WordPress security is top-of-mind in our house. Things are bad, and just getting worse. Be prepared!
This article was originally published on Oct. 20, 2017, and was updated on Sept. 9, 2019.
I’m including some excerpts from this article not because I’m a big fan of Godaddy hosting (I used to be, but not now – though their domain services have been pretty solid), but because of the increasing frequency and intensity of attempted website intrusions that I monitor. Even this morning, some sophisticated attacks were being launched against a few clients of mine.
Fortunately, this client is a subscriber to a website care plan, so not only were we aware of the attempted breach, we had provisions in place to prevent – and if needed – mitigate the intrusion.
Let’s continue with Godaddy’s blog: I’m going to filter out some of the more techy stuff, but feel free to visit it in its entirety using the link at the end.
As a web designer or developer, why should you care about running a WordPress security scan?
With the growing availability of dedicated solutions, WordPress now makes up 34 percent of the internet. As the most used open-source content management system (CMS), WordPress is also a target for security attacks.
Why is a WordPress security scan so important?
A regular WordPress security scan is far less work than trying to repair a site after the damage has already been done.
In fact, if you’ve noticed that your site has been compromised, it is often easier to recreate the site from scratch than to audit the entire server to determine which backup (if any) is clean of malware.
How to run a WordPress security scan: The checklist
Hold onto your hats because you’re about to receive a checklist on how to generate revenue with an hour of your time!
- Update core files, plugins and themes.
- Remove unused plugins and themes.
- Install an SSL certificate.
- Enforce strong passwords.
- Install a security plugin.
- Use captcha on forms.
- Limit login attempts.
- Turn off file editing.
- Change security keys.
- Secure core files with an .htaccess.
- Disable XML-RPC.
- Audit file permissions.
- Disable PHP error reporting.
- Have a backup plan.
Ready? Let’s dive in!
1. Update core files, plugins and themes
All you have to do is log in to the wp-admin dashboard, hover over the dashboard button on the sidebar, and then in the dropdown menu click Updates. Select the items you want to update — which should be every one listed.
Ken says “Updating some files, plugins & themes can have adverse effects on others – it pays to know which to update, and when. Unless it’s critical, I typically wait a day or so to evaluate feedback from other users, developers and software authors before applying updates”.
2. Remove unused plugins and themes
One of the greatest features of WordPress is its ability to download and run plugins, potentially improving the functionality of your website. That being said, it is possible to have too much of a good thing.
Each plugin installed on your WordPress site makes it more likely to be hacked, as every installation opens new attack vectors. It is not enough to simply deactivate plugins that you aren’t using. You have to delete them in order to remove the vulnerable code from the server.
Removing unused items is equally important for performance, and should be part of any WordPress security scan. The fewer active plugins, the safer and faster the site will run.
3. Install an SSL certificate
It should be painfully obvious by now that every website should have an SSL certificate.
Ken says “I’m going to recommend you leave this to a professional. You may very well get the software/hardware part right, but have you considered the impact on your search engine rankings? The simple act of changing http to https changes the entire URL to your website content. I’m guessing a 404 Not Found page is not the experience your visitors are looking for. Better safe than sorry.”
4. Enforce strong passwords
The most commonly used passwords in 2019 ranged from 123456 to password — which are painfully obvious, insecure and pretty much guarantee that the account will be accessed by an unauthorized user. According to Symantec, a strong password contains at least eight characters, mixing digits, punctuation, and upper- and lowercase letters.
Your WordPress security scan should cover a few obvious things. You should never use the same password twice. It is also important that your password doesn’t include dictionary words or proper nouns, as those are especially prone to the appropriately named dictionary attack.
Ken says “Steps 5-14… pretty techy stuff.”
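For readers who do want the techy part, here is an added wp-config.php fragment (my own example, not code from the GoDaddy article) that implements several of the skipped checklist items: forcing SSL on the admin side (3), turning off file editing (8), changing security keys (9) and disabling PHP error reporting (13). The log path is an assumption; replace it with a directory your server can write to but never serves.

```php
<?php
// Added example (not from the GoDaddy article or this post): wp-config.php
// settings that implement several checklist items the excerpt skips.
// Place these lines above the "/* That's all, stop editing! */" marker.

// Checklist item 3: require HTTPS for the login and admin screens so the
// session cookies are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

// Checklist item 8: turn off the theme/plugin file editor in wp-admin, so a
// stolen admin login cannot drop PHP onto the server through the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
// Optional, stricter: also block plugin/theme installs and updates from
// wp-admin (deploy them from version control or WP-CLI instead).
// define( 'DISALLOW_FILE_MODS', true );

// Checklist item 9: security keys and salts. Replace every placeholder with
// a fresh random value from https://api.wordpress.org/secret-key/1.1/salt/
// Changing them invalidates all existing login cookies, which is exactly
// what you want after a suspected compromise.
define( 'AUTH_KEY',         'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'NONCE_KEY',        'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'AUTH_SALT',        'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );
define( 'NONCE_SALT',       'PLACEHOLDER_REPLACE_WITH_RANDOM_64_CHAR_STRING' );

// Checklist item 13: never show PHP errors to visitors (they leak file paths,
// database names and plugin versions). Log them to a file outside the web
// root instead.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );
// Assumed path: adjust to a directory the web server can write but not serve.
@ini_set( 'error_log', '/var/log/php/wordpress-error.log' );
```

Checklist item 11 (disable XML-RPC) cannot go in wp-config.php because the plugin API is not loaded yet at that point; put `add_filter( 'xmlrpc_enabled', '__return_false' );` in a must-use plugin under wp-content/mu-plugins/ instead.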
14. Have a backup plan
Lastly, we have what I feel is the most important yet neglected task involved with a WordPress security scan. When I say backup plan, I mean it. If the worst case scenario becomes a reality and your website becomes a host to malware, you should already have a plan on how you will get the website back.
In most cases, the clients that I have who refuse to regularly back up their sites end up regretting it. Without a clean backup, your hacked site might never be clean again without having to start all over.
Ken says “Preach.”
Closing thoughts on your WordPress security scan
The instructions I provided are by no means a comprehensive list of security tools and methods and will not make your website bulletproof.
Security in technology is an ever-growing field. New methods of protection are being developed constantly.
By reducing avenues of attack and auditing files through a regular WordPress security scan, you can at least stay on top of the game and ensure that if someone is going to attack you, it won’t be easy.
Ken says “Good advice all around – If you don’t yet have a care plan – an insurance policy for your most valuable online asset – get one soon. This stuff isn’t going away.”
This content was originally published here.