WordPress is an open source project developed by a community from all over the world. A lot of experts spend their time making WordPress as secure as possible. But I'm not in a position to say it is bulletproof against security vulnerabilities. You can see that a number of security issues have been reported, fixed and disclosed on WordPress's HackerOne page. You can report a security issue too; if it is valid, you'll get a bounty!
With that said, I would like to share a couple of best practices I used to harden my WordPress site.
Add HTTPS to your WordPress site
You must have HTTPS for your site. SSL certificates are now free and easy to install. If you are on shared hosting, ask your hosting provider to add a free SSL certificate for you.
I'm on a Vultr VPS, and I used this guide to add a Let's Encrypt SSL certificate for this blog: Install Let's Encrypt SSL on One-Click WordPress App.
If you are on shared hosting with cPanel, it has the AutoSSL feature enabled by default (it should be). All you need to do is open a ticket with your hosting provider's support and ask them to enable SSL for your domains.
Or you can use the free SSL from Cloudflare. Open a Cloudflare account and follow their instructions to move your nameservers and DNS over to Cloudflare. Then, from your WordPress admin, install the Cloudflare plugin and activate the SSL feature.
Enable Two-Step Authentication for Your Admin Login
Enable WordPress.com sign-in from the Jetpack security settings page. Then also enable Require two-step authentication. You need to follow the setup instructions to enable it.
Always Code Review a Plugin/Theme Before Installing or Updating
Most WordPress hacks come from plugin vulnerabilities. So every time I want to install a plugin, this is what I always do to vet it:
- Always get the plugin from a trusted source
- Read the plugin reviews
- Check the plugin in the WPScan Vulnerability Database
- Open the source code and do a code review based on the WordPress Coding Standards and 10up Engineering Best Practices.
- Test it in a local/staging environment
So, from the vetting process: if the plugin is poorly written and goes against the coding standards and best practices, I would rather not install that plugin and find something else. But if I really need that plugin, what I always do is patch the code, remove the high-risk code, and then install it. Sometimes I also email the plugin owner my patch so they can fix their product.
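The code review step is manual work, but a reviewer can triage where to look first. As an added example (not code from the original post), this Python helper flags the constructs a reviewer would check first in a plugin's PHP: dynamic code execution, decoding of hidden code, shell commands, unprepared $wpdb queries, remote includes, and superglobal reads with no sanitizer on the same line; the rule list and the sample plugin fragment are constructed for this example and are a starting point, not a substitute for reading the code.

```python
import re
# Rule name -> pattern. Constructed for this example; a starting point, not an exhaustive list.
RULES = {
    "eval": re.compile(r"\beval\s*\("),                                          # dynamic code execution
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),  # decoding hidden code
    "shell": re.compile(r"\b(?:system|exec|shell_exec|passthru|proc_open|popen)\s*\("),
    "raw-sql": re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row)\s*\((?![^;]*->prepare)"),
    "remote-include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://"),
}
# A superglobal read is flagged unless a WordPress sanitizer/validator sits on the same line.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[")
SANITIZED = re.compile(r"\b(?:sanitize_\w+|absint|intval|esc_\w+|wp_kses\w*|wp_verify_nonce"
                       r"|check_admin_referer|check_ajax_referer)\s*\(")
HIGH_RISK = {"eval", "obfuscation", "shell", "remote-include"}  # strip these before installing

def scan_php(source: str) -> list:
    """Return (line_no, rule_name, line) findings, in source order, for one PHP file."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if text.startswith(("//", "/*", "*", "#")):
            continue  # skip comment lines to cut noise (a crude heuristic)
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((no, name, text))
        if SUPERGLOBAL.search(line) and not SANITIZED.search(line):
            findings.append((no, "unsanitized-input", text))
    return findings

def needs_patching(findings) -> bool:
    """True when any finding is in the set that should be removed before installing."""
    return any(name in HIGH_RISK for _, name, _ in findings)

SAMPLE_PLUGIN = r"""<?php
/* Plugin Name: Demo Widget (constructed sample, not a real plugin) */
add_action('admin_post_demo_save', 'demo_save');
function demo_save() {
    check_admin_referer('demo_save');
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ) );
    $raw = $_GET['q'];
    global $wpdb;
    $wpdb->query("DELETE FROM {$wpdb->posts} WHERE post_title = '$raw'");
    eval(base64_decode($config));
}
"""

if __name__ == "__main__":
    for no, name, text in scan_php(SAMPLE_PLUGIN):
        print(f"line {no}: [{name}] {text}")
    print("needs patching before install:", needs_patching(scan_php(SAMPLE_PLUGIN)))
```

Run it over every PHP file in the plugin and read each flagged line in context; a finding is a prompt to review, not proof of a vulnerability.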
Keep Your WordPress Up to Date
By default, WordPress auto-updates when there is a security release. But just in case your WordPress hasn't updated, always keep your WordPress on the latest release.
Maintain Your Website Daily
Check your website daily, use it, write content. Most WordPress sites also get hacked because they have been abandoned.
That's all I can share today; I hope it's useful for you. Remember, your site is only as secure as the care you put into it.