Steps You Can Take to Secure Your Site
The security practices of both WordPress and WP Engine help to protect your site from a wide vector of attacks. However, it’s important to understand that there is not a “set it and forget it” type of solution for security. It is not a simple issue. With the freedom to use a wide variety of custom code in the form of themes and plugins, also comes a great responsibility. Security is a partnership WP Engine shares with our customers. With that in mind, there are a number of best practices we recommend for websites of all shapes and sizes.
Stay Up to Date
Outdated software is the leading cause of hacked websites and malware. As of Q3 2016, Sucuri reported 18% of all hacked WordPress sites were a result of three primary outdated plugins: Gravity Forms, TimThumb, and RevSlider. Each of these plugins has released secure versions at least a year ago which would have prevented infection. It is important to keep on top of all WordPress plugin and theme updates to ensure your site is secure.
Adhere to the Least Privilege Principle
The “Least Privilege” principle is the idea that users should only be given the access level they need to perform their core role and nothing more. If you are an Administrator on your WordPress site, the responsibility of determining the access level of other users falls to you. It is extremely important to ensure the other users on your site are only given the access level needed. Be extremely strict with users who publish content, and especially with other Administrators. Ask yourself: does this user truly need this level of access in order to perform their core role? If you are a developer on a website, your responsibility is to ensure your code is adhering to WordPress Coding Standards and using core WordPress APIs where possible.
Choose Your Code Carefully
It is important to have a discerning eye when it comes to choosing the theme and plugins your site will use. Each addition also contributes more code to your site, which translates to more potential security flaws as well as additional pieces to maintain and update. For similar reasons, you should also be certain to fully delete any plugins or themes you are not actively using. A good first step is to ensure you download your plugins and themes through the WordPress.org repository, since these are subject to their stringent approval process.
However, you should also be careful when picking from these plugins. Look for plugins and themes that are regularly and recently updated, have a wide and happy user base, and provide user help in the Support section. Not only are you more likely to have success with these plugins and themes overall, but these are also the most likely to respond quickly should a vulnerability be discovered.
Enforce Two-Factor Authentication
Your login page is the gateway to the administrative controls of your website. A simple way to double-down on security for your login page is to enforce two-factor authentication. This method requires users to verify their identity with a second method beyond a simple username and password. For example, two-factor authentication might require you to enter a code that rotates periodically on an app on your phone, in addition to your standard username and password combination. An attacker might be able to brute force your username and password, but they still would be unable to access your site’s administration area if they didn’t guess the right code at the exact right minute. WP Engine offers Two-Factor Authentication for the User Portal, and there are several plugins to help with this on your WordPress site as well.
Proactive Security through Monitoring
Both uptime monitoring and file integrity monitoring are proactive strategies to keep your site secure and available. File integrity monitoring keeps you aware of any file changes made to site code. Plugins like Sucuri Security and Stream can monitor file changes on your site. And uptime monitoring services like Pingdom and UptimeRobot will notify you if your your site is not behaving as expected. Increasing awareness allows your team to respond as quickly as possible if the unthinkable happens. And tools like Google Search Console help by monitoring your site’s reputation and health, to notify you if your site ends up on any blacklists. Remember, WP Engine monitors basic server health and backs up your site nightly, making it easy to restore your site if you ever need to.
Summary: Defense In Depth
Remember: there is no “set it and forget it” solution to website security. The concept of Defense in Depth states that, put simply, you should cover all your bases. Website security is never a one-size-fits-all kind of solution. It is extremely important to secure your site on multiple levels and vectors. The more secure vectors on your site, the tighter your overall website security will be. The idea behind this principle is that, should one security vector fail, the others can still provide the level of security needed. A multi-layered defense could look like: Securing your logins, staying on top of updates, coding according to best practices, using trusted plugins, and using monitoring, all in combination with WP Engine’s enterprise-grade security practices.