Over the last few weeks I have been asked many times by potential clients about WordPress as it relates to security.
Questions such as ‘Our IT department advised us that WordPress isn’t secure. Should we really be using it?’ or ‘I read an article about WordPress sites getting hacked. Will my site be secure?’ are becoming common, likely due to the overwhelming popularity of WordPress. Online security is more important than ever so these are very valid questions. Let’s take a look and discuss these concerns.
Think of your new WordPress site like a new house in the suburbs. Your builders will put a front door on your house with a nice strong lock, possibly even a deadbolt. That adds some basic security but if we’re being honest with ourselves we all know that this house could be broken into by using a crowbar on the door, smashing a window, etc. WordPress is similar in that the basic install provides some primary security but if you really hope to keep out the bad guys, you need to do a little extra work.
What does Visceral do to keep my WordPress site secure?
We take a lot of extra steps to make sure that the websites we build are secure. We view these things as best practices for building great websites so they’re just part of our overall process, not something we charge extra for.
Note that we’re about to enter the tech realm here so if nerd jargon isn’t your thing feel free to skim this next section and/or forward it to your IT staff if they have concerns.
Malware scans – Sites that we manage are routinely scanned for malware and viruses and reported to us if anything comes up. (Generally 2-3 times a month but this can be customized based on your site’s needs and/or during periods of increased threats)
Brute force protection – Users (most likely “bots”, automated scripts run by hackers) that fail to log in several times in a row with incorrect credentials are locked out.
404 detection – If a user (or bot) is hitting a large number of non-existent pages, they are usually scanning for something (presumably a vulnerability) and they get locked out.
Blacklists – We automatically block traffic from IP addresses and user agents known to be used by hackers and spam bots.
Disable directory browsing – Prevents users from seeing a list of files in a directory when no index file is present.
Unique database prefix – We change the default WordPress database prefix to something other than “wp_”. This guards against bots looking for the default setup.
Unique administrator login – WordPress’ default administrator account is named “admin” which means that’ll be the first thing hackers will try. We rename this to something unique to your site.
Site backups – For sites that we manage we do daily site database backups, weekly full site backups and continuous backups of the server itself. All backups are stored off-site for maximum protection.
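As an added illustration of the brute force and 404 detection items above (example code written for this post, not Visceral’s own tooling or any WordPress plugin), here is a small Python script that scans web server log lines and reports which clients should be locked out. The log lines are constructed, and the Apache combined log format plus the assumption that a failed wp-login.php POST returns HTTP 200 while a successful one redirects with 302 are mine.

```python
import re
from collections import Counter

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def _line(ip, method, path, status):
    """Build one constructed log line (sample data, not a real server log)."""
    return f'{ip} - - [10/Oct/2023:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample traffic: one password-guessing bot, one real user who
# mistypes twice and then succeeds, and one scanner probing for missing files.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line("198.51.100.4", "POST", "/wp-login.php", 200)] * 2
    + [_line("198.51.100.4", "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.9", "GET", f"/backup{i}.zip", 404) for i in range(25)]
    + [_line("198.51.100.4", "GET", "/about/", 200)]
)

def lockout_candidates(log_text, max_failed_logins=5, max_404s=20):
    """Return {ip: reason} for clients that should be locked out.

    Assumption: WordPress answers a failed login POST to wp-login.php with
    HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.
    """
    failed_streak = Counter()   # consecutive failed logins per IP
    not_found = Counter()       # 404 responses per IP
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            if status == 302:
                failed_streak[ip] = 0  # a successful login resets the streak
            else:
                failed_streak[ip] += 1
                if failed_streak[ip] >= max_failed_logins:
                    flagged.setdefault(ip, "brute force: %d failed logins in a row" % failed_streak[ip])
        elif status == 404:
            not_found[ip] += 1
            if not_found[ip] >= max_404s:
                flagged.setdefault(ip, "404 scan: %d missing pages requested" % not_found[ip])
    return flagged

if __name__ == "__main__":
    for ip, reason in lockout_candidates(SAMPLE_LOG).items():
        print(ip, "->", reason)
```

The user who mistyped twice is not flagged because the successful login resets the streak; the thresholds are the knobs a site owner would tune to their own traffic.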
What can I do to help keep my site secure?
Glad you asked! Security isn’t just a one-time thing during development. It’s an ongoing process that we need your help with. Here are a couple things that you can do while managing your site.
Set strong passwords – Many Internet users still choose passwords that are extremely simple and easy to guess. For five years running the web’s most popular passwords have been ‘123456’ and, wait for it… ‘password’. This is the digital equivalent of just leaving the front door wide open. Using strong passwords ensures that hackers will have a much harder time getting into your site. They can however be difficult to remember so we recommend a password manager application such as 1Password or LastPass, especially if you have several passwords to keep track of.
Don’t share passwords via email – We recommend that each site user has their own account and password, but if you absolutely must share a password with someone, avoid doing it via email as it’s likely insecure and could be intercepted. If you need to send someone a password consider using an encrypted message service like NoteShred.
Site updates – Any piece of software occasionally needs updates to keep it secure. You’ve likely experienced this yourself if you’ve used a Windows PC anytime in the last decade. WordPress is maintained by a massive community of developers so if security issues are found they’re generally patched very quickly. Keeping everything up-to-date ensures that the site stays secure long after it’s built. Visceral often handles this for our clients as part of our ongoing success plans but it’s likely something your IT staff could take over if they like.
And if I want to go above and beyond?
All of the above items will definitely help but we can go further still depending on how important security is to your organization. The options below generally have additional costs associated with them as they involve 3rd-party services and/or purchasing hardware.
SSL certificates – SSL is the technology used to encrypt data that’s sent over the web. You’ve most likely seen this in action whenever you’ve purchased something online. It’s essential for e-commerce sites but these days it’s recommended for all websites. Google now even uses it as a search engine ranking signal. SSL is relatively inexpensive and easy to set up. Visceral highly recommends adding it to all sites.
Hardware firewalls – Firewalls are security devices that live in front of your website to block malicious traffic. You can think of them as a giant brick wall around your house. Our hosting partner LiquidWeb has some more information and typical pricing on firewalls.
Content Delivery Networks (CDNs) – Services like CloudFlare offer both optimization for optimal load times and security features like protection against distributed denial-of-service (DDoS) attacks.
Let’s wrap up
What it all boils down to is that WordPress is just a tool like any other. With the right setup it can be powerful, flexible and secure. It’s the most popular CMS on the planet and secure enough to be used by the world’s leading brands, from The Walt Disney Company to CNN and Reuters.
Security is a multi-faceted topic, the scope of which far exceeds this short blog post. We’ve tried to showcase just a few of the things we can do and illustrate the seriousness of the topic itself, but of course each website will have its own individual security requirements. Contact us to discuss the unique needs for your site.