It’s important to understand that there is no “set it and forget it” solution for security. With the freedom to use a wide variety of custom code in the form of themes and plugins, also comes a great responsibility. Security is a partnership Smart Robbie shares with our customers. With that in mind, there are a number of best practices we recommend for all WordPress websites.
Stay Up to Date
A simple oversight in updating your plugins can be a big deal. Plugin vulnerabilities represent 55.9% of the known entry points for attacks. Keeping your plugins and themes up to date is easily the most important step to maintaining a fast and secure WordPress website.
Keeping WordPress core up to date is also crucial to your site’s security. At Smart Robbie we handle core upgrades for you via our maintenance plans.
If keeping plugins up to date is too time-consuming or often causes your site to break, we offer different level maintenance plans. This service keeps your plugins up to date, creates backup checkpoints and runs visual checks to ensure no updates are pushed that will break you site.
Choose Plugin/ Themes Carefully
It is important to have a discerning eye when it comes to choosing the theme and plugins your site will use. Each addition to your site contributes more code, which translates to more potential security flaws as well as extra pieces to maintain and update.
For similar reasons, you should also be certain to always fully delete any plugins or themes you are not actively using.
A good first step is to ensure you download your plugins and themes through the WordPress.org repository, since these are subject to their stringent approval process.
Look for plugins and themes that:
– Are actively maintained
– Have been recently updated
– Have a wide and happy user base
– Provide user help in the Support section
Not only are you more likely to have success with these plugins and themes overall, but these are also the most likely to respond quickly should a vulnerability be discovered.
Enforce Additional Login Authentication
Your administrator accounts are the gateway to the backend controls of your website. A simple way to double-down on security for your users to use two-factor authentication (2FA), multi-factor authentication (MFA), or offload logins to a specialised system entirely with single sign-on (SSO). These security options require your users to verify their identity with a second method, beyond a simple username and password.
For example, two-factor authentication might require you to enter an additional rotating code from an app on your phone. An attacker might be able to brute force your username and password, but they still would be unable to access your site’s administration area if they didn’t guess the right code at the exact interval.
There are several plugins to help with this on your WordPress site:
Adhere to the “Least Privilege” Principle
The “Least Privilege” principle means users should only be given the access level they need to perform their core role and nothing more.
If you are an Administrator on a WordPress site, the responsibility of determining the access level of other users falls to you. Be extremely strict with users who publish content, and especially with other Administrators. Ask yourself: does this user truly need this level of access in order to perform their core role?
Learn more about WordPress user roles here.
If you are a developer on a website, your responsibility is to ensure your code is adhering to WordPress Coding Standards and using core WordPress APIs where possible.
Proactive Security Through Monitoring
Both uptime monitoring and file integrity monitoring are proactive strategies to keep your site secure and available. For example, our hosting offers Site Monitoring add-on, which can alert you should your site experience an outage.
File integrity monitoring keeps you aware of any file changes made to site code. Plugins like Sucuri Security, Wordfence and Stream can monitor file changes on your site.
Uptime monitoring services like Pingdom and UptimeRobot will notify you if your your site is not behaving as expected.
Increasing awareness allows your team to respond as quickly as possible if the unthinkable happens.
Tools like Google Search Console help by monitoring your site’s reputation and health, to notify you if your site ends up on any blocklists.
NOTE
Our hosting monitors basic server health of all websites and backs up your site nightly, making it easy to restore your site if needed.
Employ Network-level Security
Our hosting providers priorities stable and secure websites. While many of these changes happen behind the scenes, the most recent network advancements have been made available to you as opt-in upgrades. The network upgrades route your website at a DNS level through additional security and performance layers at Cloudflare, all managed by our hosting provider..
The advanced network utilises our custom blend of Cloudflare features to improve the speed, scalability, and security of your website. Best of all, the advanced network upgrade is provided at no charge to all WP Engine customers.
Global Edge Security (GES) is the Enterprise-grade performance and security add-on available for all hosting plans. With this paid add-on you will receive several features powered by Cloudflare.
