Security Best Practices for WordPress Projects

Managed Hosting Responsibilities

Using a managed WordPress hosting service like WP Engine or Pantheon for WordPress projects ensures a very high level of quality web server security and related areas. This includes:

  • proper file and folder permissions across the entire system

  • server software updates (WordPress, MySQL, PHP, etc)

  • smart plugin updates (of plugins from the official repo)

  • proper folder write permissions

  • monitoring of suspicious behaviour of plugin and theme code

  • database security

  • FTP/SSH security

  • backups

It is highly recommended that Kalamuna clients use a managed WordPress host for these security related reasons and others. Discount hosting should not be allowed and self hosting should only be allowed in very specific circumstances where the client can demonstrate they have the resources to properly implement security practices on their server.

Kalamuna Responsibilities

As Kalamuna, the developers of the WordPress website, there are some aspects of security where the onus is on us to enforce:

Client Responsibilities

The client also has some responsibilities after the project has been handed off

  • using good judgement when creating new users (do they really need to be an admin or will a lower role suffice?)

  • not disabling 2FA simply because it is easier to not use it

  • not installing questionable plugins which could pose a security risk

 

More information is available at Hardening WordPress – Advanced Administration Handbook | Developer.WordPress.org

Related pages