WordPress Strategy – Part 1: Security

We look at defining a four-stage strategy for WordPress website development, starting with website security.

Here’s some advice that I give to most of my clients, as it’s essential to website creation and development: you need to have a plan for your website.

My clients typically know what they’re looking for in a broad outline sense, but they rarely offer a considered plan or details on how they’ll achieve their goals. That’s why I’m putting together this four-part blog series on WordPress Strategy, covering key considerations when building a business website.

Without an established strategy the outcome is usually the same: building and maintaining the website turns out to be more complex than expected, growing an audience takes longer, and in turn you miss out on potential customers.

I build WordPress websites around a four-point strategy, which I’ll discuss in this and future articles. For the time being, I’ll be excluding e-commerce (WooCommerce) websites, as I have additional strategy points specific to e-commerce sites that I’ll look to explore in another blog series.

The four pillars of a healthy, clean and prosperous site are security, optimisation, content, and search engine optimisation.

In this article, I’ll cover WordPress security.

Security In Practice

I regularly encounter clients with insecure websites that fail to meet even the bare minimum web security standards. These clients fall into one of two categories:

  • Lack of Technical Understanding: clients often engage me simply because they don’t have the technical knowledge required to maintain their website, its content and its security. It’s not for a lack of wanting.
  • Lack of Interest: in some rare cases I encounter clients who have adopted the “it’ll never happen to me” approach to their website’s security, or who simply don’t see their website as a security concern. Sorry to say, have I got some news for you.

It’s important to keep the security of your website front of mind from the very start of your WordPress development journey. Don’t leave it until it’s too late.

Website Security In Perspective

I want to give you a little perspective on website security: Jenkins Digital blocks hundreds of attacks of varying types every day on our clients’ websites.

That doesn’t even factor in the thousands if not tens of thousands of visits from malicious robots that we mitigate through baseline security configuration. Website security is no joke.

In addition to the obvious need to protect your site against attacks, you also have to consider the protection of the data your website stores. Bots actively probe websites for vulnerabilities that might grant access to sensitive customer information, anything from a simple newsletter mailing list to highly sensitive personal details.

These bots can also consume your server resources and, in turn, slow down your site for honest, potentially paying users. Slower speeds impact the user experience and increase the risk of abandonment while browsing/buying.

Keep It Secure

As with all security-related articles, I’ll say it once: installing that free plugin that “handles security on its own” is not enough.

You should take a defence-in-depth approach to the security of your website rather than relying on any single control. Is the server itself hardened? Is SSH access locked down (key-based authentication only, and disabled altogether if it isn’t needed)? Does the server sit behind a Web Application Firewall (WAF)? And are you proactively reporting on and reviewing your website’s security?

Here are some tips (among others) to keep your site secure:

  • SSL/TLS Certificates: ensuring that your customers reach your website over an encrypted (HTTPS) connection is absolutely essential. There is simply no excuse for not having a TLS certificate installed, yet I often find that clients have overlooked this critical requirement. Redirect all HTTP traffic to HTTPS as well, so that no page, least of all the login page, is ever served in the clear.
  • Modified Login URL: out of the box WordPress uses well-known paths such as /wp-login.php and /wp-admin for users to log in. Moving these to non-default URLs cuts down the noise from automated attacks that target the well-known paths. Treat it as a nuisance filter rather than a control: it does not replace strong passwords, login rate limiting and two-factor authentication, and other login endpoints (XML-RPC, for example) need the same attention.
  • Block XSS: cross-site scripting (XSS) is a common attack vector in which an attacker injects script into pages your site serves, so that it runs in your visitors’ browsers, typically to steal sessions or deface content. It’s a well-understood threat with well-understood mitigations (patched themes and plugins, escaping of all output in custom code, and request filtering at the WAF), and you should apply them.
  • Blacklist Bad IPs: there are extensive, regularly updated blocklists of IP addresses known to be used by malicious users or malicious bots. Use them to deny those addresses access to your website, but treat them as one layer only: attackers rotate through fresh addresses, and shared or cloud ranges can produce false positives, so review what you block.
  • Automatic Logout: terminate user sessions automatically after a set period, for example 24 hours, and less if you’re handling sensitive information. That way, if a user navigates away without logging out, their session is invalidated automatically rather than surviving for WordPress’s default of two days (fourteen with “Remember Me”).
  • Rotate Security Keys: it’s good practice to regularly roll (regenerate) the security keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching salts). Even if a key is compromised, the exposure ends the next time your keys are rolled. Be aware that rolling them invalidates every existing login cookie, so all users, including you, will have to log in again.
  • Utilise A WAF: most good hosting providers offer a Web Application Firewall (WAF) as standard; if yours doesn’t, find another host. A WAF helps protect your website against known attack patterns, but it is a filter in front of your code, not a substitute for patching it.
  • Regular Patching: this is the easiest step you can take to protect your website. Make sure that plugins, themes and WordPress core are updated regularly; doing so closes every known vulnerability for which the vendor has issued a patch, which is exactly what automated bots are scanning for. Remove plugins and themes you no longer use rather than leaving them installed, and don’t forget to back up before running updates.
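Several of the tips above can be implemented in a few lines of WordPress PHP. The must-use plugin below is an added example written for this article, not code from the original post or from WordPress itself: it shortens login sessions (automatic logout), sends defensive headers including HSTS, shows a vulnerable shortcode beside its escaped form (XSS), and disables XML-RPC. The shortcode name you_searched, the session lengths and the header values are assumptions to adjust for your own site.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Illustrative must-use plugin; save as wp-content/mu-plugins/site-hardening.php.
 *
 * Hypothetical code written for this edit, not code from the original post or from WordPress.
 * It assumes a standard WordPress install that already serves pages over HTTPS.
 */

defined( 'ABSPATH' ) || exit;

/*
 * 1. Automatic logout.
 * WordPress keeps a login cookie for 2 days, or 14 days when "Remember Me" is ticked.
 * The auth_cookie_expiration filter receives that lifetime in seconds, the user ID and the
 * remember flag, and must return the lifetime you actually want.
 */
add_filter(
	'auth_cookie_expiration',
	function ( $expiration, $user_id, $remember ) {
		// Administrators get a short working-day session regardless of "Remember Me".
		if ( user_can( $user_id, 'manage_options' ) ) {
			return 8 * HOUR_IN_SECONDS;
		}
		// Everyone else: 24 hours with "Remember Me", 8 hours without.
		return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
	},
	10,
	3
);

/*
 * 2. Defensive HTTP headers.
 * send_headers fires for front-end requests only, so wp-admin, wp-login.php and static
 * files still need the same headers configured at the web server (nginx/Apache).
 */
add_action( 'send_headers', function () {
	header( 'X-Content-Type-Options: nosniff' );                 // no MIME sniffing of uploads
	header( 'X-Frame-Options: SAMEORIGIN' );                      // no framing by other sites
	header( 'Referrer-Policy: strict-origin-when-cross-origin' );
	if ( is_ssl() ) {
		// HSTS: browsers refuse plain HTTP for a year. Drop includeSubDomains if any
		// subdomain is still served over HTTP, or you will lock visitors out of it.
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}
} );

/*
 * 3. Cross-site scripting: escape on output.
 * A vulnerable shortcode that reflects a query parameter straight into the page:
 *
 *     add_shortcode( 'you_searched', function () {
 *         return '<p>You searched for ' . $_GET['q'] . '</p>';   // raw input into HTML
 *     } );
 *
 * Requesting ?q=<script>alert(1)</script> would execute that script in every visitor's
 * browser. The hardened version below sanitises the input and encodes it for HTML.
 */
add_shortcode( 'you_searched', function () {
	// wp_unslash() strips the slashes WordPress adds to superglobals, sanitize_text_field()
	// removes tags and control characters, esc_html() encodes the rest for an HTML context.
	$q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
	if ( '' === $q ) {
		return '';
	}
	return '<p>You searched for <strong>' . esc_html( $q ) . '</strong></p>';
} );

/*
 * 4. Close the login endpoint people forget about.
 * xmlrpc.php authenticates with a username and password on each call and is a favourite
 * brute-force target. Disable it unless something (Jetpack, the mobile apps) needs it.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Files in wp-content/mu-plugins/ load automatically and cannot be deactivated from the dashboard, which is the point: a compromised editor account cannot switch the hardening off. Check the headers with a plain request (for example `curl -I https://example.com/`) and confirm wp-admin gets the same treatment from the web server configuration.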
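Rolling the keys means regenerating the eight define() lines in wp-config.php. The command-line script below is an added example, not the author’s or WordPress’s own tooling: it generates new 64-character values from PHP’s CSPRNG, rewrites each define in place, refuses to write unless it finds all eight, and swaps the file in atomically. The file name rotate-wp-keys.php and the backup naming are assumptions.

```php
<?php
/**
 * rotate-wp-keys.php: regenerate the security keys and salts in wp-config.php.
 *
 * Hypothetical helper written for this edit, not code from the original post or from
 * WordPress. Run from the command line, outside the web root:
 *     php rotate-wp-keys.php /var/www/example/wp-config.php
 * Every login cookie and nonce issued under the old keys is invalid once the file is replaced.
 */

const WP_KEY_NAMES = array(
	'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
	'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

/**
 * One 64-character key from the CSPRNG. The alphabet is printable ASCII without the quote
 * and backslash, so the value can sit inside a single-quoted PHP string without escaping.
 * (WordPress's own wp_generate_password() is not available outside a WordPress request.)
 */
function wp_random_key( int $length = 64 ): string {
	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
	          . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
	$max = strlen( $alphabet ) - 1;
	$key = '';
	for ( $i = 0; $i < $length; $i++ ) {
		$key .= $alphabet[ random_int( 0, $max ) ]; // random_int() is cryptographically secure
	}
	return $key;
}

/**
 * Replace the value in each define( 'NAME', '...' ) line. Returns [ new text, lines replaced ].
 * Unknown keys, commented-out lines and anything else in the file are left untouched.
 */
function rotate_wp_keys( string $config ): array {
	$replaced = 0;
	foreach ( WP_KEY_NAMES as $name ) {
		$pattern = '/define\(\s*([\'"])' . $name . '\1\s*,\s*\'(?:[^\'\\\\]|\\\\.)*\'\s*\)/';
		$config  = preg_replace_callback(
			$pattern,
			function () use ( $name ) {
				return "define( '" . $name . "', '" . wp_random_key() . "' )";
			},
			$config,
			1,
			$count
		);
		$replaced += $count;
	}
	return array( $config, $replaced );
}

function main( array $argv ): int {
	if ( count( $argv ) !== 2 || ! is_readable( $argv[1] ) ) {
		fwrite( STDERR, "usage: php rotate-wp-keys.php /path/to/wp-config.php\n" );
		return 2;
	}
	$path = $argv[1];
	[ $updated, $n ] = rotate_wp_keys( (string) file_get_contents( $path ) );
	if ( $n !== count( WP_KEY_NAMES ) ) {
		// A partial rotation would leave a mix of old and new keys; do nothing instead.
		fwrite( STDERR, "refusing to write: matched $n of " . count( WP_KEY_NAMES ) . " keys in $path\n" );
		return 1;
	}
	umask( 077 ); // files created below are owner-only: they contain database credentials
	$backup = $path . '.bak-' . date( 'Ymd-His' );
	file_put_contents( $backup, file_get_contents( $path ), LOCK_EX );
	// Write to a temporary file, restore the original permissions, then rename, so a
	// concurrent request never reads a half-written wp-config.php.
	$tmp = $path . '.tmp';
	file_put_contents( $tmp, $updated, LOCK_EX );
	chmod( $tmp, fileperms( $path ) & 0777 );
	rename( $tmp, $path );
	echo "rotated $n keys; backup in $backup (move it out of the web root); all users must log in again\n";
	return 0;
}

exit( main( $argv ) );
```

Run it from cron on a quiet period of the schedule you have agreed with the client, since every editor is logged out the moment it completes. The backup is written owner-only because wp-config.php holds the database password; move it out of the web root straight away, as web servers will happily serve a .bak file as plain text.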

This list is not exhaustive, and you should make every effort to secure your WordPress website. Cyber security is an ever-evolving issue and requires ongoing vigilance. In our next post, we’ll be looking at WordPress optimisation.
