This is not exhaustive but is meant to share some basic WordPress security recommendations.
WordPress is one of the most popular scripts available currently and is powering over 1/3 of the web today:
“Considering that the number of total active websites is estimated at over 172 million according to a survey published by Netcraft, that means that around 75,000,000 websites are using WordPress right now — with around half of those sites (37,500,000) being hosted on the WordPress.com shared hosting installation. This means that around 20% of all self-hosted websites use WordPress, which is still huge.” Source: click here.
What does that mean? This means that WordPress is a fantastic platform for building sites but is often a target due to popularity.
Here are my (Charlottezweb’s) recommendations for your WordPress site:
1. Always ensure your WordPress installation, all plugins and themes are kept up to date. This is incredibly important. Please see recommendation #2 below for an efficient way of managing this.
2. Charlottezweb recommends the plugin WordFence as a solution to assist you in doing step 1 above. WordFence has a free and Premium version available. If nothing else, install the free version. If you’re interested in the Premium version for additional features, please contact us for details or order it directly from them. Charlottezweb doesn’t look to profit from Premium licenses — I’d rather see you secure your sites.
3. Remove plugins or themes that you are no longer using. I login to WordPress sites from time to time and see as many as 10 themes installed. This is more for you to maintain and is also a vulnerability for your site. I would recommend keeping your primary theme and a WordPress default theme (currently “Twenty-twenty”) and removing all others. There’s no reason to keep lots of themes you aren’t using installed – this puts you at risk.
Each year WordPress pushes a new theme to your installation (Twenty-nineteen, Twenty-twenty, etc). Please remove the old ones. I have logged into a few accounts recently that had one theme per year going back to Twenty-eleven. I am finding uploaded malicious files hidden within old themes that can be used for someone to login.
Related to plugins, I’ve seen fake plugins uploaded that seem to be legit but are actually malicious files. Check your plugins and if you didn’t install something, delete it. Only keep the bare minimum of plugins your site needs to run installed. I’ve seen some sites with over 20 plugins installed which is quite scary. The fewer the better.
4. Monitor your WordPress users regularly and delete any you don’t recognize. I’d also recommend changing their passwords regularly. Passwords should be complex and unique — not used as your password anywhere else. I have some sites where there were third-party developers or theme companies that had their own logins that should be removed as soon as you’re done using them.
5. As always, please plan a regular offline backup of your site to your computer (offline) so you have a backup just in case. Any time you update your site, it’s best practice to run a backup before *and* after you complete the work.
I will keep adding to this post as there is likely more I will think of as I re-read. 🙂