
Security is a broad topic that covers several areas and potential attack methods. An attack can be directed at your network, at your server, or at your visitors. Being vulnerable to attacks is unfortunately a reality for all websites, but with the right precautions and active security efforts, you can thwart any breach of your WordPress website.
What does it really mean to be hacked?

Being hacked usually means that someone has gained access to your website to insert their own code or content. Once the hacker has access to the site, they insert malicious code or content that can do different things depending on what the target is. It can be anything from taking the website offline to spreading malware and performing DDoS attacks. An intrusion can also redirect visitors to other websites, use your website to spread advertising or redirect payment systems on e-commerce sites.

How to build a secure website?

The security of a WordPress website starts with hosting. If you place your site with a hosting company that lacks the necessary security, your site could be at risk if another customer on the same server is attacked. Whether you are choosing a hosting service or setting up your own servers, there are a few things to consider:
- Use a server firewall.
- Feel free to use a WAF service like Cloudflare.
- Keep server information away from unauthorised people so that only experienced IT staff can access the server.
- Never connect to the server from an unsecured network, e.g. public Wi-Fi networks in train stations, etc.
- If you must use FTP, make sure the connection is encrypted. Depending on the protocol, this is usually called FTPS (FTP over SSL/TLS) or SFTP (file transfer over SSH).
- Always create unique databases for each installation so that a hack of one site does not result in complete database access to other sites.
- Make backups of the database and web root files as often as possible, especially just before making a change.
- Use secure passwords and avoid reusing them. Feel free to use a password manager.

Use encrypted transmission, SSL

Encrypt the communication between the visitor and your website. This is shown by your URLs starting with https:// instead of http://. HTTPS (also known as SSL/TLS) is usually a requirement for e-commerce, as it allows visitors to verify that the website they are communicating with is actually what it claims to be and that no one has changed the information along the way. When setting up an SSL certificate, you must ensure that it is valid and issued by a trusted certificate authority. If these requirements are not met, the browser will refuse traffic to the site. A good way to test the security of your SSL setup is to use the Qualys SSL Server Test.
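
The validity and trusted-issuer requirements above can also be monitored from a script. The following Python example is added here and is not part of the original article: `fetch_certificate` performs the handshake against the system trust store, and `assess_certificate` reports how long the certificate remains valid. `SAMPLE_CERT`, the host name `shop.example` and the 30-day warning threshold are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# shop.example and the CA name are placeholders, not real values.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Apr 01 00:00:00 2025 GMT",
}

def fetch_certificate(host, port=443, timeout=5.0):
    """Handshake using the system trust store. Raises
    ssl.SSLCertVerificationError for an untrusted chain, an expired
    certificate or a hostname mismatch, as a browser would refuse it."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    # Certificate timestamps look like "Apr 01 00:00:00 2025 GMT".
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def assess_certificate(cert, now=None, warn_days=30):
    """Return (status, days_left) so renewals are caught before expiry."""
    now = now or datetime.now(timezone.utc)
    days_left = (_utc(cert["notAfter"]) - now).days
    if now < _utc(cert["notBefore"]):
        return "not-yet-valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring-soon", days_left
    return "ok", days_left

def check_site(host):
    """Live check: trust and hostname first, then remaining lifetime."""
    try:
        cert = fetch_certificate(host)
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.verify_message, None
    return assess_certificate(cert)

if __name__ == "__main__":
    fixed_now = datetime(2025, 3, 20, tzinfo=timezone.utc)
    print(assess_certificate(SAMPLE_CERT, now=fixed_now))
```

Calling `check_site` with your own host name from a scheduled job gives early warning of an expiring or rejected certificate between full Qualys scans.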
To ensure you choose the right platform, a senior DevOps expert with a good understanding of security needs to review your platform, your server and network infrastructure, and your existing setup to ensure it’s configured correctly. This will inform you if any services need to be updated or if you are using an insecure hosting service. If the setup is not up to scratch, we suggest safer and more reliable solutions.

Have an expert review your plugins and themes

An audit of your WordPress installation, theme and plugins may need to be performed to ensure the security of your installation. In an audit, the code is read and examined to find potential holes that could be exploited by hackers. Our skilled WordPress experts can perform these investigations to find where the security holes are, suggest safer alternatives and implement strategies to secure your web platform in the future.

Maintain the security of your site

A website that is secure today is not necessarily secure tomorrow. It is therefore important to continuously update and check your website to ensure that security is maintained and up to date. A security contract for regular audits and monitoring can be a good idea. It gives you a complete overview of the existing setup and ensures that updates, plugins and integrated services are kept secure.
Minimise the risk of being hacked
- Always keep your firewall and virus protection up to date. By protecting your own computer system, you take the first step to not expose your website to security issues.
- Use up-to-date versions of integrated software. If a version of an app, plugin or widget hasn’t been updated for over a year, it might be better to look for another option that is updated and reviewed regularly.
- Use current versions of the CMS. Older CMS versions may contain security holes that can be exploited.
- Use hosting companies that routinely review your security.
- Never enter password information on websites that you have navigated to via email links. Remember, no legitimate company will ask you for account information via email.
- Keep tools like WP-CLI, drush, etc. up to date. If your CMS has installation files that are not needed after installation, these should be deleted.
- Never underestimate how attractive your website can be to hackers. It only takes a moment to gain control of an unprotected website. Your website being on the internet is enough for you to be a potential target.
- Use a WAF like Cloudflare. This will protect your installation against most attacks, even those you haven’t had time to patch if the attack vector is known.

How can we help you?

Our team of senior DevOps and WordPress experts can help you strengthen the security of your website and server platform. We can give you concrete suggestions for improvements to strengthen security and help you implement them. In most cases, it will cost you many times more to strengthen the existing platform than to simply switch. We use Synotio WordPress hosting, which is a fully managed solution. After years of experience in the industry, we have developed a number of tools that protect WordPress installations and report potential attack vectors so that we can work proactively on security. Together, we deliver a high-quality service where we take responsibility for testing and operating the customer’s installations and servicing the customer’s solution. Contact us for a security audit or read more about our maintenance agreements.
Want to know more about how Angry Creative can help you ensure your WordPress site is secure? Book a meeting with our CEO, Jimmy, today!