WordPress/WooCommerce security best practices?

Posted on 2016-08-06
Last Modified: 2016-08-06
I am about to launch a WordPress website that uses WooCommerce, and need to learn what things I need to change from the defaults, in order to make the site as secure as WordPress & WooCommerce allow.

Suggestions?

I use an SSL certificate and have HTTPS in the URL. I have a few domains pointing to this site and the one URL always takes over, and uses that single SSL certificate. Any possible exposures here?

Also, what about using the Admin username for daily updates? This seems like bad practice. But if I go and create a user for myself and use a common first name, that seems like another easy one to target. Plus, if I have a harder-to-guess username, Admin is still exposed and has all the rights.

Suggestions about username security?

What about backing up the data? I honestly have no experience with developing on WordPress, and had someone program the site to my requirements. Since this is hosted on AWS, what steps must I take to back up the database?

Also, I have expressed the requirement that the passwords use a hashing algorithm and cannot be backwards generated, and was told that a hashing algorithm is being used, making it impossible for a hacker to reverse engineer all the passwords.

Please provide me any additional advice you have on locking this down.

And what kinds of outside services, or WordPress plugins, could help me get notified if there is an intrusion attempt or the site is down?

Thanks.
Question by:newbieweb
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41745874
Start with basic hardening as baseline

-Reviews and patches of security threats like core WordPress bugs, plugin exploits, and so on.
-Maintain up-to-date server software (using the most recent versions of PHP, etc.), including locking down your site's sensitive directories via FTP by limiting the write access on these directories.
-Pick secure passwords for any and all accounts associated with your store. See
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
(note that since the release of version 2.5 of WooCommerce too)
-Enable two-factor authentication (2FA) on all accounts (ideally; otherwise go for privileged users), e.g. having another OTP passcode received on your smartphone — to validate logins and verify that you are the owner of any given account.


For SSL, do not use weak ciphers such as TLS 1.0 and below. Go for TLS 1.2 and SHA256, and enable PFS. Check the website with SSL Test from Qualys. Get your SSL cert from a 3rd party CA like DigiCert or GoDaddy or GeoTrust that will cover the domain of the website. Avoid self-signed SSL certs and, if possible, go for an Extended Validation SSL Certificate.
https://www.ssllabs.com/ssltest/


For backup at AWS, consider something like the S3bubble plugin. Sites can get hacked, you could accidentally delete something vital, and crashes happen more often than you think. There is even ransomware locking users and the owner out from accessing the website.
https://wordpress.org/plugins/s3bubble-amazon-s3-backup/


Security add-ons
- Jetpack Protect to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked
- WordFence gives you real-time visibility into traffic and hack attempts on your website
- All In One WordPress Security plugin to reduce security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
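As an added example that is not part of the accepted answer or of any plugin mentioned in it: a plain shell script that dumps the WordPress/WooCommerce database straight to S3, covering the AWS backup question without the S3bubble plugin. It assumes the standard wp-config.php layout, mysqldump and the AWS CLI on PATH, an instance role or profile allowed to write to the bucket, and placeholder values for the docroot and bucket name.

```shell
#!/bin/sh
# Added example (not from the original answer): nightly dump of the
# WordPress/WooCommerce database to S3.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"                      # assumption: docroot
BACKUP_BUCKET="${BACKUP_BUCKET:-s3://example-wp-backups}" # placeholder bucket

# Pull a define('NAME', 'value') constant out of wp-config.php with sed, so
# the DB credentials never have to be copied into the shell environment.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Timestamped object key: each run creates a new object instead of
# overwriting the last one, so a compromised or ransomware-hit site cannot
# clobber earlier backups (enable S3 versioning or Object Lock as well).
backup_key() {
    # $1 = database name, $2 = UTC timestamp (YYYYmmddTHHMMSSZ)
    printf '%s/%s-%s.sql.gz' "$1" "$1" "$2"
}

backup_database() {
    cfg="$WP_ROOT/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    [ -n "$db_name" ] || { echo "DB_NAME not found in $cfg" >&2; return 1; }
    key=$(backup_key "$db_name" "$(date -u +%Y%m%dT%H%M%SZ)")

    # --single-transaction takes a consistent InnoDB snapshot without locking
    # the live store; MYSQL_PWD keeps the password out of the process list.
    # Server-side encryption keeps customer data encrypted at rest in S3.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction --routines \
        -h "$db_host" -u "$db_user" "$db_name" \
        | gzip -9 \
        | aws s3 cp - "$BACKUP_BUCKET/$key" --sse AES256
    echo "uploaded $BACKUP_BUCKET/$key"
}

# Only run the backup when WP_BACKUP_RUN=1 (e.g. from cron); otherwise the
# file can be sourced to reuse the helper functions.
if [ "${WP_BACKUP_RUN:-0}" = "1" ]; then
    backup_database
fi
```

Schedule it from cron on the instance and restrict the IAM role to s3:PutObject on that bucket only, so a compromised web server can add backups but never read or delete them.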

Author Closing Comment

by:newbieweb
ID: 41745875
Wow! I think I need to hire a security expert. Thanks for the help.