AI Checklist Generator

From the makers of Manifestly Checklists

Home > checklist for new wordpess websites for security. and including including external integrations

checklist for new wordpess websites for security. and including including external integrations

1. General Security Measures

  • Create a new username that is unique and not easily guessable
  • Choose a strong password with a combination of uppercase and lowercase letters, numbers, and special characters
  • Regularly check for updates in the WordPress dashboard
  • Update themes and plugins from trusted sources only
  • Delete unused themes and plugins from the WordPress dashboard
  • Deactivate any unused themes and plugins to reduce potential vulnerabilities
  • Create or modify the .htaccess file in the wp-admin directory
  • Add rules to restrict access based on IP addresses or password protection
  • Install and activate a security plugin like Limit Login Attempts Reloaded
  • Configure the plugin to limit the number of login attempts and enforce strong passwords
  • Install and activate a two-factor authentication plugin like Two-Factor
  • Configure the plugin to enable two-factor authentication for admin accounts
  • Set up a backup schedule using a backup plugin like UpdraftPlus
  • Configure the plugin to automatically backup the website files and database regularly

2. User Access and Roles

  • Go to the WordPress dashboard
  • Click on 'Users' in the left menu
  • Click on 'Add New'
  • Fill in the required fields with the user's details
  • Choose a strong password
  • Assign the appropriate role for the user
  • Click on 'Add New User'
  • Go to the WordPress dashboard
  • Click on 'Users' in the left menu
  • Select the user you want to assign a role to
  • Scroll down to the 'Role' section
  • Choose the appropriate role for the user
  • Click on 'Update User'
  • Go to the WordPress dashboard
  • Click on 'Users' in the left menu
  • Select the user you want to remove
  • Scroll down to the bottom of the user's profile
  • Click on 'Delete User'
  • Confirm the deletion when prompted
  • Go to the WordPress dashboard
  • Click on 'Users' in the left menu
  • Select the user you want to review/update permissions
  • Scroll down to the 'Role' section
  • Choose the appropriate role for the user
  • Click on 'Update User'

3. WordPress Core Security

  • Choose a reputable hosting provider with strong security measures in place.
  • Ensure the hosting environment is regularly updated and patched for security vulnerabilities.
  • Regularly update WordPress to the latest stable version to benefit from security patches and bug fixes.
  • Enable automatic updates for WordPress core to ensure timely installation of security updates.
  • Add the following line of code to the wp-config.php file: define('DISALLOW_FILE_EDIT', true);
  • This prevents unauthorized access to the theme and plugin editor in the WordPress dashboard.
  • Set the file permissions of wp-config.php to 400 or 440 to restrict access to this sensitive file.
  • This prevents unauthorized users from accessing database credentials and other sensitive information.
  • Generate unique and secure SALT keys using the online WordPress Salt Keys Generator.
  • Replace the existing SALT keys in wp-config.php with the newly generated keys.
  • Add the following line of code to the wp-config.php file: define('WP_AUTO_UPDATE_CORE', true);
  • This enables automatic updates for WordPress core, including security updates, without manual intervention.

4. Theme and Plugin Security

  • Research and choose themes and plugins from trusted sources
  • Read reviews and ratings to ensure credibility
  • Check for updates regularly
  • Update themes and plugins as soon as new versions are available
  • Remove any themes and plugins that are no longer needed
  • Deactivate unused themes and plugins to reduce potential vulnerabilities
  • Download themes and plugins only from official repositories or trusted sources
  • Avoid downloading from unreliable or unknown websites
  • Read reviews and ratings to assess the quality and security of themes and plugins
  • Consider the experiences of other users before installing
  • Install and activate security plugins that offer malware scanning functionality
  • Run regular scans on themes and plugins to detect and remove any malware

5. Secure External Integrations

  • Research and select integrations from reputable sources
  • Read reviews and check for any reported security issues
  • Ensure the integrations have a good track record of updates and support
  • Set a schedule for reviewing and rotating API keys and access tokens
  • Use a secure password manager to store and generate strong keys
  • Update keys immediately if they are compromised or if a service provider requests it
  • Follow the official documentation and guidelines provided by the service provider
  • Use secure and encrypted communication protocols
  • Implement appropriate authentication and authorization mechanisms
  • Obtain and install an SSL/TLS certificate for your website
  • Configure your web server to use HTTPS for external integration endpoints
  • Ensure all requests and responses are encrypted using SSL/TLS
  • Enable logging for external integration activities
  • Regularly review logs for any unusual or suspicious activities
  • Implement alerts or notifications for critical events
  • Configure the firewall to only allow incoming connections from specific IP addresses
  • Create a whitelist of approved IP addresses and block all others
  • Regularly review and update the whitelist as necessary
  • Enable two-factor authentication for all external integration accounts
  • Choose a reliable two-factor authentication method (e.g. SMS, authenticator app)
  • Ensure all users are aware of and follow the two-factor authentication process
  • Research and select a reputable third-party security solution
  • Integrate the chosen solution with your WordPress website
  • Configure the security solution to monitor and detect any suspicious activities
  • Choose a suitable alert notification system (e.g. email, SMS)
  • Configure the security solution to send alerts when unauthorized access attempts occur
  • Assign responsible personnel to monitor and respond to the alerts

