If you are the average website designer or developer, the word ‘security’ gives you an unshaken feeling. I know it has for me, that is until recently. I am by no means a security expert or novice. However, I want to do the very best I can for my clients and myself. I am willing to learn a little if it means I will achieve better security.
Security Technologies Can Be Baffling
But where do you start? The number of resources and initialisms in the world of IT and IS security is baffling. Here are just a few to scare you: DNS, DNSSEC, CAA, SMTP, STARTTLS, SPF, DMARC, DANE, HTTP, Cookies, SRI, TLS, PKI, CSP, HSTS, HPKP. It’s true we web designers and web developers may actually know what some of these mean and how to set them up. And if you know them all, good for you. We should all be like you. But when I look at these initialisms and try to be honest, I can’t say that I know EVERY one of them, or how to be 100% confident that what I know about setting them up is secure.
What You Need Is An Easier Way
How can we get all of this under more control? Well, no one can promise a perfect solution, but I have been very pleased with the combination of technologies I currently use to protect my WordPress based websites. I have been told that it is very important to have layers of security. So my security stack includes firewalls, antivirus, SSL, hardening and email protection. Read on to see how my stack could help you.
A WordPress Security Stack You Can Handle
1) Get Viruses and Malware Quarantined
It is important that you are regularly scanning the files on your website with an Antivirus software. On my websites, I use the free version of Wordfence. Not only does Wordfence provide basic antivirus protection but the free version includes a firewall, brute force attack protection, manual IP blocking, live traffic monitoring and other security tools.
Not adjusting the settings is not enough.
Don’t just go ahead and accept the default configuration, or worse yet, don’t just activate and forget it. Getting the settings right can really protect your website. On one website that I was having problems with, I learned just how important it is to look the settings over. With a small adjustment to the login policy I single-handedly saved the day. The website was operating at a snails pace and the client was getting angry, because it looked like we had no idea how to fix the issue. It looked like we were bad web designers. Here, the website was being attacked by hackers who were trying to gain access. By changing the login policy, to block their IPs after too many wrong password attempts, the website immediately starting working perfectly.
In addition to Wordfence, I install Jetpack and enable its “Protect” module. This is just an extra layer of protection against attackers and it does not cost a thing.
2) Keep an Audit Log
Does something look wrong on your website? Which person messed it up and when? As you can see, having a log of what’s going on can help you figure out what happened and why. I like to use the WP Security Audit Log plugin to keep track of all the nitty gritty details. Why the log does not fix or prevent problems, it will help you do both.
3) Send Your Outgoing Mail Through a Secure API Instead of SMTP
For years websites have been plagued with email sending issues. It always boils down to using SMTP to send email. Web hosts are tired of getting black-listed and have been shutting down insecure ports. Why not avoid all the crap and headaches? That’s why I setup an account with Mailgun. I use the company’s official plugin and send email over the HTTP API. Not only do I have great deliverability on my email and a log of each message, but I can keep those SMTP ports blocked and not send authentication details like passwords over the Internet, just waiting for an attack.
The Rest Of The Security Stack
Are you ready to know the rest of my security stack? Well you will have to wait. I will soon write part two of this article and I expect you to stop back and read it. Until then, you have your homework. Make sure to get your antivirus installed AND CONFIGURED, setup an audit log and then switch your email sending protocols over a secure API.
I look forward to having you back for the next article in this series.