Hi, a new question from Newbie RW (who no longer manages his own web server directly and goes through a webhost like everyone else), do many of you use it regularly for your sites and/or those of their customers security suites (like sitelock, Sucuri or Cloudflare)? Is this a necessity today to hope to avoid the unfortunate hack?
I use a combination of my own servers that I do on going security audits as well as a hosting I have a very trusted webhost.
biggest thing in security I have found with websites is Wordpress there is a lot of care and extra effort that needs to be put in place or it will get hacked and its nothing to do with the hosting company or the servers. Wordpress is a nightmare to keep secure it’s just security wholes in that system.
1 Like
There’s a lot of armchair experts who dream-up a fantasy of [insert CMS name here] being overly porous from a security aspect.
Let’s not ignore the fact that a number of web folk who started their careers here with RapidWeaver have moved on to become highly successful agencies. Many of them have transitioned into the WordPress eco-system, as it’s what a lot of smaller businesses want. If I present a handful of CMS platforms to a new client to choose from, they nearly always pick WordPress, as they prefer the Gutenberg editor over everything else they try.
I have never had a WordPress website I’ve built for myself or a client get hacked in the 18 years I’ve been doing this. I have been contracted to fix hacked WordPress websites for clients, mostly through referrals. However I’ve never seen one of my own WordPress deployments get hacked under my watch.
- I always use really strong passwords for WordPress / MySQL and enable 2-factor authentication.
- I switch off the code editor in WordPress admin, so any theme or function.php changes can only be done externally over SFTP.
- I secretly switch the default location of the WordPress login page to something other than example.com/login/, example.com/admin/ or example.com/wp-admin.php.
- I have a special snippet of code I add to functions.php, which blocks IP addresses on the third failed login attempt.
- I tend to build “semi-headless” WordPress sites; meaning I use the underlying WordPress CMS engine and admin interface, but build all my own themes, plugins and Gutenberg blocks on top.
- I only use third-party plugins very sparingly from highly trusted sources, like the Backuply plugin from Softaculous.
- I only use the WordPress database for WordPress itself. I have things like contact forms, shopping carts and newsletter signups use their own databases elsewhere.
- I disable features like commenting, emojis, user registrations, pingbacks, and anything else the client doesn’t need.
- I never publish anything that isn’t protected with an SSL certificate.
- I use quality web hosting providers (like Chillidog Hosting) who keep things secured, monitored and updated on their servers.
The takeaway here? A lot of what I list here is common-sense best practices and simple things applicable to any CMS you are using. Either inside RapidWeaver or elsewhere. I start with everything locked-down, in the same way the UNIX architecture functions. I only unlock the bare minimum features on an “as required” basis. Just enough for the website to function, on the front and backends.
I would say that the people who are routinely taking a jibe at WordPress security or having WordPress websites hacked possibly haven’t experimented with modern WordPress in the past 5 years or are perhaps lacking the expertise to oversee the safe deployment of a website. This is where it could pay dividends to call upon the skills of somebody more knowledgeable in this field. 
Services like CloudFlare - I have used it in some websites to add an extra layer of defence against Russian and Chinese hackers (one notable example being a website for somebody high in the political world who was getting a ton of DDoS attacks). CloudFlare does free SSL certificates and their CDN options work great for heavier multimedia websites. But for an average website, I don’t tend to see a need for CloudFlare or others. As this week in technology has demonstrated, sometimes fewer moving parts and reduced dependencies on other companies can be a good thing. 
2 Likes
@willwood Hi, thank you very much for this detailed response. I’ve been thinking about it since someone told me about it in their last email . It’s always tempting to add another option for safety’s sake. And I love to learn, make me feel like I’m still at school, high of course 
So that rookies limit risk in-depth hosting has an active app that know all the ways Wordpress can be hacked even with a plugin that may or may not have issues that on the server side locks down folders and files in Wordpress if you need to unlock things you are given an app to unlock things for time frame that allows the admin to make changes. you can then lock your site when done with updates or it will lock automatically after 15 minutes thats on top of the suggested best practices.
It really depends on the hosting provider on how they help you in mitigating the risk of being hacked.
1 Like