Setting up Site Security

STEP 1: CHOOSE A GOOD WORDPRESS HOSTING PROVIDER TO ENSURE THAT YOU HAVE GOOD ACCOUNT ISOLATION.

Setting up website security is the first thing I do. I then make sure that I’m using a reputable host. Because it’s very important that you have isolation between accounts on a shared hosting provider. If a host doesn’t provide good isolation between accounts, what that means is if an attacker compromises one account on a shared server they can also access other accounts on that same server and you get cross-contamination. When you choose a hosting provider, it is important that they know how to configure their permissions on their servers so that you don’t have cross-contamination if one of the accounts gets hacked on that server.

It’s very rare to see a hosting provider that does not have good processes of setting up website security. It’s crucial to have accounts isolated, but we do see it about every couple of months. It’s usually newer hosting providers and smaller hosting providers as well. But that doesn’t mean you shouldn’t choose a small host. There a lot of great small hosting providers out there. You have to make sure that they’ve been in business for a little while and ironed out all the bugs. Whilst also making sure that they have a good reputation.

STEP 2: INSTALL THE NEWEST VERSIONS OF WORDPRESS CORE, THEMES AND PLUGINS YOU NEED. 

The next step in setting up website security is to install the newest WordPress core. You always want to choose the newest version of WordPress core when you’re installing WordPress. The older versions of WordPress have known vulnerabilities, and if you install an older version there is a greater chance it will get hacked because attackers will exploit those vulnerabilities. So always install the newest version of core available at wordpress.org.

Of course, you then need to install your plugins and your themes. You’ll usually just have one theme and you’ll have multiple plugins, let’s say 5 plugins. Always get those plugins and your theme from a reputable source. Get them from wordpress.org or your plugins and your themes from a good reputable commercial provider because there’s something called a nulled plugin or a nulled theme. This is when an attacker downloads a reputable plug-in, put their own malicious code in it, and then they throw it up on their own website which looks like a legitimate site but actually it’s not. When you download the plug-in from there you are getting hacked code, resulting in your system becoming compromised, and you’ve got a real mess on your hands. So make sure that you get your plugins and your themes from a reputable source.

STEP 3: KEEP EVERYTHING UPDATED. THAT INCLUDES WORDPRESS CORE, YOUR PLUGINS AND, YOUR THEMES.

Then, of course, you have to keep everything up to date. Security is not a single event, and you don’t go in and just secure a website or a system, you actually have to have a routine, let’s say a weekly routine.  Every few days or every week go in and make sure that everything is up-to-date, that everything’s secure even if you’ve got security systems installed, of course, it can send you emails letting you know you’ve got a theme or a plugin that’s out of date, or a core that needs updating. It can also send you all sorts of other helpful alerts related to security. So make sure you keep an eye on those alerts and actually respond to them accordingly.

STEP 4: WHEN SETTING UP WEBSITE SECURITY REMEMBER TO USE STRONG PASSWORDS AND DON’T REUSE THEM.

The next step in setting up website security is setting up minimum viable security where you need strong passwords. That means that your passwords need to be complex. If you’re setting up an administrator account on WordPress, we recommend that you have a password length of at least 12 characters and that you choose from lowercase letters, uppercase letters, numbers, and symbols. That way you’ll have a password that’s complex enough making it very difficult for an attacker to crack your password if they happen to download the hash of your password plus remember that in every CMS Website Security Matters.

Set unique passwords

Also, use unique passwords across all of the services that you use. The reason you should do this is that if one of those systems gets compromised, the first thing the attacker does is download the user accounts from the database. The attacker will try to use those accounts to log into other services and compromise those too. So use unique passwords across all of the services that you use.

I know that’s a lot to ask and it’s a real pain as it’s very easy to remember one short password and use that same password across all of the systems. But this is really important. One of the tricks you can use is to use a password manager, like one password, to manage your passwords. The password manager will generate a password for you that’s very complex, long and has multiple characters in it. And then, of course, it’ll store it in a very easy-to-use database that you can then access at some point.

If you really don’t want to use a password manager you can also use a formula that you memorise and use to uniquely generate a complex password in your head for each service that you use. That’s one of the systems, that I’ve used in the past and it gives you a way to have unique passwords across all systems. If your passwords are complex enough then you’re in pretty good shape.