The Complete Checklist for WordPress Security Leaders

Automattic, the parent company of WPScan, hosts many of the biggest websites on the web, and security is one of our highest priorities. What follows is our checklist for security leaders.

Best Practices for Your WordPress Website

Essential Tips for WordPress Plugin Security

General Password Hygiene

  • Never give your password, passphrase, or passcode to anyone else, no matter how nicely they ask and regardless of whether they are family or a partner.
  • No two passwords should ever be the same – even if they are “throwaway” passwords.
  • To manage most passwords, you should use a password manager. 1Password and LastPass are two we recommend. LastPass has some cool features, but 1Password has an infinitely better design.
  • For the few passwords that you need to remember (OS X, your password manager, etc.), use long passphrases: at least four words (chosen randomly), with a few special characters, spaces, uppercase/lowercase, etc. One example: Copy indicate 48 Trap bright. If you want to be extra safe, increase the number of symbols, numbers, and capital letters: Copy indicate 48 Trap (#) bright. Just don’t make it so inconvenient that you’ll later get frustrated and change it to something that’s too simple.
  • For passwords stored in a password manager, generate them with the maximum length, and include numbers/symbols. For example, =pXFR>9qEzP%7PaQR6r9Z)R76LcWKztAa3;pD9BRpmB6sXu8,pWT=sy%b&pbV]xe. Since the password manager fills them in for you, it’s just as convenient as a shorter, less-random password, but exponentially stronger.
  • Passwords and passphrases should not be constructed from known phrases. For example, “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1.” is a bad password even though it has varying capitalization, punctuation, spaces, and excellent length. That password was cracked in minutes because it is a known fictional phrase from the H.P. Lovecraft short story The Call of Cthulhu. Avoid all known phrases: they are either already on a password-cracking word list or soon will be.
  • Do not store the 1Password file in Dropbox or any other online service unless you have enabled two-step authentication for that service and your 1Password file has a very strong master password. The safest thing to do is to make a local backup in case your computer is damaged or lost, but we understand that syncing to multiple devices is very handy.
  • Do not store any passwords in a Google Doc or other online service, even if you have enabled two-step authentication. Again, use a password manager to secure your passwords.

Web Security Guidelines

Computer Security Recommendations

  • Set a system passphrase (at least four random words, and a few numbers/symbols) on your computer — even if it is a desktop, and you live by yourself. Make sure the password is required to wake from sleep or from the screensaver.
  • Never leave your laptop unlocked and unattended. Always lock the screen before you walk away. Have the screensaver turn on in 15 minutes or less. You can configure a shortcut to enable the screensaver, which you should do whenever you walk away from your computer.
  • Encrypt your hard drive. You can use FileVault on OS X, and BitLocker or VeraCrypt on Windows. VeraCrypt may fail with the error “Windows not installed on the drive from which it boots”; if so, follow the tutorial How to Remove the Windows “System Reserved” Partition. The easier route is to buy Windows 10 Pro, if you do not have it already, and use BitLocker. Microsoft Surface devices and some other brands are also encrypted by default. On Linux systems, encryption is usually offered when you install your system, but if you have already installed without it you will probably need to re-install.
  • Make sure your backups are encrypted. Here’s how on OS X Time Machine.
  • Install and run antivirus software with the latest virus definitions. Microsoft Security Essentials is good for Windows 7 (it’s built into Windows 8 and up under the name Windows Defender) and for OS X we recommend Avira, ClamXAV, or Sophos (in that order). All are free!
    • While you should run antivirus software, we recommend you don’t use their browser extensions due to concerns raised about these extensions compromising browser security and some privacy implications.
  • Turn on your firewall.
  • Consider running a “reverse firewall” like Little Snitch; it’s noisy at first, but then gets quieter as you set up your rules.
  • After you have set up two-factor for your Apple account, you should turn on Find My Mac to allow your device to be remotely locked and wiped if the need ever arises.
  • Make sure your home router firmware is current, and you aren’t using the default password. Also, review any port forwarding settings to make sure they are all needed and expected. Remove anything you aren’t currently using. Upgrading your router firmware may delete your connection settings, so have those settings ready to avoid downtime. (We have seen hacked routers; a compromised router can capture your traffic.)
  • Be careful when using wireless keyboards and mice, because they have a history of being vulnerable to various attacks. Check to make sure your devices are using strong encryption (like Bluetooth or AES), and don’t have any known vulnerabilities. To be extra safe, it’s probably best to avoid using them in any environment where an attacker could potentially intercept the wireless signals, like a coffee shop, co-working space, or conference.
  • If you plan to co-work or work in public spaces, we recommend a privacy screen as a best practice to prevent others from seeing sensitive information on your screen.

Guidelines for Phones and Tablets

Phew. That’s it. Did we miss anything? Please leave a comment with any other WordPress security advice.