After having 3 separate clients with security issues in one week, we decided it was time to create a quick checklist to help new (and existing) web editors practice safe web editing.
Every single item on this list was something we've had to help clients recover from. If you don't have time to read all - just please skim the headlines, save yourself the strife down the road:
1. Don't share your login (really don't)
I know it's easy, someone needs to make a 4 min update, "just use my login" you say.
Don't do it! It really doesn't take long to create a user. Every individual person who's working on your website (or ON your website) should have their own personal login. (No shared email accounts either). Just create a login for each employee, partner, vendor, etc that has to login to the website / Wordpress backend.
This is crucial so that you can remove them if ever needed. Secondarily, if you kept logging activated, (as we do w/ our clients just in case), we can track to see who may have inadvertently blown away the entire home page (not common, but accidental (or intentional) issues do arise and it's helpful to troubleshoot how they happen)
2. Set a regular process to clean out unused user accounts
Regularly review and clean out any unused users in all your systems: This may include Wordpress / CMS, Hosting (eg WPEngine), DNS control panel (Godaddy, etc), DNS Host (cloudflare), Google Accounts (G Suite, Analytics, search console, google my business, etc etc)
3. Change your password
If you haven't changed your password recently, it's time to change it. For what system? (All of them. I know it's annoying but it's important. (See my note on 1password in #6 below to simplify remembering passwords)).
4. As soon as someone leaves the organization, remove all their logins
I can't stress this enough. We had a client who's angry ex-employee went through the entire site of thousands of products and wreaked havoc, removing products, changing products, changing prices. (1000s of updates in hours. You have to hand it to the ex-employee, very creative work I will say. But not the best time to fix this).
5. Upgrade Plugins, Wordpress, and PHP Regularly
Keep your WordPress plugins, core, PHP, MySQL, and any server-side systems (cpanel, plesk, etc) up to date. If they go out of date, you can (and very often we've seen will) have issues. The site will most likely, eventually get hacked. The good news is upgrades are more automated these days (except Woocommerce and custom builds, those still need code-level finessing).
6. Keep a clean website. Remove anything you're not using (Plugins, images, pdfs, etc etc)
Regularly remove and clean out unused plugins, posts, images, pdfs, themes, and anything else I'm missing. Obviously this goes without saying: Don't remove anything that may be still in use (ask whoever added it if they're still using it).
Trust me, it always saves time and energy later to take the time now, and find out if that plugin is still in use, and if not - remove it! Rather than let it sit on the server, using up scheduled task, processing, database space, etc.
The same goes for images / videos/ audio files, etc - if they're not in use, remove them. Otherwise it is publicly accessible (every single thing in the media library is made to be publicly accessible and searchable on Google). For all you know, people could be hot-linking to them on random sites, using up your server processing power because you have the BEST photo of an orangutan that Google has decided to serve on page one. Rule of thumb: Stay as clean as possible on that server.
8. Plugins: Don't install ANYTHING unless you absolutely need it - Most plugins add load to every single page request
As a rule of thumb - don't install any plugins unless you absolutely have to.
The reason(s) we say this:
Most plugins (I would estimate 85% or more) add load to every single page request - In other words - they slow down the site for all users, and slower sites mean less happy users, mean less effective websites, mean less effective you, mean less effective your organization.
Second - If you install a plugin, even if you deactivate and remove it, there's a very good chance it's installed tables in the database, and inserted data into your database that can not be removed without manually going in and cleaning out the database. So in short - it can very difficult to really fully delete plugins.
So if you have to install a plugin:
Ask us if you want to - we can say whether it's worthwhile, necessary or not
Find a way to accomplish your goal using the tools you have on the site already - there's a very good chance you can do what you need to do (barring you have a completely custom business process that needs to be created, which does happen but for most clients, is not necessary (or financially feasible).
If you must install one - Make absolutely certain the plugin is VERY highly rated, regularly updated by the plugin author, and has a great (vibrant and active) support community behind it.
9. Don't use the same password for multiple systems
I know, I know, "How can I manage all these logins / passwords??"