6. SSL/TLS and HTTPS

  • Purchase an SSL/TLS certificate from a trusted provider
  • Follow the provider's instructions to generate a CSR (Certificate Signing Request)
  • Submit the CSR to the provider and complete the verification process
  • Once approved, download the SSL/TLS certificate from the provider
  • Update the website's configuration to enforce HTTPS
  • Update the website's .htaccess file to redirect HTTP requests to HTTPS
  • Verify that all website pages and assets are accessible through HTTPS
  • Check for any mixed content warnings or errors
  • Update all internal links within the website to use the HTTPS protocol
  • Review the website's database and content management system for any HTTP references and update them to HTTPS
  • Perform a thorough testing to ensure all internal links are correctly redirected to HTTPS
  • Enable HTTP Strict Transport Security (HSTS) header to enforce HTTPS usage
  • Set X-Frame-Options header to prevent clickjacking attacks
  • Implement Content Security Policy (CSP) to mitigate cross-site scripting attacks
  • Enable X-XSS-Protection header to enable browser XSS protection

7. Security Plugins and Monitoring

  • Go to the WordPress dashboard
  • Click on 'Plugins' in the left-hand menu
  • Click on 'Add New'
  • Search for the desired security plugin
  • Click on 'Install Now' next to the plugin
  • Click on 'Activate' to activate the plugin
  • Go to the WordPress dashboard
  • Click on 'Plugins' in the left-hand menu
  • Find and click on the installed security plugin
  • Navigate to the settings page of the plugin
  • Configure the settings according to recommended guidelines
  • Save the changes made
  • Go to the WordPress dashboard
  • Click on 'Plugins' in the left-hand menu
  • Find and click on the installed security plugin
  • Navigate to the monitoring or notifications section
  • Enable real-time monitoring
  • Configure notification preferences
  • Save the changes made
  • Go to the WordPress dashboard
  • Click on 'Plugins' in the left-hand menu
  • Find and click on the installed security plugin
  • Navigate to the logs or reports section
  • Review the security logs and reports regularly
  • Take necessary actions based on the findings
  • Go to the WordPress dashboard
  • Click on 'Plugins' in the left-hand menu
  • Find and click on the installed security plugin
  • Navigate to the scanning or vulnerability assessment section
  • Initiate a security scan or vulnerability assessment
  • Review the results and take necessary actions

8. Backup and Disaster Recovery

  • Install a backup plugin such as UpdraftPlus or BackupBuddy
  • Configure the backup plugin to schedule regular backups of the website files and database
  • Ensure that the backups are being saved to a secure location
  • Set up notifications to receive alerts if backups fail
  • Choose a reputable cloud storage provider like Amazon S3 or Google Drive
  • Configure the backup plugin to automatically upload backups to the chosen cloud storage
  • Encrypt backups before uploading them to the cloud storage
  • Regularly check the security settings of the cloud storage to ensure privacy
  • Select a test environment where you can safely restore the website and database backups
  • Follow the instructions provided by the backup plugin to restore the backups in the test environment
  • Verify that all website files and the database are properly restored
  • Perform functional and security testing on the restored website to ensure everything is working correctly
  • Identify potential risks and threats that could lead to a disaster
  • Create a step-by-step plan outlining the actions to be taken in case of a disaster
  • Include contact information for relevant stakeholders and service providers in the plan
  • Regularly review and update the disaster recovery plan as needed
  • Configure the backup plugin to automatically update backups at regular intervals
  • Set up notifications to receive alerts if backups are not being updated
  • Schedule regular integrity checks of the backups to ensure they are not corrupted
  • Address any issues identified during the integrity checks promptly
  • Regularly check the status of backup jobs to ensure they are running successfully
  • Periodically test the integrity of backups by restoring them to a test environment
  • Choose a reputable and secure offsite backup provider
  • Ensure that the offsite backup location has appropriate security measures in place
  • Select a backup plugin that supports keeping multiple versions of backups
  • Enable versioning in the backup plugin settings
  • Enable encryption in the backup plugin settings
  • Choose a strong encryption algorithm and key
  • Periodically review and update the backup policies to reflect any changes in requirements
  • Ensure that the backup policies align with the desired recovery objectives
  • Identify other critical services used in the website infrastructure
  • Research and implement suitable backup solutions for those services
Download CSV Download JSON Download Markdown Use in Manifestly