Malware - Good practices for WordPress site owners


Introduction

Security is about risk reduction. Eliminating risk is nearly impossible. Attacks by malicious people are not going away. It’s best to update defences continually to repel the latest attacks. Using a “Defense in Depth” approach to security means using multiple layers of security to make it harder for hackers to have a direct path to attack.

Access Control

  1. Use a strong password and keep it secret. The stronger your password, the better you can defend against brute force password guessing attacks.
  2. Avoid Social Engineering, such as Phishing. For example, Phishers can create fake web pages like your login page to collect your credentials. Check where a URL points before you click it.
  3. Change your password regularly. Immediately change your password if you think your website has been attacked. Always use a strong password.
  4. Follow a “Least Privileges” approach to access rights. Limit who and what people can change on your site to the minimum required. This will minimize the entry points available to a malicious person.
  5. Use the various levels of WordPress User (Subscriber, Contributor, Author, Editor, Administrator). This will contain the damage a malicious person can do once they gain access to any individual account.
  6. Limit who has administrator rights on your website.
  7. Use two-factor authentication on your website.

See our article “Passwords – Good practices for WordPress site owners” for more details.

Software Updates

Suppose a vulnerability is discovered in your website software, and a new version is released to address the issue. In that case, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, which is one of the primary reasons you should always keep your software up to date.

  1. Update WordPress to the latest version. Developers continually release updates to address new security issues. WordPress now has an auto-update feature. You can check that auto-updates are enabled at WordPress -> Dashboard -> Updates.
  2. Keep your Plugins and Themes updated to the latest version.

Trustworthy Software

One of WordPress’s main benefits is the availability of third-party software and services that enable you to build a highly functional website. However, nobody has time to audit all that software to understand what it can do and whether it has any vulnerabilities.

  1. Use Plugins and Themes from reputable sources. You should consider every third-party extension (Plugins and Themes) a potential point of intrusion. Only use highly rated and regularly updated Plugins/Themes, and only from the WordPress.org repositories at https://wordpress.org/themes/ and https://wordpress.org/plugins/.
  2. Remove any old and unused Plugins and Themes. This is not only good housekeeping but also reduces your website’s attack surface.
  3. Use Third-Party Integration/Services from reputable sources. Adverts generated via Advert Networks and some Content Distribution Networks can be a source of exploits. These connection points between your website and a third-party service provide an additional attack surface for hackers to exploit.

Your Computer Vulnerabilities

  1. Regularly check the computers used to manage your WordPress website for spyware, malware and viruses.
  2. Keep your operating system, software and browser updated to protect from security vulnerabilities.

Backups

  1. Keep regular backups to revert to a version before an attack.
  2. Keep backups in several places, e.g. on your website, on an alternate computer, and on physical storage.
  3. Keep a long history of backups to provide many restore options. You might not spot a Malware infection for quite some time, so keep backup files for up to 60 days.
  4. Have a plan for how you will use backups to recover your website.

See our article “Backups – Good practices for WordPress site owners” for more details.

Secured Shared Hosting*

  1. All files shall be owned and only writable by your user account.
  2. Each WordPress database shall be separate for each website and managed by a different user.
  3. All logins and admin sessions shall take place only over a secure, encrypted connection, e.g. SSL/TLS (HTTPS).

* Note that OurWebMastery.com follows these recommendations.
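The three hosting rules above can be checked from the server shell. The script below is an added example for this article, not part of the original post or of any hosting provider's tooling; it assumes the site files should belong to the user running it, that `wp-config.php` sits in the directory given, and that POSIX sh, `find`, `sed` and `grep` are available.

```shell
#!/bin/sh
# Added example (not from the original article): audit a WordPress
# install against the three "Secured Shared Hosting" rules.
# Assumption: site files should be owned by the user running this script.

# Rule 1: list paths not owned by the current user, or writable by
# group/others (mode bits 022). Prints one path per line; empty = clean.
wp_perm_findings() {
  find "$1" \( ! -user "$(id -un)" -o -perm /022 \) -print
}

# Rule 2: print DB_USER from wp-config.php. A shared or root account means
# the database is not managed by a per-site user as the rule requires.
wp_db_user() {
  sed -n "s/.*define([[:space:]]*['\"]DB_USER['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1/wp-config.php"
}

# Rule 3: return 0 when wp-config.php forces login/admin over HTTPS
# (WordPress's FORCE_SSL_ADMIN constant set to true).
wp_force_ssl_admin() {
  grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# Run all checks and return the number of rules violated (0 = all pass).
wp_hosting_audit() {
  bad=0
  n=$(wp_perm_findings "$1" | wc -l)
  if [ "$n" -gt 0 ]; then echo "FAIL ownership/permissions ($n paths)"; bad=$((bad+1)); fi
  u=$(wp_db_user "$1")
  if [ -z "$u" ] || [ "$u" = "root" ]; then echo "FAIL DB_USER is '${u:-unset}'"; bad=$((bad+1)); fi
  if ! wp_force_ssl_admin "$1"; then echo "FAIL FORCE_SSL_ADMIN is not true"; bad=$((bad+1)); fi
  return "$bad"
}

# Usage: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then wp_hosting_audit "$1"; fi
```

A non-zero exit status means at least one rule failed; the FAIL lines say which, so the script can be run from cron and alert on its exit code.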

