Solved

WordPress/WooCommerce security best practices?

Posted on 2016-08-06
133 Views
Last Modified: 2016-08-06
I am about to launch a WordPress website that uses WooCommerce, and need to learn what things I need to change from the defaults, in order to make the site as secure as WordPress & WooCommerce allow.

Suggestions?

I use SSL certificate and have HTTPS in the URL. I have a few domains pointing to this site and the one URL always takes over, and uses that single SSL certificate. Any possible exposures here?

Also, what about using the Admin username for daily updates? This seems like bad practice. But if I go and create a user for myself and use a common first name, that seems like another easy one to target. Plus, if I have a harder-to-guess username, Admin is still exposed and has all the rights.

Suggestions about username security?

What about backing up the data? I honestly have no experience with developing on WordPress, and had someone program the site to my requirements. Since this is hosted on AWS, what steps must I take to back up the database?

Also, I have expressed the requirement that the passwords use a hashing algorithm and cannot be generated backwards, and was told that a hashing algorithm is being used, making it impossible for a hacker to reverse engineer all the passwords.

Please provide me any additional advice you have on locking this down.

And what kinds of outside services, or WordPress plugins, could help me get notified if there is an intrusion attempt or the site is down?

Thanks.
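For reference on the hashing point raised above: at the time of this question WordPress stored passwords with the phpass "portable" hash (strings starting with `$P$B`), i.e. a per-user random salt followed by 8192 rounds of MD5. The block below is an added example that reimplements that scheme in Python so you can see what a stored hash looks like and confirm that the same password verifies against it; it is not code from the original post or from WordPress itself. The test passwords are constructed, and the cost of 8192 rounds (`count_log2=13`) is what WordPress's default `PasswordHash(8, true)` produces.

```python
"""phpass portable hash ($P$) as used by WordPress at the time of this post.
Added example; assumptions: cost char 'B' (8192 rounds), 8-char salt, MD5."""
import hashlib
import hmac
import os

# phpass's 64-character alphabet (not the RFC 4648 base64 alphabet).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own little-endian base64 variant over the first `count` bytes."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def cost_rounds(setting: str) -> int:
    """Number of MD5 rounds encoded in the 4th character of a $P$ setting/hash."""
    if setting[:3] != "$P$" or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    return 1 << count_log2


def crypt_private(password: str, setting: str) -> str:
    """Hash `password` under `setting` ('$P$' + cost char + 8-char salt).

    Passing a full stored hash as `setting` recomputes it, which is how
    verification works: the first 12 characters carry cost and salt."""
    rounds = cost_rounds(setting)
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):  # digest = md5(digest || password), repeated
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)  # 12 + 22 = 34 chars


def hash_password(password: str, count_log2: int = 13) -> str:
    """Fresh random salt + hash; count_log2=13 ('B', 8192 rounds) is WordPress's default."""
    salt = _encode64(os.urandom(6), 6)  # 6 random bytes -> 8 alphabet chars
    return crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(crypt_private(password, stored), stored)


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")  # constructed test password
    print(h, cost_rounds(h), check_password("correct horse battery staple", h))
```

Two things worth noticing when you run it: the same password hashed twice gives two different strings because the salt is random, so a stolen table cannot be attacked with one precomputed list; and the 8192 MD5 rounds make each guess cost roughly 8192 times a single MD5, which is what slows down an offline brute force. Nothing in the scheme can be run backwards, but a weak password is still found quickly by guessing, which is why the password and 2FA advice in the accepted answer matters.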
Question by:newbieweb
2 Comments

Accepted Solution

by:
btan earned 500 total points
ID: 41745874
Start with basic hardening as a baseline:

- Review and patch security threats such as core WordPress bugs, plugin exploits, and so on.
- Maintain up-to-date server software (using the most recent versions of PHP, etc.), including locking down your site's sensitive directories via FTP by limiting write access on those directories.
- Pick secure passwords for any and all accounts associated with your store. See
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
(note that since the release of version 2.5 of WooCommerce too)
- Enable two-factor authentication (2FA) on all accounts (ideally; otherwise go for the privileged users), e.g. having another OTP passcode received on your smartphone, to validate logins and verify that you are the owner of any given account.


For SSL, do not use weak ciphers such as TLS 1.0 and below. Go for TLS 1.2 and SHA256, and enable PFS. Check the website with the SSL Test from Qualys. Get your SSL cert from a 3rd-party CA like DigiCert, GoDaddy or GeoTrust that will cover the domain of the website. Avoid self-signed SSL certs and, if possible, go for an Extended Validation SSL Certificate.
https://www.ssllabs.com/ssltest/


For backup at AWS, consider a plugin like S3bubble. Sites can get hacked, you could accidentally delete something vital, and crashes happen more often than you think. There is even ransomware locking users and owners out of accessing the website.
https://wordpress.org/plugins/s3bubble-amazon-s3-backup/


Security add-ons:
- Jetpack Protect, to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked
- Wordfence, which gives you real-time visibility into traffic and hack attempts on your website
- All In One WordPress Security plugin, to reduce security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
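The "limit failed logins, then block the IP" behaviour that the accepted answer attributes to Jetpack Protect and Wordfence is worth seeing in the raw, because the same logic is what you would run over your web-server logs (or feed to fail2ban) if you prefer not to depend on a plugin. The block below is an added example, not code from the answer or from either plugin: it parses a handful of constructed nginx combined-format access log lines, treats a POST to /wp-login.php that returns 200 as a failed attempt (WordPress re-renders the form with an error) and a 302 as a success (redirect to wp-admin), and reports the IPs that exceed N failures inside a sliding window. The addresses, timestamps, threshold and window are all assumptions for the example.

```python
"""Sliding-window lockout over WordPress login attempts in nginx access logs.
Added example; the log lines below are constructed, not from a real server."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.7 hammers wp-login.php, 198.51.100.5 logs in
# normally (one failure, one success), 192.0.2.9 fails slowly, 3 minutes apart.
SAMPLE_LOG = """\
192.0.2.9 - - [06/Aug/2016:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Aug/2016:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Aug/2016:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Aug/2016:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Aug/2016:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2016:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "python-requests/2.10"
203.0.113.7 - - [06/Aug/2016:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "python-requests/2.10"
198.51.100.5 - - [06/Aug/2016:10:15:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3802 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2016:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "python-requests/2.10"
198.51.100.5 - - [06/Aug/2016:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2016:10:15:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "python-requests/2.10"
203.0.113.7 - - [06/Aug/2016:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "python-requests/2.10"
198.51.100.5 - - [06/Aug/2016:10:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Aug/2016:10:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3948 "-" "python-requests/2.10"
"""


def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def lockouts(log_text: str, max_failures: int = 5, window: timedelta = timedelta(minutes=10)):
    """Map ip -> time of the failure that crossed `max_failures` within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # logs are usually ordered, but do not rely on it
    recent = defaultdict(deque)         # ip -> timestamps of recent failures
    blocked = {}
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith("/wp-login.php"):
            continue                    # only login submissions count
        ip = e["ip"]
        if ip in blocked:
            continue                    # already locked out; nothing more to decide
        if e["status"] == 302:          # successful login: WordPress redirects
            recent[ip].clear()
            continue
        if e["status"] != 200:          # 200 = form re-rendered with an error
            continue
        q = recent[ip]
        q.append(e["ts"])
        while q and q[0] < e["ts"] - window:
            q.popleft()                 # drop failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = e["ts"]
    return blocked


if __name__ == "__main__":
    for ip, when in lockouts(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults, only 203.0.113.7 is blocked, at the fifth failure (10:15:09); 192.0.2.9 never has five failures inside any ten-minute window, and 198.51.100.5's single failure followed by a success is just a user mistyping. Lower the threshold to 3 and both the fast and the slow attacker are caught, which is the trade-off every lockout plugin exposes as a setting: a low threshold catches slow guessing but locks out clumsy legitimate users too. Whatever enforces the block, keep a whitelist for your own address so you cannot lock yourself out of the admin.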

Author Closing Comment

by:newbieweb
ID: 41745875
Wow! I think I need to hire a security expert. Thanks for the help.
