140 What Are the Best Practices For WordPress Security?

In this WP-Tonic round-table we look at WordPress and security with an excellent panel of WordPress community experts. Our panel this week: Brian Jackson from https://woorkup.com/ and https://kinsta.com/ Sallie Goetsch from https://wpfangirl.com/ Jackie D'Elia from https://jackiedelia.com/ Jonathan Denwood from https://www.wp-tonic.com/ John Locke from Lockedown SEO Episode 140 Table of Contents 0:00 Podcast intros 1:50 WordPress Security – 18+ Steps to Lock Down Your Site https://kinsta.com/blog/wordpress-security 3:12 Learning From Buggy WordPress Wp-login Malware https://blog.sucuri.net/2016/10/learning-buggy-wordpress-wp-login-malware.html 6:49 Updating your WordPress plugins is one of the most important things you can do 10:22 Test all plugin and theme updates on a staging server 12:25 Surviving Electmageddon: Protecting against a wave of DNS outages https://www.wordfence.com/blog/2016/11/surviving-electmageddon-protecting-wave-dns-outages/ (DDoS attacks and advantages of having a secondary DNS server) 17:34 Securing WordPress from the Start https://ithemes.com/2016/11/02/securing-wordpress/ 21:29 It's a good idea to have redundant backups for your website. You can't have enough of these. 24:35 What is one WordPress security tip that you should use right from the start? 25:48 Brian has a story about what sort of long-lasting damage to your SEO a single hack can produce. 27:20 Cleaning Up a Massive Negative SEO Attack with Web CEO https://woorkup.com/cleaning-negative-seo-attack-web-ceo/ 29:52 Changing the default login URL can prevent automated attacks. Also, always use strong passwords. 31:11 Always check your code for hidden backlinks to spam sites. 32: 35 We discuss Negative SEO. 33:12 Linkpocalypse Now – The Horror of Negative SEO http://www.jacobking.com/negative-seo-truth 35:05 Limit the login attempts people can make to prevent a brute force attack. Consider two-factor authentication for logins. 36:16 Deactivate and delete any themes and plugins you're not using. Don't use the automatic WordPress install scripts that your hosting company provides. 38:24 Many people use weak passwords, and that's why they get hacked. 40:37 Install an audit log so you can see what activity is happening on your site. Clients will often be freaked out by how often the site is scanned. 42:25 Don't use themes where plugins are bundled into the theme (like on ThemeForest) https://www.lockedownseo.com/why-we-shouldnt-bundle-wordpress-plugins-in-themes/ 43:37 Do not allow everyone on your site to have Administrator access 46:15 XML-RPC: What is it? Why should you limit it's use? HOw do hackers use it? 49:03 Be careful about using public Wi-Fi to FTP or login to your site. Always use HTTPS on your site to encrypt your password when logging in publicly. 52:01 Use a vir