My checklist for websites on managed WordPress hosting platforms is much shorter than, and different from, the one I would use for a self-hosted WP website. Some checklist items for self-hosted WP become anti-patterns on managed hosting, since well-configured hosting platforms such as Pantheon.io, WP Engine, SiteGround and others already take care of them.
The following checklists and modifications are my personal opinions on how to raise the security level of your website. They are in no shape or form related to the WordPress hosting platforms mentioned in this blog post. The plugins and configurations mentioned here may break your website if you do not follow the setup guide put forward by the plugin developers; always do your research and check with the original plugin developer to see whether the plugin suits your needs. And as always, be sure to take a complete backup of your WordPress installation before you apply any modifications.
I have two short lists for you when it comes to managed hosting platforms:
A) is what we would apply during development. I do not recommend doing these right before launch, since they need testing and configuration.
B) is a short to-do list of final checks before launch, narrowed down to items that apply to managed hosting platforms.
A) General security add-ons for sites hosted on a managed platform
!Warning: these should not be done right before launch; they should be done during the development process, since they have a slight chance of breaking your website and/or altering the user workflow.
1. Add the Jetpack plugin (https://wordpress.org/plugins/jetpack/) and turn on:
- brute-force attack protection,
- spam filtering,
- secure login, with optional two-factor authentication.
2. If you have a limited number of users, consider hiding your login page by adding WPS Hide Login (https://wordpress.org/plugins/wps-hide-login/).
This sets your login page to a custom URL of your choosing, e.g. www.yourwebsite.com/my-custom-login-page
- be sure to remember the URL you set up
- have this feature well tested
3. Consider adding a plugin that performs regular auditing and malware scanning, such as Sucuri (https://wordpress.org/plugins/sucuri-scanner/) or iThemes Security.
- Take your time and configure it to your needs. These types of plugins may impact performance depending on how you configure them and how your server is configured.
4. If you are not using services that require remote procedure calls, aka XML-RPC (such as remote editing or IFTTT), consider disabling it, either by code or by adding the Disable XML-RPC plugin: https://wordpress.org/plugins/disable-xml-rpc/
5. Consider adding reCAPTCHA to your login form to further protect your login area. You can do this with a plugin such as Google Captcha (reCAPTCHA) by BestWebSoft (https://wordpress.org/plugins/google-captcha/) and adding the necessary API keys.
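For the "by code" route in item 4, here is an added example of a small must-use plugin that turns XML-RPC off without a third-party plugin; it is my own illustration, not code from the post or from any plugin named above, and the file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hypothetical mu-plugin, added example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php so it loads before
 * regular plugins and cannot be deactivated from the admin UI.
 * Caveat: Jetpack (item 1) uses XML-RPC for its WordPress.com connection,
 * so do not combine this file with Jetpack without testing.
 */

// Refuse every authenticated XML-RPC call. WordPress then answers with
// "XML-RPC services are disabled on this site." before checking credentials,
// which removes xmlrpc.php as a password-guessing endpoint.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping needs no login, so the filter above does not cover it.
// Unregister the pingback methods to close the unauthenticated path too.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header...
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ...and the <link rel="EditURI"> (RSD) tag that points clients at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

After deploying, a POST of any XML-RPC method to /xmlrpc.php should return the "disabled" fault instead of a result, which is the quick check that the filter is active.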
B) Pre-Launch Security Checklist
- Turn off all unused plugins.
- Remove all unused plugins.
- Update WP core to the latest version, and perform tests to see whether your site was affected in any way.
- Update all your plugins to their latest versions, and perform tests to see whether your site was affected in any way.
- Check the randomness of the password-reset token in the emailed link or SMS, to see whether your site was compromised during development. This check can be done regularly.
- Set up daily backups, kept for at least 30 days; some hosting platforms, such as WP Engine, may already have this set up by default.
- Be sure that your web host is set up to use HTTPS everywhere.
- Be sure that your WP top-level admin username is not “admin”; if it is, create a new top-level admin and delete the old one.
- Check that file editing is disabled under “Appearance > Theme Editor” in the admin interface. Some hosting companies disable this by default. If it is not disabled, add
define( 'DISALLOW_FILE_EDIT', true );
to your wp-config.php.
- Regenerate the passwords of all admin and other high-level users, using the WP built-in password generator and strength indicator, or an online generator such as https://strongpasswordgenerator.com/
I hope this helped, Cheers!