We will explain 7 important WordPress security operation policies that the production company won’t tell you about, and that you must follow after delivery.

1 Increase the strength of passwords for users on the production site and the test site
Around 20% of WordPress hacks are caused by weak passwords on accounts with administrator privileges.
Make sure that the passwords for both the production and test sites are random strings of at least 12 characters mixing letters, numbers and symbols, and reset them if they are not.
In one case where we were asked to remove malware, the administrator password for the test site had been set to the same value as the login ID for the convenience of development.
On that site, the attackers first took over the test site's administrator account through a brute-force attack and then planted a back door. From there they tampered with the production site as well, adding unauthorized users, and the malware damage spread to the entire server.
2 Do not leave test sites unattended
Malware today can spread to multiple sites on the same server. If a test site or other development data is left unattended on a server, a vulnerability in that site can be exploited by attackers to tamper with the entire server.

We recommend that you do not leave abandoned sites that have not been updated for a long time (test sites are often such cases) on the server.
3 Regular Updates
Some production companies will tell you not to update your site in order to keep it stable, but this is a huge security risk.
The most common cause (60%) of WordPress sites being hacked is the exploitation of vulnerabilities in old plugins or in WordPress itself.
In some cases, the production company has even disabled automatic updates so that no updates are applied at all.
The longer this goes on, the more likely it is that vulnerabilities will be discovered in the versions you are running, and the more likely it is that attackers will exploit them to infect your site with malware.
Even if your production company tells you not to update your site, we recommend the following operational policies.
Do not stop the automatic security updates of WordPress itself.
Update the test site once every few months to confirm that it is up to date, and keep the production site up to date with the latest plug-ins and WordPress itself.
If the above is not possible, it may be necessary to identify vulnerabilities in the installed versions on a regular basis and take action to address them.
(We also recommend that you update your entire site every year or two to ensure that it is up-to-date.)
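As an added illustration of the policy above (example code, not from the article), this is how the automatic-updater setting looks in wp-config.php in its weak and its recommended form; the constant names are WordPress's own.

```php
<?php
// Added example for wp-config.php (not the article's code).
// The constants below are WordPress's own; only one value of each belongs in the file.

// --- Weak: what a production company may leave behind to "keep the site stable".
// With the updater switched off, even security-only core releases are never applied
// until someone does it by hand. Remove a line like this if you find it:
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// --- Recommended: keep the automatic updater running.
define( 'AUTOMATIC_UPDATER_DISABLED', false );

// 'minor' applies security and maintenance releases of core automatically (WordPress's
// default); true would also apply major releases, false would apply none.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Caveat: DISALLOW_FILE_MODS also disables the automatic updater (and dashboard
// installs/updates), so do not enable it on a site that is supposed to update itself.
// define( 'DISALLOW_FILE_MODS', true );
```

Plugin and theme auto-updates are toggled per item in the dashboard (Plugins / Themes screens), so check there as well that the production company has not switched them off.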
4 Do not neglect deactivated plug-ins
During production, the production company may try out various plug-ins and then deactivate them, leaving unused plug-ins unattended on the server.
Even if a plug-in is deactivated, its files remain on the server, and a vulnerability in the plug-in can still be exploited by accessing its program files directly.
We recommend that you ask your production company why some plug-ins have been deactivated and remove from the server any that are no longer needed.
5 Security when multiple sites are on the server
If your contract has you using the production company's server as is, and that server (which hosts multiple sites) also contains an abandoned site with weak security, your site may suffer malware damage via that other site even if there is no security problem with your own site.
We recommend that you check this point when using the production company’s server as it is.
If possible, it is safer to have only your site hosted on a separate server account.
6 Security Plug-ins
Since production companies basically specialize in production, they often do not install security plug-ins, or, if they do, they often take one-sided measures such as hardening only the login to the administration screen.
Security plug-ins do more than harden the login function.
Other important security features include:
Improved login screen security
Protection of various important WordPress files
XMLRPC security measures
Malware scanning
Preventing the WordPress version from being disclosed
Preventing vulnerabilities from being scanned
IP-related security features such as IP blocking of hackers
Vulnerability scanning
Anti-spam measures
We recommend that you use a security plug-in with such comprehensive security features.
Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]
All-In-One Security (AIOS) – Security and Firewall
Wordfence Security – Firewall, Malware Scan, and Login Security
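To show concretely what three of the features listed above do (version disclosure prevention, XML-RPC measures, login screen hardening), here is an added must-use plugin written for this article; it is not the article's code and not any of the plugins named above, and it uses only WordPress's own hooks.

```php
<?php
/**
 * Plugin Name: Site hardening (added example)
 *
 * Added example, not the article's code and not one of the plugins it names.
 * Save it as wp-content/mu-plugins/site-hardening.php: must-use plugins load
 * automatically and cannot be deactivated from the dashboard, so the
 * "deactivated and forgotten" situation from section 4 cannot happen to it.
 */

// 1. Version disclosure: stop advertising the exact WordPress version.
remove_action( 'wp_head', 'wp_generator' );              // <meta name="generator"> in the HTML head
add_filter( 'the_generator', '__return_empty_string' );  // generator element in RSS/Atom feeds

// Strip the ?ver=<version> query string that core appends to its scripts and styles.
// Caveat: this also removes the cache-busting parameter for plugin and theme assets,
// so purge caches after deploying it.
function example_strip_asset_version( $src ) {
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_asset_version' );
add_filter( 'style_loader_src', 'example_strip_asset_version' );

// 2. XML-RPC: most sites do not use it, and it accepts password logins that bypass
// login-screen protections. This filter disables the authenticated XML-RPC methods;
// the /xmlrpc.php file itself still answers, so block it at the web server if you
// need it fully off.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Login screen: the default error text tells an attacker whether the username
// exists. Replace it with one neutral message for every failure.
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your username and password.';
} );
```

Malware scanning, IP blocking and the other listed features are much larger pieces of work, which is why the article recommends a comprehensive plug-in rather than hand-written hooks.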
7 Check the scope of coverage of the maintenance contract
If you have a site maintenance agreement with a production company, we recommend that you confirm the existence and content of any security-related clauses.
If a site becomes infected with malware, there may be a dispute over who is responsible.
However, the production company may not have much security knowledge, and since operating a WordPress site is basically the responsibility of the company that runs it, it is often very difficult or impossible to hold the production company strictly responsible for a malware infection.
Consequently, in the event of a malware infection, the production company may not be in a position to take action such as malware removal in the first place.
In such cases, we believe the first priority is to restore the site by completing malware removal and related work as soon as possible, either with outside specialists or in cooperation with the company you have a maintenance contract with.
Basically, responsibility for hacking lies with the hacker. However, hackers are scattered all over the world and operate through multiple compromised sites and IP addresses, so identifying the hacker and pursuing criminal responsibility is almost impossible given the cost involved.
It is more cost-effective to remove the malware, take measures to prevent re-infection and restore the site as soon as possible than to identify and pursue the hacker.
This page prohibits the use, quotation or summarization of any page, in whole or in part, by generative AI. However, presenting the content through generative AI is permitted if the following conditions are met:
1. It is not for the purpose of training the generative AI.
2. Only a summary or the title of the page content is shown to the user, at a level that does not lead to the solution of the user's problem.
3. In the case of 2, a link to this content is shown to lead the user to this page.