At Flashlight, we spend a lot of time (and give a lot of thought to) protecting our customers’ websites. We’ve worked out the specific critical things that every WordPress site owner should be doing to cover all the bases and keep their websites running!
Are you doing ALL of these things to protect your WordPress website?
Do you know all the different remote vulnerabilities that can be exploited by an attacker who wants to control your website? Don’t worry, neither do we – we leave that to the experts. For security we pick a best-of-breed tool (our pick is WordFence) which is built by security professionals who spend a lot of time and effort securing WordPress.
The minimum security features that your site needs are:
- Firewall: a web application firewall is a must to protect your WordPress site from remote threats. It does this by blocking attackers in real time. It needs to frequently update itself in order to always guard against the latest threats.
- “Brute Force” Blocker: a popular brute force attack on WordPress is when an attacker writes a script to attempt many logins on the site in order to guess usernames and passwords, and thus gain administrative access to your site. A good brute force blocker should automatically block a source after multiple failed login attempts, block excessive use of the “forgot password” feature, and stop the system from leaking information about which usernames exist.
- Optional: Manual Blocking: sometimes you want to be able to block specific conditions. For example, maybe you offer commission on sales, and someone might be spamming your products everywhere. Without even knowing who they are, you could block the traffic that originates from their links. Another example might be to block older web browsers that are not secure.
Beware though – unless you are relying 100% on default settings, you probably should not attempt to configure security products yourself. It is easy to get it wrong, and this can be worse than no security at all, because it provides a false sense of security. Read Next Steps (below) to see how to solve this problem.
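To make the “Brute Force” Blocker conditions concrete, here is an added detection example (not part of the original article or any Wordfence code) that runs over constructed access-log lines and flags sources that exceed a failed-login or password-reset threshold inside a sliding window. It assumes the common heuristic that a failed WordPress login is a POST to wp-login.php answered with 200 (the form is re-rendered) while a successful one redirects with 302; the IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "combined" access-log lines (not real traffic). Assumption: a failed
# WordPress login is a POST to wp-login.php answered 200 (form re-rendered),
# a successful one redirects with 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3900 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:05:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3900 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:05:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3900 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_abusers(log_text, window=timedelta(minutes=5), max_failures=5, max_resets=3):
    """Return {ip: reason} for sources exceeding a threshold inside a sliding window."""
    events = defaultdict(list)  # (ip, kind) -> timestamps of recent events
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/wp-login.php") or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if "action=lostpassword" in m["path"]:
            kind, limit = "excessive password resets", max_resets
        elif int(m["status"]) == 200:
            kind, limit = "repeated failed logins", max_failures
        else:
            continue  # 302 = successful login, nothing to count
        bucket = events[(m["ip"], kind)]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window]  # drop events outside the window
        if len(bucket) >= limit:
            flagged.setdefault(m["ip"], kind)  # first reason wins; a real blocker would act here
    return flagged

if __name__ == "__main__":
    print(find_abusers(SAMPLE_LOG))
```

The thresholds are the tunable part: too low and legitimate users who mistype a password get locked out, too high and a slow guessing script stays under the radar.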
A website can die for any number of reasons. You might have mistakenly messed something up yourself, or your provider might have reconfigured the server that hosts your site, destroying it by human error (it happens). Perhaps your site was deleted for non-payment, or maybe your domain name expired.
There are many awful scenarios, and the best insurance against the day one of them strikes (which it almost certainly will, sooner or later) is to have your site regularly backed up.
We’ve found Updraft Plus to be an ideal mix of ease-of-use, automation, and power under the hood.
How often should you back up? Well, it depends on how critical your site’s data is to you. But a good rule of thumb is to back up at least daily, and to keep at least 3 of the most recent backup files at any given time.
A word of warning: There are multiple distinct areas of a WordPress site that need to be regularly backed up in order for the site to function when it is restored. These include the site database, plugins, themes, uploads, and other custom content. Be sure you are backing up every aspect of your site.
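As an added illustration of the two rules above (every area of the site must be in the backup, and the 3 most recent copies must be kept), here is example code that is not from the article or from UpdraftPlus. It checks a zip backup for a database dump and the plugins, themes and uploads trees, and plans which dated backup files to delete; the archive layout (standard wp-content/ paths, a .sql dump) and the file names are constructed assumptions.

```python
import io
import re
import zipfile

# Components the article says every restorable backup must contain, each mapped to
# a test on archive member paths. Assumed layout: standard wp-content/ tree plus a
# database dump ending in .sql or .sql.gz at any path.
REQUIRED = {
    "database": lambda name: name.endswith((".sql", ".sql.gz")),
    "plugins": lambda name: name.startswith("wp-content/plugins/"),
    "themes": lambda name: name.startswith("wp-content/themes/"),
    "uploads": lambda name: name.startswith("wp-content/uploads/"),
}

def missing_components(archive_bytes):
    """Return the sorted list of REQUIRED components absent from a zip backup."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    return sorted(c for c, present in REQUIRED.items() if not any(present(n) for n in names))

DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")

def _backup_date(filename):
    m = DATE_RE.search(filename)
    return m.group(1) if m else ""  # undated files sort oldest and are pruned first

def prune_plan(filenames, keep=3):
    """Split dated backup names into (keep, delete), keeping the `keep` newest."""
    ordered = sorted(filenames, key=_backup_date, reverse=True)
    return ordered[:keep], ordered[keep:]

def make_zip(members):
    """Constructed in-memory archive for demonstration (not a real site backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"x")
    return buf.getvalue()

FULL_BACKUP = make_zip(["db.sql", "wp-content/plugins/akismet/akismet.php",
                        "wp-content/themes/twentytwentyfour/style.css",
                        "wp-content/uploads/2024/03/logo.png"])
FILES_ONLY = make_zip(["wp-content/plugins/akismet/akismet.php",
                       "wp-content/themes/twentytwentyfour/style.css"])

if __name__ == "__main__":
    print(missing_components(FULL_BACKUP), missing_components(FILES_ONLY))
    print(prune_plan(["site-2024-03-01.zip", "site-2024-03-03.zip",
                      "site-2024-03-02.zip", "site-2024-02-28.zip"]))
```

A backup that passes the component check but was never test-restored is still unproven; the check catches the common case of a files-only or database-only job, not a corrupt dump.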
3: Offsite Backups
This is so important that it deserves a section of its own.
To be most effective, your backups should be stored off-site, in a secure location – ideally cloud-based and completely external to your hosting account or domain name, so that you can access them even in the event of catastrophic failure (or if you forget to pay your provider).
Cloud storage is cheap these days, and you should be able to store several backups of your whole site for a very affordable fee. See Next Steps below for details on how to get started with offsite backups.
One of the most overlooked ways of opening WordPress to attack is to let your installation get out of date.
All the themes, plugins, translations, and the WordPress Core itself, are software products, and thus prone to bugs and vulnerabilities. The authors of these products regularly update them in order to stay secure, and if you want to protect your WordPress site you need to keep all parts of your site updated to the latest versions.
When a security vulnerability is discovered in a software product, it is either exploited or reported, depending on who discovered it. Either way, the exploit eventually comes to the attention of the developer, who updates the product and makes a public announcement about the fix. But people who choose not to update the software in their site are at risk from the moment the exploit becomes common knowledge.
A solid automated update process that runs on a regular schedule is one of the most important things you can do to help keep your site secure and safe from attackers.
Some update functionality is already built into WordPress, but it can require a level of interaction. To see how to automate your updates completely, read the Next Steps section below.
There are many ways to infiltrate a website, and many of these methods involve somehow uploading code to your site and running it.
A regular scan of all the code files in your website can help to discover any such scripts or unsafe code. A good scanner can automatically detect and “quarantine” code that is used in known attacks, or it can alert you when something suspicious (even if it is unknown) needs your attention.
You might want to steer clear of tools that assume you are an expert. Some scanners present you with detailed scan logs that you have to manually read and interpret in order to determine if there is a problem. While those scanners are obviously very powerful, they are not very useful in helping a site owner (who isn’t a qualified security professional) to manage their website.
One of the worst feelings is hearing news that your site is down (or hacked) from your customers. Monitoring is essential so that you are the first to know when something goes wrong, and can act before any customers are affected.
The right monitoring strategy depends on how mission-critical your website is, but a good rule of thumb is that if your site goes down you should know within 5 minutes.
Do not send monitoring alerts to an email address that is handled by your site. Imagine if your site goes down because your domain expired… you don’t want alerts going to an email address at mydomain.com if mydomain.com is down, because they will simply disappear!
The above measures are valuable, but you don’t want to be sifting through logs just to try and figure out how your site is going. Each tool should be able to report back to you to give a clear picture of any issues.
Some important reports that your site should tell you about:
For your information:
- when attempted attacks are blocked;
- when someone logs in with admin privileges;
- when backups are completed;
So you can take action:
- when suspicious files are found;
- when updates are completed (so you can check your site still works ok with all the updates);
- when updates fail;
- when your site goes down;
You and I both know that unless all of the above can be done automatically there is not much point to it. We are all far too busy to spare the several hours per day that it would take to look after a website properly, running security scans, doing updates, making backups, reading logs, and more.
To be effective, you need all of the above tools, but more importantly you need them to run completely hands-off. As long as they can send you status updates as they go about their work, or alerts when things need your attention, you will be able to get on with your important work, and go into your website only when needed.
The goal of this collection of tools is not just to save you time managing your site… with all these properly integrated with your site, they should actually eliminate the need for ANY routine admin of a WordPress site. You can run a safe and secure WordPress site that hums along, without ever going into it, unless specifically alerted.
The above tools actively running on your site with full automation and reporting, such as with Flashlight Solutions’ FlashSecure:WordPress product, can save you many hours per week. Over the course of a year, this can add up to thousands of dollars in saved time, not to mention significantly reduced stress.
You can install and configure each of these tools yourself, but each of them has a list of potential “gotchas”. For real hands-off automation and true peace of mind, there is no substitute for having an expert do it. The FlashSecure:WordPress product will take care of everything, including installation by one of our experts. The product is surprisingly affordable, starting from $15 per month, which pays for itself in the first week, in terms of saved time. However its benefits for keeping your site safe are priceless.