Security Best Practices for WordPress Projects

Managed Hosting Responsibilities

Using a managed WordPress hosting service like WP Engine or Pantheon for WordPress projects ensures a very high level of quality web server security and related areas. This includes:

• proper file and folder permissions across the entire system

• server software updates (WordPress, MySQL, PHP, etc)

• smart plugin updates (of plugins from the official repo)

• proper folder write permissions

• monitoring of suspicious behaviour of plugin and theme code

• database security

• FTP/SSH security

• backups

It is highly recommended that Kalamuna clients use a managed WordPress host for these security related reasons and others. Discount hosting should not be allowed and self hosting should only be allowed in very specific circumstances where the client can demonstrate they have the resources to properly implement security practices on their server.

Kalamuna Responsibilities

As Kalamuna, the developers of the WordPress website, there are some aspects of security where the onus is on us to enforce:

• using code and plugins that are only from reliable sources

• as developers, ensuring our local machines are up to date and free of malicious software such as key loggers

• setting up initial users with strong passwords, educating client about password manager software if this helps

• (to be discussed) setting up 2FA on the login screen. There are many reliable, reputable plugins that can do this. Some less tech savvy users could find it confusing though.

• (to be discussed) education clients on phishing attempts they may receive in their email. Phishing could be used to gain access to their WordPress website as well as other tools the client's company uses. This will benefit their overall company security and not just their website. There are various tools available Kalamuna could recommend to the client that simulates phishing attacks like https://www.infosecinstitute.com/ or https://www.knowbe4.com/. The Liberal Party used one of these phishing simulator campaigns on employees and it really had a positive effect on training employees to be much more aware.

Client Responsibilities

The client also has some responsibilities after the project has been handed off

• using good judgement when creating new users (do they really need to be an admin or will a lower role suffice?)

• not disabling 2FA simply because it is easier to not use it

• not installing questionable plugins which could pose a security risk

More information is available at https://wordpress.org/support/article/hardening-wordpress/