At a recent local WordPress meetup, the question came up of how we should secure our WordPress websites, not from a business angle but for regular at-home bloggers.
So, here’s my 2¢ worth.
Follow the hardening WordPress advice at WordPress.org.
Ensure you update regularly. By default, WordPress automatically installs minor releases (security fixes and small bug fixes); keep this switched on so fixes land without you having to be around.
Plugins are a different matter. Via Jetpack you can have these update automatically but, depending on how important your site is, you may wish to do this manually. In that case, check for updates regularly and review each one, reading the changelog. For bigger changes you may want to try them on a separate test site first.
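The two update settings above can be pinned in code rather than left to whatever the admin screen or host currently says. The following is an added example written for this post, not code from the original article, WordPress.org or Jetpack: a must-use plugin (a file dropped into wp-content/mu-plugins/) that keeps core on automatic minor releases and lets only an explicit allow-list of plugins update unattended. The plugin slugs in the allow-list and the function names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Update policy (added example, not from the original post)
 *
 * Drop this file into wp-content/mu-plugins/. Must-use plugins load before
 * normal plugins and cannot be deactivated from the admin screen, which is
 * why they are a good place for settings you do not want silently changed.
 */

// Core: 'minor' is WordPress's default (security and bug-fix releases only).
// Setting it explicitly stops a host or another plugin from turning it off.
// This constant is conventionally defined in wp-config.php; WordPress reads
// it when the update cron runs, so defining it here works as well.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins you trust enough to update without reading the changelog first.
// These slugs are hypothetical choices for the example.
function example_auto_update_allowlist() {
    return array( 'akismet', 'jetpack' );
}

// Callback for the 'auto_update_plugin' filter. $update is WordPress's own
// decision so far; $item is the update object, whose ->slug names the plugin.
function example_should_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_auto_update_allowlist(), true ) ) {
        return true;
    }
    // Everything else waits for a manual update after you have reviewed it.
    return false;
}
add_filter( 'auto_update_plugin', 'example_should_auto_update_plugin', 10, 2 );

// Themes get the same treatment, with nothing allow-listed.
add_filter( 'auto_update_theme', '__return_false' );
```

Because the filter returns false for anything not on the list, a plugin that is later added to the site stays on manual updates until you consciously add its slug here, which is the behaviour you want when the rule is "review the changelog first".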
Back up your site regularly. If there is a security breach and your site gets modified, you can then always roll back to an earlier version. Keep the backups somewhere other than the web server itself, since a breach that wipes or encrypts the site can take local backups with it, and keep enough history to reach back to before the compromise, which is often discovered long after it happened.
I wouldn’t necessarily recommend the security plugins, as they often add very little that can’t be done yourself but do add performance overhead to your site. One thing I would recommend is some kind of auditing plugin that tells you what happened on your site and when and, better still, contacts you automatically when certain actions happen (a new user being created, a plugin being activated, and so on).
However, if at all possible, try to avoid auditing plugins that only store this data locally in the WordPress database: an attacker who has taken over the site can wipe or edit those records just as easily as anything else. Have the events sent somewhere the site itself cannot touch, such as an email to you or a log service on another machine.
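To show what "audit the site, notify me, and don't keep the only copy on the server" looks like in practice, here is an added example written for this post (not code from the original article or from any auditing plugin). It is a must-use plugin that hooks the WordPress actions fired on the events that matter most to a small blog, emails the site admin for the serious ones, and writes every event to the server's syslog rather than the WordPress database; forwarding syslog to another machine is left to the host's syslog configuration. Function names and the choice of events are the example's own assumptions.

```php
<?php
/**
 * Plugin Name: Minimal audit trail (added example, not from the original post)
 *
 * Drop into wp-content/mu-plugins/. Events go to syslog (off the WordPress
 * database, so a compromised site cannot simply delete them) and the most
 * sensitive ones are also emailed to the site's admin address.
 */

// Format one audit line, ship it to syslog and optionally email it.
// Returns the line so it can be inspected or tested.
function example_audit_record( $event, $details, $notify = false ) {
    $actor = wp_get_current_user();
    // Strip newlines so user-controlled values (e.g. a failed login name)
    // cannot forge extra log lines.
    $details = preg_replace( '/[\r\n]+/', ' ', $details );
    $line = sprintf(
        '%s site=%s actor=%s ip=%s %s',
        $event,
        home_url(),
        $actor->exists() ? $actor->user_login : 'anonymous',
        // REMOTE_ADDR is what the web server saw; X-Forwarded-For is
        // deliberately not used because anyone can set it.
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $details
    );

    // LOG_USER is portable; on Linux LOG_AUTHPRIV is a reasonable alternative.
    openlog( 'wp-audit', LOG_PID, LOG_USER );
    syslog( LOG_WARNING, $line );
    closelog();

    if ( $notify ) {
        wp_mail( get_option( 'admin_email' ), "[audit] $event on " . home_url(), $line );
    }
    return $line;
}

// New account created: a classic sign of a stolen password or a web shell.
add_action( 'user_register', function ( $user_id ) {
    $u = get_userdata( $user_id );
    example_audit_record(
        'user_register',
        sprintf( 'user=%s email=%s roles=%s', $u->user_login, $u->user_email, implode( ',', $u->roles ) ),
        true
    );
} );

// Role change: e.g. a subscriber quietly promoted to administrator.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_audit_record(
        'set_user_role',
        sprintf( 'user_id=%d old=%s new=%s', $user_id, implode( ',', $old_roles ), $role ),
        'administrator' === $role
    );
}, 10, 3 );

// Plugin activation/deactivation and theme switches are common ways to
// plant or hide malicious code, so always notify.
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit_record( 'activated_plugin', "plugin=$plugin", true );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    example_audit_record( 'deactivated_plugin', "plugin=$plugin", true );
} );
add_action( 'switch_theme', function ( $new_name ) {
    example_audit_record( 'switch_theme', "theme=$new_name", true );
} );

// Logins, including failures, are logged but not emailed (too noisy).
add_action( 'wp_login', function ( $user_login ) {
    example_audit_record( 'login_success', "user=$user_login" );
}, 10, 1 );
add_action( 'wp_login_failed', function ( $username ) {
    example_audit_record( 'login_failed', "user=$username" );
} );
```

On a typical Linux host the lines end up in /var/log/syslog or the journal, and a one-line rsyslog or journald rule can forward them to another box; that second copy is the one you consult after a breach, because the site's own database is exactly what the attacker has write access to.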
Definitely add two-factor authentication (2FA) to your sign-in. If you have multiple users, ensure every one of them has it, because an account without it is the one an attacker will go after.
I would recommend using Single Sign-on via Jetpack (and make sure everyone’s WordPress.com login has 2FA switched on) or the Two Factor plugin.