Over the next few weeks, we will engage a group of WordPress security experts.
They will help us sort through good and best practices.
Our roundtable includes Robert Rowley of Patchstack, Chris Bourne of Website Managed (a MainWP customer), Kathy Zant of Stellar WP, Edward O’Rourke of Jupiter Media (also a MainWP customer), and Erikas Vainoras of Hostinger.
We will discuss different areas of security, including plugins, hosts, updates, ecommerce, and preventing compromise.
Our Roundtable WordPress Security Experts
Robert Rowley, Patchstack
“Robert is the Security Advocate for Patchstack and carries with him 2 decades of hosting and security experience.”
Chris Bourne, Managed Websites
“Website Manager that cares about his clients’ websites as if they were his own.”
Kathy Zant, Stellar WP
“Kathy Zant is a Product Marketing Manager for Kadence at StellarWP and has been working with WordPress for over a decade. She has both technical and marketing experience and has worked with a number of brands in the WordPress space. She has helped numerous organizations empower their businesses with WordPress. She’s helped organize both WordCamp Phoenix and WCUS. She currently lives outside of Denton, TX where she can often be found walking golden retrievers or hanging out in horse barns.”
Edward O’Rourke, Jupiter Multimedia LLC
“CTO @ Jupiter Multimedia LLC & Dad to an adorable 8-year-old daughter 🙂
“I’ve provided site and server side support for websites on the WordPress platform since 2009. My mantra is ‘Security is layers, there is no magic bullet’ & ‘Backup, Backup, Backup!’ Never be too bold or too embarrassed to ask for help.”
Erikas Vainoras, Hostinger
“Cyber Security Specialist for Hostinger.”
I asked our experts 5 questions, each with several parts. In today’s article, we look at one of those questions and the answers they gave.
Our first question:
What are your top 3-4 tips for preventing a security compromise? Should I use a security plugin? Should I use 2FA? Should I have a software firewall?
“Update Insecure components.” Robert Rowley, Patchstack.
Rowley reminds us of four things we should do: update insecure components, choose strong passwords, remove unused components, and remove or replace abandoned ones.
- Update insecure components.
- Choose strong passwords (2FA is even better).
- Remove unused components from websites.
- Remove/replace any abandoned components (if something has not been updated in years, and there is no communication from the developer … find another maintained project to use.)
“Don’t just rely on updates.” Chris Bourne, Website Managed.
Bourne reminds us not to rely on updates alone: run on secure hosting, limit failed login attempts, use an authenticator app for 2FA rather than email, and put firewalls at every level.
“Run the website on secure hosting; don’t just rely on updates. Always use a plug-in to limit logins for bad attempts. Most 2FA can be worked around, so using an auth app seems to be more reliable than email. Firewalls should be at all levels – server, hosting account, website.”
“Having good protection on your login.” Kathy Zant, StellarWP.
Protecting logins is vitally important, according to Zant: use 2FA or passkeys if you can, and use strong passwords. She recommends plugin minimalism and an off-server firewall, and uses the Cloudflare and iThemes Security combination for her own sites.
“The vast majority of breaches occur because of poor password hygiene. Reused passwords and poor password choices can often lead to those credentials ending up in a database of breached credentials or password databases that are then used in brute force attacks.
“Having good protection on your login, especially with two-factor authentication or passkeys (if possible) can help to thwart attackers looking to compromise your WordPress site.
“I am a big fan of plugin minimalism, and I also like firewalls that are off the server for performance reasons. I use a combo of CloudFlare and iThemes Security for the passkeys feature. Passkeys are the future of authentication, so I am trying to move my authentication practices that way as soon as it is offered.”
“Security is never a one solution fits all.” Edward O’Rourke, Jupiter Multimedia LLC.
O’Rourke reminds us that security is never a one-solution-fits-all affair. He also likes the iThemes Security plugin and thinks the pro version is worth the money. O’Rourke also covers file and folder permissions, including moving wp-config.php one directory above the WordPress install, and reminds us to ensure SSL is enabled.
“Security is never a one solution fits all and there is no one magic silver bullet. Security is layers and good practices. Security should start at the server level. Having a properly configured firewall and something such as ModSecurity are essential server level needs. Never use admin as your login and always use strong passwords.
“My personal first-line-of-defense go-to plugin is iThemes Security; free is good, but pro is very worth it. iThemes Security doesn’t try to replace what the server itself should be doing already, such as firewall. It enhances security and provides a first line of defense. Its 2FA and biometric login features are fantastic.
“Another important point is proper file and folder permissions. Make sure files and folders are not writable where they shouldn’t be. A slightly obscure security tip is to move the wp-config.php file one directory above the WordPress install directory. In most cases this will move the config out of the public_html folder into a space that prying eyes can’t reach.
“WordPress knows to look for it in this location by default.
“Lastly, ensure SSL is enabled minimally every place a password is submitted. Optimally, any place a form is submitted.”
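The permission and wp-config.php points above can be checked rather than eyeballed. The script below is an added example, not MainWP’s code or any panellist’s; it assumes a POSIX shell with find(1), takes the WordPress install path as its first argument, and reports files writable by group or others, entries off the 644/755 baseline the WordPress.org hardening guide recommends, and where WordPress will actually read wp-config.php from (the parent-directory copy is only used when that parent does not itself contain wp-settings.php).

```shell
#!/bin/sh
# Added example, not MainWP's or any panellist's code: audit a WordPress
# install for file/folder permissions and the location WordPress will read
# wp-config.php from. Assumes a POSIX shell and find(1); the install path is
# passed as the first argument.

# Files writable by group or others: the "writable where they shouldn't be"
# case. Prints the count on stdout.
count_group_other_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Files whose mode is not 644 plus directories whose mode is not 755,
# the baseline the WordPress.org hardening guide recommends.
count_nonstandard_modes() {
    f=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
    d=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
    echo $((f + d))
}

# Where WordPress will find wp-config.php: the install root first, then the
# parent directory, but the parent copy is only used when that parent does
# not itself contain wp-settings.php (i.e. is not another WordPress install).
wp_config_location() {
    parent=$(dirname "$1")
    if [ -f "$1/wp-config.php" ]; then
        echo "root"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        echo "parent"
    else
        echo "missing"
    fi
}

# Human-readable report for one install.
audit_site() {
    echo "Audit of $1"
    echo "  files writable by group/others  : $(count_group_other_writable "$1")"
    echo "  entries off the 644/755 baseline: $(count_nonstandard_modes "$1")"
    echo "  wp-config.php loaded from       : $(wp_config_location "$1")"
    # List the offending files so they can be corrected with chmod.
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec ls -l {} \;
}

# Run only when an install path was given, e.g.: sh wp-audit.sh /var/www/html
if [ -n "${1:-}" ]; then
    audit_site "$1"
fi
```

A "parent" result with a wp-config.php still present in the document root means the root copy wins, so the move has not actually taken effect.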
“The Internet is a hostile environment for a user.” Erikas Vainoras, Hostinger.
Vainoras is right; the internet is a hostile environment, and the best we can do is reduce our risk. He reminds us to stay vigilant, including about the links we open, and to trust only the software we hand our information to, password managers included. He also recommends a Web Application Firewall, which the better security plugins provide.
“The Internet is a hostile environment for a user. Even with the best tools in place, there is no guarantee of preventing security incidents. To minimize the possibility of security incidents, always stay vigilant and first protect your accounts and personal information. Be aware of links you’re opening, especially if they come through email.
“Make sure that you trust the software where you put your information, use strong passwords, and do not reuse them multiple times (usage of a password manager helps a lot to prevent this). 2FA is always a must, as it provides an additional security layer to the account.
“To increase the security of your website, a web application firewall is a great tool to have around. It offers protection from common attacks and is also customizable, and gives control over security measures, which can be adjusted according to the needs (for example, enabling captcha for website visitors in case of a DoS attack).
“Security plugins may help recognize potential vulnerabilities, malware, or bugs.”
Wrapping it up
When considering WordPress security, we should always keep our websites updated. We also need to limit login attempts and secure our passwords. Consider security software at the server and website levels.
Don’t forget to set secure folder permissions and keep your SSL up to date.
The internet can be hostile so it is best to stay vigilant!
Stay tuned to the next few weeks for the rest of our roundtable WordPress security discussion.
What are some rules you run your WordPress security through? Let us know in the MainWP Users Facebook Group.