Join Jeff Starr for an in-depth discussion in this video, Further security techniques, part of WordPress: Developing Secure Sites.
- [Narrator] In this video series, we've covered a lot of ground and added many layers of security, but there are many more steps you can take. In this video, we highlight eight additional techniques: monitoring errors, responding to incidents, not modifying core files, working with a clean computer, using HTTPS, using SFTP, writing secure code, and exploring plugins. These eight tips will serve you well as you go further with securing your WordPress-powered site.
Let's dive into these topics. Number one: monitoring errors. Monitoring errors is an important part of any good security strategy. As technology evolves, errors are inevitable. Keeping a close eye on your site's errors enables you to resolve issues before they escalate, cause problems, and make your site vulnerable to attacks. There are plenty of error monitoring tools available: error logs, third-party scripts, and WordPress plugins. Finding the right tool can help you monitor errors more efficiently and effectively.
Number two: responding to incidents. If your site gets hacked, know which steps to take to restore functionality. Having a plan can mean getting your site back up and running in hours instead of days. You can find tons of information via a search engine, and you can get started by checking out the WordPress Codex. These resources will help you get started with your own incident response plan. Number three: don't modify core files. WordPress is engineered for optimal performance, security, and functionality.
There is an entire team of top developers working around the clock to make sure WordPress is the best it can be. The last thing you want to do is make changes to the WordPress core files. I mean, think about it. If you make changes to the WordPress core files and you do upgrade WordPress, the changes will be lost, or if you don't upgrade WordPress, the site may become vulnerable. So, either way you're stuck. The same principle applies to plugins and themes. Don't modify their core files. It's just a bad idea for any live production site.
The good news is that you should never need to modify core files, because WordPress is extremely flexible and provides many ways to customize things. You can customize WordPress via a plugin, a theme template, a widget, or the functions.php file. And if all else fails and you need to customize something that is not accessible via one of these methods, ask the WordPress community for help. Number four: work with a clean computer. This should be a no-brainer. Always work from a clean machine.
If your local machine is infected with a virus or malware, it's only a matter of time before your WordPress site gets infected, bogged down with evil scripts, and worse. So, take the proper steps to ensure that your local machine or device is secure and squeaky clean. Doing so will make your online life much, much easier. Number five: use HTTPS. Eventually all websites, or the vast majority of them, will be served via the HTTPS protocol. HTTPS is the secure version of HTTP, which is the protocol used to transfer your site's data over the internet.
If you've spent any time online, you've no doubt noticed that some URLs look like this and some look like this. What's the difference? Pages served over regular HTTP connections are not encrypted, so bad actors can intercept your traffic and execute man-in-the-middle attacks and other exploits. Pages served over HTTPS are encrypted, which secures your traffic against malicious activity. In order to implement HTTPS, your site needs an SSL certificate.
And you want to make sure that you are serving all of your pages, front end, back end, and server control panel via the HTTPS protocol. An SSL certificate enables this. Although the technical details are beyond the scope of this course, suffice it to say that serving all of your pages over HTTPS will greatly improve the security of your site. Number six: use SFTP. Similar to using SSL and HTTPS to serve your webpages and content, you should be using SFTP or FTPS instead of regular FTP when transferring files to and from your server.
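As an added example, not code from the course, here is how tips three and five fit together: a must-use plugin that enforces HTTPS for the front end without editing any core file, alongside the wp-config.php constant that does the same for the login page and dashboard. The plugin and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Force HTTPS Everywhere (added example)
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * without touching a single core file.
 */

// Back end: add this line to wp-config.php (above "stop editing!") so the
// login page and dashboard are always served over HTTPS.
//   define( 'FORCE_SSL_ADMIN', true );

// Front end: send any plain-HTTP request to the same URL over HTTPS.
add_action( 'template_redirect', 'example_force_https_redirect', 1 );
function example_force_https_redirect() {
    if ( is_ssl() ) {
        return; // connection is already encrypted
    }
    // Build the target from the configured site host, not the client-supplied
    // Host header, so the redirect cannot be pointed at another domain.
    $host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $path   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $target = 'https://' . $host . $path;
    wp_safe_redirect( $target, 301 ); // 301: browsers remember the HTTPS URL
    exit;
}

// Once a page is served over HTTPS, ask browsers to keep using HTTPS for
// this host for the next six months (HSTS). This closes the window in
// which a visitor's first plain-HTTP request could be intercepted.
add_action( 'send_headers', 'example_hsts_header' );
function example_hsts_header() {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=15552000' );
    }
}
```

The SSL certificate still has to be installed on the server first; this code only makes sure every request ends up using it.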
Regular FTP has been around forever, but it is insecure for some of the same reasons that unencrypted HTTP is insecure. It's much better to protect your data by using SFTP, which stands for secure file transfer protocol. Here is a good resource to learn more. Number seven: write secure code. Of course, if you are a WordPress developer, writing clean, secure code is an absolute must. It's just mission critical to keep your code squeaky clean and written according to the WordPress API.
As a developer, you are the front line of security, where a single bit of bad code can put a multitude of sites at risk. To study up on the WordPress API and coding standards, check out the developer handbook. Number eight: explore plugins. Last but not least, make an effort to explore the vast army of WordPress security plugins. Doing so keeps you current with advancements and possibilities and helps you find plugins that may be perfectly suited for your particular needs.
Here are some examples of lesser-known but useful security plugins. Look-See Security Scanner verifies the integrity of your WordPress installation. Plugin Inspector checks your plugins for vulnerabilities and unsafe code. And Old Core Files deletes old WordPress core files from the server. And of course there are all-in-one type security plugins that try to do it all with a click and so forth. While these types of turnkey plugins can be effective, there are some important points to consider.
With all-in-one type plugins, you have greater risk because if the plugin fails, all security fails. And performance can suffer with plugins that require extensive processing on the server. Also, many all-in-one plugins are super bloated with unnecessary features. And plugin upgrades may introduce unseen vulnerabilities to your site. Basically, using an all-in-one security plugin can make things a little easier, but you may be sacrificing control, performance, and reliability.
In this video, we cover some important things that will help any WordPress user improve their overall security strategy. As you go further with WordPress, these principles and strategies will help you take your site security to the next level.
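Tip seven says to write code according to the WordPress API. As an added example, not from the course, here is a small plugin showing the API calls that matter most for security: a capability check, a nonce check, input sanitization, a prepared database query, and output escaping. The site_notes table and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Secure Note Demo (added example)
 * Assumes a custom table {$wpdb->prefix}site_notes (id, author_id, note)
 * created elsewhere, and a form containing
 * wp_nonce_field( 'save_note', 'note_nonce' ) and a hidden action=save_note.
 */

add_action( 'admin_post_save_note', 'example_save_note' );
function example_save_note() {
    global $wpdb;

    // Capability check: only users allowed to publish may store notes.
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: rejects forged cross-site form submissions (CSRF).
    check_admin_referer( 'save_note', 'note_nonce' );

    // Sanitize on input: strips tags, line breaks and stray control bytes.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( '' === $note ) {
        wp_die( 'Note may not be empty.', '', array( 'response' => 400 ) );
    }

    // Unsafe pattern this replaces: "INSERT ... VALUES ('$note')".
    // $wpdb->insert() quotes each value according to the %d/%s formats.
    $wpdb->insert(
        $wpdb->prefix . 'site_notes',
        array( 'author_id' => get_current_user_id(), 'note' => $note ),
        array( '%d', '%s' )
    );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Shortcode [site_notes] prints stored notes. Escape on output as well:
// data read back from the database is never trusted.
add_shortcode( 'site_notes', 'example_list_notes' );
function example_list_notes() {
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT note FROM {$wpdb->prefix}site_notes ORDER BY id DESC LIMIT %d", 20 )
    );
    $out = '<ul>';
    foreach ( $rows as $row ) {
        // esc_html() neutralizes any markup, so a stored note cannot become XSS.
        $out .= '<li>' . esc_html( $row->note ) . '</li>';
    }
    return $out . '</ul>';
}
```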