Nati, Founder and CEO
December 22, 2020
Security is top of the list of concerns for website owners. You want to protect your company’s business data, and you need to comply with data and privacy regulations to make sure that your customers’ details aren’t breached.
This makes secure WordPress hosting a crucial issue, but there are also other steps you need to take to protect your website. We’ve already discussed the vital foundations that you need to lay to set up a secure website, but it doesn’t end there.
Building a secure WordPress hosting or self-managed site is the first and critical step in keeping your website protected from hackers and malicious actors, but maintenance is crucial too. This section discusses tips to help you to keep your WordPress site secure over the long term.
* This guide is aimed at WordPress websites hosted on a Linux server, but maybe relevant for secure WordPress hosting on Windows servers as well.
Both your core WordPress and your plugins and themes need to be kept up to date if you want secure WordPress hosting and a safe website.
WordPress developers regularly upgrade the system to improve it in different ways. They add new features, improve its stability and performance, and enhance existing feature performance in order to stay up to date with today’s standards.
Most importantly, updates also fix bugs that were found since the previous release, as well as adding proactive security fixes and improvements.
WordPress is an open-source system that is widely available online, so every security issue in older releases are well known across the internet and are easy prey for hackers who target old and out-dated software. For example, security experts Sucuri recently wrote about a security breach called XSS that was fixed by WordPress version 5.1.1. If your WordPress version is out of date, its security flaws are well known and are easier for attackers than to try and find new flaws and exploits in newer WordPress versions.
That’s why it’s so important to regularly update your site to the latest version of WordPress.
By default, WordPress automatically installs minor updates, but for major releases you must enable the Automatic Updates feature in the Systems Update menu.
Irina Strelnikova / Shutterstock
Additionally, you should never perform any changes to WordPress’ core files for your secure WordPress hosting site. Because updating WordPress usually deletes your changes, it makes you less likely to want to carry out updates, and that will directly impact your website security and lead to potential security breaches and other issues in the future.
uPress Customers: The main dashboard shows 2 toggles for automatic updates under the WordPress tab, one for the core WordPress releases and another for plugin updates. Toggle them both to “On.”
Another way to ensure secure WordPress hosting for your site is to closely monitor crucial activities that happen in the management area, both in real-time and past activity. That’s not something you can handle manually, so you’ll need a logging plugin that’ll run in the background and document every action.
When you utilize these plugins as part of your secure WordPress hosting, you’ll always be able to see which users logged on to your website, what they edited, which changes were made, what plugins were added/removed, which media files were uploaded, which configuration changes were made, and more. It helps you correct mistakes that could leave your secure WordPress hosting site vulnerable to attack, and spot suspicious behavior that could be a sign of malicious action.
To do all this, you can use the plugin ARYO Activity Log, which is available for download from the official WordPress plugin repository.
A good, trustworthy backup system is the first tool in your secure WordPress hosting arsenal against WordPress security exploits. Remember, no website is 100% secured at all times, so you need a way to fix everything if the worst should happen and your site gets hacked.
Bear in mind that government and international corporate websites are hacked into on a daily basis, so your smaller website is vulnerable too. Having an accessible backup allows you to quickly recover from a breach in your secure WordPress hosting by restoring your data from a version that is known to be secure and safe.
You can and should backup your WordPress websites in a few different places:
Use the 3-2-1 rule: Keep at least 3 copies of the data, at least on 2 locations, and at least 1 copy off-site
In August 2011, it was revealed that the popular script TimThumb was vulnerable to malicious exploits. TimThumb was and still is included in many popular WordPress plugins and themes. Within days we saw attackers using this vulnerability to their advantage, ranging from spamming WordPress sites with promotional material for other websites (SEO hijacking) to modifying PHP files that are stored on the server with random, meaningless characters at best, or even injecting other malicious code and exploits.
Most website owners didn’t realize that the script (and the malware) was running on their server and compromising their secure WordPress hosting. Some of them deactivated the problematic plugin or theme, but did not completely remove them. Deactivating the plugin or theme was meaningless and didn’t help at all, since the vulnerability remains as long as the problematic code exists on the server.
The Golden Rule for plugins and themes is if you’re not using a plugin or theme – delete it!
Most hackers tend to send “spies” to check on a website before they start an attack. These are what we call “Bad Bots.”
Bad Bots affect your website’s performance, steal your content, occupy your valuable bandwidth, badly sabotage your website statistics, and most importantly, they look for security vulnerabilities in your secure WordPress hosting.
You can find a long list of bots that have been marked as “bad” at botreports.com. If you’re using a security plugin or secure WordPress hosting service, you’re probably already blocking the bots on this list.
uPress customers: There’s a “block bad bots” toggle under the security tab in our management panel.
Your hosting service plays the most important part in securing your WordPress website, so it’s vital to find a secure WordPress hosting service.
A secure WordPress hosting company should:
As you can see, setting up a secure WordPress site using secure WordPress hosting is important, but it’s not enough to protect your website forever. Using a secure WordPress hosting service that meets certain requirements for a secure server goes a long way to helping you maintain your secure site, but you also need to take responsibility for keeping your WordPress version up to date and backed up, monitoring website activity, removing disused plugins and themes and blocking and preventing bad bots.
I hope you found this guide useful. Do you have anything to add or your own advice for securing a WordPress website? We’ll be happy to hear from you.