Security Best Practices
Keep your sites secure when using GrootMade
Follow these guidelines to maintain security while using GrootMade products.
API Key Security
Do's
- ✅ Use separate API keys per site
- ✅ Rotate keys periodically (every 90 days)
- ✅ Revoke keys for decommissioned sites
- ✅ Use environment variables for keys
Don'ts
- ❌ Share API keys publicly
- ❌ Commit keys to version control
- ❌ Use the same key across all sites
- ❌ Share keys with untrusted parties
Storing Keys Safely
```php
// wp-config.php
define('GROOTMADE_API_KEY', getenv('GROOTMADE_API_KEY'));
```
Or use a secrets manager like:
- AWS Secrets Manager
- HashiCorp Vault
- Environment variables
Update Security
Keep Auto-Updates Enabled
Auto-updates are your first line of defense:
- Security patches applied immediately
- Vulnerabilities fixed before exploitation
- No manual intervention required
Review Major Updates
For major version changes:
- Test on staging first
- Review changelog for breaking changes
- Backup before updating
- Have rollback plan ready
Security Update Priority
| Priority | Response Time |
|---|---|
| Critical | Immediate |
| High | Within 24 hours |
| Medium | Within 7 days |
| Low | Next update cycle |
Plugin Security
Our Security Measures
Every product in our library:
- 🔍 Scanned for malware before publishing
- 🔒 Checked for known vulnerabilities
- ✅ Verified GPL licensing
- 🔄 Re-scanned on updates
What We Check For
- Backdoors and malicious code
- Obfuscated code (red flag)
- Known vulnerability patterns
- Suspicious external connections
Your Responsibility
- Keep all plugins updated
- Remove unused plugins
- Review plugin permissions
- Monitor site behavior
WP Security
Essential Practices
Use Strong Passwords
- Minimum 16 characters
- Mix of letters, numbers, symbols
- Unique per site
- Use a password manager
Limit Login Attempts
Install a brute-force protection plugin:
- Limit failed attempts
- Add CAPTCHA
- Use 2FA
Regular Backups
Backup before any major changes:
- Daily automated backups
- Store off-site
- Test restoration
File Permissions
Recommended permissions:
| Item | Permission |
|---|---|
| Directories | 755 |
| Files | 644 |
| wp-config.php | 440 or 400 |
| .htaccess | 644 |
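To check an install against this table, here is an added shell example (not GrootMade's own tooling). It assumes GNU `stat(1)` and `find(1)` on the host, and builds a constructed sample tree with deliberate deviations so it can be run offline:

```shell
#!/bin/sh
# Audit a WordPress tree against the recommended permissions table.
# Added example, not GrootMade's own tooling. Assumes GNU stat(1)/find(1).

# audit_wp_perms ROOT: print one "MODE PATH (expected X)" line per
# directory or file whose mode differs from the table; nothing when clean.
audit_wp_perms() {
    root=$1
    find "$root" -type d | while read -r d; do
        m=$(stat -c '%a' "$d")
        [ "$m" = 755 ] || echo "$m $d (expected 755)"
    done
    find "$root" -type f | while read -r f; do
        m=$(stat -c '%a' "$f")
        case $f in
            */wp-config.php)
                case $m in
                    440|400) ;;
                    *) echo "$m $f (expected 440 or 400)" ;;
                esac ;;
            *) [ "$m" = 644 ] || echo "$m $f (expected 644)" ;;
        esac
    done
}

# count_findings ROOT: number of deviations, for scripting (0 means clean).
count_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# make_demo_site DIR: constructed sample install with three deliberate
# deviations (world-writable uploads dir, a 666 file in it, a 644
# wp-config.php) so the audit has something to report.
make_demo_site() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-admin"
    : > "$1/wp-config.php"; : > "$1/.htaccess"; : > "$1/index.php"
    : > "$1/wp-content/uploads/image.jpg"
    chmod 755 "$1" "$1/wp-content" "$1/wp-admin"
    chmod 644 "$1/.htaccess" "$1/index.php"
    chmod 777 "$1/wp-content/uploads"            # deviation 1
    chmod 666 "$1/wp-content/uploads/image.jpg"  # deviation 2
    chmod 644 "$1/wp-config.php"                 # deviation 3
}
```

Run `audit_wp_perms /path/to/wordpress` on a real install; it is read-only and prints only what differs from the table.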
Security Headers
Add to your .htaccess or server config:
```apache
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
```
Hosting Security
Choose Secure Hosting
Look for:
- Free SSL certificates
- Web Application Firewall (WAF)
- Malware scanning
- DDoS protection
- Regular backups
Server Hardening
- Disable directory browsing
- Block PHP execution in uploads
- Use SFTP, not FTP
- Keep server software updated
Incident Response
If You Suspect a Breach
1. Isolate — Take the site offline if possible
2. Assess — Check access logs and modified files
3. Clean — Remove malicious code and update all credentials
4. Restore — Use a clean backup if available
5. Harden — Implement additional security measures
6. Report — Notify affected parties if required
Reporting Security Issues
Found a vulnerability in GrootMade or our products?
Responsible Disclosure:
- Email: [email protected]
- PGP key available on request
- We respond within 24 hours
- No legal action for good-faith reports
Security Resources
Recommended Tools
- Wordfence — Firewall and malware scanner
- Sucuri — Website security platform
- WPScan — Vulnerability database
- VirusTotal — File scanning