Some unsolicited security advice for WordPress (and web security in general), since I was just emailed a login and password 😬
- Never email/Slack/text a password.
- Don’t share accounts. Set up each user with their own account.
- If you do need to share credentials for some reason, use a service like onetimesecret.com
- Use strong passwords.
- Use a plugin to *force* strong passwords. (It’s hard for people to break bad password habits.)
- Add a plugin to limit login attempts.
- Don’t use ‘admin’ as the username.
- Don’t have a username that’s the same as the site URL/business name.
- Keep everything (plugins) backed up and updated.
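The two plugin items above (limiting login attempts and forcing strong passwords) can also be covered by a small must-use plugin that hooks WordPress's own login and profile actions. This is an added example, not code from the original post; the 5-attempt threshold, 15-minute lockout, and 14-character minimum are assumed values chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example Login Hardening (added example, not from the post)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 * Assumed values: 5 failed attempts per username+IP, then a 15-minute lockout.
 */

const EXAMPLE_MAX_ATTEMPTS = 5;
const EXAMPLE_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;
const EXAMPLE_MIN_PASSWORD = 14;

function example_attempt_key( $username ) {
    // Key the counter on username + client IP: keying on the username alone
    // lets one bad actor lock out a real user, keying on IP alone locks out
    // everyone behind a shared NAT. Behind a reverse proxy, REMOTE_ADDR is the
    // proxy, so derive the client IP from your proxy's trusted header instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count failures; wp_login_failed receives the username that was attempted.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_attempt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECS );
} );

// Refuse authentication while the counter is at the threshold. Priority 30
// runs after core's username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( example_attempt_key( $username ) ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}, 30, 2 );

// Clear the counter after a successful login.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_attempt_key( $user_login ) );
} );

// Enforce a minimum length when a password is set on a profile or reset form
// (both post the new password as pass1). Length is the floor; pair it with a
// strength meter or breached-password check for real policy.
function example_check_password_length( $errors ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1']
         && strlen( $_POST['pass1'] ) < EXAMPLE_MIN_PASSWORD ) {
        $errors->add( 'weak_password',
            sprintf( __( 'Passwords must be at least %d characters.' ), EXAMPLE_MIN_PASSWORD ) );
    }
}
add_action( 'user_profile_update_errors', 'example_check_password_length' );
add_action( 'validate_password_reset', 'example_check_password_length' );
```

Transients are stored in the options table (or the object cache when one is configured), so the counters survive across requests without any extra storage.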
There used to be a lot more* that I’d do to harden a WordPress site, but those items will get you a long way.
*Move the WP installation to a sub-directory, neuter the admin account, IP whitelisting, change the login URL, etc. Maybe for a future post…