Security is only as good as the weakest link in the chain. Good security is achieved both by using the right tools and by following the right procedures, which means taking a suspicious view of others online and minimizing exposure to risk. The internet can be a dangerous place, so you must be alert to the risks.
WordPress Site Security
A typical site should have most of the following security measures in place:
- Brute Force Login Protection – this can be implemented through a security plugin such as WordFence, or the Protect module in JetPack, or by rules in .htaccess, or by moving the location of wp-login.php to another URL, or by using a Web Application Firewall such as Cloudflare or Incapsula
- Strong database names, database user names and database passwords – set manually during installation
- Strong WordPress admin username and passwords – set manually during installation and new user creation
- Hide WordPress username – make user_login different from user_nicename (the author slug) either using phpMyAdmin or using Genesis Club Pro
- Hide login error messages – this can be done in a security plugin such as WordFence
- Change database prefix from wp_ to something else – this can be done during the WordPress installation
- Injection Blocking – The apache mod_security module and additional htaccess rules can be set up to detect and block URL querystrings with embedded commands. Most security plugins will also do some scanning of the querystrings for malicious content
- Referrer Spam Blocking – add some checks to your .htaccess to block referrer spam which can otherwise flood your analytics
- Form Spam Blocking – use a human captcha, an invisible machine captcha or a honeytrap to block robots filling in your form. Plugins such as JetPack, Contact Form 7 and Gravity Forms are recommended
- Comment Spam Blocking – JetPack Comments and Akismet provide blocking of spam. Or you can use Antispam Bee. You can also add rules in .htaccess that block any comments that do not originate from comment forms on your site
- Intrusion Detection – detection is as important as (and arguably more important than) protection. You will want to know as soon as possible that your site has been compromised so you can take action to recover and repair it. Typically a security plugin such as WordFence is used to scan the files for unauthorized changes and alert you to any anomalies
- WordPress Security Updates – it is important to keep WordPress up to date, as security holes are made public to everyone, and this includes hackers. Enable automatic WordPress updates for the WordPress core files. You can also use plugins such as MainWP to keep plugins and themes up to date.
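The .htaccess rules mentioned under Comment Spam Blocking and Referrer Spam Blocking, as an added example that is not part of the original post. It assumes the site is served at example.com (placeholder) and that mod_rewrite is enabled; the spam referrer names are constructed placeholders, not a real list.

```apache
# Added example, not from the original post. Replace example.com with your
# own domain and the placeholder referrer names with the domains you actually
# see flooding your analytics.
<IfModule mod_rewrite.c>
RewriteEngine On

# Comment spam: accept a POST to wp-comments-post.php only when the Referer
# is this site (the comment form lives here) and a User-Agent is present.
# Conditions: POST AND comment endpoint AND (foreign Referer OR empty UA).
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^ - [F,L]

# Referrer spam: refuse any request whose Referer names a known spam domain
# (placeholder names below), so it never reaches WordPress or your analytics.
RewriteCond %{HTTP_REFERER} (spam-referrer-one|spam-referrer-two)\.example [NC]
RewriteRule ^ - [F,L]
</IfModule>
```

The comment rule relies on browsers sending a Referer; if you set a Referrer-Policy of no-referrer on your own pages, legitimate commenters would be blocked too, so check your policy before enabling it.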
General Security Precautions
You may have your site locked down as described above but if you do not look after your passwords and email then all your good work on the site security may be compromised.
Many business people have lost thousands of dollars and been blackmailed when their email account has been taken over by a hacker. Once in, the hacker has access to your passwords, your personal data and your contacts. They can then start transferring your domains to other legal entities outside your country. It is a horrible situation. Recovery can take weeks, be expensive and be very disruptive to your business.
- Email Security – use 2 factor security for your Googlemail and other email accounts
- Password Security – use a system such as LastPass to hold your passwords and delete all your emails that contain passwords – you can keep a master password file locally as a backup – I put this on an encrypted file held on a thumb drive – you can also give temporary access to third parties via LastPass without their knowing what the password is.
- File Security – keep all your personal data you want to keep secure on external drives – 1 terabyte of storage costs around $70 – this means if you have to return a laptop to the store for repair then your data cannot be compromised – all you should keep on the internal hard drive is the operating system and the installed programs – nothing you cannot replace
- Drive Organization – I recommend using 5 external drives:
  - Media Drive – size around 1TB; this contains images, video, music and books – this is also backed up to iCloud or OneDrive so it is accessible from all devices
  - Documents Drive – size around 250GB; this personal data is backed up locally and to Amazon S3 in an encrypted format
  - Work Drive – size around 250GB – this contains client files, project files and software download kits; this is also backed up locally and to Amazon S3 in an encrypted format
  - Current Drive – size around 16GB – this contains files I use daily – the current project, the security file – this is held on a thumb drive which is formatted as FAT32 so I can plug it in to either my MacBook or my desktop PC. The thumb drive is backed up daily.
  - Backup Drive(s) – a size of 1TB is required for Time Machine to provide daily backups of my MacBook. On Windows I have a backup drive for System Image Backups
- Anti-Virus Software – on desktops and laptops use anti-virus software and a firewall such as Avast to protect against malicious downloads