WordPress Security Checklist: Verify Your Site is Protecting Your Business Mark Davoli Director, Web Development Published: May 4, 2021 3 min read Categories: Performance Creative WordPress and other content management sites often get blamed for security issues. But that logic is short-sighted. Maintenance ownership, reputable plug-in updates, leading DSN providers, and more all play a role in keeping your WordPress site safe. While it’s intuitive to invest in your business’s physical security, digital security is just as important. Creating a proactive, actionable security plan that encompasses the many, long-term facets of site protection is what can keep your business and customers as secure as possible. Table of contentsChecklist: Is your WordPress site secure right now?Audit Your Plug-InsEnsure Two-Factor AuthenticationOwn Security MaintenanceStreamline your Development ProcessUtilize Leading DDoS Mitigation Solution Cloudflare Checklist: Is your WordPress site secure right now? We’ve created a quick checklist with expert recommendations so you can see for yourself. Is your company currently… Running the latest version of only reputable plug-ins?Using a web application firewall (WAF)?Implementing two-factor authentication whenever possible?Understanding ownership and responsibility of security maintenance?Streamlining your development and review process?Utilizing Cloudflare, a leading DDoS mitigation solution? If you’re unsure about any of your answer above, continue reading to learn more. Audit Your Plug-Ins Reputable, up-to-date plug-ins are your primary line of defense. The bulk of vulnerabilities happen from third-party plug-ins. And once installed, immediately plan to keep them updated. Even reputable plug-ins can be vulnerable if they’re defunct and no longer supported. It’s very common to launch a website and never worry about your plug-in maintenance. Suddenly, years have gone by, and you’re running ancient plug-in versions with known security issues. If that’s happened with your WordPress website, make a plan. Prioritize auditing and updating all plug-ins ASAP. We recommend Wordfence as the best-in-the-business endpoint web application firewall plug-in. Providing protection that compliments cloud alternatives, it employs user identity data for greater security coverage. As a premium security plug-in, they frequently receive the latest threats and are the first to announce vulnerabilities, investigate, and offer solutions to resolve them. Ensure Two-Factor Authentication Whenever possible, make sure that you’re utilizing two-factor authentication (2FA) for added security. With millions of bots trolling for vulnerabilities, 2FA creates a more substantial barrier to protect your information. Most popular websites offer a 2FA option. Check your high-priority accounts in their settings section to see if it’s an option — and make sure it’s enabled. Own Security Maintenance Security has many moving parts. Who owns your WordPress security? How is it being scheduled, tracked, and updated? Develop a process to prevent security issues proactively. And prioritize maintenance. For example, is someone reviewing not only your WordPress code but also the code from third-party vendors? It seems simple enough but developing the bandwidth to consistently review can be easier said than done. Streamline your Development Process Mitigating risk is the basis of WordPress security. Proper development chains with staging environments for testing separate from production environments can help ward off unwanted issues. It seems common sense to always test any updates before deployment. But office life is busy. And with a million other things to do, it can feel like you don’t have time to follow the proper process “just this once.” Before you know it, the informal process is to consistently bypass pre-production testing because it’s faster and thus better. Faster is not better for security. Streamlined communication, thorough testing, and reliable process are best. If you’re moving too quickly to test, you’re opening the door to vulnerabilities and much more time-intensive problems later. Utilize Leading DDoS Mitigation Solution Cloudflare DNS provider Cloudflare was recently named a “Leader” in the Forrester Wave™: DDoS Mitigation Solutions, Q1 2021 for their best-in-class security solutions. Masking the IP of your origin server, Cloudflare can uniquely help protect from bot-initiated traffic attacks. There are no absolutes in site security — but there are fundamental ways to mitigate risk. Partnering with leading experts is one of the best ways to make sure that your WordPress, or any site, is as protected as possible from an ever-changing array of vulnerabilities. Not if, but when your WordPress is poked and prodded for security holes, having prioritized maintenance and developed proactive solutions will have been the best way to keep your site safe. Our checklist hits the highlights and isn’t meant to be a comprehensive audit of your WordPress security. But if this initial list has alerted you to possible vulnerabilities, please feel free to reach out to us. Our team of well-respected, passionate leaders is always excited to talk through sustainable digital solutions to protect your growing business.