TOTALLY kidding!
But I’m ALMOST that dumb. I’m fairly new to WordPress so please keep responses kind and kindergarten-ish.
So my real question is about WordPress security. I built a WordPress site for my small construction company. I’m the only one that logs in to the wp-admin. I have the domain on one host and the website on another.
I am currently using the free version of the MalCare plugin for a set-it-and-forget-it kind of security. I have blocked some country IPs. I update all my plugins as soon as the updates are available (multiple times/week if necessary). I use passwords that are >14 using mixed case and special characters. I back up the site every week.
I don’t know why someone would spend the time to hack into our little site, but I figure if someone did, I could work with the webhost to restore whatever shit they did to our site.
Am I too naive? Do I need to do more?
In reading some of the posts here I see that some people use Wordfence and Cloudflare. I’m not sure what those do, and not sure if our site needs either of those. I’d like to keep the security fairly simple for me to manage.
What steps should I take?
Sounds like you’re doing all you need to do really. Only thing I’d suggest is using a backup plugin that has the option to run on a schedule (e.g. Duplicator, but there are others as well), or check whether your host provides automatic backups (but having your own solution implemented via a plugin can’t hurt).
It’s going to be incredibly unlikely that someone will hack into your site anyway, but the things you’ve done so far are some great ways to keep everything updated and secure. I’d definitely recommend implementing Cloudflare & Wordfence though.
You don’t really need to be updating plugins multiple times per week though, unless one of the updates is a security-related update that’s fixing a major bug. Once per month is probably easier 🙂
For you and your small site the MalCare plugin would be fine since the free version provides login security, a firewall, and bot protection. However, I would look into 2FA since MalCare only provides that on their premium plan. A 2FA plugin I recommend:
WP 2FA – Two-factor authentication for WordPress
Also, you can harden your site further by implementing security headers. I am not sure if MalCare does it.
Edit: Get a backup plugin like UpdraftPlus.
The likeliest entry point isn’t someone trying to hack your site in particular. If a plugin is found to have a security issue, hackers scan the web for sites that use this plugin, and then exploit all those they find.
To minimize chances of getting hacked,
– use as few plugins as possible
– update WordPress, the theme and the plugins regularly
Make a backup regularly, so in case you get hacked, you can restore a clean version of the site easily.
Cloudflare does a good job at protecting your website. You can also use it to restrict access to your country traffic only.
The rest you seem to be doing well.
– Strong password
– Username that’s not admin
– Don’t divulge your username in the front-end
– Regular backup (manual or automated)
If you are worried about your site getting hacked, you could have a static version of your website hosted online instead of using the dynamic website.
I’d keep daily backups and wouldn’t worry too much about security if the website doesn’t take any sort of payments or store users’ data. I’d also be careful about the plugins I use and keep them to a minimum. Just this alone should be enough for most sites. WordPress itself is very secure, and most of the issues happen either due to a plugin/theme vulnerability or due to the owner being tricked using some social engineering technique. In the unlikely case of the site being hacked, you could just restore the latest backup.
Not gonna lie, you had me for a second there…
(I was going to remove this post but I decided to check before I did so)
Always love some funny clickbait on a Saturday in this sub.
I will send you step-by-step instructions on securing WordPress; I am still polishing them up. I will share them for free. It has over 70 pages on how to really secure WordPress. It begins slow and easy and it gets really, really complicated, and you will need to understand the nature of your plugins and functionality to be able to truly secure your site. But I explain it all in great detail.
If you think “people” are the ones hacking your site you are as good as hacked. Get that site on Cloudflare and lock it down!
I work for a managed WordPress host. The vast majority of hacked sites we see are due to weak/compromised admin passwords and it sounds like you’re already aware that you need a strong password.
The only thing I’d suggest you may want to add is forcing 2-factor authentication.