Basic WordPress Security Recommendations to easily secure any WordPress website, without the need for an Experienced WordPress Developer or System Administrator.
Please understand, this is a very basic and dumbed-down approach to WordPress security, for WordPress beginners, based on my personal experiences and preferences. I believe WordPress Security, as far as beginners are concerned, starts in the selection of a WordPress Web Host.
I am currently using Web Synthesis because their architecture is designed to maximize security with proactive monitoring, patching, and constantly evolving innovation.
Web Synthesis makes security a priority.
I use the Genesis Framework because it was built with security in mind and the developers (StudioPress) went to great lengths to make sure WordPress Security Best Practices were followed.
I use child themes as the design layer, leaving the Genesis Framework to handle structure and security. So, when a security issue is discovered, StudioPress can push out Genesis updates without impacting my website’s design.
I always eliminate the default user, limit the number of Administrator accounts, assign users the lowest “site role” possible and deactivate inactive user accounts (or at the very least, change their “site role” to “subscriber” or “no role”).
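The account checks above can be run against a user export. This is an added example, not code from the article or from WordPress. It assumes the export comes from WP-CLI's `wp user list --fields=ID,user_login,roles --format=csv`, that the "default user" is the login `admin`, and that two Administrators is the site's limit; the sample rows are constructed.

```python
import csv
import io

# Constructed sample in the shape of:
#   wp user list --fields=ID,user_login,roles --format=csv
SAMPLE_EXPORT = """ID,user_login,roles
1,admin,administrator
2,jane,administrator
3,bob,"editor,administrator"
4,carol,author
5,dave,
6,erin,subscriber
"""

MAX_ADMINS = 2                 # assumption: site policy, not a WordPress setting
DEFAULT_LOGINS = {"admin"}     # assumption: the "default user" is the login "admin"
PARKED_ROLES = {"subscriber"}  # role the article uses to park inactive accounts


def audit_users(csv_text, max_admins=MAX_ADMINS):
    """Summarise the accounts that need review under the rules above."""
    report = {"default_users": [], "administrators": [], "parked": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        # Multiple roles arrive comma-joined; an empty field means "no role".
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if login.lower() in DEFAULT_LOGINS:
            report["default_users"].append(login)
        if "administrator" in roles:
            report["administrators"].append(login)
        # Parked means no role at all, or nothing beyond subscriber.
        if roles <= PARKED_ROLES:
            report["parked"].append(login)
    report["over_admin_limit"] = len(report["administrators"]) > max_admins
    return report


if __name__ == "__main__":
    for key, value in audit_users(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```
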
If you want to take this a step further, you may be interested in the WP Security Audit Log – WordPress Plugin, which tracks what a user does, while logged in to your WordPress website.
I use a Password Policy Manager to enforce Strong Passwords for all user accounts.
I use Authy Two Factor Authentication to provide an additional level of protection, beyond the security of username and password combinations.
Secure Sockets Layer (SSL)
SSL is generally enforced for the entire website, but always enforced for logged-in users.
If you want to read more about WordPress Security I recommend the WordPress Security – Cutting Through The BS article, from Sucuri. This article goes much deeper into the WordPress Security Rabbit Hole, though many of their suggestions may require access to an Experienced WordPress Developer and/or System Administrator.
If you need help with WordPress or your website, contact me over on https://bamajr.com/, my business’ website.
Like I mentioned in my Tony Smieja Patriot Web Tech Scam article, I don’t often add to my articles, especially so long after they were posted. However, when I feel like making a point, without publishing a new article, I’ll make an exception.
I no longer recommend the use of Sucuri, their WordPress Plugin(s) or any of their services. After the GoDaddy + Sucuri: Building a Security Platform For Every Website Owner – Sucuri article was published, Sucuri instantly sank to the very bottom of a long line of security plugins.
In the past, I may have used a few GoDaddy services, but I have never been happy with their service. These days, it is my opinion, you have to be scraping the bottom of the barrel to even consider using something with the GoDaddy name on it.
Their platform sucks! Their support sucks! Their technology sucks.
GoDaddy is the hallmark of inefficiency and piss-poor performance.
If GoDaddy has their hands on Sucuri, it automatically sucks by affiliation. Joining GoDaddy is unfortunate news. I still have great respect for the body of knowledge provided by Tony Perez and Daniel Cid. They have contributed much to the WordPress community and I hope they will have a positive impact on GoDaddy. However, as long as their product(s)/service(s) are part of GoDaddy, they will never appear on a system I manage.