It’s important to keep people that don’t belong from gaining access to your website and file system. It is just as important to keep your site online during an attack. We have a checklist of common settings that wards off attacks and keeps your website as safe as possible.
Implementing WordPress security best practices requires additional security plugins: plugins that force you to follow best practices such as two-step authentication, HTTPS/SSL, correct file permissions, and password complexity, and that also protect you from brute force attacks.
You are busy and might not have time to review and react when a vulnerability is found. We monitor vulnerability announcements for all code and plugins used by our clients so that severe vulnerabilities can be patched as quickly as possible.
The main software platform officially released by WordPress is updated on a regular basis. These updates include usability improvements, security patches, and performance boosts. It’s important to stay on the latest version.
The WordPress plugin directory contains 55,000+ plugins, and some WordPress installations have more than 20 plugins installed. Any one of those could have a vulnerability, and if it isn’t updated, your site could be at risk.
The wait-and-see plan isn’t good enough; security should be an important part of being a good digital citizen. Sites we manage are updated monthly, saved safely in source control (SCM), and tested by a human.
Software is patched monthly and settings are reviewed. After code is updated on a staging server, we have our team review the changes and update the live site.
Monthly reports are sent to each of our customers notifying them that we have completed the updates and if any issues were found.
WordPress isn’t hardened by default, and working with someone that doesn’t take security seriously might leave it that way. This doesn’t make WordPress insecure; most platforms are not entirely secure out of the box. Security starts with code and also involves your web server, password policies and best practice adoption (like two-factor authentication). With the right configuration, your website can be secure.
Simple answer… Fix it. The cost of fixing code that is broken due to an upgrade is far cheaper than dealing with any kind of security issue. If you are at a point where you can no longer update your website because of breaking changes in your code, this is not where you want to be. Even if a plugin needs to be entirely replaced, it’s still a good idea.
If too much time passes before you update your WordPress plugins, you might be at significant risk. Once a vulnerability is found, it becomes public knowledge. Hackers can easily exploit sites that don’t maintain their plugins, using Cross-Site Scripting (XSS), SQL injection, code injection or other attacks, all designed to wreak havoc on you.
Securing WordPress should be approached from the code, the server, and the configuration. At a minimum you should:
NOTE: If PCI or PII information is stored on your website there are additional steps that should be taken.
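A few of the server and configuration checks referred to above can be automated. The script below is an added example, not the agency’s own tooling: it audits a WordPress directory for permissive file modes and for three real wp-config.php constants (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG). The sample install it builds in a temporary directory is constructed for the demonstration, and the recommended modes (755 for directories, 644 for files, 600/640 for wp-config.php) are the usual hardening guidance, not settings taken from this page.

```python
"""Audit a WordPress install for basic hardening: restrictive file
permissions and a few wp-config.php constants.  Added example; the
sample site it builds is constructed, not a real install."""
import os
import re
import stat
import tempfile

# wp-config.php constants a hardened production site sets (real WordPress constants).
EXPECTED_CONSTANTS = {
    "DISALLOW_FILE_EDIT": "true",   # disables the theme/plugin editor in wp-admin
    "FORCE_SSL_ADMIN": "true",      # requires HTTPS for logins and the admin area
    "WP_DEBUG": "false",            # no debug output on a production site
}

# Matches boolean define() calls such as define('WP_DEBUG', false);
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)


def parse_defines(config_text):
    """Return {CONSTANT: 'true'|'false'} for boolean define() calls in wp-config.php."""
    return {name: value.lower() for name, value in DEFINE_RE.findall(config_text)}


def check_wp_config(config_text):
    """List constants that are missing or set to an insecure value."""
    defines = parse_defines(config_text)
    findings = []
    for name, wanted in EXPECTED_CONSTANTS.items():
        actual = defines.get(name)
        if actual is None:
            findings.append(f"{name} not defined (expected {wanted})")
        elif actual != wanted:
            findings.append(f"{name} is {actual}, expected {wanted}")
    return findings


def check_permissions(root):
    """Flag entries writable by group/others, and a wp-config.php readable by others.
    Recommended modes: 755 for directories, 644 for files, 600/640 for wp-config.php."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{rel}: writable by group/others ({mode:o})")
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append(f"{rel}: wp-config.php readable by others ({mode:o})")
    return findings


def audit_site(root):
    """Run the config and permission checks on a WordPress root directory."""
    config_path = os.path.join(root, "wp-config.php")
    findings = []
    if os.path.isfile(config_path):
        with open(config_path, encoding="utf-8") as fh:
            findings += check_wp_config(fh.read())
    else:
        findings.append("wp-config.php not found")
    findings += check_permissions(root)
    return findings


def build_sample_site(root):
    """Create a constructed, deliberately sloppy install layout for the demo."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w", encoding="utf-8") as fh:
        # Debug left on, editor not disabled, SSL admin correctly forced.
        fh.write("<?php\ndefine('WP_DEBUG', true);\ndefine('FORCE_SSL_ADMIN', true);\n")
    os.chmod(config, 0o644)                            # readable by others
    os.chmod(os.path.join(root, "wp-content"), 0o755)  # fine
    os.chmod(uploads, 0o777)                           # world-writable
    return root


def demo_findings():
    """Audit the constructed sample site and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_site(build_sample_site(tmp))


if __name__ == "__main__":
    for finding in demo_findings():
        print("FINDING:", finding)
```

Run it against a real document root instead of the sample by calling `audit_site("/path/to/wordpress")`; an empty list means the checked constants and modes are as expected, nothing more.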
Someone managing your site should focus on security. Weak security practices and bad code affect Drupal just as much as WordPress. There is no such thing as a platform that is secure and does everything out of the box. In case you haven’t heard about Drupalgeddon2: a bug in Drupal allows remote attackers without special roles or permissions to take complete control of Drupal 6, 7, and 8 sites.
New vulnerabilities are discovered all the time, so either you or your agency should subscribe to a vulnerability database like WPScan. With a subscription, you can get real-time notifications when vulnerabilities are found. Our team knows the plugins used on each site we’ve built, and customers using our WordPress update service get their site patched quickly afterward.
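The monitoring step described above comes down to knowing each site’s plugin versions and comparing them with the advisories a database publishes. The script below is an added example of that comparison, not the agency’s process or WPScan’s API: the plugin slugs, versions and advisories are constructed, and the only assumption about an advisory is that it names the affected plugin and the first fixed version (or no fixed version yet).

```python
"""Compare installed plugin versions with vulnerability advisories and say
what to do about each match.  Added example with constructed data; the
advisory shape is an assumption, not any real database's format."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    slug: str                    # plugin directory slug
    fixed_in: Optional[str]      # first patched version, or None if no patch exists yet
    title: str                   # short description from the advisory


def parse_version(version):
    """'1.10.2' -> (1, 10, 2); pads to three parts so '1.10' compares equal to '1.10.0'.
    Non-numeric suffixes (e.g. '2.0-beta') are dropped from the component."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def affected(installed, advisories):
    """Return (slug, installed_version, fixed_in, title) for every advisory that
    applies to an installed plugin whose version is below the fixed version."""
    hits = []
    for adv in advisories:
        version = installed.get(adv.slug)
        if version is None:
            continue  # plugin not installed on this site
        if adv.fixed_in is None or parse_version(version) < parse_version(adv.fixed_in):
            hits.append((adv.slug, version, adv.fixed_in, adv.title))
    return hits


def report(hits):
    """One action line per hit: update when a fix exists, otherwise disable."""
    lines = []
    for slug, version, fixed_in, title in hits:
        action = f"update to {fixed_in}" if fixed_in else "no fix yet: disable or replace"
        lines.append(f"{slug} {version}: {title} -> {action}")
    return lines


# Constructed sample data: a site's installed plugins and a small advisory feed.
INSTALLED = {"example-forms": "2.3.1", "example-gallery": "4.0.0", "example-seo": "1.8.0"}
ADVISORIES = [
    Advisory("example-forms", "2.4.0", "constructed: stored XSS in form settings"),
    Advisory("example-gallery", "3.9.2", "constructed: SQL injection in gallery filter"),
    Advisory("example-seo", None, "constructed: unpatched file inclusion"),
    Advisory("example-cache", "1.0.1", "constructed: CSRF in cache purge"),
]

if __name__ == "__main__":
    for line in report(affected(INSTALLED, ADVISORIES)):
        print(line)
```

In the sample, example-gallery is already past its fixed version and example-cache is not installed, so only example-forms (update available) and example-seo (no fix, so disable or replace) are reported; the report’s second case is the situation the “fix it, even if a plugin must be replaced” advice above is about.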
We’d be happy to create a game plan for keeping your site secure.