M3Server Technical Blog FAQ WordPress Security Checklist

WordPress Security Checklist

If you don’t keep your personal computer updated, you will have security issues, and malware is the most common one. The same goes for your WordPress site: if you don’t update it, you will get compromised. How? Web bots are constantly scanning for known files (themes, plugins) with security vulnerabilities. We call these backdoors.

Your personal computer can be very secure, but if your application is not, then you have problems.

How to secure WordPress:

A) UPDATE YOUR BACKUPS FIRST!
OPEN YOUR FTP CLIENT AND DOWNLOAD YOUR CONTENT/DATABASES, etc.

You have been urgently warned. Data safety is your responsibility. Prevent data loss by keeping your OWN backups. Don’t rely on the free emergency backups provided by your hosting company.

Avoid using WordPress backup plugins, especially if your site is very large (larger than a few GB) or if you have many sites on a single server. Doing so places an enormous load on your server and could even crash it. How? Imagine 30 sites of 5 GB each all launching a backup task at the same time – BOOM!

B) Verify your backups.
Locate the backups on your computer. If you’re satisfied, you may proceed with confidence.

C) Update your admin password.
Even better, create a new user with a complex user name that is not easily guessed and give it full admin access. Then log in with that user to test it. Once confirmed, demote the default login name, admin, to the subscriber role only, to close yet another vulnerability door.

# 1) Review themes and plugins for each web site.

In some cases this means each instance of WordPress, if more than one is installed per site, such as:
your_site.com/blog1
your_site.com/blog2

Disabled themes and plugins remain security risks as long as they are on the server. Delete them from the server to close those security holes.

# 2) Choose a site to update.

– Disable current plugins for safety
– Update WordPress
– Update theme
– Update plugins
– Activate plugins

Pay close attention to compatibility. When in doubt, ask the author of the plugin or theme before enabling it. Failure to do so may leave your site inoperable.

If this happens, review this post:

# 3) Review content inventory via FTP

Verify via FTP that only your own plugin and theme directories exist. If you notice any suspicious directories containing php, html or shtml files, open your FTP client, download a file from that directory and open it in a text editor. Remove all files that you know are not yours.
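As an added example (not from the M3Server post), a small POSIX shell script that performs the inventory from steps 1 and 3 on the server side: it compares wp-content/plugins and wp-content/themes against the list of items you know you installed, and flags PHP/HTML/SHTML files inside uploads/, where only media belongs. The plugin name wp-stats-helper and the directory layout in demo_audit are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example: inventory a WordPress wp-content tree against the owner's
# own list of expected plugins and themes, and flag PHP/HTML/SHTML files under
# uploads/. Prints one finding per line; exit status 0 only when nothing was flagged.
# Usage: audit_wp_content /path/to/wp-content "plugin1 plugin2" "theme1"

audit_wp_content() {
  root=$1; plugins=$2; themes=$3
  findings=""
  # Any plugin directory not on the expected list is reported.
  for d in "$root"/plugins/*/; do
    [ -d "$d" ] || continue
    slug=$(basename "$d")
    case " $plugins " in *" $slug "*) ;; *) findings="$findings unexpected-plugin:$slug" ;; esac
  done
  # Same check for themes (disabled themes left on disk are still a risk).
  for d in "$root"/themes/*/; do
    [ -d "$d" ] || continue
    slug=$(basename "$d")
    case " $themes " in *" $slug "*) ;; *) findings="$findings unexpected-theme:$slug" ;; esac
  done
  # Script-like files inside uploads/ are a classic sign of a dropped web shell.
  for f in $(find "$root/uploads" -type f \( -name '*.php' -o -name '*.html' -o -name '*.shtml' \) 2>/dev/null); do
    findings="$findings script-in-uploads:${f#$root/}"
  done
  for x in $findings; do printf '%s\n' "$x"; done
  [ -z "$findings" ]
}

# Builds a small constructed tree (one rogue plugin, one PHP file in uploads/)
# and runs the audit over it, so the example works without a real site.
demo_audit() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/plugins/akismet" "$tmp/wp-content/plugins/wp-stats-helper" \
           "$tmp/wp-content/themes/twentytwentyfour" "$tmp/wp-content/uploads/2024/05"
  : > "$tmp/wp-content/uploads/2024/05/photo.jpg"
  : > "$tmp/wp-content/uploads/2024/05/index.php"
  audit_wp_content "$tmp/wp-content" "akismet" "twentytwentyfour"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

demo_audit || echo "review the findings above"
```

On a real server, point audit_wp_content at each site's wp-content directory and keep the expected lists in a file you maintain alongside your backups, so a new directory stands out immediately.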

# 4) Repeat the above for all sites remaining on your server.

Security starts with your files, users, and passwords. One security flaw can lead to exploits and malware on all of your sites.

# 5) Hardening your WordPress

If your site is serious business, you need to follow the WordPress security guide to “harden” your software install:

https://codex.wordpress.org/Hardening_WordPress

One thing to notice on the page above:
“If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.”

Even if this is your own VPS or dedicated server, if it hosts more than one web site you are indeed sharing hosting with other sites: even though the sites are all yours, they still share a server. For this reason, with WordPress and any other PHP application for that matter, the more sites you host on one server, the greater the security risk. One site can deface, infect or otherwise alter another site. Be very diligent in your security practices, including passwords and software updates.

We keep your server secure and updated, however, security and management of your site(s) is your responsibility.

Finally, you may want to subscribe to a 3rd party service for monitoring of security incidents.
You can test your site for free. It’s not perfect, but it is very reliable.

M3 is not affiliated in any way with the site(s) below. We do not receive compensation for clicks or referrals. They are posted here as tools for you to use.

https://sitecheck2.sucuri.net/
https://www.google.com/webmasters/tools/
Any questions regarding usage of the sites above should be directed to their own site/support.

Managed Hosting
M3Server, Inc