Solved

WordPress/WooCommerce security best practices?

Posted on 2016-08-06
Last Modified: 2016-08-06
I am about to launch a WordPress website that uses WooCommerce, and need to learn what things I need to change from the defaults, in order to make the site as secure as WordPress & WooCommerce allow.

Suggestions?

I use SSL certificate and have HTTPS in the URL. I have a few domains pointing to this site and the one URL always takes over, and uses that single SSL certificate. Any possible exposures here?

Also, what about using the Admin username for daily updates? This seems like bad practice. But if I go and create a user for myself and use a common first name, that seems like another easy one to target. Plus, if I have a harder-to-guess username, Admin is still exposed and has all the rights.

Suggestions about username security?

What about backing up the data? I honestly have no experience with developing on WordPress, and had someone program the site to my requirements. Since this is hosted on AWS, what steps must I take to back up the database?

Also, I have expressed the requirement that the passwords use a hashing algorithm and cannot be backwards generated, and was told that a hashing algorithm is being used, making it impossible for a hacker to reverse engineer all the passwords.

Please provide me any additional advice you have on locking this down.

And what kinds of outside services, or WordPress plugins, could help me get notified if there is an intrusion attempt or the site is down?

Thanks.
Question by:newbieweb
2 Comments

Accepted Solution

by:
btan earned 500 total points
ID: 41745874
Start with basic hardening as baseline

-Reviews and patches of security threats like core WordPress bugs, plugin exploits, and so on.
-Maintain up-to-date server software (using the most recent versions of PHP, etc.), including locking down your site’s sensitive directories via FTP by limiting the write access on these directories.
-Pick secure passwords for any and all accounts associated with your store. See
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
(note that since the release of version 2.5 of WooCommerce too)
-Enable two-factor authentication (2FA) on all accounts (ideally; otherwise go for privileged users), e.g. having another OTP passcode received on your smartphone — to validate logins and verify that you are the owner of any given account.


For SSL, do not use weak cipher such as TLS1.0 and below. Go for TLS 1.2 and SHA256, and enable PFS. Check the website with SSL Test from Qualys. Get your SSL cert from a 3rd party CA like DigiCert or GoDaddy or GeoTrust that will cover the domain of the website. Avoid self-signed SSL certs and if possible go for an Extended Validation SSL Certificate.
https://www.ssllabs.com/ssltest/


For backup at AWS, consider using something like the S3bubble plugin. Sites can get hacked, you could accidentally delete something vital, and crashes happen more often than you think. There is even Ransomware locking out users and owner from accessing the website.
https://wordpress.org/plugins/s3bubble-amazon-s3-backup/


Security add-ons
- Jetpack Protect to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked
- WordFence gives you real-time visibility into traffic and hack attempts on your website
- All In One WordPress Security plugin to reduce security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
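To show what the login-attempt limiting described above (the Jetpack Protect point) actually does inside WordPress, here is an added example of a small must-use plugin that does the same thing with core APIs only. It is not code from the answer or from any plugin named above; the `lal_` names, the 5-attempt limit and the 15-minute window are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, hypothetical)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php so it loads
 * before ordinary plugins and cannot be disabled from the admin UI.
 */
defined( 'ABSPATH' ) || exit;

const LAL_MAX_ATTEMPTS = 5;                       // assumed: failures allowed per window
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;  // assumed: lockout / counting window

// Counter key per client address. Note: behind an AWS load balancer
// REMOTE_ADDR is the balancer, so you would need to derive the address
// from the proxy header only when that proxy is trusted.
function lal_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lal_fail_' . md5( $ip );
}

// Count every failed login; the transient expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAL_WINDOW );
    if ( $count >= LAL_MAX_ATTEMPTS ) {
        // Log the lockout so a monitoring tool can pick it up from the PHP error log.
        error_log( sprintf( 'lal: lockout after %d failed logins for user "%s"',
            $count, sanitize_user( $username ) ) );
    }
} );

// Refuse authentication while the client is locked out. Priority 30 runs
// after the core username/password check (priority 20), so a correct
// password cannot override the lockout by replacing our error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login resets the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lal_client_key() );
} );
```

The same `authenticate` filter covers XML-RPC and REST logins, not just wp-login.php, which is why it is a better hook than the login form itself.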
 

Author Closing Comment

by:newbieweb
ID: 41745875
Wow! I think I need to hire a security expert. Thanks for the help.
