1. Customize your URL for WordPress Security Best Practices
After installing WordPress, you should follow our WordPress security best practices.
To start, the main login page is normally /wp-admin or /wp-login, which makes the front door to your website easy for hackers to find.
Don’t give them that chance. A quick edit in the SQL server and you can make the front door to your site much harder to find.
2. Set up a login protocol blocker
If people still manage to find the front door to your site, you can set up an IP blocker that will block them out after several failed password attempts. WordPress now has a built-in IP blocker that blocks for 15-30 min, but I always suggest making this change by adding one for added security.
The Wordfence plugin has this option built-in and will protect you from unwanted guests.
3. Use 2-factor authentication
2-factor authentication can seem like a pain in the ass to many. But when it comes to securing your site, it really is needed to help add an additional layer of defense.
Google Authenticator does this with a simple plugin and protects your site from those assholes trying to hack you.
4. Reset passwords religiously
I cannot stress how important it is to change all passwords regularly. WordPress security best practices recommend not using a common password across multiple platforms. I use LastPass to generate new passwords for me and I try to change passwords every 3 months on all the sites that I manage.
5. Auto log out idle users
One key feature from Wordfence is that it kicks off idle users (those that have been logged in but have walked away from the computer). This helps keep information protected from potentially prying eyes.
6. Enable SSL certification
Your hosting provider should autoload (by now) an SSL certificate on your website. This is what gives you that green checkmark on the address bar of your web browser.
This is usually free to have and is now even required by Google in order to be listed in search engines. Without an SSL certificate, your site will be blocked by Chrome and Firefox web browsers.
7. Don’t use “admin” as a username
Another no-brainer: don’t use “admin” as your username. Instead, use an email address, as it protects you from predictable phrases and common mistakes.
8. Back up your site daily
There are many backup tools out there and I suggest you make use of them. If your site does become compromised, you are going to want the latest backup of your site so that you can reload it quickly and free from issues.
You can find a plugin that will back up nightly and can upload to Dropbox or Google Drive, away from your hosting server, just in case.
9. Update WordPress and Plugins as if your life depends on it
WordPress and plugin updates seem like a pain in the ass too. Almost daily, they always seem to pop up in the middle of something. But these updates simply mean the developers of your plugins are doing their job.
They are finding issues and exploits and want to protect you from hackers.
Update regularly so that an old version of Contact Form 7 doesn’t crash your site 😉
If a large version of WordPress comes out… going from 3.8 to 4.1, I’d suggest waiting a few weeks to update. This gives other developers the time to update plugins for the new platform version.
If you don’t feel comfortable doing this on your own, ask the ARC team or another web developer to help you with these updates.