This is a slightly more advanced take on WordPress and security in general. You may be disappointed, but this article is not about how to make a perfectly secure WordPress site. In fact there is very little about WordPress in this article, because security is a “mindset” based on considering security for “each aspect” of your system. If you take a moment to consider “each aspect” of your system, you will quickly realize that before you can secure your WordPress installation you have to make sure that all the systems that access it are free of spyware, malware and virus infections, and that their users take security as seriously as you do. No matter how secure your WordPress installation is, if your computer has a keylogger reporting your passwords to a botnet in Asia it isn’t going to make much of a difference.
Step 1: Keep your computer up to date, use the latest version of your browser, and install anti-virus, anti-malware and anti-adware software and a firewall.
Antivirus software recommendations change yearly, but the following have proven themselves to be consistently good.
Paid:
Norton AntiVirus/Anti-Malware
Kaspersky Anti-Virus
Bitdefender Antivirus Plus 2013
Now, a note regarding Ad-Aware: Lavasoft has been bought out by an investment fund called Solaria, whose founders also founded Upclick, an affiliate marketing company. Upclick has founded other companies that sold online porn, reskinned peer-to-peer filesharing software, and allegedly “skimmed” online sales, charging customers for software that they did not order. So if you have installed Ad-Aware, please consider discontinuing it.
Lastly, Mac users: despite what you may hear, you should use security software.
Avast, Avira and Kaspersky are all excellent choices.
Next, you should consider securing your passwords and communications. If you are going to log into your server, use SFTP or SSH rather than plain ol’ FTP: these encrypt your session with the server, so anyone observing your traffic on the network won’t be able to capture your password.
Finally, if you’re really concerned about the physical security of your system, be sure to password protect it, and if you are looking for even greater physical security, back it up to an encrypted cloud based system (I suggest you consider the following link). Computer password protection solutions are useful, but in the near future a real physical key, coupled with a complete encryption solution that is physically tied to you, is going to be ubiquitous. Imagine a ring that recognizes the wearer and provides data, encryption and user authentication. One ring to rule them all… Sounds very Silmarillion, but Google is actively working on it.
Step 2: Secure your passwords, secure your computer, and secure your communications.
Once you are confident your workstations and communications with your server are secure (and I’m assuming you’ve read my previous article in the series, so you are hosting your site with an experienced WordPress ISP, have the latest updates and use secure passwords), you should consider very carefully how seriously any and all other users with login access to your WordPress site take security, and whether they have read these articles with the same enthusiasm and dedication as you. Yes, this is the stuff of nightmares, folks, and it brings me to my next topic: limiting access. Never give anyone more access than they need. Unless your client demonstrates significant facility with WordPress and a deep respect for security, I recommend you limit their access to no higher than editor level (for a more detailed description of WordPress user roles I suggest you click here). Admin level access is for the webmaster, and as they say in Highlander, “There Can Be Only One…” That one should be you, and if you’re still using “admin” as your admin account you should reread my previous article.
Step 3: Educate all other login users as to the importance of security and never give them more access than they need.
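The “editor at most, one administrator” rule above can be enforced in WordPress itself rather than left to memory. The following must-use plugin is an added example written for this article series, not code from the original post or from WordPress; the constant name, the `sag_` function names and the placeholder login are assumptions you should change. It uses only core WordPress hooks (`editable_roles`, `set_user_role`, `admin_notices`) and functions (`get_users`, `wp_list_pluck`, `wp_get_current_user`, `get_userdata`).

```php
<?php
/**
 * Plugin Name: Single Admin Guard (added example, not part of the article)
 * Description: Enforces the one-administrator rule: only the designated
 *              webmaster account may hold the administrator role.
 *
 * Place this file in wp-content/mu-plugins/ so WordPress loads it on every
 * request without activation. Change the placeholder login below first.
 */

// Hypothetical setting: the single login allowed to be an administrator.
define( 'SAG_ALLOWED_ADMIN', 'change-me-webmaster' );

/**
 * Logins of every user who currently holds the administrator role.
 */
function sag_administrator_logins() {
    $admins = get_users( array( 'role' => 'administrator' ) );
    return wp_list_pluck( $admins, 'user_login' );
}

/**
 * Administrators other than the designated one: each is a policy violation.
 */
function sag_unexpected_admins() {
    return array_values(
        array_diff( sag_administrator_logins(), array( SAG_ALLOWED_ADMIN ) )
    );
}

// 1. Remove "Administrator" from the role drop-downs (Users > Add New,
//    Edit User, bulk role change) for everyone except the designated admin.
//    WordPress also rejects a submitted role that is not in this list, so a
//    crafted form post cannot bypass the missing menu entry.
add_filter( 'editable_roles', function ( $roles ) {
    if ( wp_get_current_user()->user_login !== SAG_ALLOWED_ADMIN ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Belt and braces: if any other code path (plugin, WP-CLI, direct call)
//    still grants administrator to another account, demote it back to editor,
//    the ceiling recommended in the article, and leave a trace in the PHP
//    error log so the event is noticed.
add_action( 'set_user_role', function ( $user_id, $role ) {
    if ( 'administrator' !== $role ) {
        return; // the demotion below re-fires this hook with 'editor' and exits here
    }
    $user = get_userdata( $user_id );
    if ( $user && $user->user_login !== SAG_ALLOWED_ADMIN ) {
        error_log( sprintf(
            'Single Admin Guard: demoted "%s" (ID %d) from administrator to editor',
            $user->user_login,
            $user_id
        ) );
        $user->set_role( 'editor' );
    }
}, 10, 2 );

// 3. Dashboard notice for the webmaster whenever the audit finds extra admins
//    (for example accounts that existed before this plugin was installed).
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $extra = sag_unexpected_admins();
    if ( ! empty( $extra ) ) {
        printf(
            '<div class="notice notice-error"><p>Single Admin Guard: unexpected administrator account(s): %s</p></div>',
            esc_html( implode( ', ', $extra ) )
        );
    }
} );
```

The demotion in step 2 is deliberately a fallback, not the primary control: the `editable_roles` filter stops the promotion before it happens, while the `set_user_role` hook only catches what slips past the dashboard. Run the audit once after installing (the notice in step 3 does this on every admin page load) and review any account it lists before relying on the plugin, since pre-existing administrators are reported but not demoted until their role is next set.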
Now that we have covered a little of the paranoia essential to maintaining a secure WordPress site, we are ready to consider specific measures to harden your WordPress installation: this means .htaccess files, security plugins, disabling code editing, and much, much more. So stay tuned for the next exciting episode of WordPress Security, coming soon!