If you don’t actively manage a website someone else is going to manage it for you – and not to your benefit.
WordPress is the #1 targeted platform for compromise. This isn’t only due to it being so widely adopted but because it is so widely mismanaged. In the majority of these site compromises the objective is to leverage the site to host one or more components of a phishing campaign rather than stealing the data. Often this compromise goes unnoticed by the owner/operator while their site performance suffers and their ability to communicate is crushed by dozens of spam and malware tracking services.
Among content management systems, WordPress shouldn’t be the first recommendation to clients. PaaS services like SquareSpace offer some particular advantages for SEO and eCommerce in a more easily managed environment than WordPress.
- Hosting: WP Engine – stunning performance increase, dedicated WordPress platform
- DNS: Cloudflare – DNS, DDoS mitigation, much more – and a free tier of service
- Identity & Access: Trusona – free, simple and #nopasswords; paid tier available
- Hardening Plug-in: Sucuri – offers a Cloud WAF but free hardening is effective
- Monitoring Plug-in: Wordfence – free mitigation/monitoring with a paid tier option
- Management: Manage WP – an excellent platform to manage multiple WordPress sites
Regardless of CMS, Cloudflare is arguably the best choice for managing DNS and mitigating distributed denial of service (DDoS) attacks.
Patch & Update Or Be Doomed
Hardening a WordPress site manually, even with the wide selection of guides online isn’t always a technical option for site owners, but good security plug-in choices can be.
Last, but certainly not least, these recommendations are pointless if a WordPress site is not kept current in terms of the WordPress version, Theme, and Plug-in updates. Without a plan and commitment to doing that, consider the PaaS offering at WordPress.com or SquareSpace which has a much lower management burden (and consquently less customization and attack surface).