Securing WordPress Basics
I’ve had several inquiries about some of the recent data scrapes, and how to avoid being scraped.
From Wikipedia:
WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was originally created as a blog-publishing system but has evolved to support other web content types including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS) and online stores.
TAKE A BACKUP OF YOUR SYSTEM NOW!!!
The Basics:
- Update your OS.
- Keep WordPress updated.
- Set WordPress Plugins to auto-update.
- WordPress.org Configure Automatic Updates
- Remove unused / deactivated plugins.
- Enable auto-update to themes
- WordPress.org Configure Automatic Updates
- Remove unused themes
- Maintain Backups of both file system and Database.
- Enforce Strong Passwords for privileged accounts.
- Word “Chains” are favored over “Complex” passwords.
- WordChain – This$Table#Has@A!ChairandBook
- Complex – c0Mp13X$p@55#0rd!
- Use a password manager to create and store passwords.
- Use a Security Plugin to require strong passwords.
- Word “Chains” are favored over “Complex” passwords.
- Use 2fa for privileged accounts.
- Use a Security Plugin to provide/require 2fa.
- Configure https/ssl transport.
- Install a WordPress Security Plugin.
- Search the WordPress Plugin Repository
- Use a Plugin that is widely installed.
- Use the help screens and plugin home page to configure.
- Enable Brute force lockouts.
- Enable WAF functionality.
- Whitelist your IP address.
- Use one of the Online WordPress scanners.
- Google WordPress Scanner.
These are the easy and basic things to secure your website, which ends the “self-service” portion of this missive.
