Securing WordPress: How to Make WordPress Websites Secure
One of our favorite content management systems (CMS) by far is WordPress for its versatility and usability. That being said, a recurring question on many of our clients’ minds is how to make a WordPress website secure, especially in industries that deal with sensitive information on a daily basis. As a result, WordPress website security has always been a top priority for us during our WordPress website builds.
Our Best Practices for WordPress Website Security
You don’t technically need a team or agency to keep your website secure. However, you should have someone within your organization tasked with staying on top of updates and website security issues. If not, you’re leaving your website exposed to hackers and countless vulnerabilities. To prevent this, we at Bytes.co employ a defense-in-depth strategy and follow best practices to keep our clients’ WordPress websites secure.
Always Use Strong Authentication
First and foremost, we always require our hosting clients to have strong passwords, and offer two factor authentication when requested. The strongest passwords are those that use a mixture of non-sequential uppercase and lowercase letters, numbers, and characters. Best practices also say to avoid using any public knowledge, such as your company name or domain, in your password.
For our clients, security breaches typically occur when password best practices are not being followed. Even if the client created a strong password, if that password is being reused on another website, hackers may try to use that breached username and password on many other websites as well.
Seeing as strong passwords are often difficult to remember, we highly recommend using a password manager such as LastPass. To further strengthen your WordPress user accounts, consider two factor authentication by Duo or WordFence. Two factor authentication simply means that you have to confirm your identity twice before logging in somewhere– once with your password, and again by entering a security code from another device. This simple extra step when combined with a strong password makes a hacker’s job that much harder.
The Importance of Software Updates
Why are software updates so important? When targeting a website, most hackers look for well known vulnerabilities. This means that software companies are likely already aware of the issue and have created or are actively working on a security update. The responsibility then falls on the user to perform the update after its release.
To keep a WordPress website secure, users need to make sure that they’re performing updates on their WordPress core, themes, server, and on any plugins that they may have installed. While WordPress Core has a dedicated security team, potential vulnerabilities may lie within other layers of a WordPress website, such as in its plugins or themes. WordPress plugin vulnerabilities are an especially common route for attacks.
Additionally, it’s important to be aware of a plugin’s origins. For example, most plugins found in the WordPress Plugin Directory are likely safe to install on your website. Third-party plugins may present more of a risk, as they may not be as well reviewed for any potential vulnerabilities. When selecting third-party plugins, it is important to choose trusted vendors that actively support and maintain their products.
WordPress now also has the ability to perform automatic updates. Although helpful, this alone is not enough to keep things running smoothly. Without testing prior to implementation, automatic updates can break the functionality of your website and go unnoticed.
If you’re already a managed hosting client, have no fear. With our managed hosting services, we regularly check for and run updates on your website. We also have the ability to apply these updates first in a separate environment before pushing them live on your public-facing website. However, with our basic hosting plan, the responsibility to update plugins and WordPress core lies with the client.
Search & Test for Known WordPress Security Vulnerabilities
Another security strategy is to actively search for known vulnerabilities on your WordPress website. One essential tool is WPScan, which looks for many possible vulnerabilities hidden in your website’s layers.
When run, WPScan will identify any known vulnerabilities that may be present on your website. WPScan can also send direct email notifications of newly discovered plugin vulnerabilities. This helpful feature makes it possible for you or your support team to quickly take preventative action. All of our hosting clients on WordPress are already protected by WPScan, and our team of web developers are well equipped to patch any vulnerabilities that may be discovered.
At clients’ request, we also offer penetration testing via a partnership with a third party company. A penetration test can evaluate your website’s current level of security, identify potential areas for exploitation, and provide you with an idea of next steps to better secure your WordPress website. By employing both a proactive and reactive approach to website security, your website will be better equipped to handle any potential cyberattacks.
Invest in Web Application Firewall (WAF) Security
For even more security, we strongly recommend that all of our hosting clients invest in a web application firewall (WAF). A WAF inspects inbound web traffic to help search and identify things in your website’s traffic that look like attacks, and then blocks them.
We are increasingly promoting the Cloudflare WAF for this, as it helps keep our clients’ websites safe, online, and protected from bots and any unwanted traffic. Cloudflare as a company is developing quickly, and is making great strides in the website security realm. Recently, Cloudflare WAF proved its worth by helping to protect websites from the Apache Log4j vulnerability by preemptively blocking early attacks.
Enable Automated Backups
Although backups are not a preventative measure when it comes to website security, they are an important way to save your WordPress website in case of an attack. All of our hosting clients have automated backups of their websites. We run backups on a daily basis, and periodically test them to ensure that everything is running smoothly.
Without daily backups, you could lose out on all of the work, time, and money you’ve put into your website – effectively devaluing one of your organization’s greatest assets. We run our backups during our clients’ lowest daily traffic times, usually between the hours of 2:00 and 4:00 AM.
Manual backups are inadequate, as it’s easy to become lazy or to forget to run them. Automated, daily backups help to ensure that no more than a day’s work on your website is lost. This helps to minimize any potential damage to your website, and helps to ensure that your backups stay current.
Prioritize Website Security
All in all, there are a lot of moving parts when it comes to keeping your WordPress website secure. Even though there’s no one time solution when it comes to website security, it is essential for organizations to make security a priority and find the most cost effective ways to add layers to their defense.
In today’s online world, data and website security is more important now than ever before. Knowing that your hosting provider will be there to help in case things go wrong is invaluable. We pride ourselves on being that trusted host for our clients.
Our team of web developers are experts at building and securing all kinds of WordPress websites. Contact us with any questions regarding WordPress website security, or if you are interested in learning more about our hosting and support services. Feel free to reach out and schedule a website consultation with us – it’s free!