WordPress security best practices

If you’re active in the WordPress community you might have noticed the recent debate on improving security within the ecosystem, specifcally how WordPress handles updates. As the debate heated up, Automattic CEO Matt Mullenweg posted about what he thought were the most important security issues facing WordPress as a whole right now.

As CEO of the commercial arm of the WordPress project, not least one of the two original WordPress developers, it’s worth listening when Mullenweg speaks. He raised the following points as the most important aspects in keeping WordPress websites secure right now:

“A good order of priority based on impact would be:

• Sites not updating core.
• Sites not updating plugins.
• Sites not updating themes.
• Weak passwords, without brute-force protection or two-factor authentication.
• Hosts (professional or ad-hoc) not scanning and fixing sites.
• Hypothetical issues not seen in practice, which distract from the above existing priorities.”

 

With WordPress powering something approaching a third of websites today, it’s no wonder the software makes an attractive target for hackers; which is why we take security seriously. In light of Mullenwegg’s recent post, I thought I’d go over how we take care of each of the points raised and what you can do to improve your own website security, too.

Sites not updating core

Core refers to the main WordPress files. When a new release of WordPress comes out, if you’re hosted on our Managed WordPress hosting platform, we update this for you by default on the night of the release for all minor releases. For major releases, you can choose when to update, either the night of the release, next day, or a week later.

Sites not updating plugins

Likewise, we take care of updating your plugins in an automated fashion. It should be noted that we only update plugins that are listed in the WordPress repository or that have integrated into the WordPress updater system (for example Gravity Forms). The code of some paid plugins sits behind paywalls that we can’t access, which means we can’t update those plugins.

If you use a paid plugin that requires you download code from behind a paywall, you will need to ensure you’re always on top of the latest release of that plugin. The best vendors will always notify you when you need to upgrade. If you need help with selecting the best plugin, paid or free, just let us know – we’re always happy to advise on the best and brightest.

Just like with WordPress core, you can specify a delay to updating plugins to allow testing. In extreme cases you can choose to opt out of the automatic update of a specific plugin, though this is not recommended.

Sites not updating themes

We feel this needs to be be handled by the website owner and so don’t automatically update. In an ideal world everyone would code their theme changes in separate child theme. Sadly though, it’s not a perfect world and people often hack code changes directly into the parent theme. If we were to to automate theme updates like core and plugins, we’d risk overwriting a raft of user made theme changes.

Worried about automatic updates?

You shouldn’t be, the vast majority of updates happen silently and you never notice, if there are issues we are on hand to help. In addition, with our staging site feature, you can test updates on staging by having it update immediately and your live site delayed by a day, giving you that extra peace of mind.

Weak passwords, without brute-force protection or two-factor authentication

The standard security suite on our WordPress accounts protect against brute force login attacks out of the box. We also offer 2FA protection for our own website, and do recommend activating 2FA directly on your WordPress account if so inclined.

As for the password component, we leave that in our client’s hands. We don’t enforce any specific password configuration, or expire passwords at set intervals. We know first hand what a pain it is to have to comply with an arbitrary password policy. Moreover, enforcing a random upper case character or number in a password doesn’t really increase security. If anything it only makes some users feel a false sense of enhanced security.

Extra bonus points: when we create a brand new WordPress account for you, we don’t assign a default ‘admin’ user. Instead we assign you a random username which also defends against brute force attacks. If you can’t remember your assigned username, you can login to your WordPress account via our own control panel with one click, and of course you can update it within the WordPress dashboard at any time. Just avoid the all too common default admin user.

Hosts not scanning and fixing sites

We run daily scans of all our managed WordPress hosting accounts and check plugins which have been opted out or are unable to be automatically updated against https://wpvulndb.com. Moreover, we’re always on hand to help you recover, if you do experience a hack. With that in mind we run automated daily backups of all our WordPress hosted sites.

We also advise to plan for the worst and hope for the best. That means you should also take backups of your site routinely, keeping safe offline copies, and testing them every so often. This means no matter what happens, you’ll always be protected in the worst case scenario.

You can use our snapshot feature to take a copy of your site at any time. You can also download your snapshot for safe keeping offline. You can restore backups to the staging area of your plan too, to test if your backup works as you expect.

Hypothetical issues not seen in practice, which distract from the above existing priorities

We’ll stick to fighting real security threats for now, but if you do ever have any security queries about hypothetical issues with your 34SP.com hosting, just drop us an email to support@34sp.com – we’re always happy to advise!