WordPress Security Policy

WordPress is a very popular web software application and as such presents a target to those seeking to exploit it. Because of this, it’s worth taking the time to be aware of some basic security measures that remove opportunities for assailants to gain access.

Security is a trade-off between functionality, availability and control over access, with risk mitigation as the primary goal.

Domain Security

Having secure policies at the domain level can reduce the risk of an attack before it even reaches the server, reducing server load and providing more efficient risk mitigation, particularly for protecting intellectual property (domain ownership) and against DDoS attacks, where attackers try to overload a server’s processing capacity.

Piksoul recommends Cloudflare for high traffic and high risk profile sites. Cloudflare’s security services operate at the domain level, making it possible to identify and mitigate threats faster than on-premise solutions.

  • DDoS Protection
  • Web Application Firewall
  • Universal DNSSEC, protecting against phishing, malware infections and personal data leakage
  • SSL Certificates

Piksoul only uses high quality registrars for domain name registration and management.

Server Security

A secure server is vital for running any web software. Piksoul uses highly reputable partners to provide secure hosting and maintains impossible-to-guess password combinations for server administration. All correspondence and server administration, including file transfer, is undertaken over encrypted protocols.

Our hosting providers maintain very high levels of security. All servers use:

  • Up-to-date PHP versions with the latest security fixes.
  • Apache in a chroot-ed environment with suEXEC.
  • Sophisticated IDS / IPS systems which block malicious bots and attackers.
  • ModSecurity protection from the most common attacks.
  • A hardware firewall filtering flooding traffic.
  • A local software firewall based on iptables with more complex functions and traffic monitoring.
  • A limit on the number of connections a remote host can establish to any service.

Malware scanning can be included for sites with a high-risk profile to ensure systems are scanned continuously.

WordPress, Theme and Plugin Updates

Keeping WordPress, themes and plugins up to date is essential for security and performance. WordPress updates contain security patches for vulnerabilities, as well as improvements to user experience and functionality.

For complex sites, we recommend deploying updates on a development site first. If an update deploys there without conflict, it can be deployed on the live site. For smaller sites, we run live updates and keep full offsite backups in case there are issues. We schedule time-based backups for our clients to multiple destinations, with the frequency determined by our hosting or support agreement.

Some of the processes Piksoul undertakes for core and advanced security of WordPress installations:

  • Daily backups
  • Database prefix obfuscation
  • Hiding admin login page
  • Uptime monitoring
  • Plugin vulnerability monitoring
  • Security Audit Logging
  • Disabling unused functions
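Two of the items above (database prefix obfuscation and disabling unused functions) can be verified directly from a site’s wp-config.php. The following audit script is an added example, not Piksoul’s own tooling; it assumes the standard wp-config.php layout and uses two constructed sample configurations, one stock and one hardened.

```python
import re

# Constructed sample wp-config.php fragments: the first is the stock
# layout, the second reflects two of the hardening items listed above.
DEFAULT_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'k9x2_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
"""

PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)"""
)


def audit_wp_config(source: str) -> dict:
    """Return a pass/fail finding for each policy item the file can evidence."""
    findings = {}
    m = PREFIX_RE.search(source)
    prefix = m.group(1) if m else None
    # Database prefix obfuscation: the stock 'wp_' prefix is what automated
    # tooling assumes for table names; any other prefix passes this check.
    findings["database_prefix_obfuscated"] = prefix is not None and prefix != "wp_"
    defines = dict(DEFINE_RE.findall(source))
    # Disabling unused functions: the in-dashboard theme/plugin file editor is
    # the usual first candidate, switched off with DISALLOW_FILE_EDIT.
    findings["file_editor_disabled"] = defines.get("DISALLOW_FILE_EDIT") == "true"
    # Debug output should stay off on a live site (WordPress defaults it to false).
    findings["debug_off"] = defines.get("WP_DEBUG", "false") == "false"
    return findings


if __name__ == "__main__":
    for label, cfg in (("stock", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg))
```

Run it against a real wp-config.php by reading the file into `audit_wp_config`; a False value marks a policy item that still needs attention.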

Trusted plugins and themes

We only use, and recommend our clients use, plugins and themes that have been well tested and reviewed by our team and the WordPress community. We don’t install plugins that have low reviews or negative comments, as this could be a sign that the plugin developer does not follow good development or security measures. The plugins and themes we do use are very carefully curated and monitored for continuous performance.

SSL Security

HTTPS encrypts traffic sent to and from a server and makes it difficult for assailants to intercept data. We recommend SSL certificates for our clients with more active websites, and even for smaller sites, and we are available to help clients install SSL on their account to secure and protect onsite data.

When connecting to servers, we use SFTP, which encrypts passwords and other data in transit so they cannot be intercepted.

User management

Piksoul ensures all team members are removed from a site once they no longer need access to it, and Administrator access is only granted when needed. For example, users who will be adding content are only assigned the access level appropriate to their role, such as Author or Editor. We employ strict user management on all of our clients’ sites.

Any third parties or developers only have access to development sites, with updates tested and rolled out in a staged approach prior to going live.

Client Communications

Piksoul recommends the use of secure applications such as Slack for client communication, keeping sensitive information and correspondence out of email to avoid man-in-the-middle attacks.

Strong Passwords

No matter how good your security measures are, the most common way a website gets hacked is through the use of weak passwords. Using automated scripts, attackers can attempt thousands of combinations until they get in. For this reason, we use password generators for all accounts and keep this information stored in a secure cloud.

The value of using a password generator is that it creates complex, hard-to-guess passwords. Piksoul works with clients to develop policies for enforcing the use of strong passwords and updating them regularly.

This is the most effective way our clients can participate in maintaining a secure environment for their website. In summary:

  • Enforcing strong passwords
  • Enforcing password updates periodically
  • Multi-factor authentication for high-risk sites

Continuous Research and Improvement

Security is not a simple thing, so our team at Piksoul undertakes regular research to make sure we are providing our clients with the best solutions and an optimum mix of functionality and security. We take all security processes seriously, with a proactive approach, staying on top of the latest security protocols and research.

We welcome your feedback and insights if there’s anything you have a particular concern about or would like to discuss further.

Last updated 2016-12-14