Keeping your WordPress website secure
The team at Neworld has been building websites for our clients since 1995. In those days websites were extremely basic, consisting mainly of tags for headers, paragraphs, and links. By the mid 90s HTML had advanced to support features such as background colours, font sizes and table-based web page structures allowing content to be placed into invisible boxes. This meant that we had more control of the positioning of images and text which allowed some basic level of layout and design. It was still a far cry from style sheets, content management and responsive design.
Xtra-vision’s lovely site featured animated GIF icons and a counter.
Over the decades as technology has evolved we have built sites using a variety of operating systems, databases and software, but in recent years the majority have been built on the WordPress platform. WordPress is an open source website creation tool that was originally designed to help people publish blogs. It has come a long way since its early days as a blogging engine and for many years has been a full-fledged web development platform, supporting the design and production of tailored sites with quite complex page structures, interactive features and beautiful, visually engaging interfaces that can be easily content managed.
What this means is that WordPress sites can be designed, built and then handed over to the client so they can add and update content on their own. Once a WordPress site is built, carrying out regular edits and updates is a matter of using a menu similar to MS Word's and dragging and dropping images and files.
WordPress is now the most popular content management system (CMS) on the internet, which has encouraged the evolution of an active community of developers who have created a myriad of plugins and themes. Integrating new functionality into a WordPress site can be as simple as installing a plugin, and there are plugins that cover a huge range of features from e-commerce to image galleries.
With this popularity comes questions about security. WordPress itself provides extensive provisions for operating a secure web application. Where vulnerabilities tend to arise is at the boundaries between WordPress, the web agency, the website developer, third-party developers (of plug-ins, themes, etc), the hosting provider and the client.
Anyone can buy an off-the-shelf template, but companies that are brand-aware will turn to a web agency to create a unique site that addresses the needs of their audiences and is tailored to drive sales and marketing. The website developer is responsible for building a bespoke theme that is secure and, if plug-ins are required, installing ones with a good security reputation. Third-party plug-ins in particular need to be chosen carefully because they need to be updated by their developers, and the version installed on the server must also be updated when needed.
If the client provides their own web server directly or through a third-party hosting provider, it is still necessary to regularly update the WordPress software and any plug-ins installed on the server. The hosting provider is responsible for updating the underlying server software including OS, database, hardware and networking infrastructure. The configuration of the operating system and the web server hosting the software is vital to keep the site secure.
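As an added example of the "keep WordPress updated" part of that responsibility (these are standard WordPress settings, not Neworld's own configuration), the following wp-config.php additions turn on WordPress's built-in automatic core updates, remove the in-browser file editor and force HTTPS for the admin area; the only assumption is a reasonably current WordPress release:

```php
<?php
// wp-config.php additions (added example, not Neworld's own configuration).
// These lines belong above the "That's all, stop editing!" line in wp-config.php.

// Apply both minor (security/maintenance) and major core releases automatically.
// Setting this to 'minor' instead keeps only the security releases automatic,
// which is the safer choice for a site with a heavily customised theme.
define('WP_AUTO_UPDATE_CORE', true);

// Remove the in-browser plugin/theme file editor from the admin area, so a
// compromised editor or administrator login cannot write PHP to the server through it.
define('DISALLOW_FILE_EDIT', true);

// Serve the login page and admin area over HTTPS only, so passwords and
// session cookies never travel in clear text.
define('FORCE_SSL_ADMIN', true);

// Note: DISALLOW_FILE_MODS would also block plugin and theme installation from the
// dashboard, but it disables WordPress's automatic updates as well, so it is
// deliberately not set here.
```

Plugin and theme auto-updates are switched on per item from the Plugins and Themes screens (WordPress 5.5 onward), or for everything at once with the auto_update_plugin and auto_update_theme filters in a must-use plugin. Automatic updates keep the installed version current but do not vet the plug-in itself, so the selection advice above still applies.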
The hosting provider is also responsible for uptime of the server. Typically hosting providers offer between 99.5% and 99.9% uptime, but every server will suffer some downtime. Sites can be set up to include a Content Delivery Network (CDN) service which will distribute static cached versions of the site to local geographic locations to mitigate downtime and to speed up the site. If the site is down, the CDN service can be set up to serve pages from the cache. CDN providers also offer services to secure the Domain Name System (DNS) to avoid domain hijacking, and provide Distributed Denial of Service (DDoS) protection. A security plugin can be installed to monitor and block intrusion attempts, but if security is a particular concern then the hosting should include a Web Application Firewall (WAF).
Best practice comes into play in terms of managing and limiting client user access to the CMS. This applies as much to client staff access as to any third-party partner access. It is not only about having processes in place but implementing and policing them to ensure site editors don't share passwords or reveal them inadvertently (whether by writing them down on a post-it note or by storing them in an unencrypted format on lost or stolen laptops or USB sticks). It is important to ensure that client staff PCs, mobile devices and email systems are secure so that passwords and access details for the site CMS and server are not compromised. CMS access for the client's site administrators can be locked down and limited to one location by way of IP addresses, and accounts can be set up with only limited editor roles rather than full administrator access. Two-Factor Authentication can also be implemented to verify logins. To provide further confidence it would also be recommended to carry out website penetration testing on a once-off or regular basis.
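The IP-based lock-down described above can be done in WordPress itself. The must-use plugin below is an added example, not Neworld's code or a WordPress component: it refuses the login page and the admin area to any address outside an allowlist. The neworld_* function names are assumed, and the allowlist entries are constructed placeholders from the documentation address ranges, to be replaced with the client's real office or VPN addresses.

```php
<?php
/**
 * Plugin Name: Restrict CMS access by IP (added example)
 *
 * Save as wp-content/mu-plugins/restrict-cms-ip.php. Must-use plugins load before
 * ordinary plugins and cannot be deactivated from the dashboard, so a compromised
 * editor account cannot simply switch this off.
 */

// Constructed placeholder values (documentation ranges); replace with real addresses.
// Entries may be a single IPv4/IPv6 address or a CIDR range.
const NEWORLD_EXAMPLE_ALLOWLIST = [
    '203.0.113.0/24',
    '198.51.100.7',
    '2001:db8::/32',
];

/**
 * Return true if $ip falls inside any entry of $allowlist.
 * An unparseable address or a malformed entry never matches.
 */
function neworld_ip_is_allowed(string $ip, array $allowlist): bool
{
    $ipBin = @inet_pton($ip);
    if ($ipBin === false) {
        return false;
    }
    foreach ($allowlist as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
        $netBin = @inet_pton($net);
        if ($netBin === false || strlen($netBin) !== strlen($ipBin)) {
            continue; // malformed entry, or IPv4 entry against an IPv6 client (or vice versa)
        }
        $maxBits = strlen($netBin) * 8;
        $bits = ($bits === null) ? $maxBits : (int) $bits;
        if ($bits < 0 || $bits > $maxBits) {
            continue;
        }
        // Compare the leading $bits bits: whole bytes first, then the partial byte.
        $fullBytes = intdiv($bits, 8);
        if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
            continue;
        }
        $remBits = $bits % 8;
        if ($remBits === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $remBits)) & 0xFF;
        if ((ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Gate the login page and the admin area, but not admin-ajax.php, which
 * public front-end features (search, contact forms, some plugins) call.
 */
function neworld_request_needs_gate(string $pagenow, bool $isAdmin, bool $doingAjax): bool
{
    if ($doingAjax) {
        return false;
    }
    return $pagenow === 'wp-login.php' || $isAdmin;
}

// Only hook into WordPress when this file is actually being loaded by WordPress.
if (function_exists('add_action')) {
    add_action('init', function () {
        global $pagenow;
        if (!neworld_request_needs_gate((string) $pagenow, is_admin(), wp_doing_ajax())) {
            return;
        }
        // REMOTE_ADDR is set by the web server and cannot be chosen by the client,
        // unlike the X-Forwarded-For header. Behind a CDN or reverse proxy the web
        // server must restore the real client address into REMOTE_ADDR first, or
        // every visitor will appear to come from the CDN.
        $clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
        if (!neworld_ip_is_allowed($clientIp, NEWORLD_EXAMPLE_ALLOWLIST)) {
            wp_die('Access to the CMS is restricted to approved locations.', 'Forbidden', ['response' => 403]);
        }
    });
}
```

Before relying on it, test a login from an allowed network and from a disallowed one (a mobile connection is a convenient second network), and re-test after any CDN or hosting change, because a proxy that stops passing the client address through will either lock everyone out or let everyone in. The IP restriction complements, rather than replaces, the limited editor roles and Two-Factor Authentication mentioned above.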
There are multiple vectors for website attacks targeting web server infrastructure, including site software, third-party plug-ins, database, DNS, file transfer protocols (FTP) and social engineering vulnerabilities. The higher the profile of the site, the more likely it is to attract particular scrutiny. It is definitely advisable for sites not to store personal data or sensitive documents, but it is difficult to avoid including submission forms or e-commerce services.
Most attacks, however, come from automated bots, which these security precautions, together with keeping the site, plug-ins and server up to date, will help guard against.
David Jordan – Digital Director
David set up the dedicated digital division of Neworld in 1999 and oversees the strategic approach, creative design and technical development of digital projects from websites to moving graphics and on-screen presentations.