If you haven’t listened to Hello, WP! yet, On the show we take on different topics by calling on the pros…kinda like your favorite true crime podcasts, but minus the crime.<\/p>\n
Anyway, for our Security episode, previous SiteLock employee (now GoDaddy employee), Adam Warner<\/a>, joined me and shared 7 security best practices that I found extremely valuable. Adam and I had a much longer conversation than I could fit in the show, so I\u2019m bringing it here, with links, practical recommendations, and tips.<\/p>\n Quick sidenote: outside of our podcast, Adam has done talks at several different WordCamps about these best practices. If you\u2019re interested in hearing more from him, here\u2019s a session he did<\/a> at WordCamp Portland 2018.<\/em><\/p>\n So what do you say? Let\u2019s jump in with best practice #1.<\/p>\n Backups allow you to travel back to your site\u2019s golden days if it ever experiences a breach *tosses salt over his left shoulder*. There are a whole lot of great tools out there to help you get the job done, but there\u2019s one especially important feature to look out for \u2013 off-site storage. Saving your backup files on a different server than your site will prevent the backups from being compromised in the event of a hack-attack.<\/p>\n Depending on your budget, there are several free and paid plugins that make manually or automatically backing up your site very simple. Updraft Plus has a free version of there plugin that allows you to connect a Dropbox<\/a> or Google Drive<\/a> folder.<\/p>\n Or, if you\u2019re already a WPMU DEV member, Snapshot Pro<\/a> has all the backup bells and whistles you need. Including 10GB of remote cloud storage (OOooO)!<\/p>\n Keeping with the times and running updates on themes, plugins, and WordPress core plays a pivotal role in maintaining your site\u2019s security. Sure, some updates only fix bugs or improve performance, but others patch security vulnerabilities. THIS is why using well-maintained products is so important because if a plugin sits untouched for too long it becomes more susceptible to intruders.<\/p>\n If you\u2019re just running a site or two, like me, then logging into the WordPress admin and clicking \u201cUpdate Plugins\u201d isn\u2019t too much of a hassle. It becomes more problematic when you have a lot of sites to look after. If that\u2019s you, it might be time to consider a site management hub<\/a>.<\/p>\n I\u2019m a \u201ckeep it simple, stupid\u201d kinda guy, and the whole \u201cstrong\u201d and \u201cunique\u201d passwords thing really throws a wrench in that. These days, our browsers and even WordPress make strong password suggestions. That\u2019s cool and all, but with all the accounts we have across emails, social media, and WordPress, the greater battle is remembering all of those strong and unique logins.<\/p>\n Thankfully, there are a bunch of password managers out there that allow me to maintain my KISS lifestyle. LastPass<\/a> has a free and paid version. 1Password<\/a> starts at $2.99. Both of these password managers can store, generate, and paste your powerful passwords on demand. All you have to remember is ONE \u201cmaster password\u201d.<\/p>\n Okay, when it comes to Firewalls, I can\u2019t\/won\u2019t suggest any free options (sorryboutit). Here\u2019s why:<\/p>\n There are two types of firewalls, network firewalls, and web application firewalls (WAFs). Network firewalls happen on a hosting level, and quality hosting costs money!<\/p>\n If you listened to the episode of \u201cHello, WP!\u201d that inspired this blog post, then you know that we aren\u2019t (or at least our CTO isn\u2019t) big fans of having WAFs in plugins. Firewalls stand between your site and its users by overseeing incoming and outgoing traffic…kinda like a fence around a house. Putting a firewall in a plugin is like putting a fence inside your house…and who does that? So for that reason, we don\u2019t include a firewall in our security plugin, Defender.<\/p>\n Instead, we encourage the use of services like Cloudflare. Cloudflare offers a paid WAF<\/a> service that is constantly updated and monitored.<\/p>\n In some way, shape, or form monitoring is included in every one of these best practices. For example, you gotta monitor your website in order to keep up with updates, the internet must be monitored to maintain a strong firewall, and you use your strong and unique passwords in order to monitor your websites.<\/p>\n Monitoring is key to running a tight ship, but if you\u2019re like me and know very little about code, or even if you’re not like me and are a coding wiz, running regular security scans help us tie up the loose ends, and alert us when things are running amuck. Our free security plugin, Defender<\/a>, can run automatic malware scans, make security suggestions, checks code, and much more. Oh yeah…and he\u2019s free (incase you missed that)!<\/p>\n You can also use a free site scanner like Sucuri’s free malware\/security specific scanner to find issues and stay ahead of vulnerabilities.<\/p>\n This probably goes without saying, but 2FA is when you verify an account by receiving a special number by call, text, or the like. Google is the master of 2FA. So I\u2019ll keep this simple, you can enable two-factor authentication for free on your WordPress site with our luchador friend mentioned above, Defender<\/a>, or with a slew of other great plugins like Google Authenticator.<\/p>\n Prior to speaking with Adam, I had never heard of a VPN. But as one of those coffee-shop-dwelling hipsters and remote WordPress-ers…I should have been using one a long time ago! A VPN encrypts your data before the internet provider gets it.<\/p>\n Without a VPN, a tech-savvy person with loose morals could hop on the same open wifi network as you, see what you\u2019re up to, and even access personal information. In recent years, internet browsers have begun to block non-private networks. If you browse with Google Chrome, you might be familiar with their block message that says, \u201cAttackers might be trying to steal your information from [domain] (for example, passwords, messages, or credit cards).\u201d<\/p>\n If you\u2019re interested in implementing a VPN, TunnelBear has a FREE plan<\/a> available. Not to mention…they also just have fun branding!<\/p>\n If you\u2019re able to stay within the\u00a0parameters of TunnelBear\u2019s free plan, go for it! But in most cases, using a free VPN is *not* a good idea. One study, done by\u00a0Top10VPN.com<\/a>,\u00a0<\/span>has shown that many of them \u201cfeatured questionable permissions or functions buried in their source code that could potentially be used to spy on users.”<\/p>\n In a way, engaging in internet security best practices are ways of following the golden rule. Create safe and secure websites for your users, because you want a safe a secure worldwide web!<\/p>\n If this gets you excited, check out our Ultimate Guide to Security<\/a> and don’t miss a thing with our\u00a032-point WordPress security checklist<\/a>.<\/p>\n1. Backups<\/h3>\n
2. Updates<\/h3>\n
3. Strong passwords<\/h3>\n
4. Firewalls and Content Delivery Networks (CDNs)<\/h3>\n
![\"Cloudflare](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2019\/04\/cloudflare-waf-landing-page.png\")
5. Monitoring<\/h3>\n
6. Two-Factor Authentication or 2FA<\/h3>\n
![\"Defender](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2019\/04\/google-2-factor-authentication.png\")
7. VPN or Virtual Private Networks<\/h3>\n
The Seven Wonders of Internet Security<\/h3>\n