
Security Best Practices

Follow these best practices to maximize your WordPress site’s security with Guard Dog.

Essential Security Layers

Security is most effective when using multiple complementary layers. No single feature provides complete protection.

The Security Pyramid

         [2FA]
      [IP Whitelist]
    [Login Limiting]
     [CAPTCHA]
  [Custom Login URL]
[Strong Passwords]

Each layer stops a different class of attack, so an attacker who gets past one still has to beat the others.


Initial Setup Priorities

Phase 1: Immediate (Do Today)

1. Change Login URL

  • Impact: Removes most automated login noise, since bots hammer the default wp-login.php path; a hidden URL is obscurity, not authentication, so keep the other layers on
  • Difficulty: Easy
  • Time: 2 minutes

Steps:

  1. Go to Login Security
  2. Set a unique login slug
  3. Bookmark the new URL
  4. Test in incognito mode

2. Enable CAPTCHA

  • Impact: Stops automated login attempts
  • Difficulty: Easy
  • Time: 10 minutes

Steps:

  1. Choose provider (Cloudflare Turnstile or reCAPTCHA v3)
  2. Get API keys
  3. Configure in Guard Dog
  4. Test login

3. Enable Login Attempt Limiting

  • Impact: Prevents brute-force attacks
  • Difficulty: Easy
  • Time: 1 minute

Steps:

  1. Enable login limiting
  2. Set 5 attempts, 15 minutes lockout
  3. Save settings
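The limiter configured above is a failure counter per source plus a lockout timer. The Python below is an added example of that policy, not Guard Dog's own code (the page does not describe the plugin's internals, including whether it keys on IP, username or both); it keys on client IP and uses the page's 5 attempts / 15 minutes. Two behaviours worth testing in any such feature are shown: a correct password submitted during a lockout is still refused, and five failures from one address lock it regardless of which usernames were tried. The sample address is constructed.

```python
"""Login attempt limiter: lock a source out after too many failures.

Added example, not Guard Dog's implementation. Keyed on client IP; the
thresholds mirror the page's suggested 5 attempts / 15 minute lockout.
"""
from collections import defaultdict, deque

MAX_RETRIES = 5
WINDOW_SECONDS = 15 * 60    # period over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long a locked source stays locked


class LoginLimiter:
    def __init__(self, max_retries=MAX_RETRIES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_retries = max_retries
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> unix time the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock expired: forget the history
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def _record_failure(self, key, now):
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_retries:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def attempt(self, key, password_ok, now):
        """Return 'locked', 'ok' or 'fail'.

        The lock is checked BEFORE the password, so a correct guess made
        during a lockout does not get through."""
        if self.is_locked(key, now):
            return "locked"
        if password_ok:
            self._failures.pop(key, None)      # a success clears the counter
            return "ok"
        return "locked" if self._record_failure(key, now) else "fail"


def demo():
    """Scripted scenario; returns the sequence of outcomes."""
    lim = LoginLimiter()
    ip = "198.51.100.23"                       # constructed sample address
    outcomes = []
    # Five wrong passwords from one IP. The key is the IP, so it does not
    # matter whether they targeted one username or five (spraying).
    for sec in range(5):
        outcomes.append(lim.attempt(ip, password_ok=False, now=1000 + sec))
    # A correct password while locked is refused.
    outcomes.append(lim.attempt(ip, password_ok=True, now=1010))
    # Once the lockout expires the same correct password succeeds.
    outcomes.append(lim.attempt(ip, password_ok=True, now=1010 + LOCKOUT_SECONDS))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Per-IP locking can be evaded by spreading guesses across many addresses, and it can be abused to lock out everyone behind a shared office or VPN address; that is why the page pairs it with CAPTCHA and 2FA rather than relying on it alone.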

Phase 2: High Priority (This Week)

4. Enable 2FA for Your Account

  • Impact: Protects your admin account
  • Difficulty: Medium
  • Time: 5 minutes

Steps:

  1. Enable 2FA site-wide
  2. Set up on your account
  3. Save recovery codes securely
  4. Test logout/login

5. Configure Activity Logging

  • Impact: Visibility into attacks and changes
  • Difficulty: Easy
  • Time: 3 minutes

Steps:

  1. Enable Activity Log
  2. Choose events to log
  3. Set automatic cleanup (90 days)

6. Review Access Control

  • Impact: Prevent known bad actors
  • Difficulty: Easy
  • Time: 5 minutes

Steps:

  1. Blacklist common usernames (admin, administrator, test)
  2. Consider IP whitelisting if you have a static IP
  3. Review regularly

Phase 3: Ongoing (This Month)

7. Enforce 2FA for All Users

  • Impact: Comprehensive account protection
  • Difficulty: Medium
  • Time: 10 minutes + user communication

Steps:

  1. Announce to all users
  2. Enable 2FA enforcement
  3. Set 14-day grace period
  4. Provide setup instructions

8. Configure Email Provider (if using email 2FA)

  • Impact: Reliable 2FA code delivery
  • Difficulty: Medium-Hard
  • Time: 30-60 minutes

9. Review and Optimize

  • Analyze activity logs for patterns
  • Adjust settings based on real usage
  • Document your security configuration

Configuration by Site Type

Personal Blog

Focus: Simplicity + Core Protection

Recommended:

  • ✅ Custom login URL
  • ✅ CAPTCHA (reCAPTCHA v3)
  • ✅ Login limiting (5 attempts, 15 min)
  • ✅ 2FA for your account (optional)
  • ✅ Activity log (security events only)
  • ❌ IP whitelist (too restrictive)
  • ❌ 2FA enforcement (overkill)

Settings:

Login URL: unique-slug
CAPTCHA: reCAPTCHA v3, threshold 0.5
Max Retries: 5
Lockout Duration: 15 minutes
Activity Log: Security events only

Business Website

Focus: Balance Security + Usability

Recommended:

  • ✅ Custom login URL
  • ✅ CAPTCHA (Cloudflare Turnstile)
  • ✅ Login limiting (4 attempts, 30 min)
  • ✅ 2FA for admins (enforced)
  • ✅ 2FA for editors (optional)
  • ✅ Activity log (all events except routine content updates)
  • ✅ Username blacklist (common names)
  • ❌ IP whitelist (unless office-only admin access)

Settings:

Login URL: unique-slug
CAPTCHA: Cloudflare Turnstile
Max Retries: 4
Lockout Duration: 30 minutes
2FA: Enabled, enforced for Admins/Editors
Activity Log: All events except updates
Auto-cleanup: 90 days
Username Blacklist: admin,administrator,test,demo

E-commerce Site

Focus: Maximum Security

Recommended:

  • ✅ Custom login URL
  • ✅ CAPTCHA (Cloudflare Turnstile)
  • ✅ Strict login limiting (3 attempts, 60 min)
  • ✅ 2FA enforced for all users
  • ✅ IP whitelist for admin users
  • ✅ Comprehensive activity logging
  • ✅ WooCommerce events logging
  • ✅ Email provider configured

Settings:

Login URL: complex-unique-slug
CAPTCHA: Cloudflare Turnstile
Max Retries: 3
Lockout Duration: 60 minutes
2FA: Enforced for all users, 7-day grace
Activity Log: All events including WooCommerce
Auto-cleanup: 180 days
IP Whitelist: Admin IPs only
Username Blacklist: extensive list

Development/Staging Site

Focus: Access Control

Recommended:

  • ✅ IP whitelist (office/VPN IPs)
  • ✅ Site-wide blocking
  • ✅ Temporary user access for clients
  • ❌ CAPTCHA (redundant only while the IP whitelist is actually enforced; turn it back on before the site opens up)
  • ❌ Login limiting (same caveat; a whitelisted VPN egress shared by many people still benefits from it)
  • ✅ Activity log (for debugging)

Settings:

Site-Wide Blocking: Enabled
IP Whitelist: Office IPs, developer VPN
Custom Login URL: optional
Activity Log: All events for debugging

Membership Site

Focus: User Management + Protection

Recommended:

  • ✅ Custom login URL
  • ✅ CAPTCHA (to prevent fake registrations)
  • ✅ Login limiting (lenient: 7 attempts, 15 min)
  • ✅ 2FA optional for users, enforced for staff
  • ✅ Activity log (user management events)
  • ✅ Email provider for reliable email 2FA

Settings:

Login URL: unique-slug
CAPTCHA: reCAPTCHA v2 (visible, prevents spam signups)
Max Retries: 7 (users forget passwords)
Lockout Duration: 15 minutes
2FA: Optional for members, enforced for staff
Activity Log: User and content events

Password Requirements

Guard Dog works best with strong passwords. Enforce these requirements using WordPress or a plugin:

Minimum Standards

  • Length: Minimum 12 characters (16+ recommended)
  • Complexity: Mix of uppercase, lowercase, numbers, symbols
  • Uniqueness: Not reused from other sites (leaked passwords are replayed in credential-stuffing attacks) or from previous passwords
  • Not common: Not in common or breached password lists

Password Manager Recommendation

Encourage all users to use password managers:

  • 1Password
  • Bitwarden
  • LastPass
  • Dashlane

Benefits:

  • Generate strong unique passwords
  • Remember them automatically
  • Fewer typos (fewer lockouts)
  • Many can also store TOTP secrets; convenient, but it puts both factors in one vault, so protect the manager itself with a strong master password and its own 2FA

Two-Factor Authentication Best Practices

Rollout Strategy

Don’t surprise users. Communicate clearly:

Week 1: Announcement

Subject: Enhanced Security Coming to [Site Name]

We're implementing two-factor authentication (2FA) to better protect 
your account. Starting [date], all users will be required to enable 2FA.

What you need to do:
1. Download an authenticator app (we recommend Google Authenticator or Microsoft Authenticator)
2. Enable 2FA in your profile before [date]
3. Save your recovery codes in a safe place

Need help? We've prepared a step-by-step guide: [link]

Week 2: Reminders

  • Email users who haven’t enabled 2FA
  • Provide setup assistance
  • Answer questions

Week 3+: Enforcement

  • Enable enforcement
  • Set 7-day grace period
  • Continue support

Recovery Code Management

For administrators:

  • Store recovery codes in password manager
  • Print and secure in safe/lockbox
  • Keep multiple copies in different locations
  • Never email recovery codes

For organizations:

  • Document 2FA reset procedures
  • Designate multiple admins who can reset 2FA
  • Maintain emergency access procedures
  • Test recovery process regularly

App-Based vs Email-Based 2FA

Use app-based for:

  • Administrators (more secure)
  • Editors (higher privilege)
  • Tech-savvy users
  • When email delivery is unreliable

Use email-based for:

  • Less technical users
  • Contributors/authors (lower privilege)
  • Temporary users
  • When app setup is barrier to adoption

Best: Offer both options and recommend app-based. An email code is only as strong as the mailbox it lands in: whoever controls a user’s email can also complete a password reset, so with email-only 2FA one compromised mailbox defeats both factors.
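To make the recovery-code guidance and the app-based recommendation above concrete, here is an added Python example (not Guard Dog's code; the page does not describe the plugin's internals) of the two pieces such a feature rests on: RFC 6238 TOTP verification with a one-step clock-drift window and replay rejection, and recovery codes that are shown once, stored only as hashes and consumed on first use. The 20-byte secret in `demo()` is the RFC 6238 test secret, so its output can be checked against the RFC's table.

```python
"""App-based 2FA (TOTP, RFC 6238) and single-use recovery codes.

Added example, not Guard Dog's implementation.
"""
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30      # seconds per TOTP code
DIGITS = 6
DRIFT_STEPS = 1     # accept one step either side for clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    return hotp(secret, unix_time // TIME_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1):
    """Return the matching counter, or None if the code is wrong or replayed.

    The caller persists the returned counter per user and passes it back as
    last_counter next time, so a captured code cannot be used twice."""
    base = unix_time // TIME_STEP
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        counter = base + delta
        if counter <= last_counter:
            continue                       # replay, or older than the last accepted code
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def generate_recovery_codes(count: int = 10):
    """Return (plaintext codes to show the user once, hashes to store).

    Each code is 40 random bits; single use plus the login limiter in front
    of it make a plain SHA-256 an adequate stored form."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_recovery_code(stored: set, code: str) -> bool:
    """Consume a recovery code; a second use of the same code fails."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    match = next((h for h in stored if hmac.compare_digest(h, digest)), None)
    if match is None:
        return False
    stored.remove(match)
    return True


RFC6238_SECRET = b"12345678901234567890"   # the RFC's published test secret


def demo():
    """Codes for three RFC 6238 test times, plus a replay check."""
    codes = [totp(RFC6238_SECRET, t) for t in (59, 1111111109, 1234567890)]
    first = verify_totp(RFC6238_SECRET, codes[0], 59)
    replay = verify_totp(RFC6238_SECRET, codes[0], 61, last_counter=first)
    return codes, first, replay


if __name__ == "__main__":
    print(demo())
    plain, hashes = generate_recovery_codes()
    print(plain[0], redeem_recovery_code(hashes, plain[0]), redeem_recovery_code(hashes, plain[0]))
```

The drift window is why a code that was valid a few seconds ago still works, and the stored last counter is why it only works once; both matter when you test the recovery process as the page advises.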


Access Control Strategies

Username Blacklist

Always blacklist these:

admin
administrator
root
test
demo
guest
user
support
webmaster
wp-admin

Consider blacklisting:

  • Ex-employee usernames
  • Generic role names
  • Company name variations

IP Whitelisting

Good for:

  • Office with static IP
  • Remote work via VPN with static IP
  • Sites with known, limited admin locations

Process:

  1. Get your static IP address
  2. Add to IP Whitelist
  3. Test from that IP
  4. Test from different IP (should be blocked)
  5. Verify whitelist is working

⚠️ Caution:

  • Dynamic IPs change (don’t whitelist)
  • ISP IPs may change periodically
  • Travel = can’t access site
  • Emergency access plan required
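An IP whitelist is only as good as the address it compares against. Behind a CDN or reverse proxy (the page recommends Cloudflare elsewhere), the connecting address is the proxy's, and the real client address arrives in a header that any direct client can forge. The Python below is an added example, not Guard Dog's code (how the plugin derives the client IP is not described on this page): it honours the forwarding header only when the connection comes from a trusted proxy range, then matches the result against whitelist CIDRs. The proxy range and whitelist entries are constructed documentation addresses; in production use your CDN's published ranges.

```python
"""Derive the client IP safely, then check it against an IP whitelist.

Added example, not Guard Dog's implementation. All addresses are constructed
(RFC 5737 documentation ranges); replace TRUSTED_PROXIES with the real,
published ranges of your CDN or reverse proxy.
"""
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]           # constructed
WHITELIST = [ipaddress.ip_network("198.51.100.7/32"),                # office, constructed
             ipaddress.ip_network("192.0.2.0/28")]                   # VPN egress, constructed


def client_ip(remote_addr: str, headers: dict):
    """Return the address to authorise.

    Forwarding headers are trusted only when the TCP peer is a trusted proxy;
    from anyone else they are attacker-controlled and ignored. Assumes a
    single trusted hop in front of the site."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer
    # Cloudflare sets CF-Connecting-IP to the true client address.
    if headers.get("CF-Connecting-IP"):
        return ipaddress.ip_address(headers["CF-Connecting-IP"].strip())
    # Generic proxies append to X-Forwarded-For. The RIGHTMOST entry is the one
    # our trusted proxy added; anything left of it may be client-supplied.
    xff = headers.get("X-Forwarded-For", "")
    if xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_whitelisted(remote_addr: str, headers: dict) -> bool:
    ip = client_ip(remote_addr, headers)
    return any(ip in net for net in WHITELIST)


if __name__ == "__main__":
    # Direct connection from the office: allowed.
    print(is_whitelisted("198.51.100.7", {}))
    # Direct connection forging the proxy header: header ignored, denied.
    print(is_whitelisted("198.51.100.99", {"CF-Connecting-IP": "198.51.100.7"}))
```

Two configuration mistakes this guards against: whitelisting the proxy's own range (which lets every visitor through the CDN in), and trusting the header unconditionally (which lets a direct request claim any address). Both are caught by the page's step 4, testing from a different, non-whitelisted network.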

Site-Wide Blocking Use Cases

Perfect for:

  • Maintenance mode – Block public, allow your IP
  • Pre-launch sites – Client review only
  • Staging environments – Development team only
  • Emergency lockdown – Under active attack

Process:

  1. Add your IP to whitelist first
  2. Enable site-wide blocking
  3. Test from different network
  4. Disable when done

Activity Log Best Practices

What to Log

Always log:

  • Security events (all)
  • User creation/deletion
  • Role changes
  • Login success/failure
  • 2FA changes
  • Plugin/theme changes

Optionally log:

  • Post creation/deletion
  • WooCommerce critical events
  • Settings changes

Don’t log (too verbose):

  • Post updates (every edit)
  • Profile updates (too frequent)
  • Menu updates (during editing)

Review Schedule

Daily: (for high-security sites)

  • Check for failed login patterns
  • Look for unexpected admin actions
  • Verify no unexpected lockouts

Weekly: (for most sites)

  • Review failed login attempts
  • Check for attack patterns
  • Verify expected user activity
  • Look for suspicious IP addresses

Monthly:

  • Export logs for archival
  • Clear old logs (if no auto-cleanup)
  • Review access control rules
  • Update IP whitelists/blacklists

Quarterly:

  • Full security audit using logs
  • Identify trends
  • Adjust settings based on patterns
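The weekly checks above (failed-login patterns, suspicious addresses, unexpected admin actions) can be scripted against an exported log. The Python below is an added example, not part of Guard Dog, and the JSON-lines records it parses are constructed for illustration; the plugin's actual export format is not described on this page, so adapt the field names. It flags brute force from one address, password spraying across many usernames, attempts against blacklisted usernames, a success that follows a run of failures from the same address (the pattern that most needs a human look), and role changes.

```python
"""Triage an exported activity log for the patterns the review schedule asks about.

Added example, not Guard Dog's code. The record format is constructed: one
JSON object per line with ts, event, user, ip and an optional detail field.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

BLACKLISTED_USERS = {"admin", "administrator", "root", "test", "demo", "guest",
                     "user", "support", "webmaster", "wp-admin"}
BRUTE_FORCE_THRESHOLD = 10      # failures from one IP
SPRAY_THRESHOLD = 5             # distinct usernames tried from one IP
FAILURES_BEFORE_SUCCESS = 3     # consecutive failures preceding a success from the same IP

# Constructed sample export (not real traffic).
SAMPLE_LOG = """\
{"ts":"2024-03-04T02:10:05Z","event":"login_failed","user":"admin","ip":"198.51.100.23"}
{"ts":"2024-03-04T02:10:06Z","event":"login_failed","user":"administrator","ip":"198.51.100.23"}
{"ts":"2024-03-04T02:10:07Z","event":"login_failed","user":"test","ip":"198.51.100.23"}
{"ts":"2024-03-04T02:10:08Z","event":"login_failed","user":"jane","ip":"198.51.100.23"}
{"ts":"2024-03-04T02:10:09Z","event":"login_failed","user":"editor","ip":"198.51.100.23"}
{"ts":"2024-03-04T02:10:10Z","event":"login_failed","user":"shop","ip":"198.51.100.23"}
{"ts":"2024-03-04T09:00:00Z","event":"login_failed","user":"jane","ip":"203.0.113.5"}
{"ts":"2024-03-04T09:00:20Z","event":"login_failed","user":"jane","ip":"203.0.113.5"}
{"ts":"2024-03-04T09:00:40Z","event":"login_failed","user":"jane","ip":"203.0.113.5"}
{"ts":"2024-03-04T09:01:00Z","event":"login_success","user":"jane","ip":"203.0.113.5"}
{"ts":"2024-03-04T09:05:00Z","event":"role_changed","user":"jane","ip":"203.0.113.5","detail":"editor -> administrator"}
{"ts":"2024-03-04T10:00:00Z","event":"login_success","user":"bob","ip":"192.0.2.9"}
"""


def parse_log(text):
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["ts"])


def triage(records):
    findings = defaultdict(list)
    failures_per_ip = Counter()
    users_per_ip = defaultdict(set)
    streak = Counter()                 # consecutive failures per IP, reset by a success

    for r in records:
        ip, user, event = r["ip"], r.get("user", ""), r["event"]
        if event == "login_failed":
            failures_per_ip[ip] += 1
            users_per_ip[ip].add(user)
            streak[ip] += 1
            if user in BLACKLISTED_USERS:
                findings["blacklisted_username"].append((ip, user))
        elif event == "login_success":
            if streak[ip] >= FAILURES_BEFORE_SUCCESS:
                findings["success_after_failures"].append((ip, user, streak[ip]))
            streak[ip] = 0
        elif event == "role_changed":
            findings["role_change"].append((user, r.get("detail", "")))

    for ip, n in failures_per_ip.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings["brute_force"].append((ip, n))
    for ip, users in users_per_ip.items():
        if len(users) >= SPRAY_THRESHOLD:
            findings["password_spray"].append((ip, len(users)))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{kind}: {items}")
```

On the constructed sample, the 02:10 burst is below the brute-force threshold but is flagged as spraying (six usernames from one address, three of them on the blacklist), and jane's success after three failures followed by a promotion to administrator is exactly the sequence the emergency procedures section tells you to investigate.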

Log Retention

Personal blog: 30-60 days

Business site: 90-180 days

E-commerce: at least 1 year (PCI DSS requires 12 months of audit log history, with the most recent 3 months immediately available); 1-2 years is typical

Regulated industries: Check your compliance requirements (often 1-7 years)


Temporary User Access Best Practices

Naming Conventions

Use descriptive usernames:

Good:

  • client_acme_jan24
  • contractor_webdev_project1
  • support_ticket_5678

Bad:

  • temp1
  • john
  • test

Expiry Guidelines

Use Case           | Recommended Expiry        | Login Limit
-------------------|---------------------------|--------------
Client review      | 7-14 days                 | Unlimited
Developer project  | Project length + 3 days   | Unlimited
Support ticket     | 1-3 days                  | 3-5 logins
One-time access    | 1 day                     | 1 login
Testing/QA         | 3-7 days                  | 10-20 logins

Security

Do:

  • Use minimum necessary role
  • Set appropriate expiry
  • Send access link securely
  • Delete when no longer needed
  • Monitor temporary user activity in logs

Don’t:

  • Give Administrator unless absolutely necessary
  • Use long expiry periods
  • Share access links publicly
  • Reuse temporary users

Email Provider Best Practices

Choosing Provider

For most sites: Resend (simple, generous free tier)

For high volume: Amazon SES (most cost-effective)

For enterprise: SendGrid (advanced features, support)

DNS Authentication

Always configure:

  • SPF record (sender authentication)
  • DKIM record (message authentication)
  • DMARC record (policy enforcement)

Benefits:

  • Much better deliverability
  • Far fewer messages land in spam
  • Professional appearance
  • Required by some email providers
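A quick syntax check of the records you publish catches the common mistakes: an SPF record ending in `+all` (which authorises every sender), more than ten DNS-querying mechanisms (the RFC 7208 limit, beyond which receivers return a permanent error), and a DMARC policy left at `p=none` with no reporting address. The Python below is an added example, not part of Guard Dog; the records it checks are constructed strings, so in practice you would feed it the TXT records fetched for your own domain.

```python
"""Sanity-check SPF and DMARC TXT record strings. Added example, not Guard Dog's code."""
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str):
    """Return a list of problems; empty means the record looks sound."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    lookups = 0
    for term in terms[1:]:
        # strip qualifier, then take the mechanism/modifier name
        name = re.sub(r"^[+\-~?]", "", term).split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms (RFC 7208 limit is 10)")
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        problems.append(f"'{terms[-1]}' authorises every sender; end with -all or ~all")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("no terminal all or redirect; unlisted senders get a neutral result")
    return problems


def check_dmarc(record: str):
    """Return a list of problems; empty means the record looks sound."""
    problems = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v", "").strip() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "").strip()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none only monitors; move to quarantine or reject once reports are clean")
    if "rua" not in tags:
        problems.append("no rua= address, so you receive no aggregate reports")
    return problems


if __name__ == "__main__":
    # Constructed records, not a real provider's values.
    print(check_spf("v=spf1 include:mail.example.net -all"))
    print(check_spf("v=spf1 include:mail.example.net +all"))
    print(check_dmarc("v=DMARC1; p=none"))
```

This is a syntax check only; it does not resolve the includes or confirm that your provider's sending hosts are actually covered, so still send a test message and read the Authentication-Results header at the receiving end.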

From Address

Best practices:

  • Use real domain you own (not gmail.com)
  • Use a dedicated subdomain for transactional mail, so its sending reputation stays separate from your main domain
  • Descriptive from name: “YourSite Security”
  • Never use fake/unowned domains

Monitoring & Maintenance

Weekly Tasks

  • [ ] Review Activity Log for anomalies
  • [ ] Check for failed login patterns
  • [ ] Verify 2FA is working (test login)
  • [ ] Review any lockouts (legitimate users?)

Monthly Tasks

  • [ ] Review and update IP whitelists/blacklists
  • [ ] Check temporary users (delete unneeded)
  • [ ] Export Activity Log (for records)
  • [ ] Review plugin settings
  • [ ] Test recovery procedures

Quarterly Tasks

  • [ ] Full security audit
  • [ ] Review all whitelisted IPs (still needed?)
  • [ ] Update password on critical accounts
  • [ ] Generate new 2FA recovery codes
  • [ ] Review and update username blacklist
  • [ ] Check Activity Log database size
  • [ ] Test disaster recovery procedures

Annual Tasks

  • [ ] Complete security review
  • [ ] Rotate custom login URL
  • [ ] Review all user accounts
  • [ ] Update security documentation
  • [ ] Train users on security practices
  • [ ] Audit access control rules

Disaster Recovery

Before Disaster Strikes

Document everything:

  • Custom login URL (encrypted, secure location)
  • IP whitelists (who and why)
  • 2FA recovery codes (secure storage)
  • Email provider credentials
  • Admin credentials
  • Emergency procedures

Have backup access:

  • Multiple administrators with 2FA
  • FTP/database access credentials
  • Hosting account access
  • Emergency contact list

Test recovery:

  • Quarterly: Test FTP access
  • Quarterly: Test database access
  • Annually: Full disaster recovery test

Emergency Procedures

If site is compromised:

  1. Immediate:
  • Enable site-wide blocking (whitelist only your IP)
  • Change all passwords, and rotate the authentication keys and salts in wp-config.php so every existing login session is invalidated
  • Review all user accounts
  • Check Activity Log for unauthorized actions
  2. Investigation:
  • Export complete Activity Log, and take a backup of the site before changing anything so evidence survives the cleanup
  • Identify attack vector
  • Assess damage
  • Document timeline
  3. Remediation:
  • Update WordPress/plugins/themes
  • Remove any malicious code
  • Reset all user passwords
  • Force 2FA setup for all users
  • Review and tighten security settings
  4. Post-incident:
  • Update security procedures
  • Communicate with users (if needed)
  • Implement additional safeguards
  • Consider professional security audit

Defense in Depth

Guard Dog is one layer of security. Complement it with:

Server Level

  • ✅ Keep server software updated
  • ✅ Configure firewall properly
  • ✅ Use HTTPS (TLS) everywhere, including the login URL
  • ✅ Secure SSH access
  • ✅ Regular server backups

WordPress Level

  • ✅ Keep WordPress core updated
  • ✅ Keep all plugins updated
  • ✅ Keep themes updated
  • ✅ Delete unused plugins/themes
  • ✅ Use security headers

Application Level

  • ✅ Use Guard Dog features
  • ✅ Strong passwords
  • ✅ Regular backups
  • ✅ Malware scanning
  • ✅ File integrity monitoring

Network Level

  • ✅ Use CDN (Cloudflare)
  • ✅ DDoS protection
  • ✅ Geographic blocking
  • ✅ Rate limiting

Human Level

  • ✅ User education
  • ✅ Security awareness training
  • ✅ Phishing resistance
  • ✅ Social engineering awareness

Common Mistakes to Avoid

❌ Setting and Forgetting

Wrong: Enable Guard Dog features and never review them again

Right: Regular reviews, update settings based on activity logs, maintain documentation

❌ Too Restrictive Too Fast

Wrong: Enable all features at maximum security immediately

Right: Gradual rollout, start lenient and tighten based on needs, communicate with users

❌ No Documentation

Wrong: Only one person knows the custom login URL and security setup

Right: Secure documentation, multiple administrators, emergency procedures

❌ Ignoring Activity Logs

Wrong: Enable logging but never review

Right: Regular log review, act on patterns, use logs for troubleshooting

❌ Weak Passwords with 2FA

Wrong: “2FA makes password strength irrelevant”

Right: 2FA and strong passwords, defense in depth

❌ No Recovery Plan

Wrong: Lose 2FA device and recovery codes with no backup plan

Right: Recovery codes in secure storage, multiple admins, documented procedures

❌ Sharing Access Links Publicly

Wrong: Post temporary user access link in email, Slack, public forum

Right: Secure sharing only, encrypted messaging, password managers

❌ Never Testing

Wrong: Assume everything works without testing

Right: Regular testing of 2FA, recovery procedures, backups


Compliance Considerations

GDPR (EU)

Guard Dog can help with GDPR:

  • ✅ Data security (required)
  • ✅ Activity logging (accountability)
  • ✅ Access control (data protection)

Your responsibilities:

  • Update privacy policy
  • Inform users about data collection
  • Provide data export capability
  • Honor data deletion requests
  • IP addresses in the Activity Log are personal data: cover them in your privacy policy and keep retention to what you can justify

PCI DSS (Payment Cards)

If accepting payments:

  • ✅ 2FA required for card data access
  • ✅ Activity logging required
  • ✅ Access control required
  • ✅ Password complexity required

Guard Dog helps with these requirements.

HIPAA (Healthcare)

If handling health data:

  • ✅ Access control required
  • ✅ Audit trails required (activity log)
  • ✅ 2FA strongly recommended
  • ✅ Automatic logout required

Guard Dog provides these features.

Industry-Specific

Check your industry requirements for:

  • Multi-factor authentication mandates
  • Log retention periods
  • Access control standards
  • Password complexity rules
  • Incident response procedures