We are launching new websites all the time and we are always looking for a robust CMS.
WordPress is the obvious choice. Do you have grave concerns about the security of your site, since your company has a ton of visibility and could become a target for attack?
It’s interesting when a good friend asks you a question like this because it makes you reevaluate your opinions and assumptions and make darn sure you’re providing advice that will set up this person that you care about for success.
I think it would be most helpful to distill my thinking on whether or not WordPress is secure into an FAQ on the subject.
Is WordPress Secure?
The short answer is yes, but it does require a modest amount of work and education on the part of the site owner.
Keeping Core Up to Date
For WordPress to be secure, you must keep the core application up to date. The good news is that WordPress actually does much of this job automatically.
If you have the default configuration, then when the core team releases a minor version of WordPress, it will upgrade to that new minor version automatically.
Security fixes are released as minor versions.
So when a security fix is released, unless you’ve specifically configured your site to not update automatically, your site will update to the newest security fix and you will be protected from an emerging vulnerability.
To be clear, WordPress versions come with three numbers separated by dots. The current version is 4.9.4. The number to the far right is the minor version. So when that changes, your site will be automatically updated. When 4.9.5 is released, your site will automatically update. When 5.0.0 is released, it will not.
Keeping Plugins and Themes Up to Date
You will also need to keep your plugins up to date. This does not happen automatically, except in rare cases where the plugin author provides that functionality. The Wordfence security plugin updates automatically when we release a new version. Most plugins don’t. But again, we have some great news. In cases where there is a severe plugin vulnerability, the WordPress security team has the ability to force plugin security updates, and has done so in the past. They have never automatically updated a theme, but they have the ability to do that, too.
In general, though, minor vulnerabilities that a plugin author fixes are not updated on your site automatically. That is why keeping your plugins up to date is one of the most important things you need to do to keep your site secure.
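As an added example (not code from the original article, from WordPress or from Wordfence), the must-use plugin below keeps the core update behaviour described above and opts an allowlist of plugins into automatic updates. The file location, the function names and the plugin slugs are constructed placeholders; the filters and the constant are WordPress core hooks.

```php
<?php
/**
 * Added example, not part of the original article.
 * Assumed location: wp-content/mu-plugins/auto-update-policy.php
 */

// Core: keep automatic updates for x.y.Z releases (4.9.4 -> 4.9.5) ...
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
// ... and leave releases such as 5.0.0 for a manual, tested upgrade.
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: opt an allowlist into automatic updates.
function example_auto_update_plugin( $update, $item ) {
	// Constructed placeholder slugs; replace with plugins you have vetted.
	$allowlist = array( 'example-contact-form', 'example-seo-tools' );

	if ( isset( $item->slug ) && in_array( $item->slug, $allowlist, true ) ) {
		return true;
	}

	// Anything else keeps the decision WordPress already made.
	return $update;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Warn administrators if the background updater has been switched off,
// because then none of the rules above take effect.
function example_auto_update_disabled_notice() {
	if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED
		&& current_user_can( 'update_core' ) ) {
		echo '<div class="notice notice-warning"><p>Automatic updates are disabled (AUTOMATIC_UPDATER_DISABLED).</p></div>';
	}
}
add_action( 'admin_notices', 'example_auto_update_disabled_notice' );
```

Plugins outside the allowlist still need the manual updates described above.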
Protecting Yourself During the Window of Vulnerability With a Firewall
When a vulnerability does occur in a plugin or theme, there is a lag time between the vulnerability discovery and when a fix is released. We refer to this as the “window of vulnerability”. To protect yourself during this time, you need a firewall that is being actively maintained by a security team and that includes real-time updates.
The Premium version of Wordfence does exactly that. Our team works proactively to discover new attacks and to release firewall rules as soon as a new vulnerability is discovered. This protects our customers during the window of vulnerability, while the vendor works to release a fixed version of their software.
What do we do to protect your site on our Hosting servers?
We have a WordPress security & protection policy for your website.
Apart from the Server Security And Firewall:
Cpnginx Firewall Protects Your Website From Attacks.
- DDoS Layer 7 Protection: Nginx DDoS protection. Protects servers from L7 DDoS attacks.
- Slowloris DoS Protection: Controls Slowloris DDoS attacks and protects from malicious attacks.
- Range-Based Attack Protection: Protects your website against CVE-2015-1635 attacks.
- User Agent Attacks: Blocks attacks from bad user agents and bots.
- Scanner Attacks: Protects from bad scanners to avoid security leakage.
- X-XSS Protection: Protects from cross-site scripting attacks.
- X-Frame Protection: Protects your websites from clickjacking X-Frame attacks.
- SQL Injection Protection: Limits and controls SQL injection attacks.
- Referer Spam Protection: Protects your sites from referrer spam attacks.
- Symlink Attack Protection: Disables symlink access from your web server’s document roots.
Google Page Speed
Nginx with Google PageSpeed is the ultimate solution for website caching and CDN services. By default, Cpnginx provides a CDN subdomain for every Google PageSpeed domain.
Proxy Cache For Web Sites
Cpnginx provides flexible configuration and optimization tools for nginx proxy cache configurations. This cache can be managed for each subdomain and domain.
FCGI Cache for PHP-FPM
Cpnginx provides an nginx PHP cache via the PHP-FPM FastCGI cache mechanism. This gives the site out-of-the-box performance. Every cPanel user can control it from cPanel.
Sunshine Coast Web Design in conjunction with our Hosting company 360ClouNet provides our clients with the utmost and best protection for their sites.