Hello, Hackers! Best Practices for WordPress Security

When talking about WordPress security, it feels like we’re left with 2 choices, devastating paranoia or ignorant bliss.

With all the news of our personal information, usernames, passwords, and identities getting jacked and sold on the dark web, the topic of web security to a noobie sounds impossible.

But after falling hard into the deep end of web security, I’ve discovered some “not-so-common-sense” WordPress security best practices and pro tips (literally I talked to a pro) to help put your heart at ease. We’ll look at free tools and how to implement them on your websites and in your life.

Maybe reality isn’t as depressing as we all fear.

WordPress Security For Dumb-Dumbs…Like Me

In episode 3 of Hello, WP!, “Hello, Hackers!”, we took on the complexity of security in and around WordPress.

If you haven’t listened to Hello, WP! yet, On the show we take on different topics by calling on the pros…kinda like your favorite true crime podcasts, but minus the crime.

Anyway, for our Security episode, previous SiteLock employee (now GoDaddy employee), Adam Warner, joined me and shared 7 security best practices that I found extremely valuable. Adam and I had a much longer conversation than I could fit in the show, so I’m bringing it here, with links, practical recommendations, and tips.

Quick sidenote: outside of our podcast, Adam has done talks at several different WordCamps about these best practices. If you’re interested in hearing more from him, here’s a session he did at WordCamp Portland 2018.

So what do you say? Let’s jump in with best practice #1.

1. Backups

Backups allow you to travel back to your site’s golden days if it ever experiences a breach *tosses salt over his left shoulder*. There are a whole lot of great tools out there to help you get the job done, but there’s one especially important feature to look out for – off-site storage. Saving your backup files on a different server than your site will prevent the backups from being compromised in the event of a hack-attack.

Depending on your budget, there are several free and paid plugins that make manually or automatically backing up your site very simple. Updraft Plus has a free version of there plugin that allows you to connect a Dropbox or Google Drive folder.

Or, if you’re already a WPMU DEV member, Snapshot Pro has all the backup bells and whistles you need. Including 10GB of remote cloud storage (OOooO)!

2. Updates

Keeping with the times and running updates on themes, plugins, and WordPress core plays a pivotal role in maintaining your site’s security. Sure, some updates only fix bugs or improve performance, but others patch security vulnerabilities. THIS is why using well-maintained products is so important because if a plugin sits untouched for too long it becomes more susceptible to intruders.

If you’re just running a site or two, like me, then logging into the WordPress admin and clicking “Update Plugins” isn’t too much of a hassle. It becomes more problematic when you have a lot of sites to look after. If that’s you, it might be time to consider a site management hub.

3. Strong passwords

I’m a “keep it simple, stupid” kinda guy, and the whole “strong” and “unique” passwords thing really throws a wrench in that. These days, our browsers and even WordPress make strong password suggestions. That’s cool and all, but with all the accounts we have across emails, social media, and WordPress, the greater battle is remembering all of those strong and unique logins.

Thankfully, there are a bunch of password managers out there that allow me to maintain my KISS lifestyle. LastPass has a free and paid version. 1Password starts at $2.99. Both of these password managers can store, generate, and paste your powerful passwords on demand. All you have to remember is ONE “master password”.

4. Firewalls and Content Delivery Networks (CDNs)

Okay, when it comes to Firewalls, I can’t/won’t suggest any free options (sorryboutit). Here’s why:

There are two types of firewalls, network firewalls, and web application firewalls (WAFs). Network firewalls happen on a hosting level, and quality hosting costs money!

If you listened to the episode of “Hello, WP!” that inspired this blog post, then you know that we aren’t (or at least our CTO isn’t) big fans of having WAFs in plugins. Firewalls stand between your site and its users by overseeing incoming and outgoing traffic…kinda like a fence around a house. Putting a firewall in a plugin is like putting a fence inside your house…and who does that? So for that reason, we don’t include a firewall in our security plugin, Defender.

Instead, we encourage the use of services like Cloudflare. Cloudflare offers a paid WAF service that is constantly updated and monitored.

Cloudflare WAF service landing page
For real protection use a server-side WAF like Cloudflare.

5. Monitoring

In some way, shape, or form monitoring is included in every one of these best practices. For example, you gotta monitor your website in order to keep up with updates, the internet must be monitored to maintain a strong firewall, and you use your strong and unique passwords in order to monitor your websites.

Monitoring is key to running a tight ship, but if you’re like me and know very little about code, or even if you’re not like me and are a coding wiz, running regular security scans help us tie up the loose ends, and alert us when things are running amuck. Our free security plugin, Defender, can run automatic malware scans, make security suggestions, checks code, and much more. Oh yeah…and he’s free (incase you missed that)!

You can also use a free site scanner like WP Checkup for a complete site diagnostic or Sucuri’s free malware/security specific scanner to find issues and stay ahead of vulnerabilities.

6. Two-Factor Authentication or 2FA

Defender 2-step verification Google integration
Use Defender to quickly setup Google’s 2-Step Verification on any WordPress site.

This probably goes without saying, but 2FA is when you verify an account by receiving a special number by call, text, or the like. Google is the master of 2FA. So I’ll keep this simple, you can enable two-factor authentication for free on your WordPress site with our luchador friend mentioned above, Defender, or with a slew of other great plugins like Google Authenticator.

7. VPN or Virtual Private Networks

Prior to speaking with Adam, I had never heard of a VPN. But as one of those coffee-shop-dwelling hipsters and remote WordPress-ers…I should have been using one a long time ago! A VPN encrypts your data before the internet provider gets it.

Without a VPN, a tech-savvy person with loose morals could hop on the same open wifi network as you, see what you’re up to, and even access personal information. In recent years, internet browsers have begun to block non-private networks. If you browse with Google Chrome, you might be familiar with their block message that says, “Attackers might be trying to steal your information from [domain] (for example, passwords, messages, or credit cards).”

If you’re interested in implementing a VPN, TunnelBear has a FREE plan available. Not to mention…they also just have fun branding!

If you’re able to stay within the parameters of TunnelBear’s free plan, go for it! But in most cases, using a free VPN is *not* a good idea. One study, done by Top10VPN.comhas shown that many of them “featured questionable permissions or functions buried in their source code that could potentially be used to spy on users.”

The Seven Wonders of Internet Security

In a way, engaging in internet security best practices are ways of following the golden rule. Create safe and secure websites for your users, because you want a safe a secure world wide web!

If this gets you excited, checkout our Ultimate Guide to Security and don’t miss a thing with our 32-point WordPress security checklist.

Finally, take your WordPress security to the next level with 30-days of our premium security, backups, hosting and performance optimization free. If your site’s already been hacked we’ll help you clean it up.

Micah Dailey
Got any other tips? Tell us how you protect yourself on the web in the comments bellow. And don't forget to visit hellowp.world and listen to our podcast.