Security Best Practices for WordPress Projects
Managed Hosting Responsibilities
Using a managed WordPress hosting service such as WP Engine or Pantheon for WordPress projects provides a high level of web server security and covers related areas, including:
- proper file and folder permissions across the entire system
- server software updates (WordPress, MySQL, PHP, etc.)
- smart plugin updates (of plugins from the official repository)
- proper folder write permissions
- monitoring for suspicious behaviour in plugin and theme code
- database security
- FTP/SSH security
- backups
It is highly recommended that Kalamuna clients use a managed WordPress host for these security-related reasons and others. Discount hosting should not be allowed, and self-hosting should only be allowed in very specific circumstances where the client can demonstrate they have the resources to properly implement security practices on their server.
Kalamuna Responsibilities
As Kalamuna, the developers of the WordPress website, there are some aspects of security that are our responsibility to enforce:
- using only code and plugins from reliable sources
- as developers, ensuring our local machines are up to date and free of malicious software such as keyloggers
- setting up initial users with strong passwords, and educating the client about password manager software where this helps
- (to be discussed) setting up 2FA on the login screen. There are many reliable, reputable plugins that can do this. Some less tech-savvy users could find it confusing, though.
- (to be discussed) educating clients on phishing attempts they may receive in their email. Phishing could be used to gain access to their WordPress website as well as other tools the client's company uses, so this will benefit their overall company security and not just their website. There are various tools available that Kalamuna could recommend to the client that simulate phishing attacks, such as https://www.infosecinstitute.com/ or https://www.knowbe4.com/. The Liberal Party used one of these phishing simulator campaigns on employees, and it had a strong positive effect in training employees to be much more aware.
Client Responsibilities
The client also has some responsibilities after the project has been handed off:
- using good judgement when creating new users (do they really need to be an admin, or will a lower role suffice?)
- not disabling 2FA simply because it is easier not to use it
- not installing questionable plugins which could pose a security risk
More information is available at Hardening WordPress – Advanced Administration Handbook | Developer.WordPress.org.