Security Weekly

How to Automate WordPress Security for Care Plans

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 19

In the previous two issues of Security Weekly we’ve talked about the importance of WordPress maintenance plans and why the essential maintenance and security plan has to come with every professionally built WordPress website.

To make this sustainable for the agency, such maintenance and security plans have to be automated as much as possible. Let’s explore some of the ways an agency could automate WordPress maintenance & security tasks.

Patching security vulnerabilities automatically

The most important thing when it comes to WordPress maintenance is to keep the software updated and install security fixes before the hackers get to exploit them. You’re in luck, because most plugin developers release fixes before the vulnerabilities are made public.

If you know which versions of WordPress core, plugins and themes are vulnerable, it’s possible to set up a selective auto-update mechanism that executes as soon as a fix has been released.

Unfortunately, there’s always a risk that an update may break something on the website, but that risk is a lot more tolerable when the outcome of not updating may be a website taken over by a hacker.
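One way to wire up such a selective auto-update, as an added example (not code from the original article or from Patchstack): a must-use plugin that uses WordPress core's `auto_update_plugin` filter to force an update only when the installed version is known-vulnerable and the offered release contains the fix. The `example_*` function names, the plugin slugs and the version data are constructed for illustration.

```php
<?php
/**
 * Plugin Name: Selective security auto-updates (added example)
 * Place in wp-content/mu-plugins/. All example_* names are hypothetical.
 */

// Constructed sample data: slug => list of [affected up to, fixed in].
// Replace with whatever vulnerability data source the agency uses.
function example_vuln_feed() {
    return array(
        'example-forms'   => array( array( '2.4.1', '2.4.2' ) ),
        'example-gallery' => array( array( '1.9.0', '1.9.3' ) ),
    );
}

// True only if the installed version is affected AND the offered release
// contains the fix, so ordinary feature updates are left alone.
function example_needs_security_update( $slug, $installed, $offered, $feed ) {
    if ( empty( $feed[ $slug ] ) ) {
        return false;
    }
    foreach ( $feed[ $slug ] as $range ) {
        list( $affected_up_to, $fixed_in ) = $range;
        if ( version_compare( $installed, $affected_up_to, '<=' )
            && version_compare( $offered, $fixed_in, '>=' ) ) {
            return true;
        }
    }
    return false;
}

if ( function_exists( 'add_filter' ) ) {
    // Core asks this filter, per plugin, whether to auto-update it.
    add_filter( 'auto_update_plugin', function ( $update, $item ) {
        if ( empty( $item->slug ) || empty( $item->plugin ) || empty( $item->new_version ) ) {
            return $update;
        }
        if ( ! function_exists( 'get_plugins' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        $plugins   = get_plugins();
        $installed = isset( $plugins[ $item->plugin ]['Version'] ) ? $plugins[ $item->plugin ]['Version'] : '';
        if ( '' !== $installed
            && example_needs_security_update( $item->slug, $installed, $item->new_version, example_vuln_feed() ) ) {
            return true; // security fix available: update now
        }
        return $update; // otherwise keep the site's normal setting
    }, 10, 2 );
}
```

Because the decision function is separate from the hook, it can be unit-tested against a staging inventory before the filter is enabled on customer sites.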

In case you didn’t know, you can both monitor vulnerabilities and set up auto-updates for security fixes with the free Patchstack community plan (you can set it up for up to 10 sites for free).

Mitigating security vulnerabilities automatically

Unfortunately, around 30% of security vulnerabilities found in WordPress plugins and themes are not getting fixed by the developers in time. In such situations, hackers have the ideal opportunity to exploit a vulnerability before anyone can update.

If it’s a vulnerability that is known, the best way to mitigate it is by deploying a virtual patch. Virtual patches are highly precise security rules crafted for specific security vulnerabilities. They intercept requests inside the website and block malicious actions against the specific vulnerable functions.

Virtual patching relies heavily on exceptional vulnerability intelligence, but it makes it possible to address new security vulnerabilities in the fastest possible way without any risk of breaking the site as it does not change any code.
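A sketch of what a vulnerability-specific rule can look like, as an added example (it is not from the original article and does not show how Patchstack's vPatch rules are implemented). It assumes a hypothetical plugin `example-forms` whose AJAX action `example_forms_save_settings` lacks a capability check; the rule runs before the plugin's own handler and blocks only that action for callers without `manage_options`.

```php
<?php
/**
 * Plugin Name: Virtual patch for example-forms (added example)
 * Place in wp-content/mu-plugins/. The plugin, its AJAX action and the
 * example_* function names are hypothetical.
 */

// Pure rule: true when this request must be blocked.
function example_vpatch_should_block( $action, $user_can_manage ) {
    if ( 'example_forms_save_settings' !== $action ) {
        return false; // scoped to the one vulnerable entry point
    }
    return ! $user_can_manage;
}

function example_vpatch_guard() {
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( example_vpatch_should_block( $action, current_user_can( 'manage_options' ) ) ) {
        // Log the block so it can be reported back to the customer.
        error_log( sprintf(
            'vpatch example-forms: blocked "%s" from %s',
            $action,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}

if ( function_exists( 'add_action' ) ) {
    // Priority 0 runs before the plugin's handler (default priority 10),
    // for both logged-in and anonymous callers. The plugin's code is untouched.
    add_action( 'wp_ajax_example_forms_save_settings', 'example_vpatch_guard', 0 );
    add_action( 'wp_ajax_nopriv_example_forms_save_settings', 'example_vpatch_guard', 0 );
}
```

The rule should be removed once the site runs a fixed plugin version, so it does not linger as undocumented behaviour.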

While most vulnerabilities that become mass-exploited are publicly known issues, there are also some cases where vulnerabilities are exploited before anyone knows about them – these are called zero-day / 0-day vulnerabilities. There is no silver bullet to mitigate zero-days that are unknown, but applying a general purpose WAF such as Cloudflare may be helpful in some of the simple cases.

Host the site on a managed WordPress host

Great managed WordPress hosts take care of the infrastructure updates & patch lower level security vulnerabilities which you can’t. Some of them also come with network & server level firewalls and have proper server configurations done for WordPress.

Most importantly, look for managed WordPress hosts that offer regular server-level backups and malware scanning (that also scans backups). Knowing when security has failed and having clean backups ready can significantly reduce downtime and the cost of recovering from a breach.

Restrict WordPress admin access

If you include the security & maintenance plan with all websites by default (I hope you do), then in most cases customers don’t need admin access. Admin accounts should not be used for everyday content editing.

For any privileged accounts, make 2FA mandatory by default. While you cover the security & maintenance of the customer website, a single user with a re-used, leaked username and password (especially an admin) can make all the work you’ve put into security mean nothing. Don’t take that risk.

If you really want the WordPress ecosystem to become more secure, then the least you could do is avoid giving out admin access to users and make 2FA mandatory (especially when they demand admin access).

Conclusion

Let’s be honest, the most essential maintenance requirements are entirely connected to security. The great thing is that the three most critical security aspects (vulnerability management & mitigation, backups and malware scanning, and access management) can be automated.

As an agency, you need tools that give you an overview of all sites and make it possible for you to report back to the customer, letting them know what has been done and how they are being kept safe.

Safety is the base need – once that is covered, you can improve performance and offer other services which can move the customer to a higher tier maintenance plan.
