When Office To-Go takes over maintenance of a WordPress website or starts a new project, these are the security measures and recommendations we apply.
1. Keep headers/logos under 125 pixels high. A tall header eats valuable viewing space, especially on laptops, that is better spent on the content that should appear “above the fold.” Take a cue from the big companies: simple logos done well say it all. This is our #1 pet peeve: screaming logos and headers!
2. Use STRONG passwords of 10 or more characters (longer is better) and DO NOT use “admin” as a username. Create a new user assigned to the administrator role, log back in as that new user and DELETE the old “admin” user (WordPress will offer to attribute its posts to the new account). It can’t be said strongly enough: use strong passwords for WordPress and any other site which requires a password. A strong password generator makes this easy.
3. Use secret keys. The secret keys and salts in wp-config.php are long random strings that WordPress mixes into the hashes it uses to sign login cookies and nonces; without unique values a stolen or forged cookie is far easier to abuse. Visit https://api.wordpress.org/secret-key/1.1/salt/, copy the eight define() lines it generates into your wp-config.php file (replacing the “put your unique phrase here” placeholders) and re-upload. You can change them at any time. Note: changing them invalidates all current WordPress cookies and every user will have to log in again, a minor inconvenience in the name of security.
4. Select your plugins wisely; too many will slow down your site, and a badly coded or abandoned plugin is a hacker’s back door into your website. Remove what you don’t use and keep the rest updated.
5. Install the WordPress Firewall plugin. It inspects incoming web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks.
6. Move your wp-config.php file one directory above the web root (this only makes sense when WordPress runs in the root of your site, not in a yourdomain.com/blog subfolder). WordPress looks for the file one level up automatically, and a file outside the web root cannot be served to a browser if PHP ever fails to execute on your server.
7. Do not use wp_ as the prefix for your database tables. Most hosts no longer use that default, but if yours does, change wp_ to something else. On a new install just set $table_prefix before running the installer; on an existing site you must also rename the tables themselves and the prefixed rows in the options and usermeta tables, so take a backup first.
8. Install the Wordfence security plugin.
9. BACK UP your site regularly and keep a copy on your computer and/or in off-site storage. If you have a very active site, back up daily. You spend a lot of time and money on your website, so don’t skip this! The complete solution we use is BackupBuddy (affiliate link): it backs up your files, widgets, plugins and database in one package, and if you need to move your site to another host it will do that in a few minutes.
10. Lock down your wp-admin directory by IP address with an .htaccess file. Create (or edit) wp-admin/.htaccess and add the following, replacing xxx.xxx.xxx.xxx with your own IP address (add one “allow from” line per address you use). This is Apache 2.2 syntax; on Apache 2.4 the equivalent is “Require ip xxx.xxx.xxx.xxx”. Two caveats: wp-login.php sits outside wp-admin and is not covered by this file, and wp-admin/admin-ajax.php is called from the public front end by many themes and plugins, so exempt it or those features break for your visitors. If your IP changes (home broadband, mobile) you will have to update the file before you can log in again.
# wp-admin/.htaccess (Apache 2.2 syntax)
# The Auth* lines are inert without a Require directive; the IP rules
# below do the actual work.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Deny everyone, then allow only the listed addresses.
order deny,allow
deny from all
# IP address(es) to whitelist: one "allow from" line per address
allow from xxx.xxx.xxx.xxx
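Steps 3, 7 and 10 are the ones most often left half-done: placeholder salts still in wp-config.php, the wp_ prefix untouched, or the xxx.xxx.xxx.xxx placeholder never replaced. The script below is an added example (not Office To-Go’s code or part of WordPress) that audits a wp-config.php and an .htaccess offline for exactly those three points and builds the Apache 2.4 form of the wp-admin restriction, with the admin-ajax.php exemption mentioned above. The sample wp-config.php contents and the 203.0.113.x / 198.51.100.x addresses are constructed for the demo.

```python
"""Offline audit of a WordPress install against steps 3, 7 and 10 above.

Added example, not the page's own code. The sample file contents
at the bottom are constructed for the demo.
"""
import ipaddress
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Text that ships in wp-config-sample.php until the real keys are pasted in.
PLACEHOLDER = "put your unique phrase here"

# define('NAME', 'value');  -- the closing quote must match the opening one,
# so a value containing the other quote character does not end the match early.
DEFINE_RE = re.compile(r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""")


def parse_defines(config_text):
    """Return {NAME: value} for every define('NAME', 'value'); in the file."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}


def audit_wp_config(config_text):
    """Return a list of findings; an empty list means steps 3 and 7 are done."""
    findings = []
    defines = parse_defines(config_text)
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key}: still the sample placeholder or too short")
    m = PREFIX_RE.search(config_text)
    prefix = m.group(2) if m else None
    if prefix is None or prefix == "wp_":
        findings.append("table_prefix: still the default wp_")
    return findings


def audit_htaccess(htaccess_text):
    """Flag an 'allow from' / 'Require ip' line that still carries the xxx placeholder."""
    findings = []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.lower().startswith(("allow from", "require ip")) and "xxx" in line.lower():
            findings.append(f"placeholder address never replaced: {line}")
    return findings


def build_admin_htaccess(allowed):
    """Apache 2.4 equivalent of the 2.2 snippet above for wp-admin/.htaccess.

    `allowed` is a list of IP addresses or CIDR ranges. admin-ajax.php is
    exempted because themes and plugins call it from the public front end.
    """
    if not allowed:
        raise ValueError("at least one address is required, or you lock yourself out")
    nets = []
    for a in allowed:
        net = ipaddress.ip_network(a, strict=False)  # raises ValueError on junk input
        nets.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    lines = ["# wp-admin/.htaccess (Apache 2.4)",
             "<Files admin-ajax.php>", "    Require all granted", "</Files>"]
    lines += [f"Require ip {n}" for n in nets]   # several Require ip lines are OR-ed
    return "\n".join(lines) + "\n"


# Constructed sample: an owner who skipped steps 3 and 7 except for one key.
SAMPLE_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'p^T&6)KyG7mR!2bE#Vw0s@zQx9LnH4cJu8dF1a*iO5eN3');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for f in audit_wp_config(SAMPLE_CONFIG):
        print("wp-config.php:", f)
    for f in audit_htaccess("order deny,allow\ndeny from all\nallow from xxx.xxx.xxx.xxx\n"):
        print(".htaccess:", f)
    print(build_admin_htaccess(["203.0.113.10", "198.51.100.0/24"]))
```

Run it against your real files by reading them into the two audit functions; an empty list from both is the goal. build_admin_htaccess() refuses an empty allow list on purpose, since a wp-admin/.htaccess with no Require ip line is the fastest way to lock yourself out of your own dashboard.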