How to securely manage multiple WordPress blogs
25 Apr 2020Let’s say you are in my case: you manage multiple WordPress blogs on multiple servers for yourself, your friends, your family, your company, your customers. How do you keep them from being hacked or infected? How do you securely manage multiple WordPress blogs?
Use a WP Site Manager
First of all, you absolutely need a WP Site Manager application like InfiniteWP or ManageWP. I am a very happy user of InfiniteWP, the free version for at home, and the paid version for at the office. It takes care of WordPress/theme/plugin updates and (manual) backups. It’s also the unique dashboard with easy login to all your WP websites.
Put your Site Manager on a separate [subdomain].[yourdomain.com]
‘. Then install the client plugin on each of your WP blogs and add them to your repository of managed blogs. Add them all, because one forgotten ‘it was just for testing‘ WordPress blog can be the weakest link that allows a hacker to infect all your other blogs on that server.
InfiniteWP Dashboard Interface
Indispensable WP security plugins
InfiniteWP client
This is the first plugin I install on any new WordPress. Makes sure that your list of WordPress blogs in your Site Manager is exhaustive. Allows you to update everything remotely.
Wordfence Security
This is the second plugin I install. Pimps up your security, even in the free version. Will detect changes to the WordPress files, new files in places where there shouldn’t be any, brute force attacks on your wp-admin login, … Popularity: 3 million installations.
Jetpack by WordPress
This one really locks you into the WordPress eco-system. It has a lot of functionalties, including brute-force attack protection, but also auto-update of plugins, making your life even easier. Popularity: 5 million installations
WP Life Pro Tips
Force the server to use HTTPS
This goes without saying: it is 2020, there is no excuse why your website would still be on http:// instead of https://. Why? Because you never give your password on a http;// site.
Any hosting service that’s any decent will allow you to active a Let’sEncrypt free certificate on your domain. If they don’t you can add https:.. through a (free) service like Cloudflare.
Your http://[yourdomain.com]
should always forward to the https:// version. You can this through the toolstud,io redirection check.
Use a password manager
Use a browser-plugin password manager to keep track of your long, complicated and always unique passwords for each site. There is LastPass, 1Password, Dashlane, Zoho Vault, I am a long-time LastPass user, I use it on my iPhone, Macbook and various Windows/Linux machines, I have all passwords available on all platforms, it’s a life-saver.
Use Wordfence two-factor authentication (2FA)
When you use the Wordfence plugin, you will get warnings when someone has tried too many times to guess your password. And you will realize just how often that is. Your blogs are constantly under attack. If you want to make it harder for an attacker to log in, enable Wordfence’s 2-factor authentication. You will need your phone every time you log in as an administrator.
Use visitor password protection for ‘intranet’ websites
If you create a WordPress site that is only meant to be read/used by a select number of people (e.g. your company, your club), add a password plugin like Password Protected, give all the intended users that password and maybe whitelist your office’s IP address. Another layer of security!
Use Cloudflare for high-traffic sites
Not for every site, but will help a lot with with content-delivery and also with security: there’s a web firewall, and your origin server is invisible to the Internet.
Use a dedicated WordPress admin email address
Your WordPress blog will send you messages regularly (like when a user was added). Your Site Manager will send you message regularly (like when you really need to update some sites). Your integrity protection (e.g. Wordfence) will send you regular emails (like when an attacker is blocked automatically). You need a place to receive all these messages, but you don’t want them mixed into your day-to-day communication,
Set up a forwarding email address for those messages (e.g. wordpress@[yourdomain.com]
) and let all those emails go there, Then set up a rule to automatically move the emails to a folder ‘WordPress’. If in the future you would want those emails to go somewhere else, it’s one easy redirection change.