Yet another client’s WordPress site was hacked, this time by a disgruntled employee. The site’s owner set up an admin account for the employee, but never deleted it after firing the employee. Luckily the site had changed very little since the last backup (3 months ago) so I was able to restore it quickly, but it got me thinking about making time for WordPress security scheduling.
The Problem with Not Having a WordPress Security Schedule
Even though I stress site maintenance and go over what needs to be done, most clients do not sign up for a service contract once their site is up and running and they have received their training, opting to handle it themselves. Invariably what happens is that day-to-day work becomes more important than running updates, backing up the site or checking that files haven’t been changed. For example, after the recent security issues with Yoast’s SEO plugin I notified all of my clients to update immediately or contact me to do it for them. Despite that, two clients with websites critical to their business were not updated until I was asked to make some other changes to their sites just this week. These clients are on their sites constantly throughout the day, either processing orders or blogging, but the updates didn’t get done.
My Tips for WordPress Security Scheduling
If their sites had been compromised their businesses would be non-existent, but both clients still insist they can handle their security schedule themselves, so I sent them the following steps I follow when doing security for client websites.
- Consistently run an off-site backup. For people who blog daily I recommend an automatic database backup every 3 days. Most clients decide on a 7, 14 or 30 day backup set. The system I use puts a compressed backup copy in a backup folder on the site and either emails me a copy or puts it in cloud storage like Box.net. The off-site copy is the one that matters: a backup that lives only on the server is lost with the server, and a backup folder under the web root is itself a target, so make sure it is not readable by URL (a downloadable database dump hands out every password hash and every draft). Site files should be backed up at least every 30 days; I prefer every two weeks.
- Use an app to detect file changes. The app I use for myself and clients runs its check weekly and I check each report that comes in. When you update plugins, themes, or post new blogs with images those changes are going to show up on the report. More important are changes you did not make: edits to core files, changes to plugin or theme files you have not updated, or new PHP files appearing where only uploads belong (wp-content/uploads is the classic place for a dropped web shell). Those are the signs that your site has been hacked.
- Implement brute force protection. A brute force attack is a hacker trying password after password against your login form, usually with an automated tool (occasionally by hand). Brute force protection will lock out an IP address that has more than a certain number of failed login attempts. These reports should be reviewed as well. Occasionally I use them to block IP address blocks or even countries if the problem is big enough (.ru addresses I’m looking at you). Lockouts raise the attacker’s cost but will not stop a botnet that spreads its guesses across thousands of addresses, so pair them with strong, unique passwords (and two-factor authentication if you can), and delete accounts that are no longer needed, which is exactly what the story above was missing.
- Review your site to make sure it is working. Daily. A quick go-through is all that is needed and will also trigger any scheduled posts if necessary, because WordPress runs its scheduled tasks when someone loads a page, so a site nobody visits may not publish them on time.
- Monthly, review any contact forms and apps to make sure they are working. Sometimes an update will break functionality on your site. Sometimes your hosting provider will make changes that mean things don’t work anymore. You should occasionally check that your contact forms, newsletter email form, event listings, etc. are all working correctly. Note: This may seem like overkill, but I’ve worked on contact forms that we determined weren’t working for over a year before anyone noticed. The form broke when the host updated their servers.
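The backup and retention steps above, as an added example in the form of a cron-able shell script. This is not the backup plugin the post refers to; it is a plain mysqldump plus tar approach written for this article. The site path, backup directory and the "keep current plus one previous" retention (2 copies) are assumptions, and `wp_config_value` assumes the usual `define( 'DB_NAME', '...' );` lines in wp-config.php with no quote characters inside the values. The off-site step (email, Box, rsync to another machine) is left to you; the point of the script is that the dump never sits only on the server and old copies are pruned.

```shell
#!/bin/sh
# Added example: WordPress database + file backup with simple retention.
# Assumes GNU/BSD userland with find, tar, gzip and mysqldump installed.

# Pull a define('KEY', 'value') line out of wp-config.php.
# Limitation: values containing a quote character are not handled.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Keep only the newest $3 files matching glob $2 in directory $1.
# Timestamped names sort chronologically, so the oldest come first.
rotate_backups() {
    dir=$1; pattern=$2; keep=$3
    total=$(find "$dir" -maxdepth 1 -name "$pattern" | wc -l)
    drop=$(( total - keep ))
    [ "$drop" -gt 0 ] || return 0
    find "$dir" -maxdepth 1 -name "$pattern" | sort | head -n "$drop" | while IFS= read -r old; do
        rm -f "$old"
    done
}

# Dump the database named in wp-config.php to $2/db-<name>-<stamp>.sql.gz.
# The password goes through MYSQL_PWD, not the command line, so it is not
# visible to every user on the box via ps.
wp_db_backup() {
    site=$1; dest=$2; keep=${3:-2}
    cfg="$site/wp-config.php"
    name=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/db-$name-$stamp.sql.gz"
    mkdir -p "$dest"
    # Dump to a temp file first so a failed dump never becomes a "backup".
    if ! MYSQL_PWD="$pass" mysqldump --single-transaction --quick -h "$host" -u "$user" "$name" > "$out.tmp"; then
        rm -f "$out.tmp"; return 1
    fi
    gzip -c "$out.tmp" > "$out" && rm -f "$out.tmp"
    rotate_backups "$dest" "db-$name-*.sql.gz" "$keep"
    echo "$out"
}

# Tar the whole site directory. $dest must be outside $site or tar recurses into it.
wp_files_backup() {
    site=$1; dest=$2; keep=${3:-2}
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/files-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$out" -C "$site" . || { rm -f "$out"; return 1; }
    rotate_backups "$dest" 'files-*.tar.gz' "$keep"
    echo "$out"
}

# Usage: sh wp-backup.sh run /var/www/site /var/backups/site [keep]
case "${1:-}" in
    run) wp_db_backup "$2" "$3" "${4:-2}" && wp_files_backup "$2" "$3" "${4:-2}" ;;
esac
```

Schedule the database dump every few days and the file tarball every two weeks from cron, and have a second job (rsync, rclone, or the emailed copy) move the newest files off the server; a dump you can only reach through the compromised machine is not a backup you can count on.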
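The brute force review described above, as an added example that is not from the post or from any particular plugin: a script that reads a standard Apache/Nginx combined-format access log, counts failed POSTs to wp-login.php per IP, and emits an Apache 2.4 block for the addresses over a threshold. It relies on one real WordPress behaviour, that a failed login returns the form again with HTTP 200 while a successful one is a 302 redirect. The sample log lines are constructed for this example (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges), and the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example: spot login brute-forcing in an access log and block the offenders.

# Print "<count> <ip>" for every IP with at least $2 failed logins in log $1.
# Combined log format: $1 ip, $6 "METHOD, $7 path, $9 status.
failed_login_counts() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Apache 2.4 .htaccess fragment that keeps the site public but denies the given IPs.
htaccess_deny() {
    echo "<RequireAll>"
    echo "    Require all granted"
    for ip in "$@"; do echo "    Require not ip $ip"; done
    echo "</RequireAll>"
}

# Constructed sample log: one tool hammering the form, one user with two typos
# then a successful login, one browser visit with a successful login.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2015:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "python-requests/2.5.0"
203.0.113.7 - - [10/Mar/2015:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "python-requests/2.5.0"
198.51.100.4 - - [10/Mar/2015:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "python-requests/2.5.0"
203.0.113.7 - - [10/Mar/2015:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "python-requests/2.5.0"
192.0.2.10 - - [10/Mar/2015:03:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:03:12:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:03:12:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "python-requests/2.5.0"
192.0.2.10 - - [10/Mar/2015:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:03:12:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "python-requests/2.5.0"
198.51.100.4 - - [10/Mar/2015:03:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Report, then build the deny block from the flagged IPs (word-split on purpose).
failed_login_counts "$SAMPLE_LOG" 5
flagged=$(failed_login_counts "$SAMPLE_LOG" 5 | awk '{ print $2 }')
[ -n "$flagged" ] && htaccess_deny $flagged
```

With the threshold at 5 only 203.0.113.7 is reported; at 2 the legitimate user who mistyped twice would be caught as well, which is why the post's advice to review these reports before permanently blacklisting anything matters. Two caveats: a botnet spreads its attempts across many addresses so that no single one trips the threshold, and login attempts also arrive through xmlrpc.php, so a report that only watches wp-login.php can miss a lot.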
Translating this to a to-do list, this is my routine for clients:
- Check site: front end click through 3-4 pages to make sure it is working.
- Run any updates.
- Check brute force logs (emailed to me) and add IPs to the permanent blacklist if needed.
- If you have ecommerce, check your orders to make sure you are getting your email notifications.
- Watch for the weekly database backup in email:
  - Store it if received (I only store current + 1 previous backup).
  - Manually run the backup if it is not received.
- Watch for the file change report:
  - Review it for unusual changes if it comes in.
  - Manually run the report and check its settings if it doesn’t come in.
- Back up site files to an off-site location (Box.net or my hard drive).
- Test apps, contact forms and store checkout processes to make sure they are working correctly.
While I’m focusing on WordPress security scheduling in this article, all of these are just as necessary for static sites or sites using other content management systems. As the site owner, if you (or an employee) can’t set aside the time for security, I’d highly recommend outsourcing it. Following a security schedule won’t guarantee that your site won’t get hacked, but it will ensure that if something does happen you know about it immediately and the site can be restored without much downtime.