Our recipe for WordPress security
WordPress is a powerful and secure content management system (CMS) when used correctly. The quality and security of a WordPress-based website relies on the knowledge and approach of the developers. Castlegate IT are expert developers in WordPress and understand how to use it to build professional, robust and secure content-managed websites.
There are many things we take into consideration when securing WordPress, and these considerations evolve as WordPress, and WordPress exploits, evolve too.
Bespoke themes & plugins
Our approach with WordPress security starts at the very beginning of development. There are countless themes and plugins available for WordPress, many of them carrying hidden vulnerabilities and completely unmaintained. These are perfect targets for attackers.
When vulnerabilities are discovered in popular themes or plugins, attackers will exploit them, because the large number of websites using them increases their chances of success. By building completely bespoke websites, we’ve already protected our clients against the most common attacks.
Bespoke themes
Many off-the-shelf themes come with a wide array of customisation options and integrations with third-party plugins. All of these extra features and added complexities are rarely required and have potential security implications.
We develop bespoke themes from handcrafted HTML, CSS and JavaScript, tailored to the exact requirements of your website, with nothing else added. This simple and minimal approach means every feature is carefully tested and secured.
Bespoke plugins
With the exception of one or two carefully audited plugins, every piece of functionality in our WordPress websites is provided by our own bespoke WordPress plugins. We don’t install obsolete, poorly coded, insecure or unmaintained plugin functionality from third-party developers.
WordPress updates
Keeping WordPress up to date is the top priority for keeping a website secure. Once a vulnerability in WordPress is discovered it does not take long for attackers to begin to exploit it.
We offer two maintenance services to our clients to keep their WordPress installations updated, from yearly audits to daily notifications of updates. Each new release is analysed to determine any risk to our clients using earlier versions.
Security certificates
We recommend all our clients install an SSL security certificate on their website. A security certificate encrypts data sent between your computer and the website; this means your login credentials are sent as securely as possible.
Security certificates are no longer something you expect to see only on online banking or ecommerce websites. SSL certificates should be used whenever any sensitive information is captured by a website, which includes the password you use to edit it. A secure connection also has benefits for your search engine rankings!
Unused features
WordPress comes with many features, and our clients do not require most of them. Several of these features can be used by an attacker to gain more access to your website. We disable any potentially dangerous features that are not in use.
Security plugin
We don’t like to rely upon third-party plugins to secure our websites. Doing so puts your website in the hands of some unknown developer. Freely available security plugins include a vast array of options designed to protect users from issues that may not be relevant to our websites, and this comes at a performance cost.
Since our websites are bespoke, they also require bespoke security. Our own security tool is now installed on every website we build, and we are continually updating it against the latest threats.
Security procedures
We’ve put in place a continually evolving set of standards that all our WordPress websites follow. We carefully follow these guidelines for each project. These guidelines are built upon the common best practices for WordPress security, with our own additions and enhancements.
Related reading
Please contact us about our WordPress security services to ensure you’re getting the best level of protection for your business. If you’d like to know more about the methods and motivations behind website attacks, we’ve written a simple article entitled why websites get hacked.
For those who’d like to know the technical details behind our security efforts, we are more than happy to talk you through our internal procedures and audits. We’ve also written a technical article on securing WordPress which details many of the techniques we employ.