What About Patching?
No-one will argue the impotance of patching and fortunately since WordPress relase 5.5 in 2020 t just got alot easier. This is because of the introduction of auto-updates which are user controlled.WordPress Enable Auto-Updates
Users can select all or some of their plugins and choose a bulk action of clicking enable auto-updates and fuggedaboutit!. Of course there maybe some updates that don’t play nice that may have licensing issues or want you to manually backup your site before an update. In this case you’ll have to always keep an eye on these. On the subject of backups, its really important to have a backup strategy which we’ll discuss in the next section. Under the three tenets of security Confidentiality, Integrity and Availability (CIA), backups fall under availability and are in-scope for this discussion.
What About Backups?
You can never be paranoid enough in my opinion about backups. It may sound obvious to back things up but the reality is over 50% of the time it’s not done right. Common errors include not backing up the database and site data, only backing up locally on the site and only creating one or two backup copies that are a day or two old.
Every time, I would opt for a hosting provider or 3rd party solution. Admittedly, there’s a cost and there’s configuration work such as opening firewall ports, entering database credentials and setting rules but believe me it’s worth it and particularly so if you’re running mutiple sites.
On the backup rules front, I would choose three backup copies, 1 for the previous day, 1 for the previous week and 1 for the previous month. The rationale being, that if your site was hacked and you didn’t notice or you were on holiday for two weeks, you could still recover. It’s also common to run backups after midnight of your target market’s timezone to avoid site slowness.
If you choose not to use the hosting provider package and stick to free plugins, just pay attention to the restore process and space issues with backup storage. When you store locally on your site or to dropbox/Google Drive, space can run out quickly and restoring can cost money when you thought it was free.
How Do I Block Spam?
Spam started life as a Monty Python Flying Circus sketch on the BBC in 1970 as a nod to Spam and it’s questionable salubrious properties.Monty Pythons Take on SPAM circa 1970
The name stuck and became an early term for unwanted online solicitation in the 80’s. Today it’s the lifeblood of hackers and Spam has morphed into phishing, malware, click fraud and other threats as it often carries dangerous links in the email body.
From a WordPress perspective, your wordpress contact form is ground zero for atackers. My approach here is to turn on Google Recapcha on your forms and enable Akismet anti-spam. Both are quite effective (while not foolproof) at limiting spam. Read our article How to Stop SPAM to find out more about stopping unwanted email.
How Do I Protect my Content?
Protecting your content, particular original images and text is likely important to you. Froma legal standpoint it can be difficult to discover and take action on copyright infringers particularly in different jurisdictions to the point that it might be cost prohibitive to even try.Protecting Content on Your Site
Technically speaking there are countermeasures which are reasonably effective. WP Content Copy Protection & No Right Click is one plugin that may help you here. This plugin can effectively block content from being copy and pasted and visibly watermark images thereby protecting reuse. You can read more about it’s features by clcking on the link here. There are lots of granular features for roles, alerts and pages which can be included/excluded from protection, hence a good option if copyright is something you worry about.
Another approach is password protection for certain posts and pages using WordPress’s native visibility option when saving which is a bit blunt force as method of controlling access to content. It’s really designed for smaller installations where paid content is not a concern. If your looking for more acces controls with options for paid content access then a membership plugin like memberpress maybe a better option. There are lots of membership plugin options out there but memberpress ranks well.
Are There Other WordPress Security Steps?
Yes! Depending on your level of comfort, it’s a good idea to setup a CDN like Cloudflare which is primarily setup to speed up your site but includes security features such as DDOS / Botnet protection, SSL certificates, GEO Blocking, DNS Security, Site uptime monitoring and others. The advantage of Cloudflare is that many features are free and easy to roll-back on if they create unintended consequences.
SSL Certs are particulary important here, as they are now required for any kind of online purchasing on your site and to avoid “site insecure” messages in the site address bar when visitors land on your site. The choice of what type of SSL cert to get often comes up. If your looking for a green padlock symbol in the address at the purchase stages on you site then a paid Extended Validation (EV) cert is what you need. If you run a blog site or customer trust in your websites authenticity is not that important, then a free certificate from “Really simple SSL” would work.
It’s important to not that free certs generally have a 90 day vailidity period while paid certs are generally valid for 1-2 years, hence less maintenance.
Another area of security that might be of interest to you is domain privacy. This is usually an option at the domain name purchase / renewal stage where you can mask ownership information of your domain. A useful feature if you want to prevent spammers targeting you to get into your site.
Ensure that your Data Privacy and Cookie Compliance notices are published on your site. “GDPR/CCPA Complianz” is a free plugin that may help you here. Security compliance is important from a legal perspective but also from a customer trust level standpoint. If you hold data on EU citizens or California residents your site will be subject data privacy and cookie laws of some description.
Lastly security is an ongoing activity and needs constant supervision, which is why its important to monitor Wordfence on a weekly basis and configure alerts on Cloudflare or (other health monitoring service) for when your server goes down for example or a Denial of Service attack (DDOS) as another. It’s good practice to setup a dedicated email address such as firstname.lastname@example.org to capture the differents types of alerts as they come in so you or the support team can act.
Alot of information to digest but prevention is the optimal solution in security, worst case scenario, customer data is compromised on your site and your subject to fines, loss of customer confidence, regulatory supervision and long term reputational damage. Better to act now and limit your risk as much as possible.
Do you need help with your website?