WordPress Security

Security is a broad topic that encompasses multiple areas and potential methods of attack. An attack can be directed at your network, at the server, or at your visitors. Being exposed to attacks is, unfortunately, a reality for all websites, but with the right precautions and active security work, you can counteract any intrusions.

What does it really mean to be hacked?

Being hacked usually means that someone has accessed your website, to then be able to insert their own code or content. Once the hacker accesses the website, he or she enters malicious code or content that can do different things depending on what the target is. It can be anything from taking the website offline to spreading malware and carrying out DDoS attacks. A hack can also redirect visitors to other websites, use your website to spread advertising, or redirect payment systems on E-commerce sites.

Building a secure website

The security of a WordPress installation starts with the hosting. When you place your website with a hosting company that does not have the necessary security, your website can end up in the risk zone if another customer on the same server has been attacked. When choosing a hosting service or needing to set up your own servers, there are a few things to keep in mind:

• Use a server firewall.
• Feel free to use a WAF service such as Cloudflare.
• Keep your server information away from unauthorized people so that only experienced IT staff can access the server.
• Never access your server from an insecure network, e.g. public wifi networks at train stations, etc.
• If you must use FTP, be sure to do so over SSL. This is usually called SFTP or FTPS, depending on the protocol.
• Always create unique databases for each installation so that a hack of one website does not result in full database access to other websites.
• Make backups of the database and webroot files as often as possible. Especially right before you make a change.
• Use secure passwords and avoid reusing them. Feel free to use a password manager.

Use encrypted transmission, SSL

Encrypt the communication between the visitor and your website, this is shown through your web addresses starting with https: // instead of http: // which is otherwise the case. HTTPS (also known as SSL / TLS) is usually a requirement for E-commerce as this makes it possible to verify that the website you are communicating to is actually what it claims to be and that no one has modified the information along the way. When setting up an SSL certificate, you need to make sure that it is valid and issued by a trusted certificate authority. If these requirements are not met, the browser will refuse traffic to the site. A good way to test the security of your SSL set is to use the Qualys SSL Server Test.

To ensure that you choose the right platform, a senior DevOps expert with a good sense of security needs to go through your platform, your server, and network infrastructure as well as your existing setup to ensure that it is configured correctly. Among other things, doing this will give you information if any services need updating or if you use an insecure hosting service. Should the setup not measure up, we suggest safer and more reliable solutions.

Let an expert review your plugins & themes

A review of your WordPress installation, your theme, and your plugins may need to be performed to ensure the security of the installation. Doing so makes it possible to examine and read the code to find potential holes that can be exploited by hackers. Our competent WordPress experts can perform these surveys to find where security holes are located and suggest safer alternatives as well as implement strategies to secure your web platform in the future.

Maintaining the security of your website

Security also has a need for maintenance. A website that is secure today is not necessarily safe tomorrow. Therefore it is important to continuously update and check your website, to ensure that security is maintained and up to date. A safety retainer for regular examinations and monitoring can thus be a good idea. It will give you a full overview of the existing setup, and ensure that updates, plugins, and integrated services are kept secure.

Minimize the risks of being hacked

• Always keep your firewall and virus protection up to date. By protecting your own computer system, you take the first step in not exposing your site to security issues.
• Use current versions of integrated software. If a version of an app, plugin, or widget has not been updated within more than a year, it may be better to look for another option that is updated and reviewed regularly.
• Use current versions of the CMS. Older CMS versions may contain security holes that can be exploited.
• Använd hostingföretag som rutinmässigt ser över sin säkerhet.
• Never enter password information on websites that you have navigated to via email links. Remember that no legitimate company will ask you for account information via email.
• Keep any tools such as WP-CLI, drush, etc. updated. If your CMS has installation files that are not needed after installation, these should be deleted.
• Never underestimate how attractive your site can be to hackers. It only takes a moment to gain control of an unprotected site. Your site being on the internet is enough for you to be a potential target.
• Use a WAF such as Cloudflare. This protects your installation from most attacks, even those that you have not had time to patch if the attack vector is known.

How can we help you?

Our team of senior DevOps and WordPress experts can help you strengthen the security of your website and server platform. We can give you concrete action proposals on improvements to strengthen security and help you implement these. In most cases, it will cost you many times more to strengthen the existing platform compared to just changing. We use Synotio WordPress-hosting which is a fully managed solution. After many years of experience in the industry, we have developed a number of tools that protect WordPress installations and report potential attack vectors so that we can proactively do security work. Together we deliver a high-quality service where we take responsibility for testing and operating the customer’s installations and servicing the customer’s solution. Contact us for a safety review or read more about our Maintenance Agreements.