How to improve the security of a WordPress site?

I had this question after viewing How to restore a WordPress site?.

Considering the related question, I would like to know how to improve the security of WordPress sites. We have had a lot of malware and hacking attacks; maybe what we need isn't just an isolated solution but a strategy made up of many aspects.

Thanks in advance.
dimensionav asked:
Ray Paseur commented:
I think your instincts are right about considering security "strategies" instead of treating it as a one-time thing.  Threats are always evolving, and a general awareness is important.

For a good organization that you might want to join and support, consider OWASP:
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline

WordPress is written in PHP, and PHP has its own security manual:
http://php.net/manual/en/security.php

WordPress Specific:
https://wordpress.org/news/category/security/
http://codex.wordpress.org/Hardening_WordPress

Good hosting is important, too.  These are the pros:
https://wordpress.com/

Peter Hart commented:
I have found (to my downfall) the best thing is to take regular automated backups, as hackers will always find a way in. Then when it happens you can simply restore the last backup.

For WordPress the number one thing is to keep everything updated (WordPress, plugins, PHP, etc.).
There is a list here: http://www.hongkiat.com/blog/hardening-wordpress-security/

Then use a paid-for security enhancement for WordPress such as Wordfence,
and talk to your hosting company about what security they offer in terms of hardening the OS and server.
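The "regular automated backups, then restore" advice above only pays off if the backup is actually restorable when you need it. The script below is an added example (not from this thread or any WordPress project): a POSIX sh backup helper that archives the document root, writes a SHA-256 sidecar, performs a trial extraction as the verification step, rotates old archives, and restores. The function names (wp_backup, wp_verify, wp_rotate, wp_restore) and the sample site it builds are hypothetical; the database dump command is a caller-supplied argument so the demo runs offline.

```shell
#!/bin/sh
# Added example: backup, verify, rotate and restore for a WordPress document root.
# Not from the thread; all names (wp_backup, wp_verify, ...) are hypothetical.
# The database dump command is passed in by the caller (e.g. a mysqldump line)
# and left empty in the demo so the script runs offline on a constructed site.
set -eu

# Print the SHA-256 of a file, using whichever tool the host provides.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# wp_backup SITE_DIR DEST_DIR [DB_DUMP_CMD]
# Stages a copy of the site (plus database.sql when a dump command is given),
# writes DEST_DIR/wp-<utc stamp>-<seq>.tar.gz and a .sha256 sidecar, and
# prints the archive path. The sequence number keeps names unique and
# lexicographically ordered even when two runs fall in the same second.
wp_backup() {
    site_dir=$1; dest_dir=$2; db_cmd=${3:-}
    mkdir -p "$dest_dir"
    stamp=$(date -u +%Y%m%d-%H%M%S)
    seq=1
    while :; do
        archive=$(printf '%s/wp-%s-%03d.tar.gz' "$dest_dir" "$stamp" "$seq")
        [ -e "$archive" ] || break
        seq=$((seq + 1))
    done
    work=$(mktemp -d)
    cp -R "$site_dir" "$work/site"
    if [ -n "$db_cmd" ]; then
        sh -c "$db_cmd" > "$work/site/database.sql"
    fi
    tar -czf "$archive" -C "$work" site
    file_digest "$archive" > "$archive.sha256"
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# wp_verify ARCHIVE
# Checks the digest sidecar and performs a trial extraction into a scratch
# directory: an untested backup is not a backup. Returns non-zero on failure.
wp_verify() {
    archive=$1
    [ -f "$archive.sha256" ] || { echo "no digest sidecar for $archive" >&2; return 1; }
    expected=$(cat "$archive.sha256")
    actual=$(file_digest "$archive")
    [ "$expected" = "$actual" ] || { echo "digest mismatch: $archive" >&2; return 1; }
    scratch=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null || [ ! -f "$scratch/site/wp-config.php" ]; then
        rm -rf "$scratch"
        echo "trial restore failed: $archive" >&2
        return 1
    fi
    rm -rf "$scratch"
}

# wp_rotate DEST_DIR KEEP
# Deletes all but the newest KEEP archives (and their sidecars), newest by name.
wp_rotate() {
    dest_dir=$1; keep=$2
    ls -1 "$dest_dir"/wp-*.tar.gz 2>/dev/null | LC_ALL=C sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# wp_restore ARCHIVE TARGET_DIR
# Verifies first, then unpacks the site tree into TARGET_DIR.
wp_restore() {
    archive=$1; target=$2
    wp_verify "$archive" || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    mkdir -p "$target"
    cp -R "$scratch/site/." "$target/"
    rm -rf "$scratch"
}

# Demo on a constructed sample site (no real WordPress install needed).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/site/wp-content/uploads"
printf '<?php define("DB_NAME", "wp");\n' > "$demo_root/site/wp-config.php"
printf 'sample upload\n' > "$demo_root/site/wp-content/uploads/note.txt"
first=$(wp_backup "$demo_root/site" "$demo_root/backups")
wp_verify "$first" && echo "verified: $first"
wp_rotate "$demo_root/backups" 7
```

In production the third argument to wp_backup would be a dump command such as a mysqldump invocation that reads its credentials from an option file rather than the command line, the destination would be a directory the web server account cannot write to (ransomware that can reach the site can otherwise reach the backups), and the trial restore in wp_verify is the step worth keeping even if everything else is replaced by a hosting provider's tooling.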
Ray Paseur commented:
+1 for @chilternPC recommendation of Hongkiat.  Much good advice there.
btan (Exec Consultant) commented:
Indeed, restoration with a tested backup is critical, as recent ransomware such as CTB-Locker has even locked websites, demanding ransom prior to any form of access. It needs to:
- reinforce fundamental hardening to start off
- build the layers of site defences
- maintain continuous oversight and a regime for security testing
- enforce strict, timely patch management of the site's software and dependencies.

Vulnerable CMS and plugins in WordPress are low-hanging fruit for attack and invite easy penetration to exploit the vulnerability. So keep informed on the updates and receive timely alerts via email or other means to monitor the latest release of every plugin.

Have a web application firewall to form that extra layer of hurdle that an attacker needs to overcome before they hit the actual gap in the site due to insecure coding or an unpatched plugin. It also buys some time for a site upgrade to change any necessary code.

Consider the OWASP guidelines for virtual patching. But please still fix the code, etc. https://www.owasp.org/index.php/Virtual_Patching_Cheat_Sheet

Also, as mentioned, to strike off the low-hanging fruit, focus minimally on making sure the necessary input validation is done to prevent SQLi, XSS, clickjacking, CSRF. See the OWASP Top 10 vulnerabilities.
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

There is also Wordfence, which is worth considering; they have been active on securing WordPress as their main core outcome. See the recommended checklist.
https://www.wordfence.com/learn/wordpress-security-checklist/

Separately, have Sucuri SiteCheck to maintain the site posture and actively discover any potential holes in the site. In fact, they can even help you to monitor, and it may be good to prevent possible defacement.
https://sitecheck.sucuri.net//

There is more, like data leakage prevention to work with the web application FW, audit trails to monitor, etc., but I should say to focus on the above to ascertain the baseline before delving too deep, getting small wins first instead of a big-bang revamp...
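The asker's "a lot of malware" and this reply's points about "continuous oversight" and "audit trails to monitor" both come down to noticing when files in the document root change without a deployment. Below is an added example (not from this thread or from Sucuri, Wordfence or WordPress): a POSIX sh file-integrity baseline. wp_manifest records a checksum for every file on a known-clean site; wp_integrity_diff compares the live tree against that record and reports added, modified and removed files, calling out an added .php file under wp-content/uploads (a directory that should only hold media) as suspicious. Both function names and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: a file-integrity baseline for a WordPress document root.
# Not from the thread; wp_manifest and wp_integrity_diff are hypothetical names.
# Run wp_manifest once on a known-clean site, keep the output somewhere the
# web server account cannot write, and diff against it on a schedule.
set -eu

# wp_manifest SITE_DIR
# Prints one "crc size ./relative/path" line per regular file (cksum output),
# sorted so two manifests of the same tree compare line for line.
wp_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done )
}

# wp_integrity_diff BASELINE_FILE SITE_DIR
# Prints ADDED / MODIFIED / REMOVED lines; an added .php file under
# wp-content/uploads is reported as SUSPICIOUS instead of ADDED.
# Returns 0 when nothing changed, 1 otherwise (or on an empty baseline).
wp_integrity_diff() {
    baseline=$1; site_dir=$2
    [ -s "$baseline" ] || { echo "empty baseline: $baseline" >&2; return 1; }
    current=$(mktemp)
    wp_manifest "$site_dir" > "$current"
    changes=$(awk '
        # The path is everything after the two numeric fields, so paths
        # containing spaces survive the comparison.
        { p = substr($0, length($1) + length($2) + 3); v = $1 " " $2 }
        NR == FNR { base[p] = v; next }   # first file: the baseline
        { cur[p] = v }                     # second file: the live manifest
        END {
            for (p in cur) {
                if (!(p in base)) {
                    tag = (p ~ /^\.\/wp-content\/uploads\/.*\.php$/) ? "SUSPICIOUS " : "ADDED "
                    print tag p
                } else if (base[p] != cur[p]) {
                    print "MODIFIED " p
                }
            }
            for (p in base) if (!(p in cur)) print "REMOVED " p
        }' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# Demo on a constructed sample tree (no real WordPress install needed).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/uploads" "$demo/site/wp-content/plugins/hello"
printf '<?php // config\n' > "$demo/site/wp-config.php"
printf '<?php // plugin\n' > "$demo/site/wp-content/plugins/hello/hello.php"
wp_manifest "$demo/site" > "$demo/baseline"   # taken while the site is known clean
printf '<?php // appeared later\n' > "$demo/site/wp-content/uploads/image.php"
wp_integrity_diff "$demo/baseline" "$demo/site" || echo "integrity check flagged changes"
```

cksum is a CRC, fine for spotting unexpected change but not for resisting an attacker who already controls the host; if that is in scope, swap in sha256sum and store the baseline off-box. Legitimate updates (the "keep everything updated" advice earlier in the thread) will show up as MODIFIED, so the baseline is re-taken right after each deliberate update, which is also a convenient moment to reconcile what changed against the release notes.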
Jason C. Levine commented:
All of the above is fantastic advice and if you really want to spend a lot of time and effort learning this stuff, you will greatly enhance your employment prospects as well as expertly securing your sites.

However, if it all looks and sounds like technobabble, then you need to take slightly different steps to secure your site from the hosting forward. In this case, you will want to move your site to a company that specializes in WordPress hosting and also handles your security, backups, and restores for you. The best known of the bunch is currently WPEngine, and they will take responsibility for your security, backups, site speed, and more. There are others, so do your research.
btan (Exec Consultant) commented:
Agree with all the good sharing. The objective is to help the customer or end user appreciate the real 'needs' compared to the 'wants'.

For the internals of the site (more of housekeeping diligence), focus on the hosting and secure coding to set the baseline for getting it right the first time on what the service and vendor providers should do. Those checks serve as the expected outcome as part of the security acceptance. Even if the code is from an in-house team, there should be some form of development practice for defensive coding. The hardening of the server and application is a must-have and should already be part of the baseline.

For the perimeter of the site (more of the external front-end "fight" to settle before reaching the internals), focus on considering services like Cloudflare or Akamai from a DDoS protection standpoint, which also covers the WAF shared earlier. Such a service does not change anything in the backend code, though some tuning may be expected for false positives.
Jophiel Silvestrone (CEO/Web Developer) commented:
The Sucuri plugin: https://wordpress.org/plugins/sucuri-scanner/ is one of the best sandboxes for preventing any threats from getting into your WordPress site. Also, Wordfence is pretty good as well: https://wordpress.org/plugins/wordfence/