WordPress Basic Security

August 2020 | John Binzak

Overview

Website security is an important topic that most people understand at a high level and realize they should take action on. However, it tends to get put on the back burner until there is a fire.

A compromised website can cause serious damage to your business in both the near and long term. There is an immediate cost associated with fixing the security issue, as well as long-term drops in revenue due to damage to your brand's reputation.

Just as a business owner protects their physical store, you need to protect your digital business with the same effort. In this article we go over five basic security areas that you can take action on immediately.

Keep Tools Up To Date

Most of the modern web is built from open source tools. This means those tools are constantly evolving and being updated. WordPress is a prime example of this.

By default, WordPress will automatically install minor updates, but for major updates you need to manually initiate the update. How will you know when a new update is released? You can always check with us, but the main way you will determine this is through your own website. WordPress notifies users through the admin dashboard when a new release is ready.

These WordPress updates are extremely important for the security and stability of your website. Security patches are released regularly. You need to make sure that your WordPress plug-ins, themes, and core website are up to date.

WordPress is built in PHP, so you need to update PHP as well when new releases are available. Security patches ship with pretty much every new version of PHP, and skipping these updates leaves your site vulnerable. How will you know when a new PHP version is available? You can either check in with us or the official PHP project website.

Strong Credentials

The most common hacking attempt is to steal passwords. So not only is it a good idea to avoid simple passwords, but it is also important to have a policy around changing passwords regularly. Don't worry, you don't need to change your password every day. However, changing your password every 90 days is a good rule of thumb.

Not only do you need to consider WordPress user passwords, you also need to manage the passwords for your infrastructure. This includes the password to your database, the password to your FTP account, and the password to your hosting account.

User Privileges

Not only do you need to worry about your own passwords and your own account being compromised, you also need to worry about the accounts of your teammates. The first step is obviously making sure people follow the password policy. The second step is making sure that each of your teammates has only the permissions they need. To keep it simple, reduce the number of people who have admin access to your WordPress website.

You should make it a policy to review the user accounts on your website at least every 90 days. Remove the users that no longer need access and change the permissions of users where applicable.
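The 90-day review above and the update checks in the Keep Tools Up To Date section can be automated from inside WordPress itself. The following must-use plugin is an added example, not code from the article: it uses WordPress's own cron, user and update APIs, and the plugin name, hook names (qsr_*) and file path are assumptions.

```php
<?php
/**
 * Plugin Name: 90-Day Security Review Reminder (added example, not the article's code)
 * Emails the site admin the current administrator accounts and pending updates
 * every 90 days. Hypothetical path: wp-content/mu-plugins/quarterly-review.php
 */
// WordPress ships only hourly/twicedaily/daily intervals; register a 90-day one.
add_filter( 'cron_schedules', function ( $schedules ) {
    $schedules['every_90_days'] = array( 'interval' => 90 * DAY_IN_SECONDS, 'display' => 'Every 90 days' );
    return $schedules;
} );

// Schedule the review once; WP-Cron fires it on the first request after it is due.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'qsr_quarterly_review' ) ) {
        wp_schedule_event( time(), 'every_90_days', 'qsr_quarterly_review' );
    }
} );
add_action( 'qsr_quarterly_review', 'qsr_send_review_report' );

function qsr_build_review_report() {
    // Part 1: who holds administrator rights right now. Everyone listed should
    // still need it; remove or downgrade the rest.
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login', 'user_email', 'user_registered' ) ) );
    $lines  = array( sprintf( 'Administrator accounts: %d', count( $admins ) ) );
    foreach ( $admins as $u ) {
        $lines[] = sprintf( ' - %s <%s>, registered %s', $u->user_login, $u->user_email, $u->user_registered );
    }

    // Part 2: pending updates. Refresh the update transients first: cron runs
    // without a logged-in user, and the dashboard counters require one.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();
    $core    = get_site_transient( 'update_core' );
    $plugins = get_site_transient( 'update_plugins' );
    $themes  = get_site_transient( 'update_themes' );
    $lines[] = sprintf(
        'Pending updates: core %s, plugins %d, themes %d',
        ( ! empty( $core->updates ) && 'upgrade' === $core->updates[0]->response ) ? 'yes' : 'no',
        empty( $plugins->response ) ? 0 : count( $plugins->response ),
        empty( $themes->response ) ? 0 : count( $themes->response )
    );
    $lines[] = 'PHP in use: ' . PHP_VERSION . ' (compare with the current release on php.net).';
    return implode( "\n", $lines );
}
function qsr_send_review_report() {
    wp_mail( get_option( 'admin_email' ), '[' . get_bloginfo( 'name' ) . '] 90-day security review', qsr_build_review_report() );
}
```

WP-Cron only runs when the site receives traffic, so on a quiet site the email may arrive a little late; hosts that run WP-Cron from a real system cron job avoid that delay.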

Website Hosting

The hosting solution you use for your WordPress website plays an equally important role in the security of your business. Options range from managed services such as Bluehost to more configurable infrastructure services such as AWS.

If you are not familiar with managing custom infrastructure, then you are better off using an out-of-the-box solution. Good web hosting services continuously monitor their network for suspicious activity and help prevent simple security issues.

Another consideration with WordPress hosting is backups. If your site does face a security issue and its content or files have been modified, are you able to revert to the state before the attack? With automatic backups, you would be able to do so. Some solutions offer this as a service, possibly for a fee, while others do not. So depending on your budget, you may want to consider this.

Depending on your current technology stack and your roadmap, you might want a more robust and configurable cloud computing environment. However, if you are just focusing on hosting your WordPress website, we recommend WPEngine. They are the most popular solution for simple WordPress hosting.

HTTPS vs HTTP

Using an SSL certificate not only adds security to your website, it also adds trust. HTTPS protects users against man-in-the-middle (MitM) attacks, a technique hackers use to steal your customers' sensitive information.

Implementing HTTPS, by using an SSL certificate, encrypts any data transmitted between your web server and the browser of a user interacting with your website.

In most modern browsers a green padlock will be displayed on a secure site that uses HTTPS with a valid SSL certificate. This simple visual cue gives your users confidence that their data is safe.
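Installing the certificate is only half of the job; the site also has to refuse to serve pages over plain HTTP, otherwise a visitor who types the http:// address is still exposed. The must-use plugin below is an added example, not code from the article, and assumes a valid certificate is already installed and that the WordPress Address and Site Address settings already use https://; the plugin name and file path are assumptions.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example, not the article's code)
 * Redirects plain-HTTP requests to HTTPS and tells browsers to keep using it.
 * Assumes a valid certificate is installed and the WordPress Address / Site
 * Address settings use https://. Hypothetical path: wp-content/mu-plugins/force-https.php
 */

// Pair this with define( 'FORCE_SSL_ADMIN', true ); in wp-config.php so the
// login page and dashboard are never served over plain HTTP.

// If a load balancer or CDN terminates TLS, PHP sees plain HTTP and is_ssl()
// returns false, so the redirect below would loop. Honour the proxy's header,
// but only on hosts where every request really does arrive through that proxy;
// otherwise a client could set the header itself and skip the redirect.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Send every plain-HTTP front-end request to the same URL over HTTPS.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 'https' );
    // wp_safe_redirect() only allows this site's own host, so a forged Host
    // header cannot turn this into a redirect to an attacker's domain.
    wp_safe_redirect( $target, 301 );
    exit;
} );

// HSTS: once a browser has seen this header it requests HTTPS directly for the
// next year, so a MitM cannot downgrade a returning visitor to HTTP. Test with
// a short max-age first; a long one is hard to take back if HTTPS breaks.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );
```

After enabling it, load the site over http:// and confirm you land on https:// with the padlock shown; a padlock with a warning usually means a theme or plugin still embeds an http:// image or script (mixed content), which this redirect does not fix.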

Summary

Website security is an important and ever-evolving topic; however, these five basic security concepts are constants and should always be addressed. It is best practice to create a recurring task to revisit all of these at least every 90 days.

There are always new ways for hackers to attempt to steal or compromise your data and website. More advanced security measures can be implemented to help prevent security breaches. We address some of the more advanced measures in other articles, but for now we hope these basic checks help make your website more secure immediately.