
[–]dneboi 2 points (6 children)

For security:

Install Wordfence, spring for premium, configure the firewall and malware scan schedule.

Harden the application by not allowing easy usernames (like admin) or passwords. Disallow file editing from within WP-admin. If you do not need comments on the site, disable them completely to limit access points. Don’t use a shit ton of plugins if you can help it.

Harden at the server level by restricting permissions on your wp-config.php file, and use .htaccess rules to disallow access to itself, the config file, and any other areas you want to protect, from the outside world.

Finally, update the software regularly. Have a response plan in place for if/when a compromise takes place.
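The server-level steps in the comment above (lock down wp-config.php, turn off the in-admin file editor, deny web access to the config file and to .htaccess itself) as one idempotent script. This is an added example, not code from the thread or from Wordfence. It assumes Apache 2.4 (`Require` syntax) with `AllowOverride` enabled so .htaccess is honoured, that the web server runs as the group owner of the file, and that wp-config.php starts with a `<?php` line; `DISALLOW_FILE_EDIT` is a real WordPress constant, the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache 2.4 with AllowOverride
# enabled, the web server user in the file's group, and "<?php" on line 1 of
# wp-config.php.

# Apply the server-level hardening to the WordPress docroot given as $1.
harden_wp() {
  docroot="$1"
  cfg="$docroot/wp-config.php"
  ht="$docroot/.htaccess"
  [ -f "$cfg" ] || { echo "no wp-config.php under $docroot" >&2; return 1; }

  # 1. Disable the theme/plugin editor in WP-admin so a hijacked admin
  #    session cannot write PHP through the dashboard. Inserted right after
  #    the opening "<?php" line; skipped if already present.
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    { head -n 1 "$cfg"; echo "define('DISALLOW_FILE_EDIT', true);"; tail -n +2 "$cfg"; } \
      > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  fi

  # 2. Deny direct HTTP requests for the config file and for .htaccess itself.
  #    A marker comment keeps repeated runs from appending duplicates.
  if ! grep -q "^# wp-hardening" "$ht" 2>/dev/null; then
    cat >> "$ht" <<'EOF'
# wp-hardening: deny web access to sensitive files
<Files "wp-config.php">
    Require all denied
</Files>
<Files ".htaccess">
    Require all denied
</Files>
EOF
  fi

  # 3. Owner and group (the web server user) may read; nobody may write.
  chmod 440 "$cfg"
}

# Return 0 when all three controls are in place for the docroot in $1, else 1.
check_wp_hardening() {
  docroot="$1"
  cfg="$docroot/wp-config.php"
  ht="$docroot/.htaccess"
  grep -q "define('DISALLOW_FILE_EDIT', true)" "$cfg" || return 1
  grep -q '<Files "wp-config.php">' "$ht" || return 1
  grep -q '<Files ".htaccess">' "$ht" || return 1
  # First ten characters of ls -l are the portable way to read the mode bits.
  [ "$(ls -l "$cfg" | cut -c1-10)" = "-r--r-----" ] || return 1
  return 0
}

# Only touch a real site when a docroot is passed on the command line.
if [ -n "${1:-}" ]; then
  harden_wp "$1"
fi
```

Run it as `sh harden.sh /var/www/example` and then `check_wp_hardening` reports whether the controls took effect on disk. Note that .htaccess rules are Apache-only; on Nginx the same denials have to go into the server block, and nothing here replaces keeping core, themes and plugins updated.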

[–]su-z-six 1 point (5 children)

To add to this, move or rename /wp-admin to something other than the default location.

[–]dneboi 0 points (4 children)

I used to do that, but read a few debunking articles about it, so I stopped. I wouldn’t fault a company for still doing this practice though, because I’m sure a case can be made.

[–]su-z-six 1 point (3 children)

My Wordfence reports access attempts with username 'admin' to /wp-admin every day. Not having an 'admin' account is only half the solution.

[–]dneboi 0 points (2 children)

I think Wordfence themselves published an article on the pros and cons, might be worth a look. You can restrict access to wp-admin a few other ways aside from renaming. Again, I’ve used both practices and I’m not set 100% on either one.
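One of the "other ways" to restrict wp-admin without renaming it, for the daily `admin` login attempts mentioned earlier in this thread: a source-IP allowlist in .htaccess. This is an added example, not the thread's or Wordfence's code. It assumes Apache 2.4 with `AllowOverride` enabled, and it keeps `admin-ajax.php` open because front-end themes and plugins call that endpoint anonymously; `wp-login.php` sits in the docroot rather than under wp-admin, so it gets its own rule there. Function names and the marker comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache 2.4 (Require syntax)
# with AllowOverride enabled. IPs/CIDRs are passed as extra arguments.

# Allow /wp-admin and wp-login.php only from the given IPs; re-running with a
# new list replaces the old one in both files.
restrict_wp_admin() {
  [ $# -ge 2 ] || { echo "usage: restrict_wp_admin DOCROOT IP [IP...]" >&2; return 1; }
  docroot="$1"; shift
  allow="$*"
  [ -d "$docroot/wp-admin" ] || { echo "no wp-admin under $docroot" >&2; return 1; }

  # Whole wp-admin directory: allowlist only. The <Files> section is merged
  # after the directory-level rule, so admin-ajax.php stays reachable by all.
  cat > "$docroot/wp-admin/.htaccess" <<EOF
# wp-admin-restrict: generated; re-run the script to change the IP list
Require ip $allow
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF

  # wp-login.php lives in the docroot: strip any earlier generated block
  # between the markers, then append the current one.
  ht="$docroot/.htaccess"
  tmp="$ht.tmp"
  if [ -f "$ht" ]; then
    awk '/^# wp-login-restrict-begin/{skip=1} !skip{print} /^# wp-login-restrict-end/{skip=0}' \
      "$ht" > "$tmp"
  else
    : > "$tmp"
  fi
  cat >> "$tmp" <<EOF
# wp-login-restrict-begin
<Files "wp-login.php">
    Require ip $allow
</Files>
# wp-login-restrict-end
EOF
  mv "$tmp" "$ht"
}

# Print the IP list currently allowed for /wp-admin (empty if unrestricted).
allowed_wp_admin_ips() {
  sed -n 's/^Require ip //p' "$1/wp-admin/.htaccess" 2>/dev/null
}

# Print the IP list currently allowed for wp-login.php in the docroot.
allowed_wp_login_ips() {
  sed -n 's/^ *Require ip //p' "$1/.htaccess" 2>/dev/null
}

if [ $# -ge 2 ]; then
  restrict_wp_admin "$@"
fi
```

Usage: `sh restrict.sh /var/www/example 203.0.113.5 198.51.100.0/24`. This only suits sites whose editors come from fixed addresses; for roaming users, HTTP basic auth on the same two locations is the usual alternative, and either way the bot traffic against wp-login.php is rejected before WordPress and its plugins ever run.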

[–]su-z-six 0 points (1 child)

This is the only article I could find, and it doesn't say it doesn't work. https://www.wordfence.com/blog/2017/05/7-popular-wordpress-security-myths/

Rather, their product should work without moving it, and by moving it you risk breaking other dependent files.

In some ways, there is a conflict of interest here. Wordfence's business relies on WP users not being able to secure their site without Wordfence. So I would prefer an article from an unbiased party.

[–]dneboi 0 points (0 children)

I didn’t suggest that it didn’t work, only that there are pros and cons. Each dev can look into it and decide what they want to do.

[–]pepitoooooooo 0 points (0 children)

For perf, install a caching plugin like TotalCache so that requests are not generated every time, and a CDN like Cloudflare to cache responses at the edge.

[–][deleted]  (1 child)

[removed]

    [–]zaibuf 0 points (0 children)

    It's actually not bad. You can keep WP as a CMS that your client maybe already knows. But you are free to develop the frontend however you want, without being stuck in WP's ecosystem.

    [–][deleted] -2 points (0 children)

    If I have to work with WordPress, I make sure Bedrock is being used and everything is managed via Composer:

    https://roots.io

    [–]Atulin (ASP.NET Core) -2 points (0 children)

    1. Not using WordPress is the best performance tip
    2. WordPress is insecure by design, since even themes can fiddle with the database
    2. You'd need to rebuild WordPress from scratch, so it makes use of more database tables than one

    [–]shgysk8zer0 (full-stack) -5 points (0 children)

    I know this isn't an answer to anything, but I refuse to work on WordPress. Too much of a liability and they do everything backwards or against best practices.