WordPress Security Checklist

For any website owner, website security is one of the most utmost priority. It can also be part of brand value. Running and maintaining websites security is really critical for both business’s images and data too. As a WordPress Developer I have cemented my years of experience and best practices to get all my client […]

why wordpress is slow

For any website owner, website security is one of the most utmost priority. It can also be part of brand value. Running and maintaining websites security is really critical for both business’s images and data too.

As a WordPress Developer I have cemented my years of experience and best practices to get all my client websites with security best practices. So how do I do it? Or what precautions I take to make sure websites I build are built within solid security in mind.

Here are the top 10 checklists that you can follow to maintain your WordPress website security.

1. Keep your themes, plugins and core updated

Rule #1 for any WordPress website is to keep everything updated. Try to keep minimum with plugins, and install only themes that you are using.

With every update, there are sometimes major security updates. It’s quite critical to stay updated with the latest updates, so that your website won't be exposed to any vulnerabilities.

2. Invest on good website hosting

A good web hosting is your gatekeeper. That's why it’s really important to select your web hosting. Have a good web hosting service, and you can sleep in peace and if you select a dodgy one, your website will be in trouble.

To summarise a good web hosting does the following:

  1. Firewall
  2. DDos mitigations
  3. Free SSL
  4. Latest PHP and MySQL
  5. Regular backups
  6. Easy restore options

3. Invest on good quality theme

Themes built on good quality code are of utmost importance for the security of your website. If your theme has some loopholes in codes, they expose your website and customers data and can be breached.

Invest in a good quality theme. If you have a budget, it's advised to spend on custom themes, as a good WordPress Developer, implements coding best practices and security best practices.

Even if you don’t want to spend on custom themes, there are some really good premium themes that have a proven record for quality. Do some research, test before building the site.

4. Invest on good plugins

Plugins are another important factor of security. There are some really good free plugins in the WordPress repository. Having a good knowledge of plugins is really needed when adding new functionalities to your WordPress website.

For me personally, I am really selective of plugins and my plugin suite is based on years of experience. WHether you are choosing a free plugin or premium plugins, my advise is to do the following:

  1. Read the reviews
  2. See how support responds to your query
  3. Test before installing
  4. Pay for the quality as this will help the plugin developer to maintain and upgrade plugins

5. Protect your wordpress admin

WordPress by default uses /wp-admin/ or wp-login.php for admin dashboards, which is really easy for anyone to guess.

Try to protect your admin dashboard with a unique url so that it isn't easily visible. This can be done by plugins like iTheme Security.

6. Use strong username and password

Using really strong username and password combinations that are hard to guess is critical. Most of the websites that get exposed tend to use simple and easy to guess username and password. This also makes your site vulnerable to bot attacks that are trying to access your website.

7. Limit login attempts

Limiting login attempts are crucial to save your website from exposure when there are bots that are randomly generating usernames and passwords combinations to get into your website admin area.

This is really important to implement to secure your website as well as restricting bots to use your website resources.

8. Use 2 FA to login to your admin dashboard

2 factor authentication must have functionality if you are really serious about your website security. You can have several options such as using pre generated backup codes, email or mobile to get code to access your website admin section.

This makes sure that unwanted access to your website is controlled.

9. Disable XMLRPC

Almost 99% of the time, websites don’t need this functionality to be enabled by default. And this is one of the features that needs to be turned off in case you aren't using it. XMLRPC is used to REST API, which in most of the cases websites don’t use.

10. Have more than 1 form of backups

It’s always too good to have a second backup strategy along with selecting a server that does the backup regularly.

There are several services and plugins that does this job for you.

Conclusion

Having spent more than 5 years as WOrdPress Developer, learning and practing security best practices, I can say WordPress when done with good developer is really a solid framework.

Some of the plugins I recommend and use include:

  1. iTheme Security - httpss://ithemes.com/security/
  2. WordFence httpss://www.wordfence.com/ and
  3. Updraft Plus (for backup) - httpss://updraftplus.com/