Don’t count on your host for a fully secure WordPress site

Developers, site owners must do their part

I have spent a good part of my WordPress career in site design, support and coaching. During those years I cannot tell you how many times I found an email in my inbox that had this somewhere in it:

“My site was hacked. What do I do? Why did my host let this happen?”

It’s that last part that always jarred me. So often for users, the host is first in line to blame. It has to be about the host, right? How else could such a horrifying thing happen?

It’s the people.

Let’s break this down.

Secure WordPress Servers

Your host is taking care of lots of sites — hundreds of thousands of sites, possibly millions. Their priority is to protect their servers. You can be reassured they have measures in place to keep those hackers from getting into their hardware. While nothing is guaranteed when it comes to security, they are more than aware of your needs. And it’s true that some hosts might have higher security standards in place, or might offer extended plans that give you even more security. But they can only do so much.

Why is that?

Because they cannot become the babysitter for each and every single WordPress site on their servers.

I am doing a series in my podcast over on the WP eCommerce Show about eCommerce, WordPress and Security. You can listen to it here. But there was one quote from my guest Dre Armeda, co-founder of Sucuri.net, that rang true and fits the subject like a glove:

“Think about physical security and everything we do. It’s great, you have this bitchin’ alarm system, and cameras, and the whole nine. But if you don’t turn them on, it’s not going to work. Who is it up to turn them on? It’s up to the users. That’s the biggest problem.”

It’s up to site owners to do their part, and developers to hold them to it.

For example, when your client changes a password, WordPress will create a newer, stronger password for them, but they click “Confirm use of weak password” because it’s easier for them to remember.

The host also cannot force site owners to keep all plugins and themes updated. Hosts cannot keep them from finding and installing themes and plugins that are not trustworthy and may be filled with malicious code.

In reality, the host cannot hold your hand and they can only do so much on their end.

Managed hosting: a more secure WordPress

As developers, you know managed hosting services like GoDaddy’s Managed WordPress are often the best option for developers and clients alike.

You will get hands-down better security for a WordPress site with a managed host.

They usually have more security checks in place, as well as the capability to provide consistent auto-updates. Auto-backups are also typically included. Help your clients understand the benefits of managed WordPress hosting, especially when it comes to keeping their site secure.

How?

It’s simple. Take control and responsibility back from the host.

Make sure, when needed, that you do those tasks that are not the responsibility of the host for each site you manage. For most developers, site security is built into ongoing maintenance plans for clients. If you’re not currently offering the service, give it a shot! You’ll quell the nerves of anxious clients, and make additional revenue on the side.

Here are a few things you can include in your service:

  • Keep site infrastructure constantly updated.
  • Provide counsel on plugin and theme best practices for research and installation.
  • Maintain consistent backups, whether it’s with the host, a plugin or service.

Using a service like Managed WordPress can help secure WordPress — keeping both yourself and your clients at ease when it comes to site security. This type of managed hosting allows you to keep an eye on all your sites and can make for easier management.


Also published on Medium.

Image by: Garrett LeSage Flickr via Compfight cc