Written by Finn Ruijter, 16 April 2021

Our security measures for every WordPress website

Website security has been a hot topic for years. Today, data breaches and privacy violations are still prevalent in all kinds of companies and organizations. It is critical for your business, customers and the integrity of the brand to protect the website from attackers. We do a lot behind the scenes in terms of privacy and security to best protect your website.

Why we take security seriously

Almost every website collects data from visitors. This is of interest to hackers because they can use this information to commit fraud or resell data, for example. With the shift from offline to online, it is important for everyone to secure websites properly. A DDoS attack can happen to anyone. A data breach can have major, negative consequences for both businesses and users. For that reason, we take WordPress website security very seriously. But how do we address that? The right hosting is a good start.

Why our hosting is good

Professional hosting is essential for a functioning website. It ensures that a website does not fail easily and is well secured. In addition, it is important to use stable plug-ins that always work. Not all plug-ins are suitable: publicly available plug-ins are not always the most secure modules. We install and manage the right plug-ins and perform maintenance for a stable WordPress website with the best hosting.

2manydots works with professional WordPress hosts. These are optimized for high-traffic websites or sudden visitor spikes. They perform minor WordPress updates automatically, backups are made daily, and DDoS attacks are nipped in the bud. Everything revolves around good performance. Couple that with great scalability and your site is rock solid.

We can help you quickly and effectively with a WordPress website, through stable hosting and professional plugins, without using all kinds of weird add-ons. For example, we partner with WordPress host WP Engine. They offer all kinds of security solutions for your WordPress website. We list the measures.

Limiting unauthorized writes to the server

What should you do if a plug-in with vulnerable code is installed? Such a plug-in might try to write files to the server, which could be of interest to attackers. If a plug-in is abused, it can continue in a vicious cycle until a site is completely unusable. WP Engine limits writes to the server. This means that only authorized users can write files to the server, limiting the extent of the damage.

Common security problems

Some users may know that the xmlrpc.php file exists on your WordPress site to help external apps publish posts to WordPress. Unfortunately, some attackers are aware of this file and try to abuse it by making bogus POST requests to this service. That means attackers can try to hack your website with this file. Fortunately, WP Engine blocks these types of attacks. WP Engine automatically detects malicious requests that attempt to abuse xmlrpc.php files.

Database containment

The best practice when developing a WordPress website is to manage separate users for each individual WordPress site. This is a “containment strategy” that states that if one database is compromised, the others are not at risk. But managing many usernames, passwords and keys can be confusing and frustrating. WP Engine maintains separate databases and users for all sites. We maintain all security aspects of users and passwords to make it easy for you. A WP Engine site is automatically connected to the appropriate database, just like a WP Engine user portal.

Unauthorized configuration changes

Some of the most important settings on the website are managed by a limited number of configuration files. Those files should never be accessible or, worse, editable by the outside world. Who gets access to these sensitive files should be an informed choice. WP Engine protects website configuration files and uploads. Security is automatically applied at the server level.

Counteracting weak passwords

Site administrators bear responsibility for ensuring that all users on their sites use secure passwords. Ensuring that users choose secure and unique usernames and passwords can be a chore in itself. We make it easy. WP Engine requires all administrators, authors and editors to use strong passwords.

Encryption of user data

For privacy reasons, user data must be encrypted. This involves all the data that users enter or leave behind when they visit your website. For example, when filling out a form, creating a profile, posting comments or entering personal information at checkout: you are responsible for securing this data. WP Engine provides SSL certificates that provide a layer of encryption and ensure security. User data entered on your website is therefore not vulnerable.

Encryption of files

There are security risks involved in moving or sending files. If those files are not encrypted, anyone on the network who can access the files can view their contents. We provide file security. WP Engine enforces secure file transfers. We use Secure File Transfer Protocol (SFTP) for all local connections to your websites. This means that data is encrypted both when uploading and downloading content to and from the website.

Invalid login attempts

When an attacker tries to brute force a website, they repeatedly try username and password combinations until they find one that works. You might think it would take ages for this method to work, but nothing could be further from the truth. A bot using brute force methods can try thousands of combinations within seconds. WP Engine therefore blocks brute force login attempts. The system identifies when a login attempt does not come from a real user and returns an empty response.
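For site owners who want to see this traffic in their own access logs, the following added example (not from the original article and not WP Engine's detection logic) flags clients that send bursts of POST requests to xmlrpc.php or wp-login.php, covering both the XML-RPC abuse and the brute force logins described above. The log lines are constructed, and the threshold of 5 requests per 10 seconds is an assumed value to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoints watched: the XML-RPC service and the WordPress login form.
WATCHED = {"/xmlrpc.php": "xmlrpc", "/wp-login.php": "login"}
# Combined log format: ip, ident, user, [time], "METHOD path proto", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def _line(ip, sec, method, path, status):
    """Build one constructed access-log line (sample data, not a real log)."""
    return (f'{ip} - - [16/Apr/2021:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-agent"')

SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/xmlrpc.php", 200) for s in range(0, 8)]
    + [_line("198.51.100.9", s, "POST", "/wp-login.php", 200) for s in range(10, 17)]
    + [_line("192.0.2.44", s, "POST", "/wp-login.php", 302) for s in (5, 40)]
    + [_line("192.0.2.44", 41, "GET", "/xmlrpc.php", 405)]
)

def find_bursts(lines, limit=5, window=timedelta(seconds=10)):
    """Return {(ip, kind): peak_count} for clients exceeding `limit` POSTs
    to a watched endpoint within `window`. Assumes each client's lines
    appear in chronological order, as they do in a normal access log."""
    recent = defaultdict(deque)   # (ip, kind) -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # unparseable line, or not a submission
        kind = WATCHED.get(m["path"].split("?", 1)[0])
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], kind)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > limit:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

if __name__ == "__main__":
    for (ip, kind), peak in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"{ip}: {peak} {kind} POSTs within 10 s")
```
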

Countering spambots

Bots can be tricky to detect. They are automated programs designed to hit sites for a number of purposes. They may be invisible to you because these programs do not load JavaScript, including Google Analytics scripts. Some bots specifically target spam sites with additional traffic. WP Engine blocks bots that misbehave. Bad behavior is identified and blocked so you don’t have to.

Secure backups

What if your site contains a code vulnerability and it is hacked, corrupted or worse? In the event of a data breach, it’s good to know what the options are. If you do not make regular backups of the website, then the problem is often worse. WP Engine makes nightly backups of the website. You can then restore all or part of a hacked website with a single click in the user portal. This is useful not only in the case of security problems, but also in any other kind of error. In all cases, you can quickly and easily restore a website from a backup.