Security

You know it makes sense

You might not leave your house unattended with the doors and windows wide open, but would you leave the front door key under the door mat, on a piece of string inside the letterbox, or beneath the nearest flowerpot?

Web site security is in many ways no different from securing your home or place of work.

Your primary goal is to prevent entry to any undesirables who might steal your valuables and/or wreck the joint.

Even with a good backup policy, the aim is to keep the site protected in the first place so that you never have to restore it from a backup.

How do hackers gain access?

They use the back doors and windows of opportunity left by poor hosting and by outdated plugins, themes and WordPress core. Choose your hosting company carefully, keep your website up to date, back up regularly and don’t use nulled (pirated) themes or plugins, which frequently ship with malware or a backdoor already built in. Hackers use software that scans the internet for neglected sites running software with known vulnerabilities, then exploit what they find to deface or infect those sites, sometimes within hours of a vulnerability being made public.

Keeping your site up to date

WordPress applies minor (security and maintenance) core releases automatically by default, and it can be set to apply major releases as well. Since WordPress 5.5 you can also switch on automatic updates per plugin and per theme from the Plugins and Themes screens. Updates do occasionally break something on the site, which is why regular backups matter: you can roll back if an update goes wrong. Visual regression monitoring, which screenshots key pages on a schedule and flags differences, is a useful way to catch layout damage caused by an automatic update.
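As an added example (not code from the original page or its author), here is a must-use plugin that applies the policy described above: automatic updates for core, plugins and themes, with one plugin held back for manual review, an email after every plugin or theme update, and a log line after each run so that a visual change can be traced to the update that caused it. It assumes the file is saved as wp-content/mu-plugins/auto-updates.php; the excluded slug example-legacy-plugin is a placeholder for one you have found breaks under automatic updating.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 *
 * Saved as wp-content/mu-plugins/auto-updates.php it loads on every request
 * with no activation step. The slug below is a placeholder for a plugin that
 * you have found breaks when updated without a human looking first.
 */

const AUP_EXCLUDED_PLUGINS = array( 'example-legacy-plugin' );

// Core: allow both minor (security/maintenance) and major releases.
// Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: update everything except the excluded list. $item is the entry
// from the update transient; plugins not hosted on wordpress.org may have no slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, AUP_EXCLUDED_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes: update everything.
add_filter( 'auto_update_theme', '__return_true' );

// Email the admin address after plugin/theme auto-updates, not only on failure.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );

// Record what changed so a broken layout can be matched to the update that caused it.
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( $update_results as $type => $results ) {
        foreach ( $results as $result ) {
            $status = is_wp_error( $result->result )
                ? 'FAILED: ' . $result->result->get_error_message()
                : 'ok';
            error_log( sprintf( '[auto-update] %s %s -> %s', $type, $result->name, $status ) );
        }
    }
} );
```

The filters override the per-item toggles in the admin screens, so once this file is in place the Plugins and Themes screens no longer control which items auto-update; the excluded plugin still shows as having an update available and must be updated by hand after testing.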

Security Monitoring

You may want to be alerted to any issues on your site. Sometimes the problem is not a plugin that needs updating but one with a newly discovered vulnerability and no fix yet; that plugin should be deactivated and removed until a patched version or an alternative is available. The same applies to PHP itself: flaws are found in older PHP versions, and once the version your hosting runs reaches end of life it no longer receives security fixes, so upgrading becomes essential.

Regular Backups

Most good hosting companies back up your site on a regular basis so you can roll back if anything goes wrong, but check how long those backups are kept and that you can actually restore from them. It is also a good idea to install a plugin that backs up your site before updates are applied, on a schedule, and manually before any major change to the site. Backups can also be sent to Google Drive, Dropbox, OneDrive or other third-party storage, so that a compromise of the web server does not also take out the backups.

Security Scanning

Hosting companies often provide security scanning via cPanel, Plesk or similar control panels. You can also use an online scanner such as Sucuri’s SiteCheck, scan from inside WordPress with a security plugin like Wordfence or Anti-Malware, or use a third-party scanning service like MalCare or Virusdie.

Even with automatic updates enabled, there will inevitably be occasions when a plugin or theme contains a vulnerability for which no fixed version exists yet. This is where scanning for known but unpatched software matters. Patchstack is a paid service that provides virtual patching for such vulnerabilities; its free tier only notifies you that a vulnerable plugin is installed. Be aware that Patchstack does not scan your site for malware, only for the presence of plugins and themes with known vulnerabilities, so it complements a malware scanner rather than replacing one.
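The kind of check the Security Monitoring and Security Scanning passages describe, as an added example rather than Patchstack’s or the page’s own code: a must-use plugin that once a day compares installed plugin versions and the PHP version against a list of known-vulnerable ranges, deactivates any plugin still below its fixed version, and emails the site administrator. The advisory list (placeholder slugs example-gallery and example-forms) and the minimum PHP version are constructed for illustration; in practice the list would come from a vulnerability feed you subscribe to. It assumes the file is saved as wp-content/mu-plugins/vuln-check.php.

```php
<?php
/**
 * Plugin Name: Vulnerable software check (example)
 *
 * Runs daily via WP-Cron. Compares installed plugin versions and PHP_VERSION
 * against a list of known-bad ranges, deactivates affected plugins and emails
 * the admin address. The advisory data below is constructed for illustration;
 * the slugs are placeholders, not real plugins.
 */

const VSC_CRON_HOOK = 'vsc_daily_check';

// slug => first version that contains the fix. Anything lower is affected.
const VSC_ADVISORIES = array(
    'example-gallery' => array( 'fixed_in' => '2.4.1' ),
    'example-forms'   => array( 'fixed_in' => '5.0.3' ),
);

// Oldest PHP branch you are willing to run (placeholder; check php.net/supported-versions).
const VSC_MIN_PHP = '8.1.0';

// Returns plugin file => message for every installed plugin below its fixed version.
function vsc_find_vulnerable_plugins( array $installed, array $advisories ) {
    $hits = array();
    foreach ( $installed as $file => $data ) {
        // 'akismet/akismet.php' -> 'akismet'; a single-file plugin 'hello.php' -> 'hello'.
        $slug = ( dirname( $file ) === '.' ) ? basename( $file, '.php' ) : dirname( $file );
        if ( isset( $advisories[ $slug ] )
             && version_compare( $data['Version'], $advisories[ $slug ]['fixed_in'], '<' ) ) {
            $hits[ $file ] = sprintf( '%s %s is vulnerable, fixed in %s',
                $data['Name'], $data['Version'], $advisories[ $slug ]['fixed_in'] );
        }
    }
    return $hits;
}

function vsc_run_check() {
    // get_plugins(), is_plugin_active() and deactivate_plugins() live in an admin file
    // that is not loaded during a cron run.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $problems = array();
    foreach ( vsc_find_vulnerable_plugins( get_plugins(), VSC_ADVISORIES ) as $file => $message ) {
        // Take the plugin offline until a fixed version exists.
        if ( is_plugin_active( $file ) ) {
            deactivate_plugins( $file );
            $message .= ' (deactivated)';
        }
        $problems[] = $message;
    }

    if ( version_compare( PHP_VERSION, VSC_MIN_PHP, '<' ) ) {
        $problems[] = sprintf( 'PHP %s is below the minimum %s; ask the host to upgrade',
            PHP_VERSION, VSC_MIN_PHP );
    }

    if ( $problems ) {
        wp_mail(
            get_option( 'admin_email' ),
            '[' . get_bloginfo( 'name' ) . '] Security check: action needed',
            implode( "\n", $problems )
        );
    }
}
add_action( VSC_CRON_HOOK, 'vsc_run_check' );

// Schedule the daily check once. WP-Cron only fires on page loads after the due time,
// so on a low-traffic site trigger wp-cron.php from a real system cron instead.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( VSC_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', VSC_CRON_HOOK );
    }
} );
```

If automatically deactivating a plugin is too aggressive for your site, drop the deactivate_plugins() call and keep the email; the important part is that the comparison uses version_compare() on the plugin header, not a string match, so versions like 2.10 and 2.9 are ordered correctly.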

Secure Passwords and 2FA

A hard-to-guess username and a long, unique password for every administrator and editor account is the first step in securing access. Add a First Name and Last Name in each user profile and set ‘Display Name Publicly As’ to something other than the login name, so that post bylines do not advertise the username. Note that the author archive URL and the REST API users endpoint still expose the user’s ‘nicename’, which defaults to the username, so treat the username as discoverable and rely on the password and 2FA. Wordfence includes Two Factor Authentication (2FA), which you can enable for the login page, and you can also add your reCAPTCHA key (available free from Google) to the login and registration pages of your site.