Staying up to date with security best practices on WordPress

I attended a Cloudways security bootcamp in March, and it presented a good opportunity to listen to other professionals’ experiences and reflect on our own security practices at Storyware.

When I first started making websites, I didn’t think much about security, naturally. I was too busy learning programming for the first time and discovering how to center divs.

But as I’ve gained more experience in website maintenance and as hackers have become more sophisticated every year, it’s a reality that’s impossible to ignore.

The growing threats

Here were some takeaways from the bootcamp on the growing threat of cyber attacks:

  • 72% of WordPress users experienced at least one security breach last year, according to a talk by Joel Barbara (Melapress).
  • Kathy Zant (Zantastic LLC) pointed out that 60% of small companies go out of business within 6 months of a major attack.
  • Brute force WordPress login attempts increased year over year by 120%, according to Gary Fisher of Limit Login Attempts, a popular WordPress plugin.

These statistics track with our own experience. Specifically, toward the end of 2023, we began to notice an increase in denial-of-service (DoS) attacks, in which bots are used to flood traffic to a website in order to crash the server.

These reasons are why last year we upgraded our security measures in our web offerings by integrating Sucuri’s monitoring, firewall, and off-site backup services. In addition, our preferred hosting provider Cloudways began automatically protecting all their servers with an industry-leading security suite called Imunify360.

But web security goes beyond simply placing a site behind a firewall. Here are some other takeaways from the bootcamp for day-to-day maintenance and operations.

1. Use a password manager, such as 1Password or LastPass

Every security-related decision represents a trade-off of some sort, and some people balk at the idea of storing all of their passwords in one place.

But several presenters at the bootcamp opted in favor of them, because we humans just aren’t great at thinking up safe passwords to use. At Storyware, we love 1Password. A password manager allows you to auto-generate highly random and therefore secure passwords.

They are simple to use but can greatly increase the security of web applications like WordPress sites with admin users. As Alezk Savkovic (WPPlaybook) said in his talk, most hacks are not very sophisticated, but are rather straightforward tactics that take advantage of “poor cyberhygiene,” such as weak passwords.

2. Limit login attempts

WordPress sites are particularly prone to brute force attacks, where a robot attempts thousands of logins until it guesses the correct password.

This is another straightforward hack with a straightforward solution — limit a session user’s login attempts. This comes with the Sucuri package built into our web offerings.
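To make the mechanism concrete, here is an added example of a per-IP login limiter written against WordPress's own hooks. It is not code from the post, from Sucuri, or from the Limit Login Attempts plugin; the constants `SW_MAX_ATTEMPTS` and `SW_LOCKOUT_SECONDS` and the `sw_` function names are this example's assumptions. Failed logins are counted in a transient keyed by client IP, and once the limit is hit the `authenticate` filter refuses the login even if the password is now correct.

```php
<?php
/**
 * Added example (not from the post or any plugin): a minimal per-IP
 * login attempt limiter on WordPress hooks. To try it, save it as a
 * must-use plugin under wp-content/mu-plugins/.
 */

const SW_MAX_ATTEMPTS    = 5;   // failed logins allowed before lockout (assumed value)
const SW_LOCKOUT_SECONDS = 900; // lockout length, 15 minutes (assumed value)

// Transient key for the current client IP. REMOTE_ADDR is only meaningful
// if the web server sees the real client; behind a CDN or WAF (Sucuri,
// Cloudflare, ...) use the forwarded-IP header your provider documents,
// or every visitor will share one counter.
function sw_login_limit_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'sw_login_fail_' . md5($ip);
}

// Count a failed login. Re-setting the transient on each failure slides
// the window, so a bot that keeps trying stays locked out.
add_action('wp_login_failed', function ($username): void {
    $key   = sw_login_limit_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, SW_LOCKOUT_SECONDS);
});

// Refuse logins once the limit is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20), so a WP_Error
// returned here overrides a successful password match during lockout.
add_filter('authenticate', function ($user, $username, $password) {
    $fails = (int) get_transient(sw_login_limit_key());
    if ($fails >= SW_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.',
                    SW_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(sw_login_limit_key());
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across requests without any extra storage. The lockout message deliberately does not say whether the username exists.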

3. Implement two-factor authentication

Two-factor authentication (2FA) was touted often at the bootcamp, and there are plugins that make this fairly simple in WordPress. Personally, I would avoid 2FA over text/SMS, as it is prone to SIM swapping, but I believe most WordPress solutions work by way of authenticator apps, where you receive a code on a separate device that you must enter before logging in.

I have mixed feelings about 2FA, as do most people probably. The security benefits are undeniable if done correctly, but I wish I had a dime for every time someone lost access to things because of 2FA instances tied to old devices. Using 2FA with a password manager like 1Password helps solve this problem.
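The codes an authenticator app produces are time-based one-time passwords (TOTP, RFC 6238): a shared secret, handed over as base32 in the QR code, is HMAC'd with the current 30-second time step. The following is an added example of that verification step in plain PHP; it is not code from the post or from any WordPress 2FA plugin, and the `sw_` function names are this example's own. It checks against the RFC 6238 test vector, so you can confirm it computes the same code a real app would.

```php
<?php
// Added example (not from the post or any plugin): TOTP verification as an
// authenticator-app-based WordPress 2FA plugin would perform it.

// Decode an RFC 4648 base32 string, the format authenticator apps import.
function sw_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty base32 secret');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            throw new InvalidArgumentException("invalid base32 character: $ch");
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
// "dynamic truncation" of four bytes chosen by the low nibble of the last byte.
function sw_hotp(string $secret, int $counter, int $digits = 6): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 TOTP: HOTP with the counter set to floor(unix time / step).
function sw_totp(string $secret, int $time, int $step = 30): string {
    return sw_hotp($secret, intdiv($time, $step));
}

// Accept the current step plus one step of clock drift either side, and
// compare in constant time. A real plugin must also remember the last step
// a user logged in with and reject a reused code (not shown here).
function sw_totp_verify(string $secret, string $submitted, int $time, int $step = 30): bool {
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(sw_totp($secret, $time + $drift * $step, $step), $submitted)) {
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" (base32 below),
// time 59 -> 8-digit code 94287082, so the 6-digit code is "287082".
function sw_totp_self_check(): bool {
    $secret = sw_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
    return sw_totp($secret, 59) === '287082'
        && sw_totp_verify($secret, '287082', 59 + 30)    // one step late: accepted
        && !sw_totp_verify($secret, '287082', 59 + 90);  // three steps late: rejected
}

if (PHP_SAPI === 'cli') {
    echo sw_totp_self_check() ? "TOTP self-check passed\n" : "TOTP self-check FAILED\n";
}
```

The base32 secret is the whole of what ties 2FA to a device, which is why the lost-device problem in the post is real: storing that secret (or the `otpauth://` URI from the QR code) in the password manager is what lets you re-enrol a new phone instead of being locked out.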

4. Have a website triage protocol

If you are maintaining one or more medium- to large-sized sites, you will be attacked at some point, and when that happens, it’s important to have a plan. Who is responsible for taking immediate action and what options are at their disposal?

This is part of “threat modeling” and we have our own version of it that we’ve iteratively improved over the years.

We are big believers in internal documentation, and we have a protocol in place that, at a high level, includes the following:

  • Our sites are monitored continuously by two separate web monitoring services — Uptime Robot and Sucuri — that ping the website every few minutes to check for uptime.
  • When a site goes down, we have clear steps in place for checking server CPU usage and traffic from potential spam IP addresses. Cloudways’s server health monitoring features help greatly for this. Oftentimes, blocking new, offending IPs that have not yet made their way to popular firewall blocklists solves the issue.
  • We also have steps in place to be able to enter into emergency mode with our Sucuri firewall to limit traffic more aggressively for a temporary period.
  • We can easily revert plugin updates and other code changes at a moment’s notice, due to our zero-downtime, version-controlled build system powered by Envoyer.
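The second step of that protocol, finding the IPs behind a traffic spike before they reach a firewall blocklist, is something a small script can do from the web server's access log. The following is an added example, not part of the post and not a Cloudways or Sucuri feature: it parses combined-format log lines, counts requests per client IP inside a recent time window, and flags IPs above a threshold, with a separate count of hits on `wp-login.php` and `xmlrpc.php`, the endpoints brute-force bots hammer. The sample log lines, the `sw_` names and the thresholds are constructed for the example.

```php
<?php
/**
 * Added example (not from the post): triage helper for a traffic spike.
 * Usage: php triage.php /var/log/nginx/access.log [window_minutes] [threshold]
 * With no file argument it runs on the constructed sample below.
 */

// Constructed sample in combined log format (documentation IP ranges, not real traffic).
function sw_sample_log(): string {
    return <<<'LOG'
198.51.100.23 - - [12/Mar/2024:10:14:58 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:14:59 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:09:40:00 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:15:03 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
LOG;
}

// ip, timestamp, method, path, status from a combined-format line.
const SW_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';

// Returns [ip => ['requests' => n, 'login_hits' => m]] for IPs at or above
// $threshold requests within the last $windowMinutes before $now, busiest first.
function sw_flag_ips(string $log, int $windowMinutes, int $threshold, DateTimeImmutable $now): array {
    $since     = $now->sub(new DateInterval("PT{$windowMinutes}M"));
    $counts    = [];
    $loginHits = [];

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(SW_LINE_RE, $line, $m)) {
            continue;                                   // skip malformed lines
        }
        [, $ip, $ts, , $path] = $m;
        $when = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $ts);
        if ($when === false || $when < $since || $when > $now) {
            continue;                                   // outside the window
        }
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
        if (preg_match('#^/(wp-login|xmlrpc)\.php#', $path)) {
            $loginHits[$ip] = ($loginHits[$ip] ?? 0) + 1;
        }
    }

    arsort($counts);
    $flagged = [];
    foreach ($counts as $ip => $n) {
        if ($n >= $threshold) {
            $flagged[$ip] = ['requests' => $n, 'login_hits' => $loginHits[$ip] ?? 0];
        }
    }
    return $flagged;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $fromFile  = isset($argv[1]);
    $log       = $fromFile ? file_get_contents($argv[1]) : sw_sample_log();
    $window    = (int) ($argv[2] ?? 15);
    $threshold = (int) ($argv[3] ?? 3);
    // For the sample, pin "now" just after its last line so the window is reproducible.
    $now = $fromFile
        ? new DateTimeImmutable('now', new DateTimeZone('UTC'))
        : new DateTimeImmutable('2024-03-12 10:15:05', new DateTimeZone('UTC'));

    foreach (sw_flag_ips($log, $window, $threshold, $now) as $ip => $info) {
        printf("%-16s %5d requests, %5d login/xmlrpc hits\n", $ip, $info['requests'], $info['login_hits']);
    }
}
```

On the sample with the defaults (15-minute window, threshold 3) the two bot IPs are flagged and `192.0.2.44` is not, since only one of its requests falls inside the window. A high request count alone is not proof of abuse (a CDN or corporate proxy puts many real users behind one address), which is why the login-endpoint count is reported alongside it before anything is blocked.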

Even though we have actively stayed on top of security, there is always room for improvement. Web security is not something that “ends” once you check everything off of a list. Every decision requires discernment and includes tradeoffs, so it’s always good to see what other people are doing and take time to reevaluate your processes. I hope this general overview can help others begin to consider the next step for securing their own web properties.

Matt is a full-stack engineer. He loves working on full-stack applications and making things as easy as possible for developers and users alike. Outside of web development, Matt has a love of languages and a master’s degree in Spanish.
