April 9, 2018
WordPress Security Checklist for Businesses

WordPress now powers 30% of all websites with a 60% share of content management systems, up from 23% in 2015. Websites are routinely attacked both to infect website visitors and to attack the companies that host these sites. Attacks include SQL injection, cross-site scripting, brute force attacks, social engineering to get direct user access, and attacks on the server, OS and plugins. Thus WordPress security, and website security generally, needs to be a priority for companies that want to prevent a variety of attacks on their websites. Website attacks can result in websites that are down, corrupted, or malicious and infecting customers.
There are a number of things that companies need to do to provide adequate website security. Using overlapping website security is always recommended. WordPress websites have a number of components that must be secured, including WordPress itself, MySQL databases and WordPress plugins (from a multitude of vendors). On top of that, you have your content that must be secured, such as web pages, blog pages, calendars, events, images, media etc. Lastly, you have web developers and marketing people who access the back-end of your site, and their access needs to be controlled to prevent unauthorized access and unauthorized changes to your site.
There are three main security concerns for websites: outside attacks on MySQL, WordPress or plugin vulnerabilities; corrupt or lost data; and attackers signing in as authorized users and getting complete control of your site. Check out this recent blog on how to make your website visibly more secure and increase sales.
Checklist of WordPress Security Solutions
- Patch Management
  - Keep your software up to date. Updates are made nearly every week. If your website has not been updated in months, you are vulnerable to attack.
  - WordPress provides an auto-update facility, which should be used; otherwise, have your web developers apply regular updates. Regular backups of your system and data will prevent potential issues caused by updates.
- Regular Backups of WordPress, plugins and your data using a Plugin (we like UpdraftPlus)
  - Frequency of backups depends on frequency of content changes by your team
  - Backup retention should be at least 1-3 months to avoid any issues from unintended updates
- User Control
  - Set user access roles to reflect each user's need to make changes (a User Role Editor Plugin can add role granularity)
  - Add 2-Factor Authentication to login (this is a must). Many Plugins exist for this [see our recommendation below]
- Blog Comment Spam control
  - Spam is annoying, can create unwanted outbound links and can add malicious code to your website.
  - If you don’t need comments, turn them off. If you do, moderate them and only post what you believe is safe. Avoid outbound links
  - Use a comment spam control security Plugin [see below] to remove obvious spam
- Add a Security Plugin
  - This may be the single best thing you do to increase security
  - There are several, but the one we use is Shield Security for WordPress. And BTW, it is free and amazingly good.
  - Shield provides:
    - Hacker intrusion protection
    - Multi-factor (2-factor) login control, plus Login bot protection & user access management
    - Website Firewall
    - Blog comments spam control
    - WordPress core file lockdown
    - External IP blacklisting (including automatic blacklisting)
    - Security audit trail and forensics
Non-WordPress Specific Website Security Considerations
- Visible Website Security
  - Changing your Website to HTTPS with an Extended Validation certificate will make your site visibly more secure and also improve overall security even on information sites.
- Server System Protection
  - Your core operating system (Windows server or Linux) is vulnerable and can bring down your website or be used to infect your WordPress system
  - Solutions include server anti-malware (AV) solutions and firewalls
- Denial of Service Attacks
  - There are a number of cloud-based and on-premise DDoS attack solutions to protect sites.
  - Higher profile sites and critical usage sites should deploy these solutions.
- Consider a Web Application Firewall to protect your website from outside attackers
  - These devices intercept outside requests, look for attacks and block them
eSecurity Solutions provides its customers solutions for all areas of security. Your website may be your weakest link and should be a priority to improve. Even an informational site can be attacked and can be used to attack your company and your customers.