KEEP THINGS UPDATED–all plugins (and the WordPress core) should be kept up-to-date. This means checking on a weekly basis at the very least, and/or using a service like JetPack or Infinite WordPress to help.
Disable comments unless your site is actively moderated.
Disable registration unless your site needs to support public signup.
Minimize plugin use–every plugin on your site comes with its own vulnerabilities. If you can use a few lines of code instead of an additional plugin, that’s a better choice.
Make sure that all the plugins you use are regularly maintained; things that have gone “stale” are not safe.
Make sure that you (or your client, or NAD) own licenses for any premium plugins you use. Check with NAD ITS before purchasing; they may already own a license that will cover the use of things like Gravity Forms or Advanced Custom Fields.
Change the default WordPress file structure by renaming your plugins and wp-content directories. Detailed directions [HERE]
Use a security plugin like iThemes Security. Set it up to do the following (all possible under the free version), or find some other way to make sure that. . .
Insecure requests (http) are redirected to secure ones (https)
Directory browsing is disabled
php is disabled in the uploads folder
There is no user with ID of 1; there is no user with username “admin”
There is some sort of log/record of user activity
Login requires the use of email only, not email or username (WordPress default)
Brute force lockouts are in place
XML-RPC is disabled (IMPORTANT!!!)
The default routes to the WordPress backend are hidden; [url]/wp-admin/ doesn’t take you to a login page, nor does [url]/login.php
Implement a CAPTCHA or other spam protection on all publicly-accessible forms; further restricting them to reject entries containing html and links is also a good idea. Make sure that all comment/message fields have a limited number of characters.
Never edit any files in the WordPress core.
Never edit any files in a packaged theme (even ALPS); if you need to customize beyond the theme’s available options or override its styles, create a child theme.
Make sure that all scripts and stylesheets are properly enqueued via custom/child themes or plugins.
This does not include things like jQuery or FontAwesome. JQuery is enqueued by default, and the current best practice for FontAwesome is to use their plugin, rather than CDN loading.
Many modern themes include Bootstrap by default. Check before enqueuing it.
If your site includes videos, please do not upload them to your media library and embed them directly. Instead, check with ITS about accessing the NAD Vimeo account. Vimeo provides easy configuration for privacy/security, easy embedding and easy downloads. (It’s okay to use YouTube, as long as you aren’t counting on people being able to download your videos. As of this writing, YouTube’s proprietary process does not make that possible without hacking.)
wiki.nad.cloud
