Description

In this WP-Tonic round-table we look at WordPress and security with an excellent panel of WordPress community experts.


Our panel this week:
Brian Jackson from https://woorkup.com/ and https://kinsta.com/
Sallie Goetsch from https://wpfangirl.com/
Jackie D'Elia from https://jackiedelia.com/
Jonathan Denwood from https://www.wp-tonic.com/
John Locke from Lockedown SEO


Episode 140 Table of Contents
0:00 Podcast intros
1:50 WordPress Security – 18+ Steps to Lock Down Your Site
https://kinsta.com/blog/wordpress-security

3:12 Learning From Buggy WordPress Wp-login Malware
https://blog.sucuri.net/2016/10/learning-buggy-wordpress-wp-login-malware.html

6:49 Updating your WordPress plugins is one of the most important things you can do
10:22 Test all plugin and theme updates on a staging server

12:25 Surviving Electmageddon: Protecting against a wave of DNS outages
https://www.wordfence.com/blog/2016/11/surviving-electmageddon-protecting-wave-dns-outages/
(DDoS attacks and advantages of having a secondary DNS server)

17:34 Securing WordPress from the Start
https://ithemes.com/2016/11/02/securing-wordpress/

21:29 It's a good idea to have redundant backups for your website. You can't have enough of these.

24:35 What is one WordPress security tip that you should use right from the start?

25:48 Brian has a story about what sort of long-lasting damage to your SEO a single hack can produce.

27:20 Cleaning Up a Massive Negative SEO Attack with Web CEO
https://woorkup.com/cleaning-negative-seo-attack-web-ceo/

29:52 Changing the default login URL can prevent automated attacks. Also, always use strong passwords.

31:11 Always check your code for hidden backlinks to spam sites.

32:35 We discuss Negative SEO.

33:12 Linkpocalypse Now – The Horror of Negative SEO
http://www.jacobking.com/negative-seo-truth

35:05 Limit the login attempts people can make to prevent a brute force attack. Consider two-factor authentication for logins.

36:16 Deactivate and delete any themes and plugins you're not using. Don't use the automatic WordPress install scripts that your hosting company provides.

38:24 Many people use weak passwords, and that's why they get hacked.

40:37 Install an audit log so you can see what activity is happening on your site. Clients will often be freaked out by how often the site is scanned.

42:25 Don't use themes where plugins are bundled into the theme (like on ThemeForest)
https://www.lockedownseo.com/why-we-shouldnt-bundle-wordpress-plugins-in-themes/

43:37 Do not allow everyone on your site to have Administrator access

46:15 XML-RPC: What is it? Why should you limit its use? How do hackers use it?

49:03 Be careful about using public Wi-Fi to FTP or login to your site. Always use HTTPS on your site to encrypt your password when logging in publicly.

52:01 Use a virus scan on yo...