CMSs Like WordPress Require Constant Attention to Security
CMS-based systems are not build-and-forget platforms. They require regular attention, especially from a security perspective.
I can’t tell you how many times I have had clients and potential clients state that they do not need a regular maintenance plan. The justification is that they can update all content themselves and that is why they paid for a content management system (CMS).
A properly set up CMS can indeed allow an administrator to maintain the content of a website without hiring a developer. That ease of use, however, is built on relatively complex software: core, plugins, themes, PHP and a database, each of which can have its own vulnerabilities. Attackers scan the whole internet for installs running a known-vulnerable version of any of those components, so even if nobody is targeting your site specifically, it is always under threat simply because it runs the software.
Security is Only as Good As the Last Known Threat
Security is only as good as what we know to protect against. As new holes and exploits are found, CMS software must be patched, and a site that has not been patched is still exposed to every issue discovered since its last update.
The Two Easiest Things to Do For Website Security
1. Keep your CMS updated
Systems like WordPress make updates incredibly easy. In fact, a lot of the time it can be as easy as clicking a button within the site administration area. Before any update is applied:
- Make sure you have a current backup of the site.
- Do your research to ensure that the update won’t affect the function of any other portion of your site.
- Ensure that your server meets the requirements of the software change.
You should have a developer on hand to help with updates in case incompatibilities turn up before or after the update is applied.
It is also advisable to apply updates promptly and regularly. Waiting and then applying many updates and patches at once greatly increases the chance of running into incompatibilities, and makes it much harder to tell which change caused a problem, so bringing the system up to date ends up costing far more effort.
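The three pre-update checks above (backup, find out what will change, confirm the server meets the requirements) can be scripted so they happen every time and in the right order. The script below is an added example, not code from the original post or from FatLab; it assumes a site managed with WP-CLI (`wp`), a site path in `WP_PATH`, a backup directory in `BACKUP_DIR`, and that `REQUIRED_PHP` is set from the release notes of the version you are about to install (the default of 7.4 is an assumption, not a fact from the post).

```shell
#!/bin/sh
# Pre-update checklist and update for a WP-CLI managed WordPress site.
# Added example; assumed names: WP_PATH, BACKUP_DIR, REQUIRED_PHP, and that
# WP-CLI is installed as `wp`. Nothing here comes from the original post.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
REQUIRED_PHP="${REQUIRED_PHP:-7.4}"   # assumption: take this from the target release's notes

# version_ge A B: succeed if dotted version A is >= B ("8.1.2" >= "7.4").
# Pure POSIX awk so it works the same on any host (no `sort -V` needed).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# backup_files SRC_DIR ARCHIVE: archive the whole site tree (core, wp-content,
# wp-config.php) so the install can be restored exactly as it was.
backup_files() {
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# backup_site: files plus database, timestamped, so a bad update can be rolled back.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    backup_files "$WP_PATH" "$BACKUP_DIR/files-$stamp.tar.gz"
    wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql"
}

# preflight: the checks from the post, run before anything is changed.
preflight() {
    # Server requirements: is the PHP on this host new enough for the release?
    php_ver=$(php -r 'echo PHP_VERSION;')
    if ! version_ge "$php_ver" "$REQUIRED_PHP"; then
        echo "PHP $php_ver is below the required $REQUIRED_PHP; aborting" >&2
        return 1
    fi
    # Research step: list what would change without changing it yet.
    wp --path="$WP_PATH" core check-update
    wp --path="$WP_PATH" plugin update --all --dry-run
    wp --path="$WP_PATH" theme update --all --dry-run
    # Confirm core files match the official release before updating; a
    # checksum mismatch means the install was modified (or compromised).
    wp --path="$WP_PATH" core verify-checksums
}

# apply_updates: core first (with its database migration), then plugins and
# themes, then verify checksums again so you know what you ended up with.
apply_updates() {
    wp --path="$WP_PATH" core update
    wp --path="$WP_PATH" core update-db
    wp --path="$WP_PATH" plugin update --all
    wp --path="$WP_PATH" theme update --all
    wp --path="$WP_PATH" core verify-checksums
}

# Only run the procedure when invoked as `sh update.sh run`; sourcing the file
# just defines the functions so they can be used or tested on their own.
if [ "${1:-}" = "run" ]; then
    preflight
    backup_site
    apply_updates
fi
```

Run it as `sh update.sh run` from a user that can read the site and run WP-CLI. The order matters: requirements and dry-runs first, then the backup, then the update, and a final `verify-checksums` so that any file that does not match the official release is noticed immediately rather than months later.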
2. Get a Web Application Firewall (WAF)
When this post was originally written, firewall services were almost nonexistent and you often had to pay thousands of dollars a year for an actual hardware-based firewall to sit in front of a web server. Today many services offer a real-time firewall for as low as $20/month. The services I like and have experience working with are:
All Websites We Host Utilize a Firewall (no exceptions)
FatLab will not take responsibility for a site without one of these services protecting it; the risk is simply too great. All of our hosting clients utilize a real-time firewall. I also like these services because they are not software-based (like a WordPress plugin). A plugin-based firewall only sees a request after your web server and PHP have already accepted it, so every malicious request still consumes server resources even when it is blocked, and a large enough flood of them can take the site down all the same. A network-level firewall in front of the server drops those requests before they ever reach it.
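A firewall service in front of the server only helps if the server refuses traffic that does not come through it; otherwise an attacker who learns the origin address simply bypasses the firewall. The script below is an added example, not code from the original post or from any of the firewall services; it assumes the provider publishes its IP ranges in a file you keep as `waf-ranges.txt`, and that `SITE` and `ORIGIN_IP` are your hostname and your server's public address.

```shell
#!/bin/sh
# Lock the origin down to the firewall service and check that it worked.
# Added example; assumed inputs: a ranges file (one CIDR per line, `#` for
# comments), and SITE / ORIGIN_IP for the bypass check. Not from the post.
set -eu

# ip_in_cidr IP CIDR: succeed if the IPv4 address falls inside the range.
# POSIX awk has no bitwise operators, so the prefix is compared by dividing
# both addresses by 2^(32-bits) and comparing the integer parts.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" 'BEGIN {
        split(cidr, p, "/"); net = p[1]; bits = p[2] + 0
        split(ip, a, "."); split(net, b, ".")
        ipn  = a[1] * 16777216 + a[2] * 65536 + a[3] * 256 + a[4]
        netn = b[1] * 16777216 + b[2] * 65536 + b[3] * 256 + b[4]
        shift = 2 ^ (32 - bits)
        same = (int(ipn / shift) == int(netn / shift))
        exit same ? 0 : 1
    }'
}

# render_nginx_allowlist RANGES_FILE: emit an nginx access snippet that
# accepts connections only from the firewall service's ranges. Include the
# output in the site's server block (for example via `include waf-allow.conf;`).
render_nginx_allowlist() {
    while IFS= read -r range; do
        case "$range" in ''|'#'*) continue ;; esac
        printf 'allow %s;\n' "$range"
    done < "$1"
    printf 'deny all;\n'
}

# origin_bypass_check SITE ORIGIN_IP: connect straight to the origin with the
# real Host header, skipping the firewall service entirely. A 200 here means
# the lockdown is not in place and the firewall can be bypassed.
origin_bypass_check() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
        --resolve "$1:443:$2" "https://$1/" || echo 000)
    if [ "$code" = "200" ]; then
        echo "FAIL: $1 answers directly on $2 (HTTP $code); origin is not locked down" >&2
        return 1
    fi
    echo "OK: direct request to $2 got HTTP $code"
}

# Usage: sh origin-lock.sh waf-ranges.txt example.com 203.0.113.10
if [ $# -eq 3 ]; then
    render_nginx_allowlist "$1" > waf-allow.conf
    echo "wrote waf-allow.conf; reload nginx, then re-run the bypass check"
    origin_bypass_check "$2" "$3"
fi
```

Two caveats from practice: the nginx `allow`/`deny` rules act on the connecting address, so if you also configure the real-IP module to rewrite `$remote_addr` from a header, apply the restriction at the host firewall (the same ranges as `ufw`/`iptables` rules on ports 80 and 443) instead, where it cannot be influenced by request headers. And providers change their ranges, so regenerate the allowlist from their current published list on a schedule rather than once.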
Website security has gotten easier since I originally wrote this post but no less important, in fact, just the opposite.