
30 WordPress Security Questions Business Owners Need to Ask

Jun 8, 2021

Many business owners assume they can turn to their in-house IT professional to help with website issues. It’s certainly cost-effective to get someone who already works for you to manage your website. But just because your IT person does a great job of managing your local network doesn’t mean their knowledge extends to websites.

Is your IT team up to the task of managing your company’s website? Before you put another thing on their plate, ask them the following questions. Anyone you trust to manage your website should give a similar answer to the ones we’ve provided below. If not, it’s time to start looking for a WordPress security expert.

Hosting + DNS

  • Where will my site be hosted?

    It’s very important that you know where your company’s site is hosted. Your hosting provider will manage your hosting Service Level Agreement (SLA), which dictates guaranteed uptime, server maintenance, and server resource allocation. If you don’t know who is hosting your site, you may not know how much uptime and bandwidth you’re working with, which can lead to website performance issues. Low-end hosts will often collect all their websites under the same IP address as their server. Sharing an IP address with some less-than-reputable websites can get you blacklisted, or worse.

  • Who has access to the host server?

    If you know where your site is hosted, do you know who can log in to the host server and make changes? If something goes wrong, you need to know who to contact — who can log in and fix issues with the server. A host server login is basically the master key to your website, and should be treated with the same level of care as the key to your physical business. The person managing your website should know exactly who has access.

  • Who will manage the registrar for my domain and who has access to the registrar?

    Because a domain is such a cheap purchase, a lot of businesses don’t appreciate what a critical system it is. If someone gets access to your domain registration, they can easily take down your entire website. Registrar access should be kept to an absolute minimum.

  • Who will manage the DNS settings for the website and who has access?

    The DNS is like the switchboard for your IP address. It allows browsers to locate your website, and facilitates all the traffic you get on a daily basis. With website DNS, there are a lot of moving parts to manage, and most of the time DNS settings will be managed by an external supplier. As with the registrar, DNS access should be kept to an absolute minimum.

  • Can we deploy a staging site?

    A staging site is a copy of your live site that is deployed on a hidden or private URL that only you and your web team can access. This lets you perform more complicated maintenance tasks and add and test new features or content without disrupting the live site. It is essential for almost all websites except the most basic WordPress sites that use very few plugins and have no ecommerce or third-party applications and integrations. A good web host and web maintenance team will offer this as a standard feature.

Site Performance

  • How will I know that all my contact forms are sending and receiving properly?

    Forms capture information and submit that information to your company, either as an email or via a CRM. The process usually requires communication between a web server and an internal mail server. As web experts, we only control the website server. IT people will have access to the internal mail server. When we’re developing a website we often have to work with internal IT staff to test contact forms and ensure that the information is being sent and received correctly.

  • What do you do to ensure my site is online as much as possible? Do you have an uptime guarantee?

    No host can guarantee 100 percent uptime. Even the best hosts can only promise about 99.99 percent uptime, which still amounts to about an hour of downtime every year. A host with no specific uptime guarantee may not be a good host because they may not be doing everything they can to ensure your site stays accessible. But a host that promises 100 percent uptime is lying to you. Good hosts use a variety of strategies to minimize downtime, such as setting up browser caching, and using a CDN to distribute traffic rather than creating a server bottleneck. At WordZite, we use both of the above, as well as some uptime monitoring tools that alert us when a website goes offline for more than 5 seconds.

  • What do you do to ensure my site is loading quickly in all the markets where I do business?

    The first part of this is making sure that your site is well-developed. Sites with a lot of plugins and extensions — that is, excess code — or a lot of images and videos will load slowly because they require more server resources. Sites hosted on older, smaller servers with fewer resources will also load slower. Even sites on well-maintained servers might load slower if they don’t use a CDN to distribute traffic loads. We take all these factors into account and do everything we can to mitigate these pitfalls.

  • Do you monitor for speed and load time?

  • Who will test the site after it’s completed to ensure it’s working properly? Do I have to pay for bugs or issues to be resolved?

    We have a well-established and thorough quality testing process that we use on all of our sites prior to launch. We also monitor live sites continuously for any post-launch issues. All at no extra charge to you.

Site Security

  • Does my site have end-to-end encryption? What type?

    End-to-end encryption is incredibly important for keeping your business secure. It’s simple to check whether you have it, either through an online database or through your web host’s SLA. The two problems we tend to encounter with encryption are: a) it’s not set up properly, or b) the server is using an outdated SSL certificate. Outdated SSL or TLS certificates represent a major security vulnerability for your website and need to be kept up to date.

  • How frequently do you perform antivirus and malware scans? What actions do you take if you find an issue?

    We run daily antivirus and malware scans for all our sites. If one of our scans finds an issue, we have a number of tools at our disposal that we can use to lock down the site, investigate, and isolate the issue. Sites that we have developed almost never run into these types of issues. For sites that we’ve inherited, we sometimes run into issues caused by vulnerable third-party plugins or outdated WordPress core files. Luckily, issues stemming from these types of vulnerabilities are easy to spot and fix.

  • What do you do to secure the site’s database?

    A secure database hinges a little bit on how well the database is set up in the first place. We have some standards in terms of which types of web hosts we do and don’t use, and how their MySQL databases are set up. If there’s anything unusual about the server, such as an old version of PHP or a non-standard MySQL configuration, we don’t touch that database. In terms of maintaining a secure database, we ensure that access is restricted on a need-to-know basis, and that passwords are strong and kept secure.

  • Do you have a firewall? How is the firewall configured?

    Most IT people are familiar with network firewalls but not web application firewalls. Our firewalls (Wordfence and Cloudflare) primarily address traffic coming into the website (not out). These firewalls can be configured to look for suspicious user behaviours, or to block individual IP addresses or entire regions of IP addresses. We also configure our firewalls with caching and compression settings to optimize website load times. Configuring firewalls can be a finicky task, and too much or too little restriction in any particular direction can cause more trouble than good.

  • Are you set up to handle a DDoS attack? What do you do if a DDoS attack occurs?

    We have to admit that we rely pretty heavily on services like Cloudflare to handle those DDoS attacks. If and when a site gets attacked, Cloudflare is on top of it almost instantly. We can flip that switch, lock down the site, and severely restrict traffic until the attack has subsided.

  • What do you do to protect my website files, folders and code from unauthorized access?

    We have change monitoring in place for WordPress files and folders. If something gets changed and it’s not by one of the website admins, we get notified immediately. We lock down the site, figure out what happened and how it happened, and then roll the site back to a safe backup.
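    The change monitoring described above can be implemented with a hash manifest of the install: record a SHA-256 digest for every file, then re-scan and report anything added, removed or modified. The script below is an added illustration, not WordZite’s own tooling; the ignored paths (cache and uploads) and the constructed sample tree are assumptions.

```python
"""File-change monitor for a WordPress install (added example, not the page's own code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Paths whose contents change during normal operation (page cache, media
# uploads) and would otherwise bury real alerts in noise. Assumed defaults;
# tune per site. Everything else, including wp-config.php and plugin code,
# should only change when an admin deploys an update.
DEFAULT_IGNORE = ("wp-content/cache", "wp-content/uploads")


def build_manifest(root, ignore=DEFAULT_IGNORE):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == p or rel.startswith(p + "/") for p in ignore):
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return added, removed and modified paths between two scans.
    The baseline should be stored where the web server process cannot
    write it; otherwise whoever alters the site can alter the baseline too."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed sample: a tiny fake WordPress tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/example").mkdir(parents=True)
        (root / "wp-content/cache").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        (root / "wp-content/plugins/example/example.php").write_text("<?php\n")
        (root / "wp-content/cache/page.html").write_text("cached\n")
        baseline = build_manifest(root)
        # Simulate an unexpected edit, a new file, a deleted file and cache churn.
        (root / "wp-config.php").write_text("<?php // altered\n")
        (root / "wp-content/plugins/example/extra.php").write_text("<?php\n")
        (root / "wp-content/plugins/example/example.php").unlink()
        (root / "wp-content/cache/page.html").write_text("new cache\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run against a real install, any non-empty result that does not line up with a known deployment is the alert that triggers the lock-down and roll-back the answer describes.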

  • Who do I contact and what do I do if there’s a major issue with my website? What actions do you take?

    IT departments may or may not have a formal ticketing system, and they often don’t have escalations in terms of priority. We know that certain issues take priority over others, and so if a major issue ever were to arise, we can lock down your site using firewall settings, locate and isolate the issue, and have it fixed — often before you even know it’s occurred.

Monitoring and Alerts

  • How will you know if my site goes offline?

    This is a really important question to ask. You don’t want to be in a position where your website is offline for hours, days or even weeks and not know. You definitely don’t want to be one of those companies that waits to get an email from a customer or client telling you that your website is offline. An uptime monitoring service that sends alerts to a technician (or even better a ticketing system used by multiple technicians) is critical to your success.

  • How will I know if my website is loading quickly for all of our users?

    Uptime and load time are two sides of the same coin, but they are often caused by totally different things. A site can get slow for multiple reasons, which we cover in this blog about speed optimization. You need to make sure you have a service in place that benchmarks your site speed, and that you have properly configured the server, firewall, caching, compression, etc. to perform at their absolute best. A lackluster response here is almost guaranteed to lead to your site loading slowly at some point in the future.

  • Do you have a ticketing system to track and manage issues?

    This is really important. The last thing you want is for a major outage or critical event to take place while you are relying on one person’s email inbox to manage all the communication around one or more critical and time-sensitive issues. We have a robust and sophisticated ticketing system that we use for our business, which multiple people on our team have access to and monitor. It’s essential to good customer service and website maintenance.

Backups

  • Where are my backups stored?

    A lot of website owners think that having a few backups is enough to ensure the security of their site. But far too often, these backups are not properly tested, or they’re stored on the same server as the website. If something were to happen to fry that host server, you would lose everything — your website, and your backups. A lot of hosting providers offer backup services, but if you’re only using the backup service provided by your host it’s very likely that it’s stored on that same host server. You need someone experienced with web servers who can ensure that your backups are functional and stored securely in another location.

  • How frequently are backups taken?

    We take a lot of backups. During heavy development cycles, we’ll take backups multiple times a day. For our active, developed websites, we take backups at least once daily. Some plugins may only take a backup once a week, or even less. If a bug arises and doesn’t get noticed for a week, you might lose a lot of data restoring your site to a backup that’s two weeks, three weeks, or even a month old.

  • How many instances or backups of my site are stored?

    We store at least 90 days’ worth of backups on a separate server from where our websites are hosted.

  • How long does it take to restore a backup if needed?

    At WordZite, we have a streamlined restoration process that allows us to restore a site to an earlier version in about five minutes. We also test our backups regularly to make sure that each one will work as needed. Someone with less experience might take several hours to restore a backup — can you afford that kind of website downtime?

Forms, Content + Spam

  • What do you do to protect my content from plagiarism?

    The unfortunate answer is that plagiarism of written content is a challenge to mitigate, and is nearly impossible to eliminate entirely. We do what we can by adding attributes to images, preventing right-click saving, and enabling hotlink protection. This makes it more difficult for would-be thieves and plagiarists, and will deter a fair chunk of them. But ultimately, if someone can read your content, they can also steal it.

  • How do we prevent spam comments on our blog, and spam form submissions?

    An IT person will be good at dealing with email spam. But they likely won’t have much experience dealing with spam on websites. Comment spam is increasingly rare, as more websites take to social media to engage with customers. With form submissions, we work with IT professionals to make sure submissions are sending correctly and that filters and firewalls are blocking only genuinely suspicious submissions.

Updates

  • Who will be responsible for updating the WordPress core? How quickly do you perform updates once a new version is pushed by WordPress?

    It’s very important that WordPress sites are always running the most up-to-date version of the WordPress core files, as outdated core files represent a major security vulnerability. We update all our clients’ sites as soon as a new WordPress version is released. We have a platform that allows us to update all our clients at once, but we perform these updates manually and always do some testing on our sites to ensure major updates like this don’t cause any issues with installed plugins or existing code.

  • Who will update all the third party plugins? How quickly?

    We update third-party plugins instantly — the day the updates are released. We also scan to make sure that deprecated plugins are replaced with equivalent plugins that have robust support.

  • Who will update the themes?

    Just like plugins, we install theme updates as soon as they become available.

  • What happens if our site has a bug or formatting issue?

    The unfortunate truth is that technology will always need to be updated and maintained. Because of this, we’re forced to accept that errors, bugs and formatting issues can arise following some updates. The majority are usually quick and easy to fix. But you do need to make sure that you have a process in place to look for and identify these kinds of issues, either manually or using regression testing. And then you need to have a technical team in place, with a ticketing system, to resolve the issues. Lacking any or all of these items will result in errors and bugs being left live for indefinite periods of time.

Admins + Access

  • Who has admin access to my website?

    Quite frequently, websites we inherit will have many different admins and associated logins. With sites we inherit, we make sure to audit all login profiles to make sure that access is restricted to people who need it. We remove unused login profiles, and we make sure that passwords are adequately secure.

  • Do you use two-factor authentication?

    We use two-factor authentication for all our logins. This is something that most IT people will be familiar with, and they’ll be able to tell you how important it is.

  • Who will take responsibility for managing the users and all the settings that control idle time, passwords, etc?

    As website experts, we can work with you to determine what kinds of idle time and user kick settings might be helpful for the kind of work you’re doing. As a business owner, though, you’ll know best who needs access. We highly encourage strong passwords, setting up a password manager, and using two-factor authentication. Human error is probably the number one source of IT issues, and that’s why managing users is so important.

Conclusion

If you read every word of this article, then you are probably in the top 1% of website owners on earth who genuinely care about their website’s security and performance. We commend you and thank you for taking the time to make the internet a safer place for all of us. Needless to say, if you have any questions or need any help with your own WordPress website, please don’t hesitate to contact us.
