Ah, sure, there is also the free WordPress Plugin here: https://wordpress.org/plugins/sucuri-scanner/
I actually have a different security checklist, which includes Sucuri – http://getbutterfly.com/wordpress-security-checklist/ – here.
Bring it on!
Can’t wait to write my first comment on the new forums.
Thanks for the checklist. Will follow them for sure. Also check out this checklist http://capsicummediaworks.com/killer-wordpress-checklist/
I know that list, it goes beyond management. I’m only interested in management. No social profiles, no ALT tags. Thanks.
I totally agree. Maybe they’ll focus on reviews after they’re done with the new forums and the responsive sections.
Until then, I’m moving the best reviews on my product page on my website.
You’re right, the system is flawed. I was just suggesting item improvement to reduce negative reviews. We’ve all been there. Remember a year ago when reviews were anonymous and there was no text, only stars? That was even worse.
I want it!
Any roadmap or publishing date? Being able to reply to emails from inside my WordPress site would be awesome and 200% more productive.
What else would you add to this list? What are your personal recommendations? Feedback?
In no particular order, here’s what you must do for your WordPress site:
1. Make a backup strategy
This is a very important step which should be taken seriously since the first moment of the inception of your site. You have four options and I will list them in my preferred order:
1.1. Use a WordPress service (I use VaultPress)
1.2. Use a WordPress plugin (Backup Buddy, Snapshot, UpdraftPlus, BackWPup or Smart Backup)
1.3. Use a CRON job (note that file backup using a PHP script may bring down your server – check with your host before doing anything)
1.4. Use a server module (cPanel/Plesk – it is an option, although it would take a lot of time to do it manually and regularly)
Note that backups should be kept in a safe place and I recommend storing them in the cloud. The most popular services are Dropbox, Google Drive, Amazon and OneDrive. Many of the backup plugins out there have integrated support for these cloud services.
Decide on a frequency that suits both your site and your host. Generate daily backups, weekly backups or monthly backups depending on your site’s activity.
2. Implement Google Analytics
That’s all you need for the start. With a bit of tweaking, you can get everything you need, from users’ age and interests to the site flow. You don’t need user analysis, heatmaps, social interactions and so on. Not while your site is still young.
3. Implement Google Webmaster Tools
You need Google verification and validation and you’re all set. I could add you also need a Google+ page or business listing, but that enters the optimization area and it’s part of a future article.
4. Use a CDN (I use Cloudflare, but there are others such as Amazon, MaxCDN, Edgecast, Akamai or Incapsula).
Did you hear that Sucuri is building a comprehensive alternative to Cloudflare?
5. Automated/manual updates routine
I used to use WPRemote (and I still use it for some clients), but I have since moved to Jetpack and its management feature. I use Jetpack anyway, so why use a different plugin? There are more services that provide the same services such as ManageWP, InfiniteWP or WPDASH.
If you’re not familiar with WordPress, you should allow all automated core updates. There are three types of core updates – major, minor and security. Security updates are, most of the time, automated. Minor updates are automated and allowed by default. Major updates are manual only.
If you’re familiar with how WordPress works, you should update it manually and wait for a couple of days after each update announcement. Sometimes, another update will follow pretty soon to patch things up or to revert certain changes.
6. Uptime monitor
If you doubt your host or if you don’t visit your site on a daily basis, then you might need to know when the server is down. Because when your site is down, you lose visibility, credibility and maybe money. I recommend Jetpack Monitor or Pingdom.
7. Enable server/access logs
You never know when they might come in handy. Just enable them. You’ll thank me later. In a year. Or two.
8. Update server to latest PHP version
Check with your host and make sure you update to the latest version of PHP. It’s not usually possible, but try to ask for the highest version possible. Most hosts are usually two minor versions behind (in my case 5.5, but I have four clients using an educational hosting network using 5.3).
9. Secure your site
9.1. Get an SSL certificate – Cloudflare has a free shared (flexible) one and it does the job. You should get a full one as soon as possible, though.
9.2. Secure your site using the Sucuri Security plugin, Wordfence Security plugin and the GOTMLS plugin.
https://wordpress.org/plugins/plugin-vulnerabilities/
9.3. Get notified when plugin vulnerabilities are found.
There’s more about security, but having an SSL certificate and the plugins above in place, you should be safe.
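
For the cron option in item 1.3, a file backup that runs at low priority, refuses to write inside the web root and prunes old archives could look like the script below. It is an added example, not part of the original post; the function name, archive naming, paths and crontab line are assumptions, and the database dump and cloud upload are left out.

```shell
#!/usr/bin/env bash
# Added example: WordPress file backup for cron. Names and paths are assumptions.

# backup_wp SITE_DIR BACKUP_DIR KEEP [STAMP]
# Archives SITE_DIR to BACKUP_DIR/wp-files-STAMP.tar.gz, keeps the newest KEEP
# archives, and prints the path of the archive it wrote.
backup_wp() {
    local site_dir="$1" backup_dir="$2" keep="$3"
    local stamp="${4:-$(date +%Y%m%d-%H%M%S)}"
    local archive old

    # Resolve both paths; the backup directory must already exist.
    site_dir=$(cd "$site_dir" 2>/dev/null && pwd -P) || return 1
    backup_dir=$(cd "$backup_dir" 2>/dev/null && pwd -P) || return 1

    # An archive under the web root could be downloaded by anyone who guesses
    # its name, and it contains wp-config.php with the database credentials.
    case "$backup_dir/" in
        "$site_dir"/*) echo "refusing: backup dir is inside the site" >&2; return 1 ;;
    esac

    archive="$backup_dir/wp-files-$stamp.tar.gz"
    # umask 077 makes the archive owner-only; nice lowers CPU priority so the
    # job does not compete with the web server. Writing to .part first means a
    # failed run never leaves a truncated file that looks like a backup.
    if ! (umask 077; nice -n 19 tar -czf "$archive.part" -C "$site_dir" .); then
        rm -f "$archive.part"
        return 1
    fi
    mv "$archive.part" "$archive"

    # Timestamped names sort chronologically: list newest first, skip KEEP, delete the rest.
    ls -1 "$backup_dir"/wp-files-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
    echo "$archive"
}

# Run as a script: wp-backup.sh SITE_DIR BACKUP_DIR KEEP
# Constructed crontab line for a daily 03:15 run keeping 7 archives:
#   15 3 * * * /usr/local/bin/wp-backup.sh /var/www/html /var/backups/wp 7
if [ "$#" -ge 3 ]; then
    backup_wp "$@"
fi
```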