How to Automate WordPress Security for Care Plans
In the previous two articles, I talked about the importance of WordPress maintenance plans and why the essential maintenance and security plan has to come with every professionally built WordPress website.
To make this sustainable for an agency, such maintenance and security plans have to be automated as much as possible. Let’s explore some of the ways an agency can automate WordPress maintenance and security tasks.
Patching security vulnerabilities automatically
The most important thing when it comes to WordPress maintenance is to keep the software updated and to install security fixes before attackers get a chance to exploit the underlying vulnerabilities.
You’re in luck: most plugin developers release fixes before the vulnerabilities are made public.
If you know which versions of WordPress core, plugins, and themes are vulnerable, it’s possible to set up a selective auto-update mechanism to execute as soon as a fix has been released.
Unfortunately, there is always a risk that an update breaks something on the website, but that risk is far more tolerable than the alternative: leaving a known vulnerability unpatched and having the website taken over by an attacker.
In case you didn’t know, you can both monitor vulnerabilities and set up auto-updates for security fixes with Patchstack.
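As an added illustration of the selective auto-update idea (this is not code from the article or from Patchstack), the following must-use plugin hooks WordPress's auto_update_plugin filter and approves a plugin update only when the installed version is below a known fix version and the offered version contains that fix. The vulnerability feed array, plugin slugs and version numbers are constructed placeholders.

```php
<?php
/**
 * Selective security-fix auto-updater for a WordPress care plan.
 * Added example; not code from the article or from Patchstack.
 * Install as wp-content/mu-plugins/care-plan-security-updates.php
 */

// Constructed stand-in for a vulnerability intelligence feed. The slugs and
// version numbers are hypothetical; a real deployment would fetch this data.
// Key: plugin slug. 'fixed_in': first version that contains the security fix.
const CARE_PLAN_SECURITY_FEED = [
    'example-forms'   => [ 'fixed_in' => '2.4.1' ],
    'example-gallery' => [ 'fixed_in' => '1.9.0' ],
];

/**
 * True only when the installed version is known-vulnerable (below fixed_in)
 * and the offered update actually contains the fix (at or above fixed_in).
 * Plugins that are not in the feed are left to the normal update workflow.
 */
function care_plan_is_security_fix( string $slug, string $installed, string $offered ): bool {
    if ( ! isset( CARE_PLAN_SECURITY_FEED[ $slug ] ) ) {
        return false;
    }
    $fixed_in = CARE_PLAN_SECURITY_FEED[ $slug ]['fixed_in'];
    return version_compare( $installed, $fixed_in, '<' )
        && version_compare( $offered, $fixed_in, '>=' );
}

// WordPress runs this filter for each plugin with a pending update (WP-Cron
// and the admin updater). $item carries the slug, plugin file and new_version.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( empty( $item->slug ) || empty( $item->plugin ) || empty( $item->new_version ) ) {
        return $update;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugins()[ $item->plugin ]['Version'] ?? '0';
    if ( care_plan_is_security_fix( $item->slug, $installed, $item->new_version ) ) {
        // Log the decision so the care-plan report can show what was patched and why.
        error_log( "care-plan: security auto-update {$item->slug} {$installed} -> {$item->new_version}" );
        return true;
    }
    return $update; // keep WordPress's default decision for everything else
}, 10, 2 );
```

Non-security updates keep whatever decision WordPress would have made, so they still go through the agency's regular, tested maintenance cycle.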
Mitigating security vulnerabilities automatically
Unfortunately, around 30% of security vulnerabilities found in WordPress plugins and themes are not fixed by their developers in time.
In such situations, attackers have the ideal opportunity to exploit a vulnerability before anyone can update.
If it’s a vulnerability that is known, the best way to mitigate it is by deploying a virtual patch. Virtual patches are highly precise security rules crafted for specific security vulnerabilities.
They intercept requests inside the website and block malicious actions against the specific vulnerable functions.
Virtual patching relies heavily on exceptional vulnerability intelligence, but it makes it possible to address new security vulnerabilities in the fastest possible way without any risk of breaking the site, as it does not change any code.
While most vulnerabilities that become mass-exploited are publicly known issues, there are also some cases where vulnerabilities are exploited before anyone knows about them – these are called zero-day / 0-day vulnerabilities.
There is no silver bullet to mitigate unknown zero-days, but applying a general-purpose WAF such as Cloudflare may be helpful in some of the simpler cases.
Host the site on a managed WordPress host
Great managed WordPress hosts take care of infrastructure updates and patch lower-level security vulnerabilities that you can’t patch yourself.
Some of them also come with network- and server-level firewalls and have proper server configurations done for WordPress.
Most importantly, look for a managed WordPress host that offers regular server-level backups and malware scanning (including scanning of the backups themselves).
Knowing when security has failed and having clean backups ready can significantly reduce downtime and the cost to recover from a breach.
Restrict WordPress admin access
If you include the security & maintenance plan with all websites by default (I hope you do), then in most of the cases, customers don’t need admin access. Admin accounts should not be used for everyday content editing.
For any privileged accounts, make 2FA mandatory by default. While you cover the security and maintenance of the customer website, a single user with a re-used, leaked username and password (especially an admin) can make all the work you’ve put into security mean nothing. Don’t take that risk.
If you really want the WordPress ecosystem to become more secure, then the least you can do is avoid giving out admin access to users and make 2FA mandatory (especially when they demand admin access).
Conclusion
Let’s be honest, the most essential maintenance requirements are entirely connected to security.
The great thing is that the three most critical security aspects: vulnerability management and mitigation, backups and malware scanning, and access management, can be automated.
As an agency, you need tools that give you an overview of all sites and make it possible for you to report back to the customer, letting them know what has been done and how they are being kept safe.
Safety is the base need – once that is covered, you can improve performance and offer other services which can move the customer to a higher-tier maintenance plan.