WordPress/WooCommerce security best practices?

Posted on 2016-08-06
Last Modified: 2016-08-06
I am about to launch a WordPress website that uses WooCommerce, and need to learn what things I need to change from the defaults, in order to make the site as secure as WordPress & WooCommerce allow.

Suggestions?

I use SSL certificate and have HTTPS in the URL. I have a few domains pointing to this site and the one URL always takes over, and uses that single SSL certificate. Any possible exposures here?

Also, what about using the Admin username for daily updates? This seems like bad practice. But if I go and create a user for myself and use a common first name, that seems like another easy one to target. Plus, if I have a harder-to-guess username, Admin is still exposed and has all the rights.

Suggestions about username security?

What about backing up the data? I honestly have no experience with developing on WordPress, and had someone program the site to my requirements. Since this is hosted on AWS, what steps must I take to back up the database?

Also, I have expressed the requirement the passwords use a hashing algorithm and can not be backwards generated, and told that a hashing algorithm is being used, making it impossible for a hacker to reverse engineer all the passwords.

Please provide me any additional advice you have on locking this down.

And what kinds of outside services, or WordPress plugins, could help me get notified if there is an intrusion attempt or the site is down?

Thanks.
Question by:newbieweb

Accepted Solution by: btan (earned 500 total points), ID: 41745874
Start with basic hardening as a baseline:

- Review and patch security threats like core WordPress bugs, plugin exploits, and so on.
- Maintain up-to-date server software (using the most recent versions of PHP, etc.), and lock down your site's sensitive directories via FTP by limiting the write access on these directories.
- Pick secure passwords for any and all accounts associated with your store. See
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
(note that since the release of version 2.5 of WooCommerce too)
- Enable two-factor authentication (2FA) on all accounts (or at least on privileged users), e.g. having another OTP passcode received on your smartphone, to validate logins and verify that you are the owner of any given account.


For SSL, do not use a weak cipher such as TLS 1.0 and below. Go for TLS 1.2 and SHA256, and enable PFS. Check the website with SSL Test from Qualys. Get your SSL cert from a 3rd-party CA like DigiCert or GoDaddy or GeoTrust that will cover the domain of the website. Avoid self-signed SSL certs and, if possible, go for an Extended Validation SSL Certificate.
https://www.ssllabs.com/ssltest/


For backup at AWS, consider having it like the S3bubble plugin. Sites can get hacked, you could accidentally delete something vital, and crashes happen more often than you think. There is even ransomware locking out users and the owner from accessing the website.
https://wordpress.org/plugins/s3bubble-amazon-s3-backup/


Security add-ons:
- Jetpack Protect to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked
- WordFence gives you real-time visibility into traffic and hack attempts on your website
- All In One WordPress Security plugin to reduce security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Author Closing Comment by: newbieweb, ID: 41745875
Wow! I think I need to hire a security expert. Thanks for the help.
