Website breaches can cost millions of dollars and thousands of hours to remediate. Joe Brown, Five Nines Director of Marketing Operations, knows firsthand. In his career, he has worked with businesses to remediate breaches where a small WordPress vulnerability was the culprit. If a couple of basic and relatively cheap steps had been taken, the breach could have been prevented. Read more to see how you can improve your website security and performance before the new year!
Be mindful of who has access to the backend of your website and at what level. Think through the roles of your team and divvy up access from there. If your Marketing Specialist posts blogs, make them an author; if they post financial reports or change content on webpages, make them an editor. Admins can edit everything, including users and credentials, so you should be very selective when determining who should have that access. Another good rule of thumb is to require two-factor authentication for everyone who has access. Joe suggests MiniOrange 2 Factor, which integrates directly with WordPress.
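The role review described above can be run as a repeatable check. The following is an added example, not Five Nines' own tooling: it compares a user export against a duty sheet and flags anyone whose role does not match what they do. The logins, duty labels and sample data are constructed for illustration; the role names are WordPress's built-in ones.

```python
import json
# WordPress built-in roles, least to most privileged.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}
# Least-privileged role covering each duty (duty labels are hypothetical).
DUTY_MIN_ROLE = {
    "post_blogs": "author", "edit_pages": "editor",
    "post_financial_reports": "editor", "manage_users": "administrator",
}
# Constructed sample shaped like `wp user list --fields=user_login,roles --format=json`.
USERS_JSON = """[
  {"user_login": "mspecialist", "roles": "administrator"},
  {"user_login": "webmaster", "roles": "administrator"},
  {"user_login": "finance", "roles": "author"},
  {"user_login": "intern", "roles": "editor"}
]"""
# Constructed duty sheet: what each person actually does on the site.
DUTIES = {
    "mspecialist": ["post_blogs"],
    "webmaster": ["manage_users", "edit_pages"],
    "finance": ["post_financial_reports"],
}

def rank(role):
    """Custom roles are unknown quantities: rank them above administrator to force review."""
    return ROLE_RANK.get(role, len(ROLE_RANK))

def required_role(duties):
    """Lowest built-in role that covers every listed duty."""
    return max((DUTY_MIN_ROLE[d] for d in duties), key=rank, default="subscriber")

def audit(users, duties):
    """Return (login, current_role, needed_role, finding) for every mismatch."""
    findings = []
    for user in users:
        login = user["user_login"]
        # WP-CLI joins multiple roles with commas; judge by the strongest one.
        roles = [r.strip() for r in user["roles"].split(",") if r.strip()]
        current = max(roles, key=rank, default="subscriber")
        if login not in duties:
            findings.append((login, current, None, "no documented duties"))
            continue
        needed = required_role(duties[login])
        gap = rank(current) - rank(needed)
        if gap:
            findings.append((login, current, needed, "over-privileged" if gap > 0 else "under-privileged"))
    return findings

if __name__ == "__main__":
    for finding in audit(json.loads(USERS_JSON), DUTIES):
        print(*finding)
```

Accounts reported as "no documented duties" are the ones to question first: either they need an entry in the duty sheet or the account should be removed.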
Another access tip he has is to avoid using the default "domain.com/wp-login" WordPress URL for your login screen. This is one of the primary ways hackers attack WordPress sites. The WPS Hide Login plugin is how Five Nines avoids the threat of that basic login screen. In this case, if a hacker finds a user password, they will then need to find the login page, which is now hidden.
Lastly, Cloudflare is a paid filter for websites. It sits on top of the website and filters every single request your site gets. As a good practice, Joe does not allow users outside of the United States to access the website. This protects it from hackers originating from outside of the country who are hungry for your data. The unintended bonus of utilizing Cloudflare is that it drastically improves your site's performance and speed, especially on mobile devices.
Maintaining your website properly is the key to ensuring that no threats originate from the inside. This involves many moving parts, including plugins, a staging environment, and regular backups. If you are the webmaster (the person accountable for the website) of your site, you need to prioritize these three things at a minimum.
Plugins are one of the leading causes of breaches, broken websites, and information being leaked. At a minimum, plugins should be updated weekly. It's as simple as logging in, going to the Updates tab, and pushing "refresh." If there is an update, it takes one minute to put it in the staging area, test it, and push it live.
The staging environment is a clone of your site where plugins can be tested safely before they are pushed to production. Companies like Flywheel are a great resource to utilize when it comes to setting up staging areas.
Lastly, backing up the contents of your site is imperative. If a plugin breaks or you need to make a change, you want the peace of mind of knowing that you have the ability to revert to a previous version of your website.
To hear further explanations of the concepts above, watch the recording of our Tuesday Tech Talk.