The company I work at makes cybersecurity hardware and we are launching a new WordPress site in about 6 weeks.
I have been tasked with finding out what are the best ways to safeguard the new site against all possible cyber threats.
What plugins, configurations and any other details would you recommend to do an absolute overkill for securing a wp site? TIA

The best way is really to not rely on plugins. If you need them, pick big and well-known plugins with many installs and active development.
Other than that, there are some plugins like Wordfence, and iThemes security you can check out. They both have checklists of common fixes, and can do periodic scans of files.
You should also keep sites on a host where that doesn’t share privilege, so a hacked site on the same host/Linux user can’t affect your site. Ideally a dedicated host, or a cloud host with security implemented.
WordPress itself, and its code, is really pretty secure.
>against all possible cyber threats
Literally impossible unless your site can only be viewed and used in a closed room with no internet access, windows or doors.
Your best defense against MOST security threats are your standard Security protocols…
* Don’t install random plugins/themes
* Don’t copy and paste code from un-trusted sources
* Use a strong password and make sure your user isn’t named Admin
* Disable xmlrpc.php
* Change your WordPress Login Page
* Stay on top of WordPress, Plugin and Theme updates
* Use WordFence to monitor potential vulnerabilities
* If your hosting provider allows it, block IP ranges from countries you have no intention of doing business with (EX: China, Russia, Iran, etc.) This will significantly reduce the amount of probing that occurs
* If running a VPS or dedicated server, ensure you have fail2ban enabled
There’s probably a few others I’m missing, but this is the general gist.
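The fail2ban item in the checklist above is only as good as the filter behind it. As an added illustration (not code from the original post), this is the logic such a filter applies: parse Apache combined-log lines, treat a POST to wp-login.php that comes back with a 200 (the login form re-rendered, i.e. a bad password; a successful login answers 302) or any POST to xmlrpc.php as a failure, and flag an IP once it produces `maxretry` failures inside a `findtime` window. The log lines are constructed sample data using documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not from the post): one IP hammers
# wp-login.php, one probes xmlrpc.php, one user logs in successfully (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
198.51.100.22 - - [10/Mar/2024:12:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.5 - - [10/Mar/2024:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_auth_failure(method, path, status):
    """WordPress re-renders the login form with 200 on a bad password and
    redirects (302) on success; any POST to xmlrpc.php counts as a failure."""
    if method != "POST":
        return False
    if path.startswith("/wp-login.php"):
        return status == 200
    return path.startswith("/xmlrpc.php")

def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style check: {ip: total failures} for every IP that produced
    at least `maxretry` failures inside some `findtime` window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_auth_failure(m["method"], m["path"], int(m["status"])):
            failures[m["ip"]].append(
                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders
```

`find_offenders(SAMPLE_LOG)` returns only the wp-login.php brute-forcer; lowering `maxretry` to 2 also flags the xmlrpc.php prober, while the successful 302 login is never counted.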
I recommend Wordfence for a plugin. Looks like others in the comments have given a lot of helpful info too.
Wordfence, Sucuri, CloudFlare DNS with their paid security add-ons.
Try MalCare – Lightest and Dependable WordPress Security plugin
With WordPress.org or .com? What theme?
I see recommendations for application-level firewalls like Wordfence. I think there’s a place for them but I also think that at least to some extent they are the wrong tool doing the right thing.
Look at modules for your webserver that filter http. Apache has modsecurity, which has a ruleset for WordPress.
Modsecurity is not plug-and-play.
It needs to be learnt, configured and tested.
Sign up for the newsletters of the vendors for every plugin you use. They’ll notify you of any security issues. Reputable vendors generally roll out fixes very quickly – most often before exploits are seen in the wild.
Don’t build forms yourself.
The most popular form builder plugins for WordPress use the safety measures offered by the WordPress APIs.
That stuff is tedious to code for yourself. And tedium can result in overlooking important things. So use something like gravity or wpforms and let them take care of that stuff for you.
Of course you shouldn’t simply trust those vendors: you are a security firm. So get your colleagues to test any forms you use.
Harden your host. Harden your HTTP server. Secure your DB server.
I don’t know which host, OS or HTTP server you’re using, but there are some good guides for this for LAMP or whatever you are using.
But if you are working for a security firm, and you aren’t an expert sysadmin then you should contract configuration/admin’ing to an expert anyway. It could be costly but no cybersecurity firm wants to be embarrassed by having their online shit owned.
Keep your OS updated.
Keep your server isolated.
Maybe use a virtual appliance for your web server.
Along with the rest, don’t forget 2FA
change the admin login from wp-admin to something else
Hello, Adam here, WordPress site designer/developer/security expert.
I have worked on a do-it-yourself WordPress security guide for a client that I think solves all your problems at once.
Below is a sample of it.
This is the sample; the complete version has 113 pages.
Send me a PM if you want to talk further.
Cheers
PS: the PDF has two methods, one with plugins and one with just code and cPanel.
Securing WordPress is the same as securing any other Internet-facing application. If you work at a company that creates cybersecurity hardware, and isn’t comfortable with the basic concepts around securing Internet-facing applications… I’m not really sure what else to tell you? Maybe a good idea at this point would be for you to let the group know what company it is, so the security professionals in the room can make appropriate decisions accordingly.
Cloudflare + Wordfence.
Don’t even use reCAPTCHA on my forms with these 2, lol. Google’s reCAPTCHA was the only reason my PageSpeed Insights was failing v0v 160kb JS file that isn’t cached, thx google seemsgood. Now if only I didn’t need analytics I would get rid of their shit gtag script.
It depends on what you’re trying to secure.
Assuming there’s no sensitive data stored on the site, your number one task is to have the ability to restore your site from backup, and have daily (minimum) backups taken. WPEngine is a good hosting platform for this.
After that, you do all the other things people have listed in this post.
You can’t. It’s impossible.
Switch to Joomla or some other framework.
WordPress was designed to be a blog framework … 20 years ago.
It’s been bastardized repeatedly over the years to handle the plugins – but it’s never been secure.
I’ve had easily 200 clients over the years which got hacked. I fixed the sites but…
Impossible to stop the hackers.
I should note that I was a NetSec expert / consultant for 12 years and that I’ve been building web sites since 1994.
I think WordPress is already secure, but themes and plugins possibly not.