In the previous two issues of Security Weekly we talked about the importance of WordPress maintenance plans and why an essential maintenance and security plan has to come with every professionally built WordPress website.
To make this sustainable for the agency, such a maintenance and security plan has to be automated as much as possible. Let’s explore some of the ways an agency could automate WordPress maintenance and security tasks.
Patching security vulnerabilities automatically
The most important thing when it comes to WordPress maintenance is to keep the software updated and install security fixes before the hackers get to exploit them. You’re in luck, because most plugin developers release fixes before the vulnerabilities are made public.
If you know which versions of WordPress core, plugins and themes are vulnerable, it’s possible to set up a selective auto-update mechanism that runs as soon as a fix has been released.
Unfortunately, there’s always a risk that an update may break something on the website, but the risk becomes a lot more tolerable when the alternative is leaving a known vulnerability open and having the website taken over by a hacker.
In case you didn’t know, you can both monitor vulnerabilities and set up auto-updates for security fixes with the free Patchstack community plan (you can set it up for up to 10 sites for free).
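Here is how the selective auto-update idea could be wired into WordPress itself, as an added example that is not from the original post or from Patchstack: a small must-use plugin hooks core’s `auto_update_plugin` filter and only forces an update when the installed version of a plugin appears in a vulnerability list and the offered release is past the fix. The vulnerability list, plugin slugs and version numbers below are constructed placeholders, not real advisories.

```php
<?php
/**
 * Added example (not from the original post): selective security auto-updates.
 * Only plugins whose installed version is listed as vulnerable are forced to
 * update; every other plugin keeps the site's default update policy.
 */

// Constructed feed: plugin slug => last version still affected (placeholder data).
// In practice this would come from a vulnerability intelligence source.
function swk_known_vulnerable_versions() {
    return array(
        'example-contact-form' => '2.3.1', // hypothetical: versions <= 2.3.1 affected
        'example-gallery'      => '1.0.9', // hypothetical
    );
}

// Force an update only when the site runs an affected version AND the offered
// release is newer than the last affected one (i.e. the fix has shipped).
function swk_should_force_update( $slug, $installed, $offered ) {
    $affected = swk_known_vulnerable_versions();
    if ( ! isset( $affected[ $slug ] ) ) {
        return false; // not in the feed: leave the default decision alone
    }
    $last_bad = $affected[ $slug ];
    return version_compare( $installed, $last_bad, '<=' )
        && version_compare( $offered, $last_bad, '>' );
}

// $update is core's default decision; $item is the update offer (slug, plugin file, new_version).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( empty( $item->slug ) || empty( $item->plugin ) || empty( $item->new_version ) ) {
        return $update;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Read the installed version from the plugin header on disk.
    $data      = get_plugin_data( WP_PLUGIN_DIR . '/' . $item->plugin, false, false );
    $installed = isset( $data['Version'] ) ? $data['Version'] : '';

    if ( swk_should_force_update( $item->slug, $installed, $item->new_version ) ) {
        return true; // known-vulnerable and a fix is available: update now
    }
    return $update; // otherwise keep the site's normal policy
}, 10, 2 );
```

Dropped into `wp-content/mu-plugins/`, this runs on every update check; the same pattern applies to the `auto_update_theme` filter for themes.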
Mitigating security vulnerabilities automatically
Unfortunately, around 30% of security vulnerabilities found in WordPress plugins and themes are not fixed by the developers in time. In such situations, hackers have the ideal opportunity to exploit a vulnerability before anyone can update.
If it’s a vulnerability that is known, the best way to mitigate it is by deploying a virtual patch. Virtual patches are highly precise security rules crafted for specific security vulnerabilities. They intercept requests inside the website and block malicious actions against the specific vulnerable functions.
Virtual patching relies heavily on exceptional vulnerability intelligence, but it makes it possible to address new security vulnerabilities in the fastest possible way without any risk of breaking the site as it does not change any code.
While most vulnerabilities that become mass-exploited are publicly known issues, there are also cases where vulnerabilities are exploited before anyone knows about them – these are called zero-day / 0-day vulnerabilities. There is no silver bullet to mitigate unknown zero-days, but applying a general-purpose WAF such as Cloudflare may help in some of the simpler cases.
Host the site on a managed WordPress host
Great managed WordPress hosts take care of infrastructure updates and patch lower-level security vulnerabilities which you can’t. Some of them also come with network- and server-level firewalls and have proper server configurations done for WordPress.
Most importantly, look for a managed WordPress host that offers regular server-level backups and malware scanning (one that also scans the backups). Knowing when security has failed and having clean backups ready can significantly reduce downtime and the cost of recovering from a breach.
Restrict WordPress admin access
If you include the security & maintenance plan with all websites by default (I hope you do), then in most cases customers don’t need admin access. Admin accounts should not be used for everyday content editing.
For any privileged accounts, make 2FA mandatory by default. While you cover the security & maintenance of the customer website, a single user with a re-used, leaked username and password (especially an admin) can make all the work you’ve put into security mean nothing. Don’t take that risk.
If you really want the WordPress ecosystem to become more secure, then the least you can do is avoid handing out admin access to users and make 2FA mandatory (especially when they demand admin access).
Conclusion
Let’s be honest, the most essential maintenance requirements are entirely connected to security. The great thing is that the three most critical security aspects: vulnerability management & mitigation, backups and malware scanning, and access management can be automated.
As an agency, you need tools that give you an overview of all sites and make it possible to report back to the customer, letting them know what has been done and how they are being kept safe.
Safety is the base need – once that is covered, you can improve performance and offer other services which can move the customer to a higher tier maintenance plan.
Join the Conversation!
There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!