How Your Hosting Platform Can Make WordPress More Secure

WordPress security is a continuum. It takes a sustained effort to keep moving your site toward the secure end of the spectrum. How safe your site is ultimately comes down to your organization’s culture of security, and how well you follow security best practices.

Your WordPress hosting platform can either move you up the security continuum—or it can hold you back. To keep you from making progress, all your host has to do is nothing.

Many hosts are content to leave security concerns up to their clients. They provide nothing but the platform, and you take on the full burden of keeping WordPress updated and secure. And, of course, you bear full responsibility for cleaning up after a breach.

At Pantheon, we don’t believe in the hands-off approach. We think that if your platform doesn’t help you with security, it’s actively making you less secure. Your hosting platform can and should be a trusted partner in WordPress security.

Here are just a few ways your host should be taking an active role in moving you up the security continuum.

One-Click Updates

Keeping WordPress updated is one of the most crucial components of closing vulnerabilities and avoiding attacks. There has never been a major exploit on the most current version of WordPress. Simply put, if your site is behind on updates, you’re not as safe as you could be.

The right hosting platform makes updating simple and easy. Pantheon offers one-click updates and the ability to create scripts that automate the process. Our Dev/Test/Live workflow makes it easy to implement an update, check that everything is functioning properly, and push the change to production.

Login Management

Part of creating a culture of security is implementing and managing passwords. Good password hygiene can help prevent attacks, lock out unauthorized access, and guard against “social engineering” hacks.

For more secure logins, look for a platform that supports Security Assertion Markup Language (SAML). With SAML, you can implement advanced login features like two-factor authentication and single sign-on, as well as specify minimum password lengths.


HTTPS

Security concerns go beyond just your site and the platform it runs on. The data streaming to and from your site needs to be protected, too. HTTPS is a security protocol that provides authentication between browsers and your website, protecting the integrity of your data and your visitors’ personal information.

As companies like Google, Apple and Facebook adopt the HTTPS standard, it’s no longer optional for your site. Sites without HTTPS are not only less secure, they’re likely to be penalized in search results. In addition, the two most popular web browsers (Google Chrome and Firefox) are now displaying warnings to users who access a non-HTTPS site.

Your hosting platform should help you get HTTPS on your site and maintain it. Pantheon took a major step in that direction this year: We now offer free, managed, fully-automated HTTPS.

Infrastructure Security

When you’re hosted on a server cluster or a virtual private server, your security concerns are broader than just your site. An attack on another site on the same hardware can leave your site vulnerable, whether it’s another of your sites or just someone who shares the same provider.

Pantheon runs on a container-based architecture to avoid this type of cross-contamination. A vulnerability in one site poses no risk to other sites on the platform. With containers, we can isolate vulnerabilities and deploy fixes at scale.

Network Intrusion Protection

Brute force attacks can compromise your site’s admin login, trying endless password combinations to attempt to gain access. An intrusion prevention system (IPS) can add another layer of protection, with additional authentication and encryption standing between your site and a malicious user.

Pantheon’s IPS runs on any service with a user-chosen password. It detects failed login attempts at multiple ingress points, and prevents unauthorized host access. Then our logging infrastructure collects the identity of blocked accounts, so it’s easy to investigate and further harden your security.

Support/Incident Response

If an attack does get through your security, how your hosting platform handles the incident can make a sizable difference in how fast you’re up and running again, and how much data you can recover. Many hosts make it your responsibility to detect a breach, respond to the incident, and restore what you can from your backups.

The right hosting platform will provide comprehensive support in the event of a breach. When Pantheon detects a security issue, we immediately communicate it to affected parties, and work together with our clients to close the vulnerability and restore functionality and data.

Don’t Settle for a Hands-Off Host

If your WordPress hosting platform isn’t actively helping your site security, it’s holding you back. Don’t settle for a host that leaves you on the hook for the entire security continuum. Choose a host that can extend your culture of security to your site, your server infrastructure, and out to the internet at large.

To learn more about securing your site, read The Quickstart Guide to WordPress Security.
