Owning a business isn’t easy. Many of us are singlehandedly juggling a storefront, customer inquiries, a website, social media, advertising strategies, accounting, and more throughout the course of each and every day. We strive to keep each plate spinning smoothly enough that we have the chance to grow an often unnoticed and underappreciated act into an attraction that has lines going around the block.
Unfortunately, this approach rarely does any of these tasks justice. There’s a reason entire professions are centered around several items on business owners’ to-do lists, but many of us continue to take the entire list on in the hopes of saving a few bucks to keep the lights on. As a result, we never seem to have the free time to master more than the craft that got us started.
While it’s easy to look in from the outside and say “you should delegate half of this list”, money is frequently limited when you’re starting out. Having an IT department or even a single professional on the payroll is often just not in the budget. Things on the to-do list start getting sacrificed so you can keep up, and many people choose to sacrifice attention to their business website because of these and similar assumptions:
- It’s already built and live, so no attention is needed
- It isn’t an integral part of growing my company
- SEO is constantly changing, so it isn’t worth keeping up with it
All of these conclusions are false. If you aren’t willing or able to hire an expert to manage your business website, then it’s up to you to become the expert for this core element of your business. Your first step toward this is understanding the value of your business website. The second is understanding the basics of how to secure it – especially if you are one of the millions who built a website with WordPress.
While we’ve discussed why WordPress is the gold standard in web design, its popularity has the drawback of making it a popular target for bots and hackers that seek to distribute malware and twist your hard work toward their own gains.
Naturally, this also means there are a lot of WordPress security practices to keep track of. We’re going to distill them down to 5 of the most important ones you can manage yourself. All you’ll need is some basic website knowledge and the willingness to make time in your schedule.
Checking for updates is the cornerstone of WordPress security
Sometimes a WordPress version hangs around for a few months without any changes. Other times a new release lasts as little as a day. No matter how quickly the most recent version is replaced with something a little better, however, there’s always going to be a changelog explaining what was fixed and oftentimes why.
These explanations include security vulnerabilities.
Out there, in the open for anyone and everyone who wants to see it, from honest developers to conniving hackers. Failing to regularly check for updates is the single biggest reason I’ve observed for websites being compromised, and it is completely avoidable.
WordPress isn’t the only thing you need to monitor either. Plugins and themes will often also update at erratic intervals for many of the same reasons WordPress does, including the addition of new features, overall performance improvement, and security updates. If a plugin or theme hasn’t updated in a long time, this is usually a HUGE red flag.
That said, this doesn’t mean you should update blindly when updates do become available. Curious as to why? Let me elaborate.
Know what you’re installing or updating
WordPress is a complicated machine made up of relatively simple parts from a slew of manufacturers. The general framework is always similar, but the finished result varies dramatically from website to website. It’s also only as secure as the weakest piece of your website.
If you’re aiming to be WordPress security conscious, you need to be able to reasonably assess where vulnerabilities can exist in your website. Fortunately, this doesn’t mean you need to be a coding genius, or even competent with code. You can achieve similar results through good old-fashioned research!
How does one go about starting this, you ask? Here are a few of my recommendations:
- Google the plugin/theme/WordPress release you’re curious about
- Look for support forums for your plugin/theme to see what other users are experiencing
- Read the patch notes for all updates to see what is being changed
- Review Sucuri’s WordPress Security and Vulnerability Disclosure blog sections
- Take a look at Wordfence’s blogs about WordPress security exploits and vulnerabilities too
This is by no means an exhaustive list, but there’s a lot of good information in these places that can help you become much more informed quickly and easily – especially if there is a zero-day vulnerability or problematic interaction with another plugin/theme that would cause you more harm than good when installing or updating.
If you do find a vulnerability, you might see it measured by what’s known as a DREAD score (especially with Sucuri). While these can be fairly subjective on a scale from 1-10 (10 being the most harmful), you can get an idea of how dangerous a potential problem is and how much damage it is capable of. Other mnemonics like STRIDE exist as well – but the general idea of threat assessment is going to be similar no matter how it is dressed up.
I could go into more detail about why you should stay informed beyond this point, but I think I’ve gotten my point across. For those looking for the short version, my message really just boils down to this simple checklist:
- Set some time aside to log into your WordPress site every week
- Review available updates (including patch notes) for WordPress and your installed plugins/theme
- Check to make sure said updates don’t have known issues associated with them
- Research how something new is likely to behave with your current tools before installing
You’ll save yourself a lot of time, grief, phone calls, and dollars in the long run by following these steps. Trust me.
Install only what you need for your website
Longtime readers know that I’m fond of the expression “an ounce of prevention is worth a pound of cure”. This maxim is the guiding principle for virtually all types of security, and WordPress security is no exception.
Preventative practices can take a few different forms in the online world (pretty much all of my list today qualifies), but few are as simple (or ignored) as the idea of only using what you need for your website to function. We all know there are a lot of very cool WordPress plugins out there, but do you really need that second type of contact form or third set of WYSIWYG tools?
Of course not. We’ve talked about less being more when it comes to a WordPress website’s performance, but the same is also true when discussing WordPress security. The less code there is in a website, the fewer opportunities there are to exploit it. It’s really that easy.
For those who have more established websites, don’t forget that needs can change for a website over time. If you have a plugin installed that isn’t actively contributing to your website anymore, take a moment to uninstall it. Ditto for unused themes. The benefits of good housekeeping are just as apparent online as they are at home, and they bolster your security to boot!
If you’re having trouble choosing which tools should stay or go, general guidelines suggest that you should avoid using more than 20 plugins and your chosen theme/child theme on a given website. From there, organize what you need your site to have versus what you want it to have, and use those points to help with the more difficult decisions.
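For readers comfortable with a command line, here is an added example (not part of the original article) that turns the weekly update checklist and the housekeeping advice above into one report. It assumes WP-CLI is installed on the server and that you feed it the output of `wp plugin list --format=json`; the sample data and the function name audit_plugins are made up for illustration.

```python
import json

# Constructed sample in the shape of `wp plugin list --format=json` (WP-CLI).
# Plugin names and versions are invented for illustration.
SAMPLE_PLUGIN_LIST = """[
  {"name": "contact-form-a", "status": "active", "update": "available", "version": "5.1"},
  {"name": "contact-form-b", "status": "inactive", "update": "none", "version": "2.0"},
  {"name": "seo-helper", "status": "active", "update": "none", "version": "21.3"},
  {"name": "old-slider", "status": "inactive", "update": "available", "version": "1.4"}
]"""

MAX_PLUGINS = 20  # the article's guideline, not a limit WordPress enforces


def audit_plugins(raw_json, max_plugins=MAX_PLUGINS):
    """Sort a plugin listing into the weekly to-do list described above."""
    plugins = json.loads(raw_json)
    # Only regular plugins count here; must-use plugins and drop-ins are
    # managed outside the normal Plugins screen.
    regular = [p for p in plugins if p.get("status") in ("active", "inactive")]
    review_updates, uninstall = [], []
    for plugin in regular:
        if plugin["status"] == "inactive":
            # Deactivated plugins still leave their code on the server,
            # so they go on the removal list rather than the update list.
            uninstall.append(plugin["name"])
        elif plugin.get("update") == "available":
            # Active plugin with a pending update: read the patch notes
            # and check for known issues before applying it.
            review_updates.append(plugin["name"])
    return {
        "review_updates": sorted(review_updates),
        "uninstall": sorted(uninstall),
        "total": len(regular),
        "over_guideline": len(regular) > max_plugins,
    }


if __name__ == "__main__":
    report = audit_plugins(SAMPLE_PLUGIN_LIST)
    print("Updates to research before installing:", report["review_updates"])
    print("Unused plugins to uninstall:", report["uninstall"])
    print("Plugin count:", report["total"], "(over guideline)" if report["over_guideline"] else "")
```

The same approach works for themes by feeding in `wp theme list --format=json` instead.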
Set up firewalls and an SSL certificate
We’ve talked about this time and again already, so I won’t linger on this topic long, but that doesn’t make it any less important when discussing proper WordPress security. If you haven’t read our earlier posts, here’s a quick breakdown of what website security tools bring to the table:
Reputable malware scanners look over your website files and/or database regularly, checking for malicious content and cleaning it up. Sucuri’s team is among the best out there for this task, as they’ll also go in for manual reviews/cleanups if their automated scanner misses something, and they’ll do it at no additional charge. You can also find their services in our store.
Web Application Firewalls (WAFs)
Similar to what you use for your computer or smartphone, a WAF is designed to help protect your website from malicious traffic, software, and other intrusion. These come in a few different flavors, but the two that will matter most to you are endpoint (or host-based) firewalls and cloud-based firewalls.
Endpoint firewalls like Wordfence aim to filter out malicious content from your website’s hosting platform. This lets them protect against a wider array of attacks, but if something still manages to compromise your website, the firewall is compromised along with it. Endpoint firewalls also tend to put additional stress on your hosting platform’s resources when running since they run on the server itself.
Cloud firewalls like Sucuri and Cloudflare are tailored to protect you from malevolent traffic that uses your domain name to access your website. While this will prevent a lot of unwelcome bots and malware from ever reaching your website’s hosting platform, if they decide to go after your website using a different method (like your hosting server’s IP address), cloud firewalls offer you zero protection.
Content Delivery Networks (CDNs) are often included with cloud firewalls to obscure your server’s IP address information and improve load times for users around the world, but there are ways to look that sort of thing up if someone is truly determined to do so. That said, I usually still prefer cloud firewalls if I have to choose, as they are external to your website and don’t put additional strain on your server to operate.
Both types of firewall are still going to be very useful for protecting your website, despite their drawbacks.
SSL certificates encrypt data exchanged to and from your website. While the most important data this applies to is personal information like credit card numbers and customer details, you’ll also receive protection for WordPress logins, searches on your website, contact forms, and more. You receive a slight SEO boost and look more trustworthy in browsers too!
Avoid sharing your hosting space with other websites
Earlier, you might remember me saying that a WordPress website is only as secure as its weakest piece. As it happens, the same is also true for the websites you operate on your hosting platform.
Hosting companies make it very tempting to save a few bucks by giving you the ability to run unlimited websites on one cPanel, Plesk installation, or proprietary setup (so long as your server resources can handle everything you’re doing). What they often don’t tell you is that by taking advantage of this, a compromise within one website will usually infect all of your other sites too.
As an example, let’s say you have a business website and a personal blog on the same hosting plan. You follow all the security steps I’ve laid out for your business website because it brings in your paycheck, but decide not to do so for your blog because it’s just a fun side project.
Your hosting setup is very similar to a computer – there is a folder where you put website files for your main website, and there are other folders and/or subfolders where you put the files for additional websites. If one of your subfolders gets infected by malware, it’s incredibly easy for it to just jump over to neighboring folders – including the main folder housing your subfolder.
Put another way, securing one website out of many is like buying a lock for your house’s front door, but leaving your windows open. Vandals aren’t going to care how strong the front door is when they can gain easy access to your home another way, and the chaos they cause will be just as problematic.
So protect all sites on a hosting plan if you’re going to be protecting any. Securing only some of the websites on a server is basically the same as securing none of them.
I haven’t looked at my website in years, can you help me build a secure one?
Secure web design is something we strive for with all our clients, and we’d be more than happy to lend a hand with your project. Swing by our website design page to learn more about what we can do for you or get in contact with us directly for a FREE consultation.
Braden is one of the founders of Midwest Websites, and has been professionally writing and developing websites for over 7 years. His blog posts often take an experience from his life and showcase lessons from it to help you maximize online presence for your business.