WordPress Security Best Practices Flashcards

(25 cards)

1
Q

What is WordPress security?

A

WordPress security involves protecting a site from threats like hacks, malware, and data breaches.

Security ensures site integrity, user trust, and data protection. Freelancers secure client sites to prevent downtime or data loss, while enterprise architects implement robust measures for high-stakes, large-scale systems.

2
Q

Why is WordPress security important?

A

Security prevents hacks, protects user data, and maintains site reputation and SEO.

WordPress powers over 40% of websites, making it a common target for attacks. Freelancers secure sites for client reliability, while enterprise architects ensure compliance with regulations like GDPR in large systems.

3
Q

What is a strong password policy in WordPress?

A

Require complex passwords with letters, numbers, and symbols for all users.

Strong passwords reduce brute-force attack risks. Freelancers enforce password policies via plugins like iThemes Security, while enterprise architects implement enterprise-grade authentication standards.

4
Q

What is two-factor authentication (2FA) in WordPress?

A

2FA adds a second verification step, like a code sent to a phone, for logins.

Plugins like Two Factor or Wordfence enable 2FA. Freelancers add it for client security, while enterprise architects use 2FA for secure access in multi-user environments.

5
Q

What is the role of user roles in WordPress security?

A

User roles limit permissions to prevent unauthorized access to site functions.

Roles like Administrator, Editor, or Subscriber have defined capabilities. Freelancers assign minimal roles to client users, while enterprise architects enforce strict role-based access control (RBAC).

6
Q

How do you secure the WordPress login page?

A

Use plugins to limit login attempts, change the login URL, or enable 2FA.

Plugins like Limit Login Attempts or WPS Hide Login reduce brute-force risks. Freelancers secure login pages for clients, while enterprise architects implement custom login URLs for added protection.

7
Q

What is wp-config.php security?

A

Secure wp-config.php by setting restrictive file permissions and moving it one directory above the web document root.

This file contains sensitive data such as database credentials and the authentication salts. Freelancers set its permissions to 600, while enterprise architects relocate it outside the web root so it cannot be served or read through the web server in large systems.

8
Q

What is the .htaccess file’s role in WordPress security?

A

The .htaccess file restricts access to sensitive files and enhances security on Apache servers.

Rules like denying access to wp-config.php (<Files wp-config.php> Order Deny,Allow / Deny from all </Files>; on Apache 2.4 the equivalent is <Files wp-config.php> Require all denied </Files>) protect files from being requested over HTTP. Freelancers configure it for clients, while enterprise architects optimize it for secure servers.

9
Q

What is a WordPress security plugin?

A

A security plugin enhances protection with features like firewalls and malware scanning.

Plugins like Wordfence or iThemes Security offer comprehensive security. Freelancers use them for client sites, while enterprise architects integrate them with enterprise security frameworks.

10
Q

What is a Web Application Firewall (WAF)?

A

A WAF filters malicious traffic before it reaches a WordPress site.

Services like Cloudflare or Sucuri provide WAFs to block attacks like SQL injection. Freelancers enable WAFs for clients, while enterprise architects use them for robust perimeter security.

11
Q

What is a nonce in WordPress?

A

A nonce is a short-lived token tied to a user and action that validates the authenticity of requests.

Created with wp_nonce_field() and verified on submission, nonces prevent CSRF attacks. Freelancers use them in plugins and forms, while enterprise architects enforce them for secure API and form submissions.

12
Q

How do you use wp_nonce_field()?

A

wp_nonce_field() adds a nonce to forms for secure submissions.

For example, wp_nonce_field('my_action', 'my_nonce') secures a form. Freelancers implement it for client plugins, while enterprise architects use it for secure data processing.

13
Q

What is check_admin_referer()?

A

check_admin_referer() verifies a nonce and referer for secure admin actions.

For example, check_admin_referer('my_action', 'my_nonce') validates requests. Freelancers use it in admin forms, while enterprise architects ensure secure backend operations.

14
Q

What is data sanitization in WordPress?

A

Data sanitization cleans user input before it is stored or processed, preventing malicious code injection.

Functions like sanitize_text_field() strip tags and unexpected characters from input. Freelancers sanitize inputs in plugins, while enterprise architects enforce sanitization for secure data handling.

15
Q

What is data escaping in WordPress?

A

Data escaping ensures safe output by encoding data at the point it is rendered, preventing XSS attacks.

Functions like esc_html() or esc_attr() secure output in templates, chosen according to the context (HTML body or attribute) in which the value appears. Freelancers use escaping in themes/plugins, while enterprise architects enforce it for secure rendering.

16
Q

What is HTTPS in WordPress?

A

HTTPS encrypts data between the server and user, securing sensitive information.

Enabled via TLS/SSL certificates, it is enforced for the admin area and logins in wp-config.php (define('FORCE_SSL_ADMIN', true);). Freelancers install certificates for clients, while enterprise architects ensure site-wide HTTPS for compliance.

17
Q

What is a WordPress database backup?

A

A database backup saves site data to restore in case of hacks or failures.

Plugins like UpdraftPlus automate backups. Freelancers manage backups for clients, while enterprise architects integrate them into disaster recovery plans.

18
Q

How do you secure the WordPress database?

A

Use a unique table prefix, strong credentials, and regular backups.

Change the default wp_ prefix in wp-config.php and secure credentials. Freelancers protect client databases, while enterprise architects ensure database security for large systems.

19
Q

What is the Wordfence plugin?

A

Wordfence provides firewall, malware scanning, and login security for WordPress.

It blocks malicious traffic and scans for vulnerabilities. Freelancers use it for client protection, while enterprise architects integrate it with enterprise security tools.

20
Q

What is malware scanning in WordPress?

A

Malware scanning detects and removes malicious code from WordPress files.

Plugins like Sucuri or Wordfence scan files and databases. Freelancers offer scanning as a service, while enterprise architects automate it for continuous monitoring.

21
Q

What are file permissions in WordPress?

A

File permissions control access to WordPress files and folders.

Set folders to 755 and files to 644 via FTP or server settings. Freelancers configure permissions for clients, while enterprise architects enforce strict permissions for security.

22
Q

What is the role of security headers?

A

Security headers protect against attacks like XSS or clickjacking.

Headers like Content-Security-Policy are set in .htaccess or via plugins. Freelancers add them for client sites, while enterprise architects implement them for robust protection.

23
Q

What is XML-RPC in WordPress?

A

XML-RPC is a protocol for remote WordPress access, often disabled for security.

It enables features like pingbacks but is a target for attacks. Freelancers disable it via plugins, while enterprise architects block it to reduce attack surfaces.

24
Q

How do you disable XML-RPC in WordPress?

A

Add add_filter('xmlrpc_enabled', '__return_false'); to functions.php or use a plugin.

Disabling XML-RPC prevents brute-force and amplification attempts via xmlrpc.php. Freelancers secure client sites, while enterprise architects ensure it is disabled in high-security environments.

25
Q

What is a WordPress security audit?

A

A security audit reviews a site for vulnerabilities and compliance.

Tools like WPScan or Sucuri SiteCheck identify issues. Freelancers perform audits for clients, while enterprise architects conduct regular audits for enterprise-grade security.