One of the most vulnerable aspects of WordPress security is actually staff – the people who know and use the logins required to run your website. No WordPress plugin or extension can create the policies you need to maintain security while still allowing your staff to do their jobs. Reducing the human risk factor as much as possible is an additional service we offer our clients.
We begin by making sure your WordPress site is set up not to use the default WordPress login page. We also set up WordPress to limit the number of login attempts. This stops a large number of bots and scripts from attempting brute-force attacks on your site.
We then make sure your team has strong user names and passwords. We strongly encourage our clients to adopt password storage and sharing programs to further control the disclosure and sharing of passwords internally. Admins are required to use two-factor authentication, and we work with our clients to keep the number of users with Admin access as small as possible. We require that passwords be changed once every quarter, and we configure WordPress to automatically log out idle users after a short period of inactivity. In the event that there is an issue related to a given user, we keep logs that allow us to review usage and access history. All of this helps reduce the chance that your staff’s use of your WordPress site will pose a security risk.
Lastly, we take extra measures to make sure that our own access is not a security risk to your business by disabling traditional FTP access and using only SFTP.
Book a Security and Performance Audit and learn how well your WordPress website complies with industry standards.