WordPress/WooCommerce security best practices?

I am about to launch a WordPress website that uses WooCommerce, and need to learn what things I need to change from the defaults, in order to make the site as secure as WordPress & WooCommerce allow.

Suggestions?

I use SSL certificate and have HTTPS in the URL. I have a few domains pointing to this site and the one URL always takes over, and uses that single SSL certificate. Any possible exposures here?

Also, what about using the Admin username for daily updates? This seems like bad practice. But if I go and create a user for myself and use a common first name, that seems like another easy one to target. Plus, if I have a harder-to-guess username, Admin is still exposed and has all the rights.

Suggestions about username security?

What about backing up the data? I honestly have no experience with developing on WordPress, and had someone program the site to my requirements. Since this is hosted on AWS, what steps must I take to back up the database?

Also, I have expressed the requirement that the passwords use a hashing algorithm and cannot be backwards generated, and was told that a hashing algorithm is being used, making it impossible for a hacker to reverse engineer all the passwords.

Please provide me any additional advice you have on locking this down.

And what kinds of outside services, or WordPress plugins, could help me get notified if there is an intrusion attempt or the site is down?

Thanks.
Asked by newbieweb

1 Solution
btan (Exec Consultant) commented:
Start with basic hardening as baseline

- Reviews and patches of security threats like core WordPress bugs, plugin exploits, and so on.
- Maintain up-to-date server software (using the most recent versions of PHP, etc.), including locking down your site’s sensitive directories via FTP by limiting the write access on these directories.
- Pick secure passwords for any and all accounts associated with your store. See
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
(note that since the release of version 2.5 of WooCommerce too)
- Enable two-factor authentication (2FA) on all accounts (ideally; otherwise go for privileged users), e.g. having another OTP passcode received on your smartphone — to validate logins and verify that you are the owner of any given account.


For SSL, do not use weak ciphers such as TLS 1.0 and below. Go for TLS 1.2 and SHA256, and enable PFS. Check the website with SSLtest from Qualys. Get your SSL cert from a 3rd-party CA like DigiCert or GoDaddy or GeoTrust that will cover the domain of the website. Avoid self-signed SSL certs and if possible go for an Extended Validation SSL Certificate.
https://www.ssllabs.com/ssltest/


For backup at AWS, consider something like the S3bubble plugin. Sites can get hacked, you could accidentally delete something vital, and crashes happen more often than you think. There is even ransomware locking users and the owner out from accessing the website.
https://wordpress.org/plugins/s3bubble-amazon-s3-backup/


Security add-ons
- Jetpack Protect to limit the number of times anyone can unsuccessfully attempt to log into your store before their IP address is blocked
- WordFence gives you real-time visibility into traffic and hack attempts on your website
- All In One WordPress Security plugin to reduce security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
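Two of the items in the answer above made concrete, as an added example that is not part of this thread and not code from any of the plugins it names: a scripted database backup to S3 (the "backup at AWS" point, without a plugin) and a check over the web server access log for the repeated failed logins that Jetpack Protect or WordFence would block. It assumes a combined-format (nginx/Apache) access log, that WordPress answers a failed wp-login.php POST with HTTP 200 (the form again) and a successful one with 302, that mysqldump and the AWS CLI are installed with credentials allowed to write to the bucket, and that WP_ROOT and S3_BUCKET are hypothetical values; the wp-config.php fragment and the log lines are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): scripted WordPress DB backup to
# S3 plus a failed-login check over the access log. Assumes mysqldump and the
# AWS CLI are installed and `aws` already has credentials for the bucket.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"          # hypothetical WordPress install path
S3_BUCKET="${S3_BUCKET:-example-wp-backups}" # hypothetical bucket name

# Extract the value of define('KEY', 'value') from a wp-config.php file.
wp_config_value() {
  local file="$1" key="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*).*/\1/p" "$file" | head -n 1
}

# Dump the database, compress it, and upload it with server-side encryption.
backup_wordpress_db() {
  local wp_root="$1" bucket="$2" cfg name user pass host stamp dump
  cfg="$wp_root/wp-config.php"
  name=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  dump="${TMPDIR:-/tmp}/${name}-${stamp}.sql"
  # The password is passed through MYSQL_PWD rather than the command line, so it
  # is not visible in the process list; --single-transaction takes a consistent
  # InnoDB snapshot without locking the live shop. Written to a file first so
  # `set -e` aborts on a failed dump instead of uploading a truncated archive.
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$name" > "$dump"
  gzip -f "$dump"
  aws s3 cp --sse AES256 "$dump.gz" "s3://${bucket}/wordpress/${name}-${stamp}.sql.gz"
  rm -f "$dump.gz"
}

# Print "ip count" for every client with at least $1 failed logins in a
# combined-format access log read on stdin. A failed wp-login.php POST comes
# back as 200 (the login form again); a successful one redirects with 302.
flag_login_bruteforce() {
  awk -v threshold="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
  '
}

# Constructed sample wp-config.php fragment, not a real site's configuration.
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
<?php
/* Constructed sample, not a real wp-config.php. */
define( 'DB_NAME', 'shopdb' );
define( 'DB_USER', 'shopuser' );
define( 'DB_PASSWORD', 'example-only-password' );
define( 'DB_HOST', 'localhost' );
EOF

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic:
# six failed logins from one client, then one failed and one successful login
# from a legitimate user.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:00:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:00:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:00:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "curl/8.0"
198.51.100.5 - - [01/Jan/2024:00:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
198.51.100.5 - - [01/Jan/2024:00:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [01/Jan/2024:00:01:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

# Self-check on the constructed inputs; the real backup only runs with --backup.
[ "$(wp_config_value "$SAMPLE_CONFIG" DB_NAME)" = shopdb ]
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5   # prints: 203.0.113.7 6
if [ "${1:-}" = "--backup" ]; then backup_wordpress_db "$WP_ROOT" "$S3_BUCKET"; fi
```

Run it from cron with `--backup` for the nightly dump; the log check can be pointed at the live log with `tail -n 5000 /var/log/nginx/access.log | flag_login_bruteforce 10` (path is an assumption). The threshold is the same knob the plugins in the answer expose; keeping the check outside WordPress means it still runs if the site itself is down or compromised.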
 
newbieweb (Author) commented:
Wow! I think I need to hire a security expert. Thanks for the help.