There are a number of factors which can help secure your site on WP Engine. We at WP Engine put many processes in place to help ensure your site is secure. However, since the content, plugins, and themes on your site are managed by you, there are some steps you can take which can help ensure your site stays safe and secure.
Steps to Secure Your Site
Below we’ve compiled a list of best practices you can follow to help ensure the security of your site:
- Keep WordPress Core updated: When WordPress releases security updates, WP Engine helps ensure your site receives them. However, for larger updates you have the option to “defer” these WordPress Updates in the User Portal. Whenever possible, we recommend not deferring these updates. When WordPress Core updates are released, it’s best practice to test the updates in your staging site. Then, you can make the update on your live site once you have confirmed all works well.
- Keep Plugins and Themes updated: Plugin and theme authors often release security updates. These updates can also help optimize the plugin to work properly with the latest versions of WordPress. It is important to keep up to date on these plugin and theme updates. Outdated software is the number one cause of malware or infection on sites.
- Never log in to WordPress on a public computer: If you log in to your site from a public computer, your admin credentials may be exposed to others who use the same computer, or to other users on the network.
- Regularly audit admin users: It’s best practice to periodically audit the users for your wp-admin area and for SFTP (in the User Portal) to ensure only those who still need access are allowed. It’s also a good step to ensure that users on your site are only given the access level they need (author, editor, admin, etc).
If you are seeing unexpected changes on your site, WP Stream is a great plugin for tracking these admin activities. This plugin is ideal if you want more granular tracking of what actions your users are taking,
What if I Think My Site is Infected with Malware?
If you are concerned your website might contain malware, the first thing you should do is check it with a site scanner tool. One of the most commonly used tools is Sucuri SiteCheck. You can use this tool to see whether it detects any security issues. If the scan is clear, there is no need for you to clean your site of malware. However, you should definitely follow the best practices outlined above to ensure your site stays clean.
If the site scan does detect malware, please follow our Malware Scans and Cleaning guide so we can help ensure your website is cleaned of any malware.