Moving beyond the theoretical, we take the concepts presented above and provide a list of actions you can take as a website administer to harden and improve your security posture:
- Limit access: Reduce the number of people who have administrative access to your WordPress site to a minimum. You should also reduce the number of possible entry points to a minimum. You can do this by only installing web applications that you need and use. Remove any unused plugins and themes. These follows the principle of least privilege and provides administrative and logical controls to help preserve confidentiality, availability and integrity.
- Functional Isolation: Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised. Where possible, avoid having a large number of diverse web applications on a single hosting account. Logical separation of applications into separate accounts with their own access will confine a compromise to that one account and reduce damage.
- Backups: Maintain reliable backups. You should occasionally verify the integrity of backups to make sure that you can restore your website if it is damaged. Have a plan to recover your website if it is compromised and document this plan. A good guide can be found WordPress Backups
- Stay Up-to-Date: Do your best to stay up-to-date with your WordPress installation, including plugins and themes. You should put an administrative control in place that requires a check, with some frequency, that status of your site and it's extensible components.
- Trusted Sources: Do not get plugins/themes from sources that are not trusted. Googling for a free version of a premium plugin is a recipe for disaster. Malicious people and organizations distribute what is known as 'nulled' plugins and themes which contain malicious code that will extend the premium plugin, but bundle it with malware.
- Security Updates and News: Security vulnerabilities is something that affects all software, WordPress is no different. To stay current, we recommend subscribing to the vulnerability database maintained by WPVulnDB.com. You can also stay ahead of the latest trends following WordPress's own Security tag.
