Onar Alili
Engineer
4 minutes to read
The WordPress Security Checklist Most Developers Wish They Knew Sooner
Building a secure WordPress website is crucial for protecting your data and ensuring a smooth user experience. Many developers learn the hard way that implementing robust security measures from the start can save time and prevent headaches later on. Here’s a comprehensive checklist of best practices for WordPress security that every developer should know.
- Develop Locally
- Secure Your Contact Forms
- Keep Plugins Up to Date
- Disable and Remove Development Tools
- Remove Unused Plugins
- Use Strong Passwords
- Implement Two-Factor Authentication
- Regular Backups
- Secure Your Hosting Environment
- Limit Login Attempts
- Use HTTPS
Develop Locally
When building a website, it’s better to develop in a local or isolated environment. During development, developers tend to use weaker passwords, expose keys, and more. To secure against any exposure, make sure to build your website locally. Nowadays, tools like WordPress Studio and LocalWP allow you to develop your WordPress site locally and ship it when you’re ready.
Keep Your Site Hidden Until It’s Ready
Anything publicly available will be found by bots. For example, if you open your home IP port 80, within an hour or so, you will see incoming hits. There are countless bots out there that crawl for websites, open ports, and other vulnerabilities. Hiding your website from search engines (e.g. Google, Bing) won’t help in these cases, so it’s important to build your website locally and keep it offline until it’s ready to be published.
Secure Your Contact Forms
When you are ready to publish your site, make sure to secure your contact forms with spam protection tools like OOPSpam (paid) or Turnstile (free). These tools help prevent spam and protect your site from malicious submissions.
Keep Plugins Up to Date
Ensure that all plugins are up to date. Outdated plugins can have vulnerabilities that hackers can exploit. Regularly check for updates and install them promptly to maintain security.
Disable and Remove Development Tools
Once you’ve moved from development to production, disable and remove all development-related tools. Leaving these tools enabled can create unnecessary security risks.
Remove Unused Plugins
Unused plugins can become security liabilities. Remove any plugins that you’re not actively using to reduce potential entry points for attackers.
Use Strong Passwords
Always use strong, unique passwords for your WordPress admin accounts and any other accounts associated with your site. Consider using a password manager to keep track of them. Bitwarden is free and works well.
Implement Two-Factor Authentication
Add an extra layer of security by implementing two-factor authentication (2FA) for your WordPress login. This makes it much harder for unauthorized users to gain access. The Wordfence plugin can help with this.
Regular Backups
Back up your WordPress site regularly. In the event of a security breach or other problem, having a recent backup can save you from significant data loss. Getting hacked is no fun, so make sure you have a backup so that if you do get hacked, you can instantly restore your website from a backup. This will save you a lot of headaches.
Secure Your Hosting Environment
Choose a reputable hosting provider that offers robust security measures. Make sure your hosting environment is properly configured and includes security features such as firewalls, malware scanning, and DDoS protection. Another reason to choose a reputable hosting company is performance.
Limit Login Attempts
Limit the number of login attempts to prevent brute force attacks. In addition to two-factor authentication, Wordfence can help with this too.
Use HTTPS
Make sure your site uses HTTPS by installing an SSL certificate. This will encrypt data between your website and its visitors, protecting sensitive information. You can put your website behind Cloudflare to enable SSL certification, and make sure to use the Always Use HTTPS feature to redirect all non-HTTP requests to HTTPS.