See I think the man is real lol, so I try to distribute my logins across systems. I use 1Password to manage my passwords (which saves hours every week), but use Google for some systems, facebook for others, apple for others. So if one system gets compromised, I don't lose everything.
Second plug, seriously save your time - Get 1password, this is one of my single biggest productivity hacks, simply hit a hot key and you're logged into whatever website / app / system you need to access (desktop, phone, ipad, etc all have 1password). This makes having multiple complex passwords much easier to manage. (Which technically if you use 1password, there is nothing to 'manage' or remember)
10. Pay your domain, hosting, and plugin bills
Sounds like an obvious one, but I can't tell you how many times clients websites go down out of the blue, (always a fun email to get and troubleshoot) - all because they haven't been receiving the bills or paying bills. Make sure you're receiving hosting recurring billing (annual / monthly) and domain name registration billing (annual), and that you're paying them. If they lapse - you can literally lose your domain and have to pay thousands to get it back. (Don't worry it happens to big companies all the time too)
Also pay your plugin renewal bills - This is only a security issue in that: if you don't keep plugins upgraded, they can get hacked (or they can allow wordpress to be hacked, thank you Gravity forms), so just keep your plugins paid, licenses up to date, and keep plugins up to date.
11. Use a (Wordpress) host worth it's salt (Or make sure you have security precautions on the server, and daily backups at a minimum)
I think this perhaps goes without saying but if you're not a client of ours - you should consider using a specialized Wordpress host. Otherwise the money you save now, you may want to save for fixing all the issues that will happen later. A good host will handle: Security, daily backups, caching, upgrades, staging environments (for testing upgrades), and tons more. We like wpengine, but we hear flywheel is good, and kinsta.
12. Protecting Personal Data & User Privacy
This is outside of the scope of this post, but I need to at least mention it here. Whenever you collect user data / personal data (eg you have a form on site), you are by law, required to protect that person's information. There are measures you should be taking for proper data collection, data storage, data protection, as well as measures for retrieval, and removal. We will soon have much more on this topic under Privacy & Personal Data.
13. Form, Bot, & Email List Spam Security
If your site is brand new, this might not be an issue, but for long-standing sites, you will most likely have to institute some security policies for your forms. Otherwise you will most likely start to get semi-regular, to hourly, to minute(ly) (is that a word?) form / bot / and email list spam.
The major problems with this is it:
Fills your form / crm website database w/ garbage or even hijacked personal data
It then could greatly hurt your reputation and authority score (reducing the deliverability of your emails)
Annoys the ever living heck out of you, fills your inbox with garbage
It could even slow down your website if you're getting hammered that bad (we've seen it)
Some possible fixes:
For form spam - Look into requiring fields for submission (front-end & backend validation), honeypots, and if all else fails Recaptcha (be careful using this as it can annoy users. Try to reduce obstruction, and not block real people from filling out forms where possible, this can really grind people's gears and reduce conversion rate).
For web / comment spam - You may want some DNS level protection or server-level protection (deeper than we'll go in this article, but know there are more options)
For email list spamming - use double opt in, or double confirm, and clean your lists regularly.
14. Make sure you own the rights to post images, content, etc
This only falls under the category of 'security' in that if you neglect to follow this, you will be putting the security of your team at risk by inviting angry copyright owners, fines, and legal action. The quick rule of thumb - if you can't prove if you own something (like a photo someone found on google while searching for the Golden Gate Bridge), then don't post it to the site. Only post images that you own (by purchasing the rights to license), or images that have open or public licensing. Some photographers allow usage, you would just need to read through their licensing agreement.
If our team built your website, then you are good to go, but if you had another designer/developer, you may just want to verify with them that you have license to use all the images.
Ok I'm sure there is more, but these are among the top that we see. I know it's a lot, but don't fret - If you got this far, you are most likely ahead of the curve. If anything else of high priority comes to mind we will add to this list.
And as always if you need anything, feel free to reach out.
Hopefully this helps and saves you time and stress down the road. Happy web editing,