a grading system so that you can easily see where you’re at and how much you need to improve.

#3 VaultPress (from $9 a month)

One issue that plagues most WordPress sites is that they don’t have backups in case something happens.

VaultPress solves that problem by automatically copying your files and database to its own servers. Not only that, but you get monitoring and security scanning as well.

#4 Sucuri Security (FREE)

This is a comprehensive plugin that logs activity on your site, checks core files for modifications and scans for malware.

It also provides a rundown of issues that need attention, so that you’re never wondering whether something is missing from your protection.

#5 Wordfence Security (FREE)

With over twenty million downloads, this is one of the most popular WordPress security plugins.

It offers a malware scanner and a web application firewall, including a live traffic view so you can see when someone is trying to break in. It also suggests fixes for the problems it finds so that you can stay protected.

CHAPTER FIVE:
Finding a Suitable WordPress Host For Your Business

As I mentioned earlier, you are only one piece of the online security puzzle.

This means that while you can do your part to ensure that your site is safe, you can never guarantee 100% security, because you rely on your hosting service to cover the gaps at the server level.

When trying to find the right host, pay attention to some details regarding how it stores and handles your data.

While user reviews and longevity give you an accurate picture of what to expect, these features take it a step further.

A Secure Datacenter

Check where their servers are located and how they are protected, not only from cyber attacks but from physical ones as well.

You don’t want your site to go down because of a natural disaster, so make sure the datacenter is in a location with a low risk of such events and that your backups are stored somewhere else.

Back That Data Up

Some hosts offer services that automatically back up all of your website files and your database to a separate server.

This can be a huge help in the event of an attack, as you can restore your site much faster without losing data in the process.

Up-time Guarantee

No host can promise that your site will never go down, but many offer a service-level guarantee.

Typically these guarantees are for 99% uptime or better, and you get a credit if availability ever dips below that percentage.

Positive Reviews

If possible, find reviews of your host on a third-party website.

This gives you a more accurate and better-rounded picture of the company.

See what security issues other customers had in the past, and whether the host took steps to correct the problem or ignored it.

Here are my top WordPress host picks

If you decide to use a managed WordPress host, these are the providers I hand-picked for you:

DREAMHOST.COM

This host makes it super easy to get started with WordPress, so if you want to get up and running ASAP, this can be a fantastic option.

Best of all, they offer a 97-day money-back guarantee if you change your mind.

BLUEHOST.COM

This is another fantastic option for WordPress.

The prices are decent, and you get a lot of added features with your plan.

This host is ideal if you want to do a lot with WordPress.

HOSTGATOR.COM

This is one of the most highly rated hosting companies out there.

The prices are competitive, and the customer service is fantastic.

Hostgator also has one of the fastest networks you can find, which means that your site will load much quicker than on many competitors.

LIQUIDWEB.COM

This host has much higher prices than most, but you get a lot more in the way of quality and service.

They will take care of you better than any other host on this list, and that makes it much easier to build a comprehensive website that outshines your competitors.

This is the ultimate WordPress host.

CHAPTER SIX:
WordPress Security Best Practices

So far, we’ve seen how online threats can undermine your WordPress site; now is the time to implement solutions to the most common problems.

Security is an Ongoing Process

One thing to keep in mind is that, regardless of the specific methods you use, online safety has to be maintained on a regular basis.

Don’t assume that because your site is "secure" today it will be the same tomorrow.

You should always be on the lookout for new threats, and you should be reacting accordingly.

As they say, an ounce of prevention is worth a pound of cure.

Update Your Software (Constantly)

While WordPress itself doesn’t release updates on a near-constant basis, your plugins most likely will.

If you have a bunch of plugins installed for various reasons, odds are that one of them will need an update almost every day.

Checking for updates and installing them should be part of your routine.

Leave WordPress’s automatic background updates switched on for core security releases; they are the fastest way a critical fix reaches your site. But don’t rely on them alone: by default they don’t cover major versions, plugins or themes, so you still have to visit the Updates screen yourself.

Change Your Password

If you worry that you will forget a strong password, the wrong fix is to take a simple word and decorate it with capitals and numbers.

For example, changing Password to P@ssW0rd does not help: every cracking wordlist already contains these substitutions, and a brute-forcer tries them first.

A password you can remember is fine if it is long, for instance four or five unrelated words, and not used anywhere else.

But the random password tool WordPress provides, stored in a password manager, is the best option for creating passwords.

Enable Lockout Protection

If an attacker tries to get into your site, he or she will make many attempts, usually with an automated script rather than by hand.

You can use the plugin Login Lockdown to block that.

If you don’t limit the number of attempts an IP address can make, an attacker with a large password list will eventually get in through sheer persistence.

After you install the plugin, you will see the lockout notice on your WordPress login page.

Note that wp-login.php is not the only place a password can be tried: xmlrpc.php accepts credentials too, and can test many of them in a single request, so make sure your lockout covers it or disable XML-RPC if you don’t use it.
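To show what a lockout actually does under the hood, here is an added example of a minimal must-use plugin that implements it (this is not the Login Lockdown plugin’s code). It assumes the site is not behind a reverse proxy, so REMOTE_ADDR is the real client address, and the 5-attempts-in-15-minutes policy is an assumption for the example.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 *
 * Added example for this guide; it is not the Login Lockdown plugin's code.
 * Save it as wp-content/mu-plugins/example-login-lockout.php and it is
 * active immediately (mu-plugins need no activation).
 *
 * Policy (assumed for the example): after 5 failed logins from one IP
 * address within 15 minutes, refuse all logins from that IP until the
 * window ends. Every further attempt during the lockout restarts the window.
 */

define( 'WPSEC_MAX_FAILURES', 5 );
define( 'WPSEC_WINDOW_SECONDS', 15 * 60 );

/**
 * Client address used as the lockout key. Only REMOTE_ADDR is trusted:
 * X-Forwarded-For is attacker-controlled unless a proxy you run sets it,
 * and trusting it would let an attacker reset the counter on every request.
 */
function wpsec_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient names are length-limited, so key on a hash of the IP. */
function wpsec_lockout_key( $ip ) {
    return 'wpsec_fail_' . md5( $ip );
}

/** Number of failures recorded for an IP in the current window. */
function wpsec_failure_count( $ip ) {
    return (int) get_transient( wpsec_lockout_key( $ip ) );
}

/** True when the IP has used up its attempts. */
function wpsec_is_locked_out( $ip ) {
    return wpsec_failure_count( $ip ) >= WPSEC_MAX_FAILURES;
}

// Every wrong username/password, whether via wp-login.php or xmlrpc.php,
// fires wp_login_failed; count it and (re)start the window.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = wpsec_client_ip();
    set_transient( wpsec_lockout_key( $ip ), wpsec_failure_count( $ip ) + 1, WPSEC_WINDOW_SECONDS );
} );

// Priority 30 runs after WordPress's own password check (priority 20), so
// even a correct password is refused while the IP is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( wpsec_is_locked_out( wpsec_client_ip() ) ) {
        return new WP_Error( 'wpsec_locked_out', 'Too many failed login attempts. Try again in 15 minutes.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wpsec_lockout_key( wpsec_client_ip() ) );
}, 10, 2 );
```

Because the counter lives in transients, it is shared across all PHP processes and survives until the window expires. The trade-off of keying on IP address is that everyone behind one office or carrier NAT is locked out together, and an attacker with many addresses gets five tries per address, which is why the lockout is a complement to strong passwords and two-factor authentication, not a substitute.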

 

Least Privilege Principle

If you have multiple people working on your site, they shouldn’t all have the same level of access.

Give each person the lowest WordPress role that lets them do their job: Contributor or Author for writers, Editor for whoever publishes, and Administrator only for the one or two people who install plugins and change settings.

The principle is that an account can only be abused for what it is allowed to do, so a phished Author account costs you a few posts, while a phished Administrator account costs you the whole site.

Use Two-Factor Authentication

Two-step authentication may seem like a pain every time you log in, but it adds a great deal of security to your site without requiring any significant changes.

It also blunts brute force attacks and password theft: a guessed or stolen password alone is no longer enough to log in.

The two two-step authentication plugins I like are:

#1 Shield Security

This plugin is simple to use with some very powerful features.

This includes:

  • Two-step authentication.
  • Blocking malicious links.
  • Keeping spam bots out.
  • Control over automatic updates.
  • Brute force protection.
  • And much more...

#2 Google Authenticator

This plugin is very secure, and the two-step authentication is easy to set up.

This includes:

  • Two-step authentication via a code generated on your phone.
  • And much more...

Backup Your Data Frequently

You should be doing this already, but if not, now is the best time to start.

This way you can recover quickly after an attack and keep your site running without missing a beat.

You should keep multiple backups as well, stored somewhere other than the web server, just in case one of them is compromised or deleted along with the site.

Create a Better Username

If you are still using the default "admin" as your username, you are simply asking to be hacked: it is the first name every brute force script tries.

Make it something unique that won’t be easy to guess, but keep in mind that WordPress reveals usernames in several places (author archive URLs, the REST API), so a good username is only a small obstacle; the strong password and the lockout are what actually stop the attack.
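The least-privilege and username points above are easy to state and easy to let slide. Here is an added example (not WordPress core code and not from any plugin) of a must-use plugin that audits both and registers a restricted role to hand to people who today are Editors only because nothing sits between Author and Editor. The "at most two administrators" threshold and the role name are assumptions.

```php
<?php
/**
 * Plugin Name: Example Privilege Audit
 *
 * Added example for this guide, not code from WordPress core or any plugin.
 * Two parts: an audit that reports accounts breaking least privilege, and a
 * restricted "Publisher" role (Editor minus unfiltered_html). The threshold
 * of two administrators and the role name are assumptions.
 */

/**
 * Returns the findings as plain strings; an empty array means nothing to fix.
 */
function wpsec_audit_privileges( $max_admins = 2 ) {
    $findings = array();

    // "admin" is the first login name every brute-force script tries.
    if ( get_user_by( 'login', 'admin' ) ) {
        $findings[] = 'A user with the login name "admin" exists; rename it.';
    }

    // Too many administrators: each one is a full takeover waiting for a phish.
    $admins = get_users( array( 'role' => 'administrator' ) );
    if ( count( $admins ) > $max_admins ) {
        $findings[] = sprintf(
            '%d administrators (%s); only the people who install plugins need this role.',
            count( $admins ),
            implode( ', ', wp_list_pluck( $admins, 'user_login' ) )
        );
    }

    // unfiltered_html lets an account publish raw <script>, so a compromised
    // Editor can inject JavaScript into every page just like an Administrator.
    foreach ( get_users() as $user ) {
        if ( user_can( $user, 'unfiltered_html' ) && ! user_can( $user, 'manage_options' ) ) {
            $findings[] = sprintf(
                'User "%s" can publish raw HTML/JavaScript without being an administrator.',
                $user->user_login
            );
        }
    }

    return $findings;
}

/**
 * Register a "Publisher" role: everything an Editor can do except
 * unfiltered_html. Roles are stored in the database, so this effectively
 * runs once; the role then appears in the role drop-down under Users.
 */
function wpsec_register_publisher_role() {
    if ( get_role( 'wpsec_publisher' ) ) {
        return; // already registered
    }
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return;
    }
    $caps = $editor->capabilities;
    unset( $caps['unfiltered_html'] );
    add_role( 'wpsec_publisher', 'Publisher', $caps );
}
add_action( 'init', 'wpsec_register_publisher_role' );
```

With WP-CLI installed you can run the audit from the shell with `wp eval 'foreach ( wpsec_audit_privileges() as $f ) echo "$f\n";'` and then move the flagged Editors to the Publisher role from Users in the dashboard. On a multisite network `unfiltered_html` is already restricted to super admins, so only the first two checks matter there.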

Overall, when it comes to preventing WordPress security vulnerabilities, take the extra time to do things the right way rather than making things easier on yourself.

In the end, every shortcut that makes your own login easier makes the attacker’s job easier too.

Advanced Edits to the wp-config.php File

When you install WordPress, one of the most important files is wp-config.php.

It contains sensitive information, such as the database name, username and password that WordPress uses to connect to its database, plus the secret keys that protect your login cookies.

You can make changes to wp-config.php to help secure your WordPress website.

Below are some of the changes you can make.

WARNING: Before you make any changes, make sure you back up your website, just in case you need to restore it. A single syntax error in wp-config.php takes the whole site down.

Change Your Database Prefix

By default, every WordPress table name starts with wp_.

Changing the prefix is a small obstacle rather than a real defense: it only hinders automated attacks that blindly assume wp_, and a SQL injection in a plugin still works because the plugin supplies the prefix itself. Do it if you like, but put your effort into updates and passwords first.

Pick something short and random, for example wesd_.

On a new install, set the prefix in wp-config.php before you run the installer:

$table_prefix = 'wesd_';

On an existing site, changing that line alone breaks everything, because the tables in the database are still called wp_posts, wp_users and so on, and some rows (the wp_user_roles option and the wp_capabilities user meta) contain the prefix in their data. You have to rename the tables and update those rows as well; most of the security plugins in Chapter 4 have a tool for exactly that.
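For anyone who wants to see what that tool does rather than trust it blindly, here is an added example (not WordPress core code and not from any plugin) of the rename as a one-off script. It assumes a single site (multisite has per-blog tables that need the same treatment), a backup already taken, and WP-CLI to run it with `wp eval-file`.

```php
<?php
/**
 * Added example for this guide, not WordPress core code: rename an existing
 * site's tables from the wp_ prefix to a new one and fix the rows that embed
 * the prefix in their data. Assumes a single site and a fresh backup.
 *
 * Run once from the site root:   wp eval-file rename-prefix.php
 * then set   $table_prefix = 'wesd_';   in wp-config.php and reload the site.
 */

function wpsec_rename_table_prefix( $old = 'wp_', $new = 'wesd_' ) {
    global $wpdb;

    // WordPress only allows letters, digits and underscores in a prefix.
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $new ) || $old === $new ) {
        return new WP_Error( 'bad_prefix', 'Prefix must be letters, digits and underscores, and differ from the old one.' );
    }

    // Every table whose name starts with the old prefix. esc_like() escapes the
    // underscore, which would otherwise be a LIKE wildcard.
    $like   = $wpdb->esc_like( $old ) . '%';
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );

    foreach ( $tables as $table ) {
        $renamed = $new . substr( $table, strlen( $old ) );
        $wpdb->query( "RENAME TABLE `$table` TO `$renamed`" );
    }

    // Rows that store the prefix inside their data, not just in the table name.
    // The options table holds the role definitions under {prefix}user_roles ...
    $wpdb->query( $wpdb->prepare(
        "UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
        $new . 'user_roles',
        $old . 'user_roles'
    ) );
    // ... and usermeta keys such as {prefix}capabilities and {prefix}user_level
    // tie every user to their role. SUBSTRING is 1-based, hence the +1.
    $wpdb->query( $wpdb->prepare(
        "UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
        $new,
        strlen( $old ) + 1,
        $like
    ) );

    return count( $tables );
}

$result = wpsec_rename_table_prefix( 'wp_', 'wesd_' );
if ( is_wp_error( $result ) ) {
    echo $result->get_error_message(), "\n";
} else {
    echo "Renamed $result tables. Now set \$table_prefix = 'wesd_'; in wp-config.php.\n";
}
```

Until you edit wp-config.php the site will show the installation screen, because WordPress looks for wesd_options and finds nothing; that is expected and goes away as soon as the prefix line matches the renamed tables. If you ever forget the usermeta step, every user is logged in but has no role at all, which is the classic symptom of a half-done rename.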

 

Change Your Security Keys

The WordPress security keys and salts are random secrets that WordPress mixes into the hashes that protect your login cookies and nonces. They don’t encrypt your data, but if they leak, an attacker with a copy of your database can forge a logged-in cookie for any user.

There are eight of them: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, each with a matching _SALT. You can get a fresh set from the WordPress secret-key API at https://api.wordpress.org/secret-key/1.1/salt/.

After you get your keys, replace the existing define() lines in wp-config.php with them.

Changing the keys invalidates every existing login cookie, which logs every user out, including you; that is also why rotating them is a standard step after a suspected compromise.
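If you would rather not fetch secrets from a remote service, the keys are nothing more than long random strings. Here is an added example (not WordPress core code) that generates a full set locally; it assumes PHP 7 or newer for random_int().

```php
<?php
// Added example for this guide, not WordPress core code: generate the eight
// wp-config.php keys and salts locally instead of fetching them from
// api.wordpress.org. Assumes PHP 7+ (random_int). Run:  php gen-salts.php

/**
 * Returns the eight define() lines, each with a fresh $length-character
 * secret. The alphabet has no quote or backslash so the values can be
 * pasted inside single-quoted PHP strings without escaping.
 */
function wpsec_generate_salts( $length = 64 ) {
    $names = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $last  = strlen( $alphabet ) - 1;
    $lines = array();

    foreach ( $names as $name ) {
        $value = '';
        for ( $i = 0; $i < $length; $i++ ) {
            // random_int() is a CSPRNG; rand()/mt_rand() are predictable and
            // must never be used for secrets.
            $value .= $alphabet[ random_int( 0, $last ) ];
        }
        $lines[] = sprintf( "define('%s', '%s');", $name, $value );
    }
    return $lines;
}

echo implode( "\n", wpsec_generate_salts() ), "\n";
```

Paste the output over the existing eight defines in wp-config.php. Sixty-four characters from a 90-symbol alphabet is far beyond what any brute force could cover; what matters is that the values come from a cryptographic generator and that they are unique to this site.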

Force the Use of FTPS

When WordPress can’t write to its own files directly, it asks for FTP credentials to install updates and plugins, and by default it sends them over plain FTP.

Most hosting companies support FTPS (FTP over TLS). To make WordPress use it for those transfers, add the following line to wp-config.php:

define('FTP_SSL', true);

This only affects WordPress’s own update mechanism. For your own uploads, use SFTP or FTPS in your client and never plain FTP, which sends your password in clear text.

Force Your Website to Use SSL

HTTPS is becoming the norm for websites.

If I don’t see the secure lock in the address bar of a website, I will not make any purchases from that website.

To force the WordPress login and admin pages to use HTTPS, add the following line to wp-config.php (you need a valid certificate installed on the host first):

define('FORCE_SSL_ADMIN', true);

That protects your own credentials. To put the rest of the site on HTTPS as well, set both the WordPress Address and the Site Address under Settings > General to https:// and add a redirect from http to https on the server.

Secure WordPress With .htaccess

The .htaccess file is one of the most powerful configuration files you can use to secure your WordPress website, on any host that runs Apache (nginx does not read it; the equivalent rules go in the server configuration).

This file is located in the root of your website, and WordPress writes its own permalink rules into it.

In some cases .htaccess is hidden, because its name starts with a dot. Do the following to make it visible in cPanel:

Log in to cPanel and click File Manager.

Click Settings in the top right.

Make sure Show Hidden Files (dotfiles) is checked, and click Save.

Now that your .htaccess file is visible, you can make changes to it with your favorite editor.

But before you edit the .htaccess file, I can’t stress this enough: make a backup.

You can simply copy it to your computer.

One mistake in this file returns a 500 error for the entire site, so make one change at a time and reload the site after each.

Below are some changes you can add to .htaccess to help secure your WordPress website. The rules use the classic Order/Deny syntax of Apache 2.2; Apache 2.4 still accepts it through mod_access_compat, and its native equivalent is Require all denied.

Protect Your wp-config.php

PHP files are not served as plain text in normal operation, but a misconfiguration can expose your database password. Copy and paste the code below into your .htaccess file:

<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

This rule matches only the exact file name, so also delete any backup copies such as wp-config.php.bak or wp-config.php~, which Apache happily serves as plain text.

Protect Your /wp-content/ Directory

The /wp-content/ directory is in the root of the site.

It contains your themes, plugins, uploads and other media, and it is where most backdoors get planted, typically as a PHP file inside uploads.

This rule does NOT go in the root .htaccess (there it would block index.php and the whole site). Create a separate .htaccess file inside /wp-content/ and paste the code below into it:

Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|ico|woff2?|ttf|eot|js)$">
Allow from all
</FilesMatch>

Everything not on that list, PHP files included, now returns 403 from wp-content. Add extensions for files your site serves from there (pdf, mp4, svg) and test the site afterwards, since a few plugins call their own PHP files directly and will stop working. If that is a problem, the less disruptive option is to block only .php files, and only inside /wp-content/uploads/.

Protect the PHP Configuration File

If your host uses a per-site php.ini (or .user.ini) in the web root, it reveals paths and settings to anyone who requests it. Copy and paste the code below into your .htaccess file:

<Files php.ini>
Order Allow,Deny
Deny from all
</Files>

Protect Your WordPress Login Page

You can use the WPS Hide Login plugin to move the login page to a different URL, which cuts down automated noise but is only obscurity. A stronger option, if you always log in from the same place, is to restrict wp-login.php to your own IP address with the rule below (change 123.123.123.123 to your IP address; search for "what is my IP address" to find it):

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
</Files>

Two caveats: if your IP address changes (most home connections do), you will lock yourself out until you edit the file again, and this rule does nothing for xmlrpc.php, which accepts the same credentials. Restrict or disable that file the same way if you don’t use it.

CHAPTER SEVEN:
Check Yourself for WordPress Security Vulnerabilities

While it’s helpful to go through your site and make changes on the back end, you can find out much more about potential problem areas by thinking and acting like an attacker.

Fortunately...

there are tools you can use to test your site’s security by essentially trying to break in from the outside.

How to Spot Issues and Resolve Them With Scanners

If you’re not familiar with how to attack your own website, you will most likely want to use a scanner to do it for you.

A scanner fingerprints your WordPress version, plugins and themes from the outside, compares them against databases of known vulnerabilities, and probes for common gaps such as exposed usernames, readable configuration files and open login endpoints.

These four scanning services will do the job well for you.

#1 WPScans

This is a reliable scanner that lets you check your site for free.

All you have to do is type in the web address, and you’ll get a pretty comprehensive report.

There are a few ways you can run it, such as:

  • Deep Scanning: examines your site in more detail to find problems
  • Quick Scanning: ideal for a checkup on your security setup
  • Automatic Scanning: I recommend this option to stay on top of your safety
  • Push Notifications: know instantly if there is a problem
  • Scan Multiple Sites: if you are an admin for a few different WordPress sites, this scanner can check them all.

#2 Sucuri SiteCheck

Considering that Sucuri also makes a plugin designed to protect WordPress sites, it makes sense that it would also have a scanner to spot potential issues.

It is fairly easy to use: enter your domain, and the results appear on the next page.

Best of all, it’s free. Here is what you can expect from this service.

  • Malware Scanning: checks your site for known malicious code and blacklisting
  • Malware Monitoring: stay up to date on new threats
  • Advanced Scheduling: set automatic scans so that you never forget
  • Malware Removal: if Sucuri finds something, its paid service can remove it for you

#3 WordPress Security Scan

To get the more comprehensive service, you will have to pay for this scan, but it is worth it to get a deeper look at your site and see where you could get hit without even knowing it.

To scan your website:

  • Simple: just enter your site’s URL
  • Fast: get results in seconds
  • Detailed: the scan shows you all potential issues in a report that highlights them

There is a free passive checkup as well. Among the checks:

  • Simulates a Brute Force Attack: this puts your lockout and security plugins to the test
  • Cross-checks Plugins Against Known Malware: makes sure that your add-ons are safe
  • Enumerates Users: lists the usernames your site gives away, which is exactly what an attacker collects before a brute force attack
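If a scanner lists your usernames, close the leaks it found. Here is an added example (not code from any scanner or plugin) of a must-use plugin that shuts the three usual ones: the ?author=N redirect, the REST users endpoint and the login form’s error message that distinguishes a wrong username from a wrong password.

```php
<?php
/**
 * Plugin Name: Example Anti-Enumeration
 *
 * Added example for this guide, not code from any scanner or plugin.
 * Save as wp-content/mu-plugins/example-anti-enumeration.php.
 * Closes the three usual username leaks so a scanner's "enumerate users"
 * check comes back empty.
 */

// 1. /?author=1 normally redirects to /author/<login>/, revealing the login
//    name of user 1 (and 2, 3, ... by counting up). Refuse it for visitors;
//    the is_admin() check keeps the author filter in wp-admin lists working.
add_action( 'init', function () {
    if ( ! is_admin() && ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 2. /wp-json/wp/v2/users lists every user who has published a post, with
//    their login "slug". Remove the routes for anyone not logged in; logged-in
//    users keep them because the admin screens rely on the REST API.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. The default login error says whether the username or the password was
//    wrong, which lets an attacker confirm valid usernames one request at a
//    time. Return a single generic message instead.
add_filter( 'login_errors', function ( $message ) {
    return 'Login failed. Check your username and password.';
} );
```

After adding it, re-run the scanner: the author redirect should return 403, the users endpoint 404, and the login page the same message for any combination. Author archive pages themselves still exist; if your theme links to them, the slug in that URL is the login name unless you set a different nicename in the user profile.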

#4 WPRecon

This scanner not only checks your site for vulnerabilities but also keeps monitoring it for changes, and it updates itself to check for new threats as they come out.

It’s free to use and does a decent job of providing detailed feedback.

  • Updates its database daily
  • Scans your site instantly
  • Provides feedback on your most vulnerable areas
  • Delivers ongoing monitoring

As you can see, using a scanner is a fast and efficient way to find the holes before an attacker does.

What I would suggest is to run each scanner and then go with the one that provides the most information.

So, for example, if WPRecon spots an issue that the others don’t, it could be your ideal choice.

Remember that external scanners only see what the site exposes; they cannot find a backdoor already sitting in wp-content, which is what the file-integrity checks in the plugins from Chapter 4 are for.

CHAPTER EIGHT:
Steps to Protecting Your ECommerce Store

While getting hacked is a huge mess for you,

you also don’t want to ruin your online reputation with a tainted website that infects your users’ computers.

Not only will this drive traffic down, but Google will flag your site as dangerous in search results and in Chrome if it detects malware on it.

If you are running an online store, security is even more crucial because you are dealing with sensitive financial information.

Websites are being hacked as you read this guide; Norse’s real-time attack map gives a sense of the volume.

As such, follow these WordPress security best practices to keep that data safe.

#1 Use a High-Quality Host

We’ve already discussed the importance of a secure hosting service for your site in general, but you also want to be sure that it can provide the security your commerce store needs.

Don’t skimp and choose a cheaper provider that could leave your site vulnerable.

#2 Use SSL for Checkout

If you aren’t encrypting your checkout, you are exposing your customers’ card numbers and addresses to anyone on the network between them and you, and browsers now warn visitors about it.

Some hosts provide SSL certificates and install them for you (in cPanel, look under SSL/TLS), but with others you will have to obtain a certificate and install it yourself.

Put the whole site on HTTPS, not just the checkout page: a login or cart page served over plain HTTP leaks the session cookie that the checkout relies on.

#3 Don’t Keep Sensitive Data

One of the easiest ways to prevent hackers from stealing anything is to not have anything valuable in the first place.

Rather than storing credit card numbers on your server, use a payment gateway that handles the card data on its own pages or tokenizes it, so that the number never touches your database.

This takes a lot of pressure off you (much of the PCI DSS burden goes away with the card data) and won’t compromise your customers if you are attacked.

#4 Require Additional Verification

Overall, the more checks a transaction has to pass, the harder it is to abuse.

Just as you have two-step authentication for your own login, offer the same to your customers, the way PayPal does with its 2-step verification.

Requiring the billing address and the CVV number for each payment adds extra protection, since card data stolen in a database breach rarely includes the CVV.

#5 Don’t Allow Users to Have Weak Passwords

If your site has members who log in with a password, take the time to require something strong.

This way, even if your customers aren’t following best practices, you help them by forcing them to create a better password.

Use a system that requires a minimum length (twelve characters is a reasonable floor) and rejects obviously bad choices such as the username; length does far more than forced numbers and symbols.
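Here is what such a policy looks like in code, as an added example (not WordPress core code and not from any shop plugin) of a must-use plugin that checks the password wherever WordPress lets a user set one: the password reset form and the profile and Add New User screens in wp-admin. The twelve-character minimum and the other rules are assumptions.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 *
 * Added example for this guide, not WordPress core or shop-plugin code.
 * Save as wp-content/mu-plugins/example-password-policy.php.
 * Enforces a minimum length and rejects passwords that contain the username
 * or use almost no distinct characters. Thresholds are assumptions.
 */

define( 'WPSEC_MIN_PASSWORD_LENGTH', 12 );

/**
 * Returns null when the password is acceptable, otherwise the reason.
 * Length matters far more than forced character classes: "P@ssw0rd!" passes
 * a symbol rule and is in every cracking wordlist.
 */
function wpsec_password_problem( $password, $username = '' ) {
    if ( strlen( $password ) < WPSEC_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', WPSEC_MIN_PASSWORD_LENGTH );
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return 'The password must not contain your username.';
    }
    // "aaaaaaaaaaaa" and "123123123123" are long but worthless.
    if ( count( array_unique( str_split( strtolower( $password ) ) ) ) < 5 ) {
        return 'The password uses too few distinct characters.';
    }
    return null;
}

/**
 * Adds an error to $errors when the submitted password (field pass1, which is
 * what WordPress's own forms use) breaks the policy. Does nothing when the
 * request carries no new password, e.g. a profile edit that leaves it alone.
 */
function wpsec_check_submitted_password( WP_Error $errors, $username ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $problem = wpsec_password_problem( wp_unslash( $_POST['pass1'] ), $username );
    if ( $problem ) {
        $errors->add( 'wpsec_weak_password', $problem );
    }
}

// Password reset links (wp-login.php?action=rp). $user is a WP_Error when
// the reset key is invalid, so guard before reading the login name.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $login = ( $user instanceof WP_User ) ? $user->user_login : '';
    wpsec_check_submitted_password( $errors, $login );
}, 10, 2 );

// Profile edits and Add New User in wp-admin; $user is the submitted data.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $login = isset( $user->user_login ) ? $user->user_login : '';
    wpsec_check_submitted_password( $errors, $login );
}, 10, 3 );
```

WordPress refuses to save the password as long as $errors is non-empty, so the user sees the reason on the form. If your shop uses its own registration or account forms, hook the same `wpsec_password_problem()` check into that plugin’s validation filter as well, otherwise customers who register through the shop bypass the policy.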

#6 Set Up Alerts for Suspicious Activity

If a single credit card is being used for a string of purchases from many different IP addresses within a short time, it has probably been stolen.

As the store owner, it’s up to you to verify the legitimacy of such orders before you ship, so that you are not the one processing fraudulent transactions.

This also protects you financially, because the chargeback when the real cardholder disputes the purchase lands on you, not on the fraudster.
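That check is simple enough to automate. Here is an added example (not code from any shop plugin or payment gateway) of the velocity rule run over a handful of constructed orders; it works on the gateway’s card token, never the card number, and the window and threshold are assumptions.

```php
<?php
/**
 * Added example for this guide, not code from any shop plugin or gateway.
 * Flags a card that is used from too many different IP addresses within a
 * time window. Only the gateway's card token is ever stored, never the
 * card number. The orders below are constructed sample data.
 */

/**
 * @param array $orders   each: ['card_token' => string, 'ip' => string, 'time' => int unix seconds]
 * @param int   $max_ips  distinct addresses allowed per card in the window (assumed: 3)
 * @param int   $window   window length in seconds (assumed: 24 hours)
 * @return array card_token => list of distinct IPs, for every card over the limit
 */
function wpsec_flag_card_velocity( array $orders, $max_ips = 3, $window = 86400 ) {
    usort( $orders, function ( $a, $b ) { return $a['time'] - $b['time']; } );
    $flagged = array();

    foreach ( $orders as $order ) {
        // Distinct IPs that used this card in the window ending at this order.
        $ips = array();
        foreach ( $orders as $other ) {
            if ( $other['card_token'] === $order['card_token']
                && $other['time'] <= $order['time']
                && $other['time'] > $order['time'] - $window ) {
                $ips[ $other['ip'] ] = true;
            }
        }
        if ( count( $ips ) > $max_ips ) {
            $flagged[ $order['card_token'] ] = array_keys( $ips );
        }
    }
    return $flagged;
}

// Constructed sample data: tok_A is used from four networks in one afternoon;
// tok_B is a regular customer buying from home and from work a day apart.
$sample_orders = array(
    array( 'card_token' => 'tok_A', 'ip' => '203.0.113.5',  'time' => 1500000000 ),
    array( 'card_token' => 'tok_A', 'ip' => '198.51.100.9', 'time' => 1500003600 ),
    array( 'card_token' => 'tok_A', 'ip' => '192.0.2.77',   'time' => 1500007200 ),
    array( 'card_token' => 'tok_A', 'ip' => '203.0.113.88', 'time' => 1500010800 ),
    array( 'card_token' => 'tok_B', 'ip' => '198.51.100.2', 'time' => 1500000000 ),
    array( 'card_token' => 'tok_B', 'ip' => '198.51.100.3', 'time' => 1500090000 ),
);

foreach ( wpsec_flag_card_velocity( $sample_orders ) as $token => $ips ) {
    // In a real store: put the order on hold and email the owner instead of echoing.
    echo "Review card $token: used from " . count( $ips ) . " IPs (" . implode( ', ', $ips ) . ")\n";
}
```

Run with `php velocity.php`; only tok_A is reported, with its four addresses. In a live store you would call the same function from the hook your shop plugin fires when an order is created, with the last day of orders for that token, and hold the order for manual review rather than refusing it outright, since a traveller on hotel wifi trips the same rule.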

#7 Train Staff to Be Vigilant

If you have anyone handling sensitive information, even just temporarily, he or she should be trained on how to properly store or dispose of that data once it’s been used.

For example, if a customer gives you a credit card number over the phone, make sure that the person recording it does not keep a copy of it.

Don’t assume that employees already know what to do, either, as that can lead to security compromises.

#8 Use Tracking Numbers When Possible

If you ship products to customers, then you want to enable tracking notifications so that you and they know when the package has been delivered and accepted.

This will not only provide better service to the customer, but it will offer another layer of protection, especially in the event of theft.

#9 Consider a Fraud Management Service

Sometimes you can rely on a third-party company to handle fraud claims and issues.

This adds a layer of protection for you and the customer as it ensures that you don’t accidentally make things worse.

Such services can be pricey, so only consider them if you have had fraud issues in the past.

In the end, if you want to keep your customers safe, then you have to be proactive about it.

Even if it seems like you’re making extra work for your users, it’s far better to do it this way than to deal with the aftermath of an attack. 

CHAPTER NINE:
Backing Your Site Up

I’ve talked a little bit about the importance of having backups for all of your data, but the fact is that you need to be doing it on a constant basis.

This way, if something should happen, you won’t be set back significantly.


How Often Should You Back Up?

To make sure that you are as up to date as possible, you should back your system up before every update as well as every couple of days.

This way you can get back on track immediately after an attack with minimal delays.

How Can You Back Your Site Up?

There are several ways to do this.

First, you can back up your files to a separate hard drive yourself.

Second, you can use remote servers offered by a third-party service.

Sometimes your web host will offer free backups, or you can sign up for a backup service that will do it for you.

In some cases, it’s better to do both, so that you have a backup of your backup in case either one is compromised.
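The two rules from this chapter, a backup before every update and one every couple of days, expressed as an added WordPress snippet (not code from the guide or from any plugin it mentions). It assumes shell access to mysqldump and tar and a writable backups directory one level above the web root; copy the resulting archives to the separate drive or remote storage described above.

```php
<?php
// Added example (not from the guide): run a backup before every update and
// every two days, as the chapter recommends. Assumes shell access to
// mysqldump and tar and a writable directory outside the web root.
define( 'MY_BACKUP_DIR', dirname( ABSPATH ) . '/backups' ); // assumed location

function my_run_backup() {
    if ( ! is_dir( MY_BACKUP_DIR ) ) {
        mkdir( MY_BACKUP_DIR, 0700, true );
    }
    $stamp = gmdate( 'Ymd-His' );
    // Hand credentials to mysqldump through a 0600 options file rather than
    // on the command line, where other users on the host could read them.
    $cnf = tempnam( sys_get_temp_dir(), 'bk' );
    chmod( $cnf, 0600 );
    file_put_contents( $cnf, "[client]\nhost=" . DB_HOST . "\nuser=" . DB_USER
        . "\npassword=\"" . DB_PASSWORD . "\"\n" );
    exec( sprintf( 'mysqldump --defaults-extra-file=%s %s > %s',
        escapeshellarg( $cnf ), escapeshellarg( DB_NAME ),
        escapeshellarg( MY_BACKUP_DIR . "/db-$stamp.sql" ) ), $out, $db_rc );
    unlink( $cnf );

    // Archive wp-content (themes, plugins, uploads); core files can be re-downloaded.
    exec( sprintf( 'tar -czf %s -C %s wp-content',
        escapeshellarg( MY_BACKUP_DIR . "/files-$stamp.tar.gz" ),
        escapeshellarg( ABSPATH ) ), $out, $tar_rc );

    if ( $db_rc !== 0 || $tar_rc !== 0 ) {
        wp_mail( get_option( 'admin_email' ), 'Site backup failed',
            "mysqldump exit code $db_rc, tar exit code $tar_rc" );
    }
}

// Every couple of days: add a custom WP-Cron interval and schedule the job.
add_filter( 'cron_schedules', function ( $schedules ) {
    $schedules['every_two_days'] = array( 'interval' => 2 * DAY_IN_SECONDS, 'display' => 'Every two days' );
    return $schedules;
} );
add_action( 'my_scheduled_backup', 'my_run_backup' );
if ( ! wp_next_scheduled( 'my_scheduled_backup' ) ) {
    wp_schedule_event( time(), 'every_two_days', 'my_scheduled_backup' );
}

// Before every update: WP_Upgrader applies this filter before installing any
// core, plugin or theme package, so back up first and let the update proceed.
add_filter( 'upgrader_pre_install', function ( $response, $hook_extra ) {
    my_run_backup();
    return $response;
}, 10, 2 );
```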

Backup Plugins

As with everything else on WordPress, you can automate this process by using backup plugins to your advantage.

Here are five that I highly recommend.

#1 BackupBuddy

This plugin not only keeps your databases up to date but it will save your installation files so that you can make a full recovery if necessary.


It also makes the process easy by having a button on your dashboard so that you simply click and watch it work. 

#2 VaultPress

If you already run VaultPress as a security plugin, then it provides automatic backups as well.


It backs up everything from comments and blog posts to all of your databases.

Best of all, it uses secure remote servers so that you can recover from anywhere. 

#3 UpdraftPlus

If you like the idea of backing up into the cloud, this is a plugin that will do just that.


With over a million installs, it’s safe to say that it’s both popular and reliable.


#4 BackWPUp

You can either get the free or the pro version, but I highly recommend going pro.


This plugin has over four million downloads, and it will save your installation files as well for a full recovery.

It syncs with a third-party service like Dropbox to keep an off-site copy of your data.

#5 WP-DB-Backup

This is probably the most basic plugin you can find; it simply backs up your database for you.


However, it is much better than having nothing. 

CHAPTER TEN:
What If I’m Hacked?

No matter how careful you are, sometimes you can still be a victim of a cyber attack.

If that does happen, the important thing to remember is that it can be fixed and reversed, so don’t start panicking yet.

Hopefully, you will have systems in place to recover quickly, but even if you don’t, you shouldn’t let despair set in. 


Identify the Scope of the Attack

Yes, it can happen to you.

You browse to your website and see that it has been infected with malware.

Did the attack originate from your local network, or did it come from somewhere else?

Which files were compromised as a result?

Before you can attempt to recover, it’s imperative that you figure out how bad it is so that you can be sure that you remove the threat entirely.

Fixing the Problem

Whether it’s something as simple as updating your software or making a full recovery, make sure that you fix everything that went wrong.

If necessary, reach out to a professional cleanup service so that they can guarantee that you are malware free. 

Here is a list of online services to remove malware and clean hacked websites:

Take Action - Change All Login Information

Regardless of where it originated, you will be much better off if you do a complete overhaul of your login credentials.


Change all usernames and passwords and be extra careful of who gets access to what. 

Start Rebuilding Your Reputation

Visitors will be wary of your site after an attack, so it’s important that you address the issue head on.

Let people know the extent of the damage (especially if customer information was threatened) and that you are taking steps to repair it.

Overall, the best thing you can do is continue to harden your security systems and work to prevent the same thing from happening again. 

Follow Security Best Practices in the Future

Again, no matter how careful you are, sometimes hacks still happen.

That doesn’t mean that you should change course or try something different.

Stick with proven methods of WordPress protection and harden your site as much as possible. 

CHAPTER ELEVEN:
WordPress Security Checklist

Before I go, I want to leave you with a comprehensive checklist so that you won’t forget to utilize any or all of these tools.

Since online security is an ongoing mission, be sure to update your systems as much as possible and adapt as needed.


While we could offer a complete list here, the fact is that there are plenty of examples already online.

Here are our top choices. 

WordPress Security Checklist

WordFence Security Checklist

WP Common Security Checklist

This last one is actually a plugin, so when you cross something off it checks that the item has really been taken care of on your site.

This ensures that your checklist is tied to the actions you actually take.

WordPress Security Best Practices Resources

While this guide is going to be your best place to find out what you can do to keep your site safe, there are other resources out there that you should look at to get a more comprehensive view of the situation.

Hardening WordPress

Overview of WordPress

Overview of Brute Force Attacks

WordPress Security Tips

In the end, the safety of your site is in your hands, so be sure to take the responsibility seriously and don’t neglect your duties as an administrator. As long as you follow these steps, your site should be well protected.

Give Us Your Feedback

You have read the complete guide.
Now it’s time to take action.

But before you do, leave a comment to let me know what you are going to implement first.
