WordPress security – Tools and third-party services

(This is part 1 of a series on WordPress security)

Online security has been gaining a lot of attention in the media recently, and with good reason. With much of our lives now taking place online, security is something that affects all of us.

The recent ‘Sony Hack’ and the iCloud photo hack were just 2 of the many security issues in 2014.

WordPress specifically was affected, with the SoakSoak malware affecting over 100,000 sites.

With security on the top of everyone’s mind, I thought it was a good idea to list some resources for securing, hardening and locking down your WordPress installation. This guide aims to expand on some of the concepts in the “Hardening WordPress” post on WordPress.org (http://codex.wordpress.org/Hardening_WordPress) – read this first.

After all, WordPress security is worth the investment if you’ve spent the time (and money) curating and writing a blog.

Keeping things up to date

This is an obvious one, but as the Hardening WordPress guide states, “you should always keep up to date with the latest version of WordPress”. I would go even further, and say that you should always keep up to date with the latest versions of plugins and themes. The WordPress auto-updater is coming along but only works with minor point releases and doesn’t update plugins OR themes. Keep those themes and plugins up to date!

Third-party services

The next simple thing you can do to keep your WordPress site secure is sign up for some security and monitoring services. Not all of these services are free, but if your or your client’s website is a source of revenue, the small fees are well worth the investment.

I’m a big fan of Sucuri and their Malware removal tool (referral link), and it offers great peace of mind knowing that they’re monitoring my sites and are available for quick malware cleanups if needed. They send out notification emails each week letting you know the status of your site(s). Awesome.

They also have a Web Application Firewall (WAF) that’s similar to CloudFlare. I haven’t used it but it seems cool.

Secondly, VaultPress is an excellent service for backups and security monitoring. I recommend the ‘Security Bundle’ for all the clients I work with, and for $29/month, quick backup restores and monitoring are taken care of. Heck, even the $5/month plan is a great deal for their service that backs up your site code, files and database to the cloud.

CloudFlare is a free DNS and CDN service to protect your site from spammers and provide some base level of speed increase. It’s an additional layer in front of your site that will intercept some illegitimate traffic and bots.

You can configure how much or how little CloudFlare caches, and what level of DDoS and security protection you get. There are other options for restricting spam users and IPs from the CloudFlare control panel.

It’s worked pretty well for me; the only drawback is that it requires pointing your DNS at CloudFlare’s servers. This could be a deal breaker if you don’t control your DNS (or don’t know who to ask). There’s also the whole privacy issue with funnelling your traffic through CloudFlare’s infrastructure.

Website monitoring services, like New Relic, AppDynamics or even Pingdom, are also worth mentioning. Though not specifically related to security, they are great for knowing when your site goes down and what caused it (like a spike in spam traffic).

There are a whole host of other security-related services and tools out there. Which ones do you use?

Next post – Security plugins!