I’m no security expert, which is why I stay on the safe side and don’t collect sensitive info in my systems, but here are some easy precautions you can take to protect your data. Of course, there is no substitute for regular backups and, as I mentioned earlier, WP Engine does these automatically every day. They will also inform you of security vulnerabilities and update your plugins for you if there is a significant threat. Once an employee is terminated, I delete their user account, or reset the password if I still need to get into their account.
Also see the setup section for info on SSL.
If you have any suggestions on improving security, I’d love to hear them.
Restricting Access to your Admin
In some cases, I’ve found locking down the admin is an effective way to keep regular people, not knowledgeable hackers, out of my site. You can use the methods outlined in this post; however, I have had sites that were hacked into with the following precautions in place, so don’t get a false sense of security.
Search Engine Visibility
If you will not be using this as your main site, you can hide your site from search engines (to an extent) by going to the SETTINGS section in WordPress > READING > SEARCH ENGINE VISIBILITY and ticking the ‘Discourage search engines from indexing this site’ checkbox.
This plugin scared me because it hadn’t been updated in a while and it had this panic-inducing, there-is-no-undo-if-you-screw-this-up message, but there was nothing else like it, so I went ahead and installed it. Boom, lo and behold, it did its job, provides an extra level of security, and it hasn’t screwed anything up. The only drawback is that you won’t be able to search your database as easily using the WordPress search bar, but that’s nothing a little Ctrl+F can’t fix.
I know you think no one wants to hack into your little old site, but if you’ve been using WordPress long enough, it will happen to you. Someone could be trying to hack in right now and you wouldn’t even know about it, unless you install the Sucuri Security plugin; then you will know about it, and you’ll get a lot of other cool features too. I personally preferred the WordFence plugin because it will actively block IP addresses after they try attacking, but WP Engine doesn’t allow this plugin on their installs. Womp womp. Sucuri is still good, though, but if I recall correctly, you need to pay to block IPs and such.
This is outside of WordPress, but I think it is worth mentioning because it can improve the password hygiene of your whole organization. People usually loathe my passwords; I’ve gone up to 100 characters with symbols. With LastPass, I can distribute a complex password without sending it through email, hide it from the user, and, because it is easy for them to enter it, they’re less likely to change it to something basic.