Some thoughts on best online/WordPress security practices

A couple of weeks ago, I posted on my blog over at The WP Butler about how to stay secure online without pulling your hair out. That post was more general, about keeping your own data secure online, but it made me think about some best practices for WordPress site owners and developers, which I thought I’d share here. I’d welcome any input on what else you do to stay secure.

Stop using FTP

As a site owner, and especially as a developer, you have to stop using FTP as a means to do anything online. FTP transfers everything in the clear, including your username, password and the files themselves, so anyone on the path (a shared café or hotel network, a compromised router) can read your credentials and log in to your server as you. All of your transfers should go over SFTP, which runs inside an SSH connection. FTPS (FTP over TLS) is encrypted too, but it needs extra data-channel ports that are awkward to firewall and is easy to misconfigure so that it falls back to plain FTP, so SFTP is the safer default. Or connect directly using SSH (though this can be a bit daunting if you’re not used to using a command line).

Passwords

I mentioned it in my original post, but there is no excuse for using weak or recycled passwords. Every password must be unique, long and random. Use a password manager such as 1Password to take all of the hard work out of the process for you, including the remembering part.

If you ever send, or are sent, a password by email, change it straight away: email is stored and relayed in the clear on several mail servers along the way, and anyone who later gets into either mailbox gets the password too. The only written record of a password (paper or electronic, including emails) should be in your password vault, so change it as soon as you have logged in.

Since you likely have an admin account on each of your clients’ sites, you owe it to them to be as secure as possible: one compromised account of yours hands an attacker admin access to every site you manage. Use a different, extremely strong password for each site: no excuses.

Two-factor authentication

With so many offerings for two-factor authentication within WordPress, you should really enable it on your own sites, and encourage your clients to do the same. Prefer an authenticator app (TOTP) or a hardware token over SMS codes, which can be intercepted or redirected. See the post at The WP Butler for some of my recommended plugins for enabling 2-factor authentication on WordPress.

Root access

If your client has a VPS or dedicated server, encourage them (or force their hand if you’re setting it up) to lock down SSH: disable root login over SSH (PermitRootLogin no) and do day-to-day work as a normal user with sudo, since the root account itself cannot be removed; disable password authentication so that only SSH keys are accepted; and, optionally, move SSH off port 22. Be clear about the last one: a non-default port only cuts down the automated scanner noise in your logs, it does not stop anyone who is actually targeting the server. Test that your key-based login works in a second terminal before you switch passwords off, or you will lock yourself out.
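As an added example (my own script, not something from the original post or from The WP Butler), here is a small POSIX shell script that rewrites an sshd_config so that root logins and password authentication are refused and the daemon listens on a non-default port. It operates on whatever file path it is given, so you can try it on a copy first; the port 2222 and the constructed sample config at the bottom are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Hardens an sshd_config file:
# no root login over SSH, key-only authentication, non-default port.
# Assumptions: POSIX sh with grep/awk; a sudo-capable user already exists;
# port 2222 is an arbitrary illustrative choice.

# Directives this script owns. sshd uses the FIRST occurrence of a keyword, so
# any earlier copy (active or commented out) is removed before ours is appended.
MANAGED='PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|ChallengeResponseAuthentication|Port'

harden_sshd_config() {
  cfg="$1"
  tmp="$cfg.tmp"
  # Keep every line except the directives we are about to set ourselves.
  grep -Ev "^[#[:space:]]*($MANAGED)[[:space:]]" "$cfg" > "$tmp" || true
  cat >> "$tmp" <<'EOF'
# --- added by harden_sshd_config ---
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# Non-default port: reduces scanner noise in the logs, not a security control
Port 2222
EOF
  mv "$tmp" "$cfg"
}

# Print the effective value of a directive (first match wins, as in sshd).
sshd_setting() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Demo on a constructed sample config, never on the live /etc/ssh/sshd_config.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample resembling a distribution default
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
harden_sshd_config "$SAMPLE"
echo "PermitRootLogin=$(sshd_setting "$SAMPLE" PermitRootLogin)"
echo "PasswordAuthentication=$(sshd_setting "$SAMPLE" PasswordAuthentication)"
echo "Port=$(sshd_setting "$SAMPLE" Port)"
rm -f "$SAMPLE"
```

Two caveats before running this against a real server. First, anything after a `Match` block in sshd_config applies only to the connections that block matches, so if the file contains `Match` sections, put the hardened directives before them rather than at the end. Second, always run `sshd -t -f /path/to/file` to validate the result and confirm from a second terminal that your key logs in before reloading the daemon; otherwise a typo or a missing key locks you out of the box.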

Encrypt your net traffic

I’ve made the decision to encrypt all of my net traffic by using a VPN connection, more specifically an OpenVPN tunnel through Private Internet Access. That way, when I’m accessing a client site, even if it doesn’t have SSL, my traffic is still encrypted on the local network, adding another layer of security. Be clear about what that layer covers, though: the VPN only encrypts the hop from your machine to the provider’s exit node, which protects you on an untrusted Wi-Fi network, but from the exit node to the client’s server the traffic is exactly as exposed as before, and the VPN provider itself can read it. It is a useful extra layer, not a substitute for HTTPS on the site and SFTP or SSH for transfers.

What else?

So those are a few of the ways that I try to protect myself and my clients online. What additional measures do you take for yourself or for your clients?

Read the original post at The WP Butler
