WordPress is a very popular engine for building your business website: it's flexible, etc. But when you look for a developer to create your site, please find someone who actually thinks about security too, not only about the design. Or have someone review it afterwards.
A lot of company websites I've seen have no security plugins installed and very lax settings. They don't get updated, and some even have outright data leaks in them.
What made me write this was one of the more interesting security practices I recently saw a developer use. What he did right was use a complex password. Where he went wrong was that he also used it as the username. Using a completely random 12-character username is in some sense good (no dictionary attack will find it, and it should be really hard to guess)... except when you have the WP JSON interface wide open to the public. Guess what: the username is listed there, and when you reuse that username as the password, it's all over.
When I'm tasked with looking at a website's security, the first thing I look for is whether any known interfaces that haven't been locked down properly give away hints about credentials. Why bother hunting for injection vulnerabilities when the low-hanging fruit hasn't been taken care of?
So please, when running your website on WordPress, do the decent thing and lock it down to keep your viewers and customers safe. Invest a bit of time in securing your site and in reading up on how to do it.
Here are some basic hints:
* Install a security plugin, for example Wordfence or iThemes Security.
* Disable features and interfaces you don't use (e.g. wp-json, xmlrpc).
* Don't leave your wp-admin page open to the public: move it and/or add extra measures to protect it (basic auth, MFA, etc.).
* Keep your plugins and your WordPress instance up to date.
* Do regular (off-site) backups and track file changes, so you can spot malicious actors more easily and have a clean site to restore.
* Don't reuse passwords. I've been able to access too many admin pages using passwords from password-leak databases to say that this isn't a problem.
* Check whether your e-mail address has appeared in any password dumps (https://haveibeenpwned.com).
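The two interfaces the list above singles out, wp-json and xmlrpc, can be locked down from within WordPress itself. The following must-use plugin is an added example written for this post; it is not code from the original article or from the WordPress project. It assumes you can place a file under wp-content/mu-plugins/ (the plugin name and the assumption that no public-facing plugin needs anonymous REST access are the example's own); the hooks it uses (rest_endpoints, rest_authentication_errors, xmlrpc_enabled, and the two REST link-header actions) are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Lock down REST API and XML-RPC (example mu-plugin)
 * Description: Hypothetical must-use plugin. Placed in wp-content/mu-plugins/
 *              it loads automatically and cannot be deactivated from the admin UI.
 */

// Stop advertising /wp-json/ to every visitor via the <link rel="https://api.w.org/">
// tag and the HTTP Link header. This hides the discovery hint, not the API itself.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );

// Turn off XML-RPC entirely (pingbacks, remote publishing and the
// system.multicall login guessing it enables).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the user-listing routes from the REST API for anonymous visitors.
// /wp/v2/users is the endpoint that hands out usernames in the post's story;
// removing the route makes those requests answer with a 404 "rest_no_route".
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Stricter option: require an authenticated user for any REST request.
// Assumption: nothing on the public site (contact forms, front-end search,
// oEmbed consumers) relies on anonymous REST calls. If something does,
// drop this block and keep only the endpoint removal above.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // A non-null $result means another handler already decided; leave it alone.
    if ( null !== $result ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'REST API requests require authentication on this site.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

After deploying it, verify from outside the site: an unauthenticated request to /wp-json/wp/v2/users should now return a 401 (or a 404 if you kept only the endpoint removal), and a POST to /xmlrpc.php should be refused. The wp-admin protection from the list (basic auth or MFA in front of the login page) belongs in the web server or an authentication plugin rather than in this file, and the logged-in editor keeps working because the block editor authenticates with the normal WordPress cookie and nonce.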