Our recipe for WordPress security

by Andy Reading 22 Jul 2016

WordPress is a powerful and secure content management system (CMS) when used correctly. The quality and security of a WordPress-based website relies on the knowledge and approach of the developers. Castlegate IT are expert developers in WordPress and understand how to use it to build professional, robust and secure content-managed websites.

There are many things we take into consideration when securing WordPress, and these considerations evolve as WordPress, and WordPress exploits, evolve too.

Bespoke themes & plugins

Our approach with WordPress security starts at the very beginning of development. There are countless themes and plugins available for WordPress, many of them carrying hidden vulnerabilities and completely unmaintained. These are perfect targets for attackers.

When vulnerabilities are discovered in popular themes or plugins attackers will exploit them, because the large number of websites using them increases their chances of success. By building completely bespoke websites, we’ve already protected our clients against the most common attacks.

Bespoke themes

Many off-the-shelf themes come with a wide array of customisation options and integrations with third-party plugins. All of these extra features and added complexities are rarely required and have potential security implications.

We develop bespoke themes from handcrafted HTML, CSS and JavaScript, tailored to the exact requirements of your website, with nothing else added. This simple and minimal approach means every feature is carefully tested and secured.

Bespoke plugins

With the exception of one or two carefully audited plugins, every piece of functionality in our WordPress websites is provided by our own bespoke WordPress plugins. We don’t install obsolete, poorly coded, insecure or unmaintained plugin functionality from third party developers.

WordPress updates

Keeping WordPress up to date is the top priority for keeping a website secure. Once a vulnerability in WordPress is discovered it does not take long for attackers to begin to exploit it.

We offer two maintenance services to our clients to keep their WordPress updated, from yearly audits to daily notifications of updates. Each new release is analysed to determine any risk to our clients using earlier versions.

Security certificates

We recommend all our clients install an SSL security certificate on their website. A security certificate encrypts data sent between your computer and the website; this means your login credentials are sent as securely as possible.

Security certificates are no longer something you expect to see only on online banking or ecommerce websites, SSL certificates should be used when any sensitive information is captured by a website – which includes the password you use to edit it. A secure connection also has benefits for your search engine rankings!

Unused features

WordPress comes with many features, many of which our clients do not require. Many of these features can be utilised by an attacker to gain more access to your website. We disable any potentially dangerous features if they are not in use.

Security plugin

We don’t like to rely upon third party plugins to secure our websites. Doing so puts your website in the hands of some unknown developer. Freely available security plugins include a vast array of options designed to protect users from issues that may not be relevant to our websites. This comes at a performance cost.

Since our websites are bespoke, they also require bespoke security. Our own security tool is now installed on every website we build, and we are continually updating it against the latest threats.

Security procedures

We’ve put in place a continually evolving set of standards that all our WordPress websites follow. We carefully follow these guidelines for each project. These guidelines are built upon the common best practices for WordPress security, with our own additions and enhancements.

Building secure WordPress websites