Factual WordPress Security Checklist (Boost Security by 10X times)

By Ansif on January 19, 2017

As WordPress is the most popular CMS, concern about WordPress security is also increasing. To keep WordPress secure, regular updates are released that improve security and fix bugs.

WordPress security is not a single factor; it is made up of many factors. In this post, we are going to see how to improve WordPress security, and also which security factors you need to check regularly on WordPress websites.


WordPress Security Checklist

General WordPress Security check

There are some things you can check as part of your day-to-day activity that improve not only WordPress security but your security in other areas of the internet as well.

Use the Latest versions

As said before, WordPress releases regular updates that fix bugs and improve performance and security. The list of updates and the version details are given on its security archive page.

It is important to update to the latest minor versions (such as 4.7.1 or 3.8.2), because these contain the fixes for bugs found in the main versions.


It is very important to update to the latest main versions (3.0, 4.0, 4.5) because these carry both security and performance updates. Before updating to a main version, run a compatibility check to avoid plugin functionality clashes.

Back Up

Always keep a regular backup of your website. Verify the integrity of the backup: it should contain the data and files needed to bring your website back to its current condition.

Authentic Sources

There are many plugins out there to help you with WordPress. When you install a WordPress plugin, it has access to your WordPress files, directories, and database. Only download plugins from trusted and authentic sources; use the WordPress plugin directory to find the plugin you need.

Use Strong Password

Use a complex, long, and unique password. It is recommended to use a password generator for all passwords.

Pro Tip: Strong Password Generator

Server side WordPress Security

The web server that runs your WordPress website and its software needs to be safe and secure. Be careful when choosing hosting for your website. Some of the precautions you have to check on the server side for WordPress security are as follows.

FTP / SFTP

Secure File Transfer Protocol (SFTP) ensures that the transfer of files between your machine and the server is protected. Plain FTP sends credentials and file contents unencrypted, so prefer SFTP wherever your host offers it.

Pro Tip: The command tail -f /location/to/log/file lets you monitor your raw traffic in real time at no additional cost (if you have SSH access to your server).

Security Updates

If you manage your own server, make sure that you install security updates for your operating system, web server, PHP, and any other applications.

Pro Tip: If you are on shared hosting and one or more sites on that shared host have been hacked, you may find that your website's IP address is blacklisted by spam lists. To check for email deliverability problems, use mxtoolbox.

Manage Web Applications

Try not to install a large number of web applications on a single hosting account. Logically separating applications into separate accounts, each with its own access credentials, gives better WordPress security.

Uptime monitoring

Keep track of your server's performance. Whenever the server goes down, it is a bad sign for your WordPress security.

Pro Tip: Use services like UptimeRobot and Pingdom to monitor website availability.

Secure WordPress hosting

Some WordPress security measures have to be bought from the hosting provider. Some of these additional features may be advanced, but when it comes to security features it is always good to use the advanced options to improve your WordPress security.

Use DDoS mitigation services

A distributed denial of service (DDoS) attack means your website's bandwidth is completely filled by malicious bots; the server gets overwhelmed and starts rejecting all visitors, including legitimate traffic. Enable DDoS mitigation with your hosting service provider.

Set up SSL for the website

Secure Sockets Layer (SSL, today implemented as TLS) is also provided by your hosting provider; it keeps the communication between users' devices and your server encrypted.

Database security

Managing database security is another important factor in the WordPress security process. Since WordPress is a CMS, you have to manage a large amount of data and file access.

Maintain a Separate Database

Multisite is a WordPress feature that allows users to create a network of sites on a single WordPress installation. If you are running them all on the same server, it is wise to manage these sites in a separate database.

Two Step Authentication

Consider adding two-step authentication for better WordPress security when logging in.

Pro Tip: Managing a separate database for the multisite can be done easily at the time of WordPress installation. The Clef WordPress plugin helps you activate 2FA easily.

Limit Login Attempts

Reduce the number of people who have administrative access to your WordPress site to a minimum, and likewise reduce the number of possible entry points to a minimum.
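To turn the tail -f tip above and this section's goal of limiting login attempts into something you can actually check, here is an added example (not code from the original post) that counts POST requests to wp-login.php per client address in a combined-format access log and reports any address at or above a threshold. The log lines, the addresses and the threshold of 5 are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): find clients that repeatedly POST
# to wp-login.php in a combined-format web server access log. The log lines,
# IP addresses and threshold below are constructed for the demo.

# Constructed sample access log (Apache/Nginx "combined" format).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.9 - - [19/Jan/2017:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2017:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:10:00:04 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
EOF

# wp_login_bruteforce LOGFILE THRESHOLD
# Prints "IP COUNT" for every client address that POSTed to wp-login.php at
# least THRESHOLD times, highest count first. Nothing printed means nothing
# crossed the threshold.
wp_login_bruteforce() {
    awk -v threshold="$2" '
        # In combined format $1 is the client IP, $6 the quoted method
        # ("POST) and $7 the request path (query string included).
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= threshold) print ip, hits[ip]
        }' "$1" | sort -k2,2nr -k1,1
}

# Demo: with a threshold of 5 only 203.0.113.5 (6 POSTs) is reported.
wp_login_bruteforce "$SAMPLE_LOG" 5
```

Run it against the real access log on a schedule, or after a tail -f session has shown you a burst of requests, and hand the reported addresses to whatever blocking you use (a login-limiting plugin, the host's firewall). A handful of POSTs to wp-login.php from one address within seconds is the trace a brute-force login attempt leaves behind, whichever status codes the server returned.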

File access control

The default file permissions should be:
  • 755 for folders
  • 644 for files
There are a number of ways to set these permissions; however, these are the default recommendations.

Pro Tip: Use the following commands to change permissions (replace /path/to/your/wordpress/install/ with your own install path).

For files: find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

For folders: find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
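As an added example (not code from the original post), the script below audits a WordPress tree against the 644/755 defaults and then repairs it with the same two find/chmod commands as the tip. The install tree is constructed in a temporary directory with two deliberately wrong modes so that the audit has something to report.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the 644/755 defaults and repair it with the post's two find/chmod commands.
# The directory tree below is constructed in a temp dir for the demo.

# wp_perm_audit ROOT: print every path (relative to ROOT) whose mode differs
# from 644 for files or 755 for directories, sorted. Empty output means OK.
wp_perm_audit() {
    ( cd "$1" && {
        find . -type f ! -perm 644 -print
        find . -type d ! -perm 755 -print
      } | sort )
}

# wp_perm_fix ROOT: apply the recommended defaults (same commands as the tip).
wp_perm_fix() {
    find "$1" -type f -exec chmod 644 {} \;
    find "$1" -type d -exec chmod 755 {} \;
}

# Build a small constructed install; modes are set explicitly so the demo
# does not depend on the caller's umask.
WP_DEMO=$(mktemp -d)
trap 'rm -rf "$WP_DEMO"' EXIT
mkdir -p "$WP_DEMO/wp-admin" "$WP_DEMO/wp-content/uploads"
printf '<?php\n' > "$WP_DEMO/index.php"
printf '<?php\n' > "$WP_DEMO/wp-config.php"
: > "$WP_DEMO/.htaccess"
chmod 755 "$WP_DEMO" "$WP_DEMO/wp-admin" "$WP_DEMO/wp-content"
chmod 644 "$WP_DEMO/index.php" "$WP_DEMO/.htaccess"
chmod 666 "$WP_DEMO/wp-config.php"       # world-writable config: wrong
chmod 777 "$WP_DEMO/wp-content/uploads"  # world-writable upload dir: wrong

echo "Before fix:"; wp_perm_audit "$WP_DEMO"   # lists the two bad paths
wp_perm_fix "$WP_DEMO"
echo "After fix:";  wp_perm_audit "$WP_DEMO"   # prints nothing
```

wp_perm_audit prints nothing when everything matches, which makes it easy to run from cron and alert only on output. The tip's values are the defaults for the whole tree; many hosts tighten wp-config.php further (for example 600 or 640, readable only by the web server user), and if you do that, add an exception for it in the audit rather than letting the fix loosen it again.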


Password to WP-Admin

Adding server-side password protection to wp-admin gives an additional layer of WordPress security around your blog's admin area, the login screen, and your files. It also prevents normal users from accessing your wp-admin directory.

File Integrity Monitoring

Monitoring file changes is a proactive form of WordPress security: it notifies you of an intrusion into your WordPress files. There are plugins to help you with this; the most popular file integrity monitoring WordPress plugin is WordFence.
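WordFence's scanner is a full product; to show what file integrity monitoring actually does underneath, here is an added example (neither WordFence's code nor the post's) that stores a SHA-256 baseline of every file under a WordPress root and later reports which files were added, modified or removed. The tree, the baseline location and the three tampering events are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post, not WordFence code): a minimal
# file integrity monitor. fim_baseline records a SHA-256 per file, fim_check
# reports what was added, modified or removed since. Everything is constructed.

# _sha256 FILE: print the hex digest using whichever tool the system has.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# _hash_tree ROOT: "digest  ./relative/path" for every regular file, sorted.
# (Paths containing whitespace are out of scope for this demo.)
_hash_tree() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(_sha256 "$f")" "$f"
    done )
}

# fim_baseline ROOT BASELINE_FILE: record the current state of the tree.
fim_baseline() { _hash_tree "$1" > "$2"; }

# fim_check ROOT BASELINE_FILE: print "ADDED|MODIFIED|REMOVED path" lines,
# sorted; empty output means the tree matches the baseline.
fim_check() {
    _hash_tree "$1" | awk -v base="$2" '
        BEGIN { while ((getline line < base) > 0) { split(line, f); old[f[2]] = f[1] } }
        { cur[$2] = $1 }
        END {
            for (p in cur) {
                if (!(p in old)) print "ADDED", p
                else if (cur[p] != old[p]) print "MODIFIED", p
            }
            for (p in old) if (!(p in cur)) print "REMOVED", p
        }' | sort
}

# Constructed miniature install.
FIM_DEMO=$(mktemp -d); FIM_BASELINE=$(mktemp)
trap 'rm -rf "$FIM_DEMO" "$FIM_BASELINE"' EXIT
mkdir -p "$FIM_DEMO/wp-content/plugins" "$FIM_DEMO/wp-content/uploads" "$FIM_DEMO/wp-includes"
printf '<?php // front controller\n' > "$FIM_DEMO/index.php"
printf '<?php // config\n' > "$FIM_DEMO/wp-config.php"
printf '<?php // hello dolly\n' > "$FIM_DEMO/wp-content/plugins/hello.php"
printf '<?php $wp_version = "4.7.1";\n' > "$FIM_DEMO/wp-includes/version.php"

fim_baseline "$FIM_DEMO" "$FIM_BASELINE"

# Simulate three kinds of change after the baseline was taken.
printf '// line appended after baseline\n' >> "$FIM_DEMO/index.php"
printf '<?php // file that was not there before\n' > "$FIM_DEMO/wp-content/uploads/unexpected.php"
rm "$FIM_DEMO/wp-content/plugins/hello.php"

fim_check "$FIM_DEMO" "$FIM_BASELINE"   # ADDED / MODIFIED / REMOVED, one per line
```

Keep the baseline outside the web root (and ideally a copy off the server, since an intruder who can change files can also edit a baseline stored next to them), refresh it right after every legitimate update, and run fim_check from cron. A PHP file appearing under wp-content/uploads, as in the demo, is exactly the kind of report worth acting on.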

Pro Tip: wp-config.php

If your server uses .htaccess, you can put this at the very top of that file to deny access to anyone browsing for it:

<files wp-config.php>
order allow,deny
deny from all
</files>

Disable File Editing

Disabling file editing within the WordPress dashboard is recommended and important for WordPress security. Add the following lines at the end of the wp-config.php file:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
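An added example (not code from the original post) that checks whether a WordPress root carries both wp-config.php protections from this tip and the previous one: the .htaccess block denying wp-config.php and DISALLOW_FILE_EDIT set to true. The two directories are constructed for the demo, one hardened and one not; the check names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a WordPress root has
# the two wp-config.php protections described in the post. Both the Apache 2.2
# spelling ("deny from all") and the Apache 2.4 one ("Require all denied") are
# accepted inside the <Files wp-config.php> block. Directories are constructed.

# wp_hardening_check ROOT: one line per check, "OK <name>" or "MISSING <name>".
wp_hardening_check() {
    root=$1

    # Check 1: .htaccess has a <Files wp-config.php> block that denies access.
    if [ -f "$root/.htaccess" ] && awk '
        tolower($0) ~ /<files +"?wp-config\.php"?>/ { inblock = 1 }
        inblock && tolower($0) ~ /(deny from all|require all denied)/ { found = 1 }
        tolower($0) ~ /<\/files>/ { inblock = 0 }
        END { exit found ? 0 : 1 }' "$root/.htaccess"
    then echo "OK htaccess-denies-wp-config"
    else echo "MISSING htaccess-denies-wp-config"
    fi

    # Check 2: wp-config.php defines DISALLOW_FILE_EDIT as true.
    if [ -f "$root/wp-config.php" ] \
       && grep -Eiq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$root/wp-config.php"
    then echo "OK disallow-file-edit"
    else echo "MISSING disallow-file-edit"
    fi
}

# Constructed roots: one with both protections, one with neither.
HARDENED=$(mktemp -d); UNHARDENED=$(mktemp -d)
trap 'rm -rf "$HARDENED" "$UNHARDENED"' EXIT
cat > "$HARDENED/.htaccess" <<'EOF'
<files wp-config.php>
order allow,deny
deny from all
</files>
EOF
cat > "$HARDENED/wp-config.php" <<'EOF'
<?php
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
EOF
printf '<?php\n' > "$UNHARDENED/wp-config.php"   # no define, and no .htaccess at all

wp_hardening_check "$HARDENED"     # OK, OK
wp_hardening_check "$UNHARDENED"   # MISSING, MISSING
```

On Apache 2.4 the order allow,deny / deny from all pair from the tip only works when mod_access_compat is loaded; the native 2.4 form is Require all denied, which is why the checker accepts either. Also note that WordPress's own documentation recommends placing defines such as DISALLOW_FILE_EDIT above the "That's all, stop editing!" comment in wp-config.php, so they are set before wp-settings.php is loaded.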

Website Firewall

A website firewall prevents, and notifies you of, external attacks and malicious login attempts that try to weaken your website. You can use an endpoint firewall or a cloud-based firewall. The cloud-based firewall is the most recommended, since it also acts as a CDN and offers a distributed network around the globe.

Continuous Monitoring

Use tools and services that help you monitor your WordPress security. You cannot continuously monitor your website manually 24/7, so you need a security plugin or the help of a WordPress service provider.

Free WordPress Vulnerability Scanners

There are a lot of services out there to help you check your WordPress website's security. You can submit your website URL or the server file location to check for vulnerabilities. Two such vulnerability scanners are VirusTotal and SiteCheck by Sucuri.

WordPress Security Plugins

These WordPress plugins will help you improve the WordPress security.

WordFence

The WordFence plugin blocks brute-force attacks and can add two-factor authentication via SMS. You can also block traffic from a specific country. It includes a firewall to block fake traffic, botnets, and scanners, and it scans your hosting for known backdoors, including C99, R57, and others. If it finds anything suspicious, you instantly get an email notification.

BulletProof Security

BulletProof Security limits failed login attempts, fake traffic, and code scanners, and supports IP blocking. It keeps checking the code of WordPress core files, themes, and plugins, and in the case of any known infection it notifies the admin. It also optimizes the performance of your website by adding caching. The plugin keeps itself updated with new exploits and vulnerabilities, so your website stays protected against new attacks in the future.

Sucuri Security

Sucuri Security protects your website from DoS attacks, zero-day disclosures (through virtual patches), brute-force attacks, and other scanner attacks. It also keeps a log of all activity and stores these logs safely in the Sucuri cloud, so if an attacker is able to bypass the security controls, your security logs remain safe within Sucuri's security operations center.

WordPress Security Vulnerabilities and Facts

The most exploited parts of WordPress are themes and plugins. These are the number one target for hackers trying to get into your WordPress website.

These vulnerabilities are a normal part of software development. Developers address them by releasing updates, so make sure that you are up to date.


Some interesting WordPress security related results from Sucuri's 2016 annual report:

  • Out of the 11,000 + infected websites analyzed, 75% of them were on the WordPress platform and over 50% of those websites were out of date.

  • The impact on WordPress stems from exploitation attempts against vulnerable software, specifically plugins.

WordPress Security with WPTS

Having a secure website is every website owner's expectation. Make that expectation come true with WPTS: you get 24/7 security monitoring and spam and revision cleaning in the starting plan itself, at just $29.

Whether you just want to recover your hacked site, need a diagnosis report on your WordPress website's security, or need to set up security plugins, you get all of this WordPress security support. Just use our Support Credits, the smartest and most economical way to have a smart WordPress website.

Wrapping Up

There are many more ways to improve WordPress security. The ways mentioned above are the most commonly used and preferred ones.

“Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.”

- WordPress Codex

If you have other things to add to this checklist, share them with us in the comment section below.

Have a safe and secure website!

Ansif

Ansif is the co-founder and CTO of WP Team Support (WPTS). With his thirst for web development from the very beginning of his college days, he started helping his brother develop websites and joined Cyberspace Builder full time in 2013.
