With so many WordPress security products and services available today, many business owners simply don’t have the time to sift through each one or learn about the unique cybersecurity needs of their company and industry. We’ve created this list to help you understand what kinds of services are best suited to different business categories, and what you should look for in a web security service.
To accurately compare the many WordPress security offerings out there today, it helps to segment the market into four basic categories. Which security offering is right for your company depends on which category your business roughly fits into.
Think of a family-owned business with fewer than 10 employees. It’s not publicly traded, and it serves just the local community or region. Its website has no ecommerce functionality; rather, it’s a marketing tool and a method for capturing inquiries and sales leads.
These days, most owners of even small brick-and-mortar businesses like this will recognize the need to have some sort of online presence, but the process probably starts and ends there. We often see this type of business website in the form of a cheaper WordPress website, assembled by a friend, family member, or inexperienced freelancer. A lot of these sites are designed, or at least intended, to be set-it-and-forget-it.
The biggest security issue we see with these kinds of sites is that they are neglected. A neglected site that isn’t updated or backed up regularly is more likely to become vulnerable as developers release new versions of the WordPress core, third-party plugins, and themes. It’s not uncommon for the original developers of plugins and themes to abandon their old products, leaving deprecated and unsupported code in the site. This results in a myriad of vulnerabilities for these “set-it-and-forget-it” websites.
With a business like this, there’s usually no web expert working at the company. Someone might go in and update the plugins occasionally, but the site is likely not monitored at all. And since the website isn’t a huge aspect of day-to-day business activities, bugs or vulnerabilities may go unnoticed for long periods.
Security services that appeal to this type of business are essentially emergency services. Since minor security concerns may go unnoticed without regular monitoring, these businesses will likely need a reactive solution to a major problem. Maybe the site has been hacked, or has developed a critical error — for example, the WordPress or PHP version that it’s running on is so outdated that it’s no longer supported.
There are large agencies out there that provide these types of turnkey security services, and these agencies are very good at responding to website emergencies quickly and relatively cheaply.
The technicians working for these companies are highly skilled, but these types of solutions are intended to be quick and dirty fixes. A turnkey solution will restore your hacked site to a usable state, but it won’t rebuild or reinforce your website. With website security, the tricky thing is that every aspect of a website is so interconnected that it’s very difficult to remove one thing without affecting 10 others. It’s not like pruning dead leaves off a tree — it’s more like performing delicate surgery.
So, these agencies will fix the immediate problem, but they won’t be able to address the root cause, which is a lack of proactive maintenance and monitoring. This makes for an expensive fix for an issue that is likely to happen again.
In some cases, after a website scare like this, a business owner will decide to pay for a subscription or a security plugin. This isn’t completely useless, but it definitely doesn’t fully secure the site. It might take your website security from 0 percent to 30 or 40 percent, but that still leaves a lot of room for problems to arise. Website security is so complex that you’re never going to have a plugin that does 100 percent security. At least, not until we have artificial intelligence in place at a price that’s accessible for small businesses.
This business might have dozens or even hundreds of employees. They’ll primarily serve the local region, but they may also do interprovincial or international business. Typically, a medium-sized business will be making 5+ million in annual revenue, but they’re probably not publicly traded, and for the purposes of this comparison we’re assuming they don’t operate in a regulated industry.
Websites for mid-sized businesses are usually a bit more sophisticated than those of local businesses. A company like this will likely have contracted an experienced web designer to build the site, and the site may get moderate levels of regular traffic from various traffic sources including paid ads, social media, and organic rankings.
This type of business will likely have some internal policies or board regulations dictating how they need to secure various tech assets like computers, software, and websites or social media profiles. Because their business is more tech-integrated, they’ll usually also have an internal IT person or a third-party IT supplier.
A mid-sized business will probably be thinking about web security more proactively, before it becomes an emergency. We often see businesses in this category evaluating their website security as part of an internal review or due diligence process.
Executives of mid-sized businesses understand the potential costs of their website crashing or getting breached. In most cases, they also understand that a 10-dollar plugin is not sufficient for their website security.
Medium-sized business owners should look for a digital agency that’s focused on website security, or that employs people who understand security in depth. The challenge is that if these executives go shopping in the marketplace for this type of provider, they’re going to run into a lot of agencies that have basic security offerings, and the executives may not have the experience to weed out the ones that have only a surface-level offering.
