GDPR and WordPress Security

GDPR and WordPress Security – How to Secure Your Site

Data is everywhere. Your data. My data. Your customers’ data. GDPR is here to standardise how personal data is stored and processed, and securing that data is your responsibility. If your site is compromised (what GDPR calls a “personal data breach”), you can be fined. And with one UK study reporting that around 70% of the WordPress sites it monitors have active vulnerabilities, it’s time to get serious about the data you hold and your website security.

In this article, we look at the ten key factors in WordPress security. Any questions drop a comment below or get in touch for a Free WordPress Security Audit.


A GDPR Warning Shot from ICO

Whilst most of the GDPR attention has gone on opt-in consent for email marketing data, there has been far less focus on securing customer data to avoid what the GDPR terms a personal data breach.

And it certainly seems that the Information Commissioner's Office (ICO) is serious about security: this week it fined a university £120,000 for a breach.

The breach was on a small microsite, built by a student without the university’s knowledge. The fine came a week before GDPR comes into effect, with far heavier fines promised under the new regime.

Too busy to read the whole article? Get in touch for a free WordPress security audit that details exactly what you need to do to get your security where it needs to be for GDPR compliance.


First – Some Scary Statistics

WordPress powers somewhere between 25% and 40% of the web, depending on which survey you read, and I would suggest the share is far higher among small business websites. The security firm Cyber Scanner monitors around 135,000 UK websites and currently reports that as many as 70% of the WordPress sites it tracks have active vulnerabilities.

The same study determined that the most common ways in which sites get hacked are:

  • 40% – Hosting vulnerabilities
  • 30% – Themes
  • 20% – Plugins
  • 10% – Weak passwords

The takeaway here is that if you run a small business website on the WordPress platform, there is a good chance (the study above puts it at 70%) that you are vulnerable right now. And whilst the typical approach is to contact your web designer, the fact is that most small business web design companies are not that up on security, and under GDPR the responsibility is yours!


Securing WordPress

Security has many layers. The following details the key considerations for securing your WordPress website and the data held within to ensure you demonstrate compliance.

  1. Domain Name

Your domain name is held with a registrar. This is the entry point to your site: if someone gains control of your domain, they can point it at a server they control, intercept your traffic and email, and start looking at ways to access your site. To avoid this, make sure your registrar login is secure.

Action Points:

  • Update your password
  • Limit users with access to the login details
  • Use a registrar with 2-step authentication

  2. DNS

Your DNS may be with your registrar or it may be on a third-party platform like CloudFlare. Securing your DNS is an important component of ensuring your website is secure.

Action Points:

  • Update your password
  • Limit users with access to the login details
  • Use a DNS provider with 2-step authentication

  3. Hosting

The next access point is your hosting. There are several ways in which hosting can be compromised and the key here is using a high-end and reliable host. A good host will have proactive security and will help you identify if there has been a breach (GDPR requires you to detect breaches and report them to the ICO, so detection matters).

We have seen many instances of sites being compromised because another site on the same server was hacked. This is common on cheap shared hosting, and when a developer runs a dedicated server without really knowing how to administer it securely.

Hosting is the #1 cause of compromise in the study above, so don’t scrimp here. Good hosting will also improve site speed, conversion rate, and SEO, so it helps drive more traffic and increase conversions. At Bowler Hat, we have a server in the WP Engine data centre that provides a range of additional security features for WordPress.

Areas to secure here include:

  • Control panel
  • FTP / SFTP
  • Database access


Action Points:

  • Update your passwords across all access points
  • Limit users with access to the login details
  • Disable services which are not needed (remote database access, plain FTP in favour of SFTP, etc.)
  • Use 2-step authentication for control panel access
  • Audit your hosting to ensure security best practices
  • Audit your hosting to identify any security issues related to configuration (such as directory indexing, which lets anyone browse the contents of wp-content/uploads and see which plugins are installed)

  4. CMS Access

All the security in the world won’t help if your user accounts are insecure. Ensuring your user accounts are secured is a key component of website security. Having the admin user with a password of “pa55word” or your favourite football team is not good security!

Action Points:

  • Remove any user accounts that are not needed
  • Limit the access level of all accounts (editors and authors do not need administrator rights)
  • Enforce strong passwords (use a plugin)
  • Consider moving the login page (wp-login.php) away from its default location and limiting login attempts
  • Rename the “admin” user (create a new administrator with a different name, then delete the old one); note that WordPress still reveals each user’s author slug via /?author=1 unless you block that redirect, so a renamed user is not a secret
  • Implement 2-step authentication for admin users

  5. Updates

What do WordPress, WordPress plugins, and WordPress themes all have in common? They all need to be updated to keep them secure.

A failure to update WordPress themes and plugins is the biggest single risk to your security: together they account for half of the compromises in the study above. Keeping your site up to date is simple stuff, yet neglected updates remain the most common way a WordPress site ends up hacked.

Action Points:

  • Update WordPress
  • Update themes
  • Update plugins
  • Install monitoring software to alert you when WordPress, themes, or plugins need updating

  6. Proactive Security Monitoring

Your default security process is likely inadequate. And it is all too easy to just forget to run updates or ignore that plugin that breaks your site when you update it. So, you need a system that alerts you of potential security issues with the site.

The exact approach here varies but the following are some of our favourites:

  • WordFence – Powerful plugin that monitors & reports on your site’s security
  • Sucuri Scanner – Free plugin from Sucuri that monitors the security of your site
  • Premium Hosting – Hosting services like WP Engine include a managed security environment


No matter which service you go with there is a degree of maintenance required here. You need to keep your WordPress plugins and themes up to date whilst following the security best practices outlined here.

Action Points:

  • Install a security monitoring plugin (like Sucuri Scanner)
  • Move your hosting to a WordPress specialist with managed security OR install and configure a premium security plugin like WordFence
  • Scan your site with the following tool: https://wpscans.com/

  7. SSL / HTTPS

By now I would hope that most of you have already moved to HTTPS. If not, then you should. There is a small SEO boost to be had here, but more importantly, your site is more secure because all traffic between the browser and the site is encrypted in transit. Without SSL/TLS, anything a user submits through a form travels in the clear and can be intercepted on the network: customer enquiries, contact details, and the login credentials for your own admin accounts.

Action Points:

  • Move to HTTPS
  • Implement a 301 redirect from HTTP to HTTPS
  • Ensure all internal navigation and sitemaps are updated to HTTPS

  8. Attack Surface

WordPress core is a mature, robust piece of software. Unfortunately, the same cannot be said for all themes and plugins. And with many sites using 30+ plugins, this introduces security problems, and also slows your site down through additional HTTP requests and database queries. We have seen sites with over 600 plugins; this is not best practice and is asking for trouble.

The simple fact here is that every plugin or theme installed on your site creates more potential for vulnerabilities. More attack surface. Limit the number of plugins you use and remove any themes that are not in use and you reduce the ways in which nefarious types can exploit your site. And you reduce the workload to keep your site up to date. Win-win.

Themes, in particular, get forgotten about. Plugins tend to get updated. But if you have several themes installed then remove any not in use and keep your active theme up to date (tip: wpscans.com will identify potential issues with your theme).

Action Points:

  • Audit plugins & themes
  • Remove any plugins that are not in use
  • Only use high-quality plugins that are actively maintained by the developer
  • Only use plugins you actually need
  • Remove any themes that are not in use
  • Only use high-quality supported themes
  • Keep everything up to date
  • Monitor security lists for problems with plugins *
  • Regularly scan your site for security issues


* It is not unusual for a plugin to be sold and for the new owner to push nefarious code into it through a routine update; ensure all plugins are still supported, still maintained by a reputable developer, and are not on any blacklists.
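Every plugin and theme you install also advertises itself to the outside world: WordPress links their stylesheets and scripts from /wp-content/plugins/&lt;slug&gt;/ and /wp-content/themes/&lt;slug&gt;/, usually with a ?ver= query string, and that is what scanners such as wpscans.com use to match a site against known-vulnerable versions. The following Python script is an added example written for this article (not code from the article, from Bowler Hat, or from wpscans.com) that performs that fingerprinting on a page's HTML, which is a quick way to audit the attack surface of a site you look after. The HTML at the bottom is constructed for the example, and its slugs and version numbers are made up.

```python
"""Fingerprint installed WordPress plugins/themes from a page's HTML.

Added example for the article; not from the article or any named vendor.
"""
import re

# src="..." / href='...' attribute values
ATTR_URL = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)
# /wp-content/plugins/<slug>/ or /wp-content/themes/<slug>/
COMPONENT = re.compile(r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/")
# the cache-busting ?ver= parameter wp_enqueue_* appends to asset URLs
VERSION = re.compile(r"""[?&]ver=([^&#"'\s]+)""")
# <meta name="generator" content="WordPress X.Y.Z">
GENERATOR = re.compile(r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s+([0-9.]+)""", re.I)


def fingerprint(html):
    """Return {'core': version|None, 'plugins': {slug: version|None}, 'themes': {...}}.

    A ver= value equal to the core version is discarded: components that do not
    pass their own version to wp_enqueue_script()/wp_enqueue_style() get the core
    version stamped on their assets, so it says nothing about the component itself.
    """
    found = {"core": None, "plugins": {}, "themes": {}}
    gen = GENERATOR.search(html)
    if gen:
        found["core"] = gen.group(1)
    for url in ATTR_URL.findall(html):
        comp = COMPONENT.search(url)
        if not comp:
            continue
        kind, slug = comp.group(1), comp.group(2)
        ver = VERSION.search(url)
        version = ver.group(1) if ver else None
        if version == found["core"]:
            version = None
        bucket = found[kind]
        # keep the first concrete version seen for a slug; None never overwrites a value
        if slug not in bucket or (bucket[slug] is None and version):
            bucket[slug] = version
    return found


def report(found):
    """One human-readable line per component, for checking against changelogs and advisories."""
    lines = ["WordPress core: %s" % (found["core"] or "unknown")]
    for kind in ("themes", "plugins"):
        for slug, version in sorted(found[kind].items()):
            lines.append("%s %s: %s" % (kind[:-1], slug, version or "version not exposed"))
    return lines


# Constructed page fragment for the example; slugs and versions are made up.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.9.6" />
<link rel='stylesheet' href='https://example.com/wp-content/themes/example-theme/style.css?ver=4.9.6' />
<link rel='stylesheet' href='https://example.com/wp-content/plugins/example-forms/css/styles.css?ver=5.0.2' />
<script src='https://example.com/wp-content/plugins/example-slider/js/slider.js?ver=7.1.5'></script>
<script src='https://example.com/wp-content/plugins/example-forms/js/scripts.js?ver=5.0.2'></script>
<script src='/wp-content/plugins/legacy-widget/js/main.js'></script>
"""

if __name__ == "__main__":
    for line in report(fingerprint(SAMPLE_HTML)):
        print(line)
```

On the constructed page the theme is reported without a version because its ver= value is just the core version stamp, and legacy-widget is found from its path alone. That is the point for the attack-surface audit: a plugin is enumerable from the outside even when it exposes no version, so the only way to take it off the list is to remove it.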

  9. Back-Ups & Disaster Recovery

A fundamental component of keeping WordPress secure is running updates. Yet running updates can cause problems, ranging from basic glitches to issues that stop your site loading altogether. So a backup and disaster recovery process is essential to keep your site not just secure but available. In an ideal world we like to see a staging site for testing updates; once we are happy that the updates install without issue, we make the same changes on the live site.

Additionally, if your site is compromised you will want the ability to roll back to prior to the issue and then batten down the hatches.

Action Points:

  • Daily off-site backup
  • Simple restore process
  • Implement a staging site for testing
  • Test your restore process so that it works when you need it


Note: Be careful of backup systems that simply zip up your site and database and store the zip files inside your web root. Anyone who finds one of those files (and file names such as backup.zip under wp-content are easy to guess) has a copy of your database and of wp-config.php, which holds your database credentials and secret keys. That makes a breach as simple as downloading a zip file in a web browser. Backups should be stored off-site and encrypted, and because they contain personal data they need the same GDPR care as the live site.
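Several of the action points in this article can be verified from outside the site, which is exactly how an attacker would find them: directory indexing (Hosting), the username leak that undermines renaming the admin user (CMS Access), the HTTP to HTTPS redirect (SSL / HTTPS), and the downloadable backup archives described in the note above. The following Python script is an added example written for this article, not code from Bowler Hat, WP Engine, Sucuri or WordFence. The check functions take a captured response (status, headers, body) so they run offline; fetch() and audit() are the only parts that touch the network, and the file names in BACKUP_CANDIDATES are assumed common names rather than a definitive list. Only run audit() against a site you are authorised to test.

```python
"""External exposure checks for a WordPress site.

Added example for the article, not from it. The check_* functions analyse a
captured (status, headers, body) so they can be tested offline; fetch() and
audit() wrap them for a live run against a host you are authorised to test.
"""
import re
import urllib.error
import urllib.request

# Assumed common names backup plugins leave inside the web root. Not exhaustive.
BACKUP_CANDIDATES = [
    "backup.zip", "backup.sql", "site.tar.gz", "wp-content/backup.zip",
    "wp-content/uploads/backup.zip", "wp-content/uploads/database.sql",
]
# Markers of an Apache/nginx auto-index page
DIR_LISTING = re.compile(r"<title>\s*Index of /|<h1>\s*Index of /|Parent Directory", re.I)
# /author/<slug>/ in the Location header WordPress sends for /?author=N
AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)")


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def check_https_redirect(status, headers):
    """A plain-HTTP request to the root should get a permanent redirect to https://."""
    location = _header(headers, "Location")
    if status in (301, 308) and location.lower().startswith("https://"):
        return None
    if status in (302, 307) and location.lower().startswith("https://"):
        return "HTTP->HTTPS redirect is temporary (%d); use a 301 so clients cache it" % status
    return "no HTTP->HTTPS redirect (status %d, Location=%r)" % (status, location)


def check_directory_listing(status, body):
    """Directory indexing on wp-content/uploads/ or plugins/ exposes every upload and plugin slug."""
    if status == 200 and DIR_LISTING.search(body):
        return "directory listing enabled: tree is browsable"
    return None


def check_author_enumeration(status, headers):
    """/?author=1 redirects to /author/<slug>/ by default; the slug is normally the login name."""
    m = AUTHOR_SLUG.search(_header(headers, "Location"))
    if status in (301, 302) and m:
        return "author slug %r leaked via ?author=N redirect; renaming the account alone does not hide it" % m.group(1)
    return None


def check_exposed_backup(path, status, headers):
    """A 200 with a non-HTML content type on a backup path means the archive is downloadable."""
    ctype = _header(headers, "Content-Type").lower()
    if status == 200 and not ctype.startswith("text/html"):
        return "backup archive downloadable at /%s (%s)" % (path, ctype or "unknown type")
    return None  # 404/403, or a soft-404 HTML page served with 200


def fetch(url, timeout=10):
    """GET url without following redirects; returns (status, headers dict, first 4 KiB of body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-exposure-check/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(4096).decode("utf-8", "replace")


def audit(host):
    """Run every check against a live host (e.g. 'example.com'). Returns the list of findings."""
    host = host.rstrip("/")
    findings = []
    s, h, _ = fetch("http://%s/" % host)
    findings.append(check_https_redirect(s, h))
    for d in ("wp-content/uploads/", "wp-content/plugins/"):
        s, _, b = fetch("https://%s/%s" % (host, d))
        findings.append(check_directory_listing(s, b))
    s, h, _ = fetch("https://%s/?author=1" % host)
    findings.append(check_author_enumeration(s, h))
    for p in BACKUP_CANDIDATES:
        s, h, _ = fetch("https://%s/%s" % (host, p))
        findings.append(check_exposed_backup(p, s, h))
    return [f for f in findings if f]


if __name__ == "__main__":
    import sys
    for line in audit(sys.argv[1]):
        print("FINDING:", line)
```

The backup check deliberately ignores a 200 that comes back as text/html: hosts that serve a custom "not found" page with a 200 status would otherwise produce a false positive for every candidate name. An empty list from audit() means these particular exposures were not found, not that the site is secure; it is a complement to, not a replacement for, the scanners and monitoring plugins listed earlier.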

  10. Website Firewall

Keeping your site 100% secure 100% of the time is not easy. In the day-to-day of running your business, updating that pesky plugin is not always the top of your list. This is where a firewall comes into play, providing proactive security and blocking problematic requests.

There are several firewall solutions including those provided by managed hosting services such as WP Engine to the services provided by Sucuri or through plugins like WordFence.

The right approach is the one that is right for your current situation.

Action Points:

  • Implement a website firewall for proactive security


Summary

Securing your website and customer data stored and processed by your site is a crucial element of GDPR compliance. In many cases, your website is the one platform where you are solely responsible for the storage and handling of customer data.

And whilst this can all seem like a chore, the process of securing your site comes with benefits beyond security: improved site speed, improved SEO, improved conversion rates, and, most importantly, happy customers who trust your business to look after and process their data.

Security is complicated. Lots of moving parts. But securing your website is no longer optional. Ensure you review the data you hold and process on your website for GDPR compliance and actively monitor and implement security best practices.

To find out how Bowler Hat can help manage your security whilst boosting SEO, site speed, and conversion rates – get in touch.

Marcus Miller
marcus@bowlerhat.co.uk

Marcus is our Digital Strategist. He’s been working in the industry for nearly 20 years and wears many (bowler) hats as a highly technical developer and SEO, and even has a fancy computer science degree to prove it.
