Security September Series
- Why Is WordPress Website Security Important?
- WordPress Admin Area Security Best Practices
- 5 Best WordPress Security Plugins and Solutions
- All You Need to Know About WordPress Security Keys and Salts
- Scanning Your WordPress Websites for Security Vulnerabilities
- Securing WordPress Websites Against Brute Force Attacks
- How to Secure and Optimize WordPress Database?
- Is Removing the Fact That You Use WordPress Helpful?
- WordPress Hosting Related Security Measures
- The Complete Beginner’s Guide to Fix Hacked WordPress Websites
- Addressing the WordPress Is Not Secure by Default Argument
- WordPress Backup Plugins to the Rescue of Hacked Websites
- Detecting and Removing Backdoors From a Hacked WP Website
- What to Expect from a WordPress Security Solution/Provider
- Is the Free SSL Certificate from Let’s Encrypt Safe?
There are so many WordPress security solutions and security providers in the market that one has to struggle hard to find and settle on one. There are a lot of things that a security solution or a provider should take care of. This post is about what users need from a security solution and what they are ready to pay for. I am writing this post with three kinds of people in mind.
- The USER: If you want someone else to take care of your site’s security, you should read this post to find out about what to expect from your security solution and provider.
- The FREELANCER: If you develop WP websites and don’t take on your clients’ security work, you are leaving money on the table. You are adding less value than you could. Read this post to find out how.
- The SECURITY GEEK: If you pay your bills by helping secure WP websites, i.e. you are a security solution provider, then you should read this post from a business point of view to find out what you are not providing to your users, and what they expect you to provide.
Even if your site is not very prominent or highly ranked, it can still be on a hacker’s hit list. In fact, hackers target small sites more often because they normally don’t take measures to prevent such attacks. It’s quite possible that some automated program is trying to hack your site while you read this post, and that you are unaware of it.
If your website is important to you, you need a security strategy. You need to spend more time on what you do best and let the security consultants and geeks handle your site security. Let’s say that you have figured it out; you know the worth of your site, and now you are looking to hire a security provider. This post will prepare you for what to expect.
So, you are a freelancer. You develop websites, or maybe you are a super admin who manages websites for clients, takes care of updates and everything else. You, my friend, need to know that every project has the potential to go big. Every single time clients spend money on having you build a website for them, they need that website for good. They do NOT want to lose it or their online data by getting hacked.
This means that you need to pitch them a security consultancy gig. Yes, you heard it right. You need to read this post to find out what your clients need from a security solution provider, and then you need to partner up with a security geek and act as a relay. Work out a per-client partnership with them. This way you get paid more, but more importantly, you add more value. Your clients stick with you, and we all love the repeat work from good clients — don’t we?
The SECURITY GEEK
You make your living by providing security services to WordPress website owners. You most definitely know more than I do as far as the topic of “Security” is concerned. But the fact of the matter is, I have some business advice for you. I have been working with WordPress for about ten years now. I have built several WP products, some of which got acquired, some did pretty well and others didn’t.
Most often when I ask WordPress users about their security plan, I get answers like: “Yes! I have a very strong username and password.” This approach may work as far as brute force attacks are concerned, but there’s more to be done here. To handle every minor to major vulnerability, users require a rock-solid security strategy and someone who monitors their site 24/7. You need to build that security strategy. You need to know what to offer your users and what they need from you as a security partner. You also need to reach out to the freelancers and help them sell more of your services. That’s what this post is about.
Let’s Take a Look at It
In this post, I will discuss different types of security strategies which can be employed to secure a website. Then you will learn what to expect from a WordPress security provider company, what to offer your clients if you are a freelancer, and what should be part of your security strategy if you are a security provider.
WordPress Security Strategy
Every WordPress site must devise a well-constructed security strategy including preventive measures like regular backups, scanning files for malware, monitoring file changes, DDoS attack mitigation and spam-fighting mechanisms. The way I see it, there are three types of security strategies.
Free security is the first step towards securing a WordPress website. It involves utilizing security plugins to secure the site better. It is the solution which most WordPress users employ. However, it is not necessarily the most effective one. This solution might cost you zero dollars, except the time which you spend while configuring the security plugins.
Since this solution involves the use of free security plugins, you cannot count too much on them. Why? Because free plugins are accessible to everyone (even the hackers). So even popular plugins like iThemes Security, Wordfence Security, WP Limit Login Attempts, etc. can themselves turn out to be vulnerable, not necessarily through negligence but through ordinary human error as well.
What’s in It for You?
- The USER: You need basic preventive measures. Free solutions like the plugins that I mentioned can provide enough security. Make sure the security partner you hire is using one of the plugins recommended throughout this series.
- The FREELANCER: You can start providing a very basic security maintenance package simply by using iThemes Security. Buy a developer license of iThemes Security, which costs $150 and helps secure an unlimited number of websites for your clients. But my recommendation would be to find a security geek and partner up.
- The SECURITY GEEK: As I mentioned earlier, there’s a need for a security partner. You can build up a service and sell it like a product: a simple security maintenance service that costs a fixed amount on a monthly or yearly basis. Monthly recurring revenue is better than big consultation gigs.
All websites are prone to getting hacked regardless of what you do. An in-house security setup is what we are used to seeing at huge sites like The Next Web and Mashable, where they hire an in-house security team or a security solution to help fight against such hacks. This ensures a timely response in case of a security breach. Such sites handle large spikes of traffic every month, so they can’t afford to have their site go down even for a few seconds. In-house security services are the best-fit solution for them.
What’s in It for You?
- The USER: You most definitely can use something like that. But it will cost you a good deal of money. If you don’t have that, then I suggest you set the right expectations.
- The FREELANCER: Can you provide a service where you can help several businesses as their in-house security consultant? Yes, you can. What you need to do is prepare yourself. Find the best security solutions and partner up with a Security Geek.
- The SECURITY GEEK: There’s more where this came from. You can build a strongly opinionated security workflow, which can help you automate the security checks based on your personal skill set as well as the security tools. Most freelancers who want to partner up with you do not want to deal with security mumbo jumbo. Provide them a one-window solution to all of it and act as their in-house security solution. There’s more money in this.
In a vendor-based security solution, you seek services from one or more security providers. Sucuri, SiteLock, CodeGuard, and VaultPress are a few trusted names in this domain. You should look for specialized security services. These companies have developed intelligent software for malware scanning and monitoring systems to best serve their customers. This is the most recommended option on the list.
What’s in It for You?
- The USER: If you are a high-end tech user, you might be able to fend off hacks by using a security vendor like the ones I mentioned above. Yes, it’s going to be a bit of a hassle, you’ll have to communicate, and you’ll have to know a thing or two about security. But if you do have time, you are a bit short on budget, and you trust yourself enough, you can try and check these solutions out. I have personally tried all of these, but I am a developer. It’s up to you.
- The FREELANCER: These are the companies which you might want to partner up with as your security partners. You can act as a relay between them and your customer and earn both extra monthly income and customer loyalty (which translates into word of mouth).
- The SECURITY GEEK: You are a top-notch security consultant. Yes, you know these services exist, but you only work with a select few clients, you charge them a premium — which is quite worth it for them but you end up saying no to a lot of startups and small-to-medium clients because they cannot afford your services. You’re leaving money on the table by not utilizing these vendors. Build an automation workflow, reduce your rate by 50% and let in small and medium clients where 90% of their security work is handled through these vendors and they get 10% extra care by paying you your worth at the same time.
What to Look for in a Security Provider?
Before you choose a security provider, you should know how to choose the right one. The remainder of this post delves into the things one should look for in a security provider.
This is the most important skill set. The company in question should know their stuff. They should have a team of people well-versed in technical matters.
There ought to be teams focused on inspecting, detecting and fixing security vulnerabilities in websites, with the technical expertise to fix recently discovered security loopholes, whether in plugins or elsewhere. The more experienced they are, the faster they will be able to release patches for discovered issues. Some providers like Sucuri selectively block exploitation of unpatched security vulnerabilities at their website firewall.
- The USER: Take a look at your potential security partner’s blog. It will tell you a lot about how serious they are and whether they know what they are talking about. Take a look at their newsletter archive: do they inform their clients about the latest important security workarounds?
- The FREELANCER: If you do not write about your service, no one will really care. If you know something, why are you not writing about it? Writing about it helps you build an audience. That audience converts into potential clients.
- The SECURITY GEEK: You need to be a thought leader. You need to pick a particularly small niche inside or outside security circles and master it. You need to be THE security provider in your niche. The more you write about it, the more authority you can attract. Get your freelance-dev partners and clients to talk about the level of expertise you have. Get them to make video testimonials about how you have helped save their website. If you are not doing this, hire someone to do this for you.
A credible security provider should take regular off-site backups of the database and server files. Why? Because despite your best efforts, sometimes a hack cannot be prevented. Sometimes a plugin or theme introduces a security loophole for hackers to exploit. Other times, hacks take place at the server level. The security provider must take regular snapshots of the entire WordPress installation (core files and database) to an off-site server (not the same server where your site is hosted).
The integrity of files and database is as important as the backup itself, so part of their strategy must include separating tampered data from trusted data.
Can’t Get Away With It
- The USER: Seriously, this should be a prime factor in your decision. If your security partner is not providing you with a one click/request backup and restore solution, you should drop them right there.
- The FREELANCER: Backups are important. Back in the day when BackupBuddy was a new plugin, it was everything I needed. Most of my clients needed me to keep up with their sites, and having to deal with the hosting companies’ backups was a mess. Now there are so many solutions to backup, restore, clone, and even stage a WordPress website. If you are not going to provide your clients with this service, you potentially stand to lose thousands of dollars in revenue every single year. Just do it. Figure it out. Read my post about WP Backup solutions.
- The SECURITY GEEK: I know you are well versed in everything that has to do with web security, but you should be careful while working on a backup solution. In my humble opinion, you should not spend a lot of time on this one. For every project you handle, you need a rock-solid one-click backup, restore, clone, and stage solution. Go ahead and partner up with one of your favorite solutions and get yourself a custom offer. Do security, but let the folks — who have built complete backup solutions — handle the backups for you.
Quick Alerts With SMS and Email
A security provider should provide you with quick and timely alerts: a feature that notifies you of available updates, failed logins, file changes and any suspicious activity taking place on the server, as well as client reports of what’s going on, on a weekly to monthly basis. It should be possible to receive notifications on the phone as well as through email, so that in case there is a bigger threat, you know about it right away.
Icing on the Top
- The USER: If you are using a free security solution, make sure you get updates about file changes, logs, etc., so that you can keep tabs on your site’s security. But if you are partnering up with a security consultant or geek, you should expect to be notified only in the form of client reports — filled with the updates related to your site’s security.
- The FREELANCER: If you are going to provide your clients with a security solution based on retention, you cannot get away with not providing timely updates. Communication is the key factor of retention for any client. If you fail to communicate what they are paying you every single month for — then my friend, this won’t work.
- The SECURITY GEEK: You need to set yourself apart. Every security consultant out there is providing their clients with automated updates of technical mumbo jumbo. You need to communicate the way that a client would understand. “Someone tried to get in — but we stopped them” is a much better copy than “We stopped 43 brute force login attempts on wp-login.php”. Get what I am talking about here? Sell yourself to humans and not robots. Providing SMS updates would be icing on the top. Why are you not doing it already?
Scanning and Logging
Scanning plays a huge role in security. Detection of malicious code, a backdoor or malware in the database is critical. Scanners look through the server files and database contents for malicious code and activity and report back. The security provider should keep a log as well. Knowing which files have been changed, edited or deleted by a malicious script is what makes this kind of forensic security work possible.
- The USER: A good security provider should have scanners and audit logs in place, so that anything undesirable gets detected and anything unauthorized is logged and dealt with.
- The FREELANCER: Vendor based services play a great role here. There’s a learning curve here, but if you try hard enough, you can get over it. Or else just leave it to your security partner.
- The SECURITY GEEK: This is exactly the kind of work you have the expertise for. This is what only the real deal can do. You most definitely need to have a scanning workflow, and you need to advertise it. You need to write about how you help save your clients’ sites. It’s vital to connect this scanner of yours with security alerts, both for yourself and for your customers. If the situation is alarming enough, there’s no need to shy away from notifying your customers.
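As an added example (not code from the original post or from any vendor named in it), here is a minimal file-integrity monitor of the kind the scanning, logging and backup-integrity sections above describe: it hashes a WordPress tree into a baseline and, on a later run, reports which files were added, modified or deleted, while ignoring directories that churn during normal operation. The directory layout, file names and the SKIP_DIRS list are constructed assumptions for the demo.

```python
"""File-integrity baseline and change report for a WordPress install.
Added example, not code from the original post or from any vendor named in it.
It hashes every file under a site root into a baseline, then compares a later
snapshot against it and reports added, modified and deleted paths. The mini
site tree built in demo() is constructed for demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Volatile dirs (cache, media uploads) change constantly; skipped so churn does not bury real changes.
SKIP_DIRS = ("wp-content/cache", "wp-content/uploads")


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, skip_dirs=SKIP_DIRS) -> dict:
    """Return {relative_posix_path: sha256} for every regular file under root."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip_dirs):
            dirnames[:] = []  # prune: do not descend into a skipped directory
            continue
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # sockets, devices and symlinks are not content
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as added, deleted or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(snap: dict, dest: Path) -> None:
    """Persist the baseline. Keep it OFF the web server: an attacker who can
    rewrite site files can rewrite a baseline stored beside them just as easily."""
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Build a constructed site tree, baseline it, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site, state = Path(tmp) / "site", Path(tmp) / "state"
        (site / "wp-content" / "plugins" / "demo").mkdir(parents=True)
        (site / "wp-content" / "cache").mkdir()
        state.mkdir()
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "readme.html").write_text("<html>constructed</html>\n")
        (site / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // v1\n")
        (site / "wp-content" / "cache" / "page.html").write_text("cached v1\n")
        save_baseline(snapshot(site), state / "baseline.json")
        # Simulated later state: one plugin file edited, one unexpected file
        # added, one file removed, and cache churn that must not be reported.
        (site / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // v1 + edit\n")
        (site / "wp-content" / "plugins" / "demo" / "extra.php").write_text("<?php // new\n")
        (site / "readme.html").unlink()
        (site / "wp-content" / "cache" / "page.html").write_text("cached v2\n")
        return diff_snapshots(load_baseline(state / "baseline.json"), snapshot(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is taken right after a clean install or a verified update and stored with the off-site backups, so that a report of "modified" core or plugin files can be reconciled against a known-good copy.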
Staying Up to Date
One of the best things you can do to stay secure is to always stay up to date. Keep the plugins, themes and WordPress itself updated. The WordPress community discovers security loopholes every now and then, and to fix them a new version with security fixes gets released. The changes made in a particular version of WordPress become public knowledge.
Hackers can read these security fixes too and learn what was vulnerable. So once a WordPress update is released, get onto the latest version as soon as possible.
The Difference Maker
- The USER: Look for a security provider which updates WordPress for you. Plugin and theme updates also carry security fixes. A good security provider makes sure your website is up to date and notifies you of all the available updates.
- The FREELANCER: Keeping yourself up to date with WP security updates should be at the top of your priority list. You should know when there’s an alarming situation for one of the plugins used by your clients. Informing them beforehand, even before there’s a patch, will set you apart from every other security service. It’s hard, but that’s the way it is.
- The SECURITY GEEK: Do line-by-line code reviews and deploys. Yes, mimic what WordPress VIP does for its high-quality clients. This is a service which I have not seen anywhere else. You know your market — tell me how many competitors are providing line-by-line code review + deploy services? You can offer it as an add-on. Whenever there’s an update or a custom theme/plugin install, you can get paid to review each line of code. That way you help your clients by making sure their sites are safe, and while reviewing you can give back and contribute to the original code, winning authority by helping others.
Popular WordPress Security Providers
There are many popular WordPress security providers. Here are a few notable names along with the description of their features.
Sucuri is the most popular and trusted name in the WordPress security niche. They offer the most advanced and comprehensive security services. If you are serious about website security, look no further than Sucuri. It comes bundled with a website firewall, antivirus, malware removal and scanning services. Worried about incessant brute force attacks? Sucuri’s firewall has got you covered.
Firewall: The Sucuri website firewall acts as a middleman between users and your web server. It filters malicious traffic out of legitimate traffic, mitigating DDoS attacks, brute force attacks, bots and unknown user agents, and allows only legitimate traffic to reach the server.
WP Plugin: Sucuri improves your site’s security dramatically, and since non-genuine traffic is blocked before it reaches the site, the load on the server decreases. There is a free Sucuri WordPress plugin available too, which offers several basic functions.
How Can Sucuri Help You?
- The USER: If you are a tech-savvy user who wants to keep things in control economically, you can try Sucuri out and let them handle your site security. It won’t be a complete hands-off solution, but you most definitely will stay secure as well as save a few bucks.
- The FREELANCER: When I started offering security services to my clients, most of my clients didn’t like the technical mumbo-jumbo. They wanted a hands-off security service. They wanted it “Handled”! So, that’s what I provided them with Sucuri. I acted as a relay between my clients and Sucuri, and it turned out to be a total Win, Win, Win situation: a win for secured sites for my clients, and Sucuri & I both got paid.
- The SECURITY GEEK: I know you are a security professional, and you probably have a very strong opinion about whether to use such vendors or not. But let me once again present you with the idea of your business at scale. It’s fine to only have high-paying clients, but my guess is you are letting go of many folks who cannot afford your security services. If you can incubate them by using a vendor like Sucuri, it would be great for your business. Because right now, you are leaving money on the table.
CodeGuard is another big player in the security industry — they specialize in taking backups and provide you with an easy-to-use backup/restore SaaS.
Backup/Restore: Yup! It is a backup and monitoring service. CodeGuard takes backups of your server files and databases regularly. You can restore your site from any point with a few clicks. You can also download the contents of your site backups and deploy them on another server if you want.
Monitoring: It monitors daily file changes. You can view the modifications, deletions and additions in each version of your website in the dashboard. Email notifications are also sent to inform you about what was added, deleted or modified. You can schedule the frequency of the monitoring. As I said earlier, monitoring is absolutely critical to website security. CodeGuard takes monitoring to the next level. They also have a bunch of other security services.
Where Does CodeGuard Fit?
- The USER: Do you have a sensitive application, where you need to be careful about how you take backups and version your data? That’s where you can use CodeGuard. Its ability to offer restoration points and easy-to-manage revisions is far superior to many backup solutions that I know of.
- The FREELANCER: This is a tricky one. It’s a costly solution for your business, and you might not want that for a backup solution. It would be hard to offer security services as well as backup service from CodeGuard and still make a few bucks on top of it. Why? Because your target price of a security retention package must be lower than $100 a month. So, yes! Offer CodeGuard to only the clients who need such features and are willing to pay more for it.
- The SECURITY GEEK: You probably have a bunch of high paying clients who can use a premium CodeGuard backups service. Take a hard look at how it works, and you might like it — I did.
Real-time Backups: VaultPress maintains an up-to-date backup by taking daily and real-time backups. The backups are stored on their world-class infrastructure.
Scanning & Security: They run daily scans of your site and make it easy to review and address threats. So, with a world-class backup service you get a free security and scanning service as well as support from security veterans.
Impressive Feature-set: Among its impressive features is the ability to show you VaultPress activity in real time. You can view changes being synced on a certain file through the admin bar. There are many other useful features of VaultPress:
- It restores backups in a single click.
- Download the entire history of backups selectively (database, uploads, themes, etc.).
- VaultPress scans your entire site every day to detect malicious attacks.
- Backups are stored on the same infrastructure as WordPress.com’s sites.
For $99/year, you get the aforementioned features, spam protection and much more.
How Can VaultPress Help You?
- The USER: If you want an easy backup solution that helps with your site security as well, then VaultPress is the way to go. It’s more economical and deeply connected with WordPress. You’ll also get great support from their team, though you’ll have to be a bit tech-savvy.
- The FREELANCER: If your client’s priority is to have a backup solution and some sort of security services, then this is it. You can probably build the lowest tier backup/security maintenance package by relying on VaultPress services.
- The SECURITY GEEK: For you, it really depends on the tools of your choice. If you like how VaultPress works, then that’s the way to go. I have nothing to add here except the fact that this is probably the most reliable solution as far as the service price is concerned. And you know VaultPress does everything the WP way. Automattic is no joke!
ManageWP & SiteLock
These two services deserve a mention here, even though there are a few caveats that I’ll address shortly.
ManageWP: I have written a complete review of how the new ManageWP Orion works. I like it and use it all the time. They have been mostly into WP maintenance services, but they just released an automated security check feature.
I haven’t tried it yet, but I believe it’s a good start. While this is not a complete security solution and service provider right now, it can still be very useful. Keep an eye on ‘em.
SiteLock: SiteLock is an internet security giant! I think it is bigger than all the services that I have mentioned in this article. They offer site scanning (Vulnerability Scanning and Malware Detection), fixing (Automatic Malware Removal, Eliminate Backdoors), prevention (DDoS Prevention and Mitigation, Backdoor Prevention, SQLi & XSS Prevention), global CDN-based acceleration and PCI WAF compliance — That was a lot to take in!
All I want to say is, SiteLock knows what they are doing. They have not been very much involved with the WP community, but lately, they have hired my friend Adam Warner (nice strategic move there), they have started to give back to the community, and I have been told they have an interesting WP plugin getting released pretty soon. I’d say keep an eye on this company as well.
What do I Use?!
That question again? I use all sorts of solutions. A bunch of my sites use VaultPress, ManageWP, CodeGuard, and I am also going to try out SiteLock pretty soon, and then there is iThemes Security Pro. Each of these companies has a different feature set, and many of them fit in very well with the several projects that I manage.
All that said, Sucuri is my go-to security provider for clients. Why? There are a number of reasons for that. First and foremost, its comprehensive nature. Of course, no security solution is 100% perfect. However, Sucuri leads the security providers because it provides many more features than its counterparts: malware removal, scanning, monitoring of file changes, email alerts, and a website firewall. You name it; Sucuri has it all.
My favorite Sucuri feature is its website firewall. The website firewall takes plenty of hacking attempts out of the equation by blocking illegitimate traffic. That way, you also save on hosting fees because of the lower load. Here are a few other notable features of Sucuri:
- Email alerts for successful as well as failed logins.
- If your site gets hacked, Sucuri has got your back. This plays very well for my client maintenance packages.
- It makes sure that your site is not blacklisted by Norton, Avast or search engines.
- Sucuri includes an Audit Log, which keeps track of everything happening on your site.
There you go! Yes, I use a lot of different security solutions. I do NOT have one personal favorite, each one of them is different — it’s always better to pick and choose as per the nature of your work.
So, that was a list of things one should look for in a WordPress security provider. Backups, technical expertise, and regular scans are some of the major things you should inquire about before subscribing to any of their packages.
What do you think about WordPress security providers? What features do you seek while choosing any company? Share your views via comments.
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.