There are plenty of top-tier agencies and/or web hosts out there offering basic security services like backups and updates. An executive at a mid-sized company may not realize that, although these services may be worth more than a plugin, backups and updates alone are not enough. A truly secure website needs much more, including (but not limited to) firewall(s), off-site backups, uptime monitoring, load time monitoring, encryption, database security, admin security, two-factor authentication, and advanced error logs.
The other potential downside to many top-tier web hosts is that better security comes with major constraints imposed by the hosting provider. To streamline their operations and keep client security needs consistent, they’ll limit the client’s abilities and freedoms as far as editing, configuring, and running their website. There is no point in securing a website at the expense of functions the business requires or integrations with a CRM, ERP or other operational software. And there’s also the tricky task of configuring the DNS to play nicely with all of the existing IT infrastructure.
In lucky circumstances, businesses like this have great IT people who can recommend a really good agency with in-house technicians who can actively manage websites and clients. Those IT people going the extra mile can help the client relate to someone in the industry who really understands the ins and outs of WordPress security.
Ecommerce businesses may or may not have a large number of employees, but more importantly, they have a significant product inventory, and most (if not all) of their revenue is generated through online sales. This type of company probably does business at a larger scale, if not internationally.
With ecommerce businesses, the website is the most important part of the business. As such, an ecommerce website will get large amounts of traffic, and it will be quite complex, with a large product catalogue; search functionality; a customer registration database; and order management and payment processing capabilities.
Ecommerce is challenging because these sites require an additional level of security beyond that of more “informational” websites that don’t have sales portals. Along with backups, firewalls, and monitoring, ecommerce sites need to be able to handle secure financial transactions, and all customer information requires strong encryption. The other tricky thing about ecommerce sites is that, while they tend to be fairly robust, they have built-in plugins and custom functions that top-tier hosting companies don’t usually like to work with.
Ecommerce websites need more nuanced solutions. This can mean custom firewall settings that are integrated with the CRM, for example. It’s a lot of work to get this type of website set up and functioning correctly. There’s no turnkey solution on the marketplace that will fit. With present solutions, it can take several weeks to have technicians comb through the whole site, so for these businesses, an ounce of prevention is worth a pound of cure. Consulting a security expert while you’re setting up your website, so you ensure the right security features are built in from the start, can mitigate a lot of risk.
This final category covers organizations in industries such as finance, transportation, healthcare, and utilities. These could be individuals or even large, publicly traded organizations. The key element here is that they have rules, policies or regulations that they must comply with. They will likely have a dedicated regulatory board and well-established internal procedures for things like IT and website management.
Websites for these types of businesses are usually large and high-traffic, with numerous pages. They may not sell products or services, but they will have complex information hierarchies and navigation. The main concern with this type of website is that the web design and security measures must meet regulatory requirements for a given industry and regional government. This type of business should always have an in-house IT department.
Businesses in category four have the strictest security and performance reporting standards of any type of business, and therefore present a unique challenge to security agencies.
Hopefully, a business in this category will have an IT department that understands the differences between IT and web, and in the best cases, can connect the company with a reputable web security provider. These businesses will need highly complex and customized security solutions — at WordZite, if we determine that we are a good fit for a company such as this, we have to work closely with these clients to determine how our security offerings may be tailored to best support their policies. We need to put together a customized plan, complete with the understanding of how to stay out of the way of their IT department.
There are likely domain credentials and other sensitive logins that we can’t get access to, so we have to work with company stakeholders on an ongoing basis. There is no turnkey solution or plugin for this type of security, and even the best web design and hosting agencies are often not equipped to deal with security at this level. You need a highly skilled and experienced web security agency that specializes in cybersecurity at this level — of which there are only a few in the world.
If you’re having trouble with your website security, whether due to an emergency issue or a proactive review, we’re happy to meet with you and discuss options. There’s a very good chance that we can provide you with a lot of the services you need to keep your business and your website secure.
You can also rest assured that if you are not a good fit for WordZite, we will let you know. As knowledge leaders in WordPress website security, we understand that appropriate web security for each business benefits all of us, so we will happily refer you to an agency or expert who is better qualified to handle your needs.