- Hosting and server
- Application-level security, monitoring, and scanning
- Web application firewall (WAF) and DDoS protection
- Login and access control
- Database security
- SSL and encryption
Hosting and Server
This layer refers to the hosting provider and server infrastructure that runs the WordPress website.
Your hosting provider, Flywheel, has built-in security measures:
- WordPress core files are locked down, preventing malicious changes to the wp-config.php file.
- Intelligent IP blocking prevents known malicious IP addresses from accessing the server.
Application-Level Security, Monitoring and Scanning
This layer involves scanning and monitoring the website for security issues.
This security layer must run on the server hosting the site. By default, WordPress does not ship with a sophisticated application-level security layer, as one is not always necessary.
We recommend the Wordfence plugin for our clients. It runs on the site’s server and adds a security layer that monitors file changes, a hallmark of malware attacks. Keeping plugins up to date, and removing inactive plugins and inactive themes, is essential for site health and security. Outdated plugins are often the first vulnerability exploited by hackers.
The standard free Wordfence plan is excellent value; however, paid plans offer greater protection and security.
Web Application Firewall (WAF) & DDoS Protection
A WAF and DDoS protection filter out bot traffic before it reaches the site. Flywheel uses the Fastly WAF, which provides DDoS protection, SQL injection protection, and more.
If you desire more granular control or an extra security layer, there are a number of other WAF providers available. Our preferred provider is Cloudflare as it works well with Flywheel and we’ve had success with it. A WAF needs to be configured at the DNS level and may not work with every organisation’s DNS configuration.
Login and Access Control
Login is a potential vulnerability, either through compromised passwords or a brute force attack. Flywheel limits login attempts to mitigate brute force attacks. Additionally, Flywheel doesn’t allow insecure passwords—sorry no password1234.
Limiting the number of administrator users is a security best practice. Only provide admin access where necessary.
WordPress does not provide two-factor authentication (2FA) by default, but options exist. For instance, Wordfence has a 2FA solution.
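The login-attempt limiting described above can also be implemented inside WordPress itself. The following is an added example written for this article, not Flywheel's or Wordfence's own code; it assumes a small must-use plugin, a hypothetical prefix of `example_`, and that `REMOTE_ADDR` holds the real client address (behind a proxy or WAF, use the forwarded address instead).

```php
<?php
/*
 * Plugin Name: Example login attempt limiter (hypothetical, added example)
 * Description: Locks out a client IP after repeated failed logins using WordPress transients.
 */

const EXAMPLE_MAX_ATTEMPTS   = 5;    // failed attempts allowed before lockout
const EXAMPLE_WINDOW_SECONDS = 900;  // lockout window, 15 minutes

// Key the failure counter on the client IP. REMOTE_ADDR is assumed to be the
// real client address; behind a proxy or WAF, read the forwarded address instead.
function example_attempt_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'example_login_fail_' . md5($ip);
}

// WordPress fires wp_login_failed after every rejected login; count it.
// Rewriting the transient on each failure also restarts the window.
add_action('wp_login_failed', function (string $username): void {
    $key   = example_attempt_key();
    $count = (int) get_transient($key);      // false (no entry) casts to 0
    set_transient($key, $count + 1, EXAMPLE_WINDOW_SECONDS);
});

// Refuse authentication once the threshold is reached. Priority 30 runs after
// the core username/password check (priority 20), and returning a WP_Error
// makes the login fail regardless of whether the password was correct.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(example_attempt_key()) >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(example_attempt_key());
}, 10, 2);
```

Note that a lockout response is itself a failed login, so WordPress fires `wp_login_failed` for it and the window keeps extending while the client keeps trying.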
Database Security
WordPress uses a MySQL database. Flywheel automatically obfuscates table names, complicating SQL injection attacks. Data entry methods (e.g., forms) are sanitised before entering the database. The site’s database is backed up nightly.
The WAF also shields the database: Flywheel’s Fastly WAF blocks SQL injection attempts before they reach the site.
SSL and Encryption
SSL/HTTPS is required. All site URLs are forced to HTTPS. Flywheel provides a free SSL certificate through Simple SSL, or you can use a certificate of your choice.