Why should you run a website security audit?
A website security audit means working through a defined list of checks to confirm that everything is as secure as possible. Keeping your website and your visitors secure protects information, finances, and your reputation.
When should you audit your website’s security?
At RED, when we take on a new client with an existing website, we run a website security audit to ensure that the site meets our security standards. This has the double benefit of helping us get to know the ins and outs of the website, and confirming there are no known security vulnerabilities from the outset.
For those who have signed up for a recurring security package with us, we audit their security on a regular basis to ensure everything is running smoothly and securely. We keep up with the latest security news to be sure we’re doing our best to keep our clients’ websites safe.
If you choose to verify your website security on your own, we recommend you do so once a year at a bare minimum; quarterly or monthly would be even better. Keeping your website secure is important for your visitors and your organization.
If you want to do your own website security audit, here are some things you should check.
- Are you using secure file transfer protocol?
If you use FTP (File Transfer Protocol) to upload files to your website, often with a client like FileZilla, are you using SFTP (Secure File Transfer Protocol) or FTPES (Explicit FTP over SSL/TLS)? There are pros and cons to the different types of secure file transfer, but the important point is that you should be using a secure file transfer protocol, and not plain FTP.
- Are you making regular backups of your website?
Backups are essential – as some of us typically find out after we’ve failed to back up our favorite files or photos, and lose them all to a data or hardware incident. Websites are also prone to data loss, so be sure you’re running regular backups so you can restore if necessary.
- Are your WordPress software, plugins, and themes up to date?
In our experience, the most common attack vector for a WordPress site is through vulnerabilities discovered in plugins or themes, or even the WordPress software. In many cases, the issue is patched in a more recent release, so it’s important to keep your WordPress, plugins, and themes up to date to close any holes that are discovered.
- Have you removed inactive plugins, and any plugins you no longer need?
If a plugin has a vulnerability and has not been patched, it’s best to find a replacement before the hole can be exploited on your website. We’re happy to help if you need a plugin recommendation.
- Are you using a custom theme, and do you know whether it is secure?
First of all, don’t download “nulled” themes. A “nulled” theme is a pirated copy of a paid theme. Besides the ethical concerns, sometimes the pirates add their own obfuscated code inside the theme, making your website advertise their products through hidden links – at best. At worst, they could have installed a “back door” which would give them access to your website without your knowledge or permission. You can verify your theme’s security at https://themecheck.info/.
- Have you audited your users lately?
Remove any users who have moved on and no longer need access to your website. If you plan to remove the user completely, but the person has written pages or posts, be sure to attribute their content to another user before removing them so you don’t lose that content. If someone on your team has moved on, but you want to keep their byline on blog posts, you could demote the person to be a subscriber. Another best practice is to grant users only as much power as they absolutely require. Don’t make a user an admin when all they do is write blog posts. A contributor, author, or editor role would meet your needs for this purpose.
- Is your site using a firewall and a file scanner?
We recommend both Wordfence & Sucuri for these purposes. Our preference is to use Wordfence’s plugin, and Sucuri’s scanning service, because sometimes one finds issues the other doesn’t.
- Is your website running on a recent version of PHP?
PHP is the programming language that WordPress uses. Just like plugins, software, and themes, the version matters, because older versions no longer get security patches when vulnerabilities are discovered. Learn more about PHP and why your version matters. If your web host doesn’t offer an up-to-date version of PHP, check out our list of recommended hosts and consider switching.
- Have you disabled file editing?
By default, WordPress allows you to edit files through your admin area. We recommend disabling this option because if someone hacks into your website from the admin area, it leaves the files open to them as well. If you edit a theme file and make a tiny mistake – let’s say, a missing semicolon – it could break your website and make it unusable. Later versions of WordPress handle this better and should check your syntax, but to be safe, we suggest keeping this turned off. See how to turn off file editing.
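Several of the checks above (PHP version, file editing, pending updates, inactive plugins, and who holds the administrator role) can be gathered in one read-only report. The following PHP script is an added example, not code from the original post or from RED; it assumes WP-CLI is installed and is run as `wp eval-file audit.php`, and `MIN_PHP` is an assumed threshold you should set yourself.

```php
<?php
// Added example: read-only WordPress audit report, run via `wp eval-file audit.php`.
// Assumes WP-CLI (so ABSPATH and WP_CLI exist). It changes nothing on the site.
require_once ABSPATH . 'wp-admin/includes/plugin.php';  // get_plugins(), is_plugin_active()
require_once ABSPATH . 'wp-admin/includes/update.php';  // get_core_updates() and friends

$findings = [];

// Assumed threshold: set this to the oldest PHP release still receiving security fixes.
const MIN_PHP = '8.1';
if ( version_compare( PHP_VERSION, MIN_PHP, '<' ) ) {
    $findings[] = 'PHP ' . PHP_VERSION . ' is older than ' . MIN_PHP . ' and may no longer get security patches';
}

// Is editing theme and plugin files from the admin area disabled?
if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
    $findings[] = "File editing is enabled: add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php";
}

// Refresh update data, then list anything that is behind.
wp_version_check();
wp_update_plugins();
wp_update_themes();
foreach ( (array) get_core_updates() as $u ) {
    if ( 'upgrade' === $u->response ) {
        $findings[] = "WordPress core update available: {$u->current}";
    }
}
foreach ( get_plugin_updates() as $file => $p ) {
    $findings[] = "Plugin update available: {$p->Name} -> {$p->update->new_version}";
}
foreach ( get_theme_updates() as $slug => $t ) {
    $findings[] = "Theme update available: {$slug} -> {$t->update['new_version']}";
}

// Inactive plugins still ship code that can be exploited: list them for removal.
foreach ( get_plugins() as $file => $p ) {
    if ( ! is_plugin_active( $file ) ) {
        $findings[] = "Inactive plugin installed: {$p['Name']} ({$file})";
    }
}

// Administrators with a post count: candidates for the author/editor role instead.
foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
    $findings[] = sprintf( 'Administrator %s (%s) has %d posts; does this account need admin?',
        $user->user_login, $user->user_email, count_user_posts( $user->ID ) );
}

foreach ( $findings as $f ) {
    WP_CLI::log( $f );
}
```

The report is a starting point for a human review; it does not remove users or plugins, so follow the steps above (reassign content, demote, then remove) once you have decided what to change.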
How else do you verify that your website is secure?
Let us know in the comments!
If you’d like a one-time security audit of your website, get in touch.
Or if you’d like us to take care of security for you on an ongoing basis, so you can spend your time on your organization’s main mission, check out our security packages.