WordPress Websites: Are They Secure?

At Bop Design, we create custom B2B websites that use the WordPress CMS. Why? In our experience, we’ve found WordPress’s CMS to be the most intuitive and easiest for non-web developers to update. This means our clients can make updates and changes to their websites without having to go to their IT department every time they need to make a minor edit.

One of the most common questions we hear from potential clients (and their IT departments) is "Are WordPress websites secure?"

The short answer is yes, WordPress is secure for websites.

Open Source vs. Closed Source (Proprietary) CMS

WordPress is open source, meaning that developers can view the source code, create plugins, and make modifications easily. Because WordPress is open source, it has a very large developer community. That community ensures that bugs are quickly identified and fixed, and that plugins are available for a wide variety of needs. Regular security patches are also released, and many of them are applied automatically.

Conversely, with a proprietary (or closed source) CMS, you are at the mercy of the developer or the small community of developers, who may or may not have the bandwidth to make updates regularly.

However, with any B2B website, there are additional questions you should be asking that will impact the security of the website.

Hosting

Your website host can have a major impact on the overall security of the website. We always suggest that our clients use a hosting firm that specializes in WordPress to ensure optimal speed and security of the website. Below are several questions to ask a potential hosting company to find out if they offer the level of security your firm needs.

Does the hosting company…

  • Offer malware scanning?
  • Specialize in WordPress?
  • Offer robust backup/restore tools?
  • Provide additional security tools, such as limited login attempts?

A good hosting provider will be able to answer all of these questions and have strategies in place for maintaining and enhancing the security of your B2B website.

Organizational policies

Cyber threats are a fact of living in a digital age. While hackers are always refining their processes, there are several things your company can do at an organization level to ensure extra security for your website.

Password Policy: Enforce a strong password policy on all information systems, including WordPress. This means you create an internal policy covering ALL passwords. Requiring passwords to be a certain length and to include numbers, symbols, and capital letters reduces the likelihood that attackers will succeed by trying commonly used passwords or by guessing the passwords of your internal staff.

It is also important that your staff use unique passwords – ones that they do not use for any other website. Some of the most common hacks involve usernames and passwords stolen from other websites. For example, if you use the same email and password for QuickBooks.com, Amazon.com, Target.com, and WordPress, and any one of those sites is hacked, suddenly your entire online identity is vulnerable.
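The password rules described above can be enforced server-side rather than left to policy documents. The following is an added example written for this post, not Bop Design's own code or part of WordPress: a small must-use plugin (placed in wp-content/mu-plugins/, which WordPress loads automatically) that rejects passwords that are too short, lack a number, symbol or capital letter, or appear on a short constructed list of commonly used passwords. It hooks the two real WordPress actions that fire when a password is set: user_profile_update_errors (profile edits and new users in the dashboard) and validate_password_reset (the "lost password" form). The 12-character minimum and the denylist contents are assumptions; PHP 7.1 or later is assumed for the typed parameters.

```php
<?php
/*
 * Plugin Name: Example Password Policy
 * Added example (not Bop Design's code): enforces length and character-class
 * rules on WordPress passwords and rejects a few commonly used passwords.
 * Install by copying this file into wp-content/mu-plugins/.
 */

// Constructed sample denylist. A real deployment would use a much larger list of
// leaked or common passwords maintained by the site owner (assumption).
const EXAMPLE_COMMON_PASSWORDS = ['password', 'password1', 'welcome1', 'qwerty123', 'letmein'];

/**
 * Return the list of policy violations for $password (an empty array means it passes).
 * Policy, as described in the post: minimum length, at least one number, one symbol
 * and one capital letter, and not a commonly used password.
 */
function example_password_policy_errors(string $password, int $min_length = 12): array {
    $errors = [];
    if (strlen($password) < $min_length) {
        $errors[] = sprintf('Password must be at least %d characters long.', $min_length);
    }
    if (!preg_match('/[0-9]/', $password)) {
        $errors[] = 'Password must contain at least one number.';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $errors[] = 'Password must contain at least one capital letter.';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $errors[] = 'Password must contain at least one symbol.';
    }
    if (in_array(strtolower($password), EXAMPLE_COMMON_PASSWORDS, true)) {
        $errors[] = 'That password is too common; choose one that is unique to this site.';
    }
    return $errors;
}

/** Attach any violations to the WP_Error object so WordPress refuses the change. */
function example_apply_password_policy(WP_Error $errors, ?string $password): void {
    if ($password === null || $password === '') {
        return; // this request does not change the password
    }
    foreach (example_password_policy_errors($password) as $message) {
        $errors->add('example_password_policy', '<strong>Error</strong>: ' . esc_html($message));
    }
}

// Dashboard profile edits and new users: WordPress puts the candidate password in
// $user->user_pass only when a new password was entered.
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user) {
    example_apply_password_policy($errors, isset($user->user_pass) ? (string) $user->user_pass : null);
}, 10, 3);

// "Lost password" reset form: the candidate password is posted as pass1.
add_action('validate_password_reset', function (WP_Error $errors, $user) {
    $candidate = isset($_POST['pass1']) ? (string) wp_unslash($_POST['pass1']) : null;
    example_apply_password_policy($errors, $candidate);
}, 10, 2);
```

The denylist check only catches exact matches, so it is a complement to the length and character-class rules, not a substitute for them; the reuse problem described above (the same password on QuickBooks, Amazon and WordPress) can only be addressed by the unique-password policy itself, since the site cannot see what staff use elsewhere.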

Two-Factor Authentication: Consider implementing two-factor authentication on your WordPress CMS. This requires two points of authentication, which makes an account far harder to break into even if the password is stolen or guessed. Check out Clef for an example of two-factor authentication: https://wordpress.org/plugins/wpclef/ (the Clef service has since been discontinued, so confirm that whichever two-factor plugin you choose is still maintained).

Manage User Accounts: Terminate user accounts when employees or contractors separate from the organization. Whether an employee or contractor leaves suddenly, is fired, or has a scheduled departure date, it’s critical to have a process in place to terminate their account access. Don’t rely on the fact that an employee was a good person.

Limit Access: Not everyone in your company needs access to your website. You don’t need to restrict access to the IT department only, but be thoughtful about who is given access. Only give access to users who absolutely need it to make updates to the website. This is also a good practice to control what types of updates are made to the website.

Make Updates: Just like any other application, WordPress and all the website plugins require regular updates to solve bugs and enhance features. Either create a schedule to make regular updates (on a monthly basis) or have a plan in place to implement updates as they arise.
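For the "implement updates as they arise" option, WordPress can apply updates itself. The following is an added example, not the post's own code: the weak setting (core minor updates only, plugins left to a manual schedule) beside the stronger one that enables automatic updates for core, themes and plugins, with one constructed plugin slug held back for manual testing. WP_AUTO_UPDATE_CORE and the auto_update_plugin and auto_update_theme filters are real WordPress settings; the plugin slug example-custom-integration/plugin.php is a placeholder. Automatic updates assume the backup/restore tooling asked about in the Hosting section is in place, since an update can occasionally break a site.

```php
<?php
// --- Weak setting (WordPress default behaviour): only minor core releases are
// --- applied automatically; plugins and themes wait for someone to log in and
// --- click "Update", so a fix for a known bug can sit unapplied for weeks.
// define('WP_AUTO_UPDATE_CORE', 'minor');

// --- Stronger setting, in wp-config.php: apply major and minor core releases.
define('WP_AUTO_UPDATE_CORE', true);

// --- In a must-use plugin (wp-content/mu-plugins/auto-updates.php):

// Auto-update every plugin except the ones listed here, which the team tests by
// hand first (constructed example slug, not a real plugin).
add_filter('auto_update_plugin', function ($update, $item) {
    $manual_only = ['example-custom-integration/plugin.php'];
    if (isset($item->plugin) && in_array($item->plugin, $manual_only, true)) {
        return false;
    }
    return true;
}, 10, 2);

// Themes rarely carry custom code on a B2B site, so update all of them.
add_filter('auto_update_theme', '__return_true');
```

The first filter argument is left untyped on purpose: since WordPress 5.5 the auto_update_* filters are also called with null while the admin screens work out what to display, and a bool type hint would throw an error there.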

Use SSL: Use SSL for the site and administration areas. Secure Sockets Layer (SSL), today implemented by its successor TLS, establishes an encrypted link between a web server and a browser, so that all data moving between the two is protected from eavesdropping and tampering in transit. When SSL is used, web addresses change from http:// to https://. All professional websites, especially any that handle sensitive information such as billing or medical information, should use SSL. The other benefit of using SSL is that it is good for SEO. It's no secret that Google treats SSL and non-SSL sites differently, and because Google is interested in website security, you can bet that SSL will be an SEO-ranking factor in the very near future.
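Enabling a certificate on the host is only half of "use SSL for the site and administration areas"; WordPress also has to insist on https:// so that nobody keeps using the http:// address. The following is an added example, not Bop Design's code: a wp-config.php fragment that sets the real FORCE_SSL_ADMIN constant (which forces the login page and dashboard onto HTTPS) and a small must-use plugin that redirects plain-HTTP front-end requests and, going one step beyond the post, sends an HSTS header so browsers remember to use HTTPS. The reverse-proxy block is an assumption about one common hosting layout (TLS terminated by a load balancer in front of WordPress) and should be kept only when that proxy is trusted to set the X-Forwarded-Proto header.

```php
<?php
/* --- Part 1: additions to wp-config.php (added example) --- */

// When a load balancer terminates TLS, WordPress itself receives plain HTTP and
// is_ssl() returns false, so the redirect below would loop. Honour the proxy's
// forwarded-protocol header, but only if the proxy strips it from client requests;
// otherwise a visitor could spoof it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Built-in WordPress constant: login and dashboard are served over https:// only.
define('FORCE_SSL_ADMIN', true);

/* --- Part 2: wp-content/mu-plugins/force-https.php (added example) --- */

// Send any plain-HTTP front-end request to its https:// equivalent.
add_action('template_redirect', function () {
    if (is_ssl()) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // wp_safe_redirect refuses hosts the site does not recognise, so a forged
    // Host header cannot turn this into a redirect to a third-party site.
    wp_safe_redirect($target, 301);
    exit;
});

// HSTS: tell browsers to use HTTPS for this host from now on. Start with a short
// max-age while testing; once everything works, raise it (a year is typical).
add_action('send_headers', function () {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=300');
    }
});
```

Test the redirect first with a plain browser visit to the http:// address of a page and of /wp-login.php; both should land on https:// in one hop, and only then is it safe to lengthen the HSTS max-age, because browsers will hold visitors to HTTPS for that whole period.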

WordPress Is Secure (And You Can Make It More Secure)

WordPress is a secure CMS, but there are additional steps your company should be taking to enhance the security of your B2B website. Follow the steps listed above and read How to Securely Host Your Website, Email, and DNS to ensure you take all security measures possible.

Considering a WordPress website for your firm? Contact us today to get your questions answered.