Best Practices for Passwords
Password security is not specific to WordPress, but let's talk about some of the common best practices for computer password security.
Use a secure password! Don’t use “Password123” or even “Chr!st0ph3r”, as those are easy targets for dictionary attacks (where the attacker uses a program to guess every word in your language, along with common variations of those words). Use something very complex like 8.;>48%@r4Va. This will be very hard for attackers to guess.
Keeping track of your passwords is difficult already, and with gibberish like that it becomes impossible. Sticky notes and Word documents are not acceptable management solutions. I highly recommend using a tool like 1Password or LastPass that will securely keep track of your passwords and even help you generate secure ones.
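To show why “Password123” and “Chr!st0ph3r” count as dictionary passwords while a random string does not, here is an added example (not from the original post) of the kind of check and generator a password manager applies. The small word list, the substitution table and the function names are constructed for illustration.

```python
import re
import secrets
import string

# Constructed mini word list; a real check would load a full dictionary
# plus a list of previously leaked passwords.
WORDS = {"password", "christopher", "welcome", "dragon", "monkey"}

# Common character swaps that guessing tools undo automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "!": "i", "@": "a", "$": "s"})

# Characters the generator draws from: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def dictionary_base(password):
    """Return the dictionary word a password is built on, or None."""
    lowered = password.lower()
    # Drop trailing digits and symbols ("Password123" -> "password").
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    candidates = {lowered, stripped,
                  lowered.translate(LEET), stripped.translate(LEET)}
    for candidate in candidates:
        if candidate in WORDS:
            return candidate
    return None


def generate_password(length=16):
    """Build a random password from the operating system's secure RNG."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry in the (very unlikely) case the result reduces to a word.
        if dictionary_base(pw) is None:
            return pw


if __name__ == "__main__":
    for sample in ("Password123", "Chr!st0ph3r", "8.;>48%@r4Va"):
        print(sample, "->", dictionary_base(sample) or "no dictionary base")
    print("generated:", generate_password())
```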
No matter how secure your site and passwords are, if your host is not secure, you are vulnerable. First and foremost, make sure you are using a reputable hosting solution. I personally use HostGator and WP Engine for my sites and my clients.
Shared hosting is a security risk. It is not a no-no, but you should be aware of the risks. If you are sitting on a server with another WordPress installation, you could still be at risk even when you are diligent about security best practices. A security vulnerability on the other site (which you have no control over) could cause an infection or vulnerability on your site. Be cautious and keep backups!
Your hosting provider probably offers some sort of backup of your server and site. Except in a few circumstances, this is not adequate. You should look at getting an additional backup solution. Options include:
- Backup to Dropbox (Free)
- Backup to Google Drive (Free)
- Backup Buddy (Paid)
- ManageWP (Paid and Free subscriptions)
Your cPanel or Plesk dashboard and FTP (or SFTP) are the gateways to your site. Lock them down! You’re going for Fort Knox here. They probably aren’t things you access regularly, so make them secure and hard to access.
Domain theft. It is possible for someone to hack into your domain registrar account and transfer your domain away. Secure this account with a strong password and by using privacy protection. Also read reviews about your domain registrar; I like NameCheap.com and Hover.com. There have been several stories of registrars that will not help customers recover domains once they are transferred away.