In his How to Take Your WordPress Site Security to the Next Level online presentation at the Rochester WordPress Users Meetup, senior software engineer (and my friend) Chris Wiegman, shared practical advice and actionable steps sites owners can take to protect their sites from attackers.
While the focus was on WordPress sites, many tips Chris shared apply to every site on the web.
As well as anyone who uses the web.
What I liked most about Chris’s talk: he didn’t only focus on website protection.
Chris emphasized the importance of making sure your:
- Digital devices
- Operating systems
- Internet Service Provider connection
- Domain name server configuration
- Digital tools you use on your site
You want to protect your data, privacy, and the people who visit your website.
He recommended site owners think beyond only site security and consider all the other ways to improve security.
Here are my takeaways from Chris’s presentation.
How to Take Your WordPress Site Security to the Next Level
- Think of security as three layers: network (Internet traffic before it reaches your site), server (your web host and the technology the web host uses for storing, processing, and displaying your site), and application (what runs on your sites)
- Keep your computer secure: do you have a firewall? Are you using disk encryption?
- If you haven’t already, set up a Virtual Private Netwok (VPN) to encrypt traffic between your computer and services.
- Use unique passwords for every site. Recommendation: use a password manager manage your passwords. And make sure you use two factor authentication (2FA). His recommendation: hardware keys like Yubikey.
- Protect information on your computer/laptop monitor: use a privacy screen. Especially helpful when you’re working in a coffee shop, airport, or at a meetup. Privacy screens are standard size for Macs, but for other laptops/computers, you’ll need to check the size of your monitor.
- Use https, make sure your site is using SSL to encrypt browser’s connection with your site. Most web hosts offer SSL certificates with hosting. Check on the type of SSL certificate offered.
- Upgrade your DNS (domain name server) to protect against cross-site scripting and cross-site request forgery. One option: NextDNS, which prevents your Internet Service Provider from seeing sites you visit and blocks ads.
- In your domain records, increase your TTL (Time to Live) for your domains to 24 hours or more. Which protects someone from
- Detection and recovery are crucial for maintaining a secure site.
- Avoid using FTP (File Transfer Protocol), which passes login credentials unencrypted. Instead use SSH (Secure Shell Protocol) or SFTP (Secure FTP) to encrypt your connection. Depending on your web host, this may be set up automatically for you. Or you may need to request it.
- Stay aware and keep updated on WordPress security issues. Know when plugins, themes, or core WordPress have a problem by subscribing to WP Security Bloggers or the Wordfence blog.
- Review automatic update settings for WordPress and plugins in your site and web host setup
- Plugins like Wordfence, iThemes Security, and Stream can track user actions and identify issues on your site. But don’t rely only on plugins. Review your site performance, content, traffic spikes, user problems regularly.
- Use external tools to watch your site and report problems; they run independently of your site: Jetpack, New Relic, Google Search Console.
- Take regular automated backups of your site. And verify the backups work. (Note: don’t store backups on your site.)
- When/if your site gets hacked, know who to call. (Personal note: I’ve relied on Sucuri in the past.)
Chris graciously posted the link to his presentation slides.
My thanks to the Rochester WordPress Users Group for hosting Chris and providing a livestream of the presentation.