Drupal & WordPress Security

Securing Your WordPress or Drupal Website

By Scott.Jeter, December 1st, 2022

No one wants to be hacked, but you see it in the headlines all the time. While you may only hear of larger corporations getting hacked, it happens to businesses large and small. Keeping your business secure can be a huge task in today's digital world, but you can take some relatively simple steps to start protecting your business.

Security is a broad topic and this article is only focused on the basics of securing your website. Sorry security experts, this article isn't for you. If you are a business owner considering an online presence or managing a website, read on.

Frequently, the back door hackers use to gain access to your data is outdated software with known security flaws. It's a constant race between hackers exploiting vulnerabilities and software developers patching them.

Websites using WordPress, Drupal, or any one of the Content Management Systems (CMS) out there need to be vigilant with routine security updates. Thankfully, WordPress and Drupal have a large community of developers committed to keeping these platforms secure. Of course, none of this does any good if the websites running these platforms don't apply updates as they become available. If you are a business owner with a website or a manager of a website, it's up to you to make sure these updates are applied in a regular and timely manner.

Notice the emphasis on "regular and timely." If you remember, this is a race. From the moment a vulnerability is discovered, hackers will try to find ways to exploit it. The sooner you apply the updates, the better.

If you have a WordPress website, making updates to WordPress and your plugins is as easy as clicking a button. You can even turn on automatic updates so your website will update itself. The trouble with automatic updates is that they are a double-edged sword. They allow you to put your website on auto-pilot, but if there is an issue, no one is there to notice, let alone fix it. What's worse, you may not know what was updated to give you a clue how to fix your website. Depending on how bad the issue is, you may need to restore your website from an earlier backup, assuming you have backups. Yes, it can get pretty messy from there. The good news is that WordPress core updates almost never have issues. The popular plugins are also pretty reliable with updates. The lesser-known plugins with a small install base are usually the ones to be more cautious about. You can learn more about updating WordPress on their website.
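One way to keep a record of what an automatic update changed is to snapshot plugin versions and compare snapshots. The script below is an added example, not code from WordPress or from this article's author; the function names and the two sample plugins are made up for illustration, and it assumes each plugin declares its version in the standard "Version:" header of a PHP file in its folder.

```python
import re
import tempfile
from pathlib import Path

# WordPress takes a plugin's version from the "Version:" line in the header
# comment at the top of the plugin's main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def snapshot(plugins_dir):
    """Return {plugin folder: version} for every plugin under plugins_dir."""
    versions = {}
    for plugin in sorted(Path(plugins_dir).iterdir()):
        if not plugin.is_dir():
            continue
        for php in sorted(plugin.glob("*.php")):
            # The header sits at the top of the file, so the first 8 KB is enough.
            match = VERSION_RE.search(php.read_text(errors="replace")[:8192])
            if match:
                versions[plugin.name] = match.group(1)
                break
    return versions

def changes(before, after):
    """Describe what was added, removed or updated between two snapshots."""
    report = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            report.append(f"added {name} {new}")
        elif new is None:
            report.append(f"removed {name} {old}")
        elif old != new:
            report.append(f"updated {name} {old} -> {new}")
    return report

def demo():
    """Constructed sample: two made-up plugins, one of which auto-updates."""
    header = "<?php\n/**\n * Plugin Name: {0}\n * Version: {1}\n */\n"
    with tempfile.TemporaryDirectory() as root:
        for name, version in [("example-forms", "1.4.2"), ("example-seo", "3.0.0")]:
            (Path(root) / name).mkdir()
            (Path(root) / name / f"{name}.php").write_text(header.format(name, version))
        before = snapshot(root)
        (Path(root) / "example-forms" / "example-forms.php").write_text(
            header.format("example-forms", "1.5.0"))
        return changes(before, snapshot(root))

if __name__ == "__main__":
    print("\n".join(demo()) or "no plugin changes")
```

Pointing `snapshot()` at a site's real plugins folder on a schedule and saving the result gives you something to compare against when the site misbehaves after an unattended update.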

If you have a Drupal website, making updates is easy for developers but not as easy for the casual user. You can update contributed modules through the Drupal interface. However, Drupal core updates need to be applied manually through FTP or through the recommended method using Composer, a command-line tool. Composer makes updating your Drupal website easy, but it is a tool typically reserved for developers. You can learn more about updating Drupal on their Wiki.

With a little bit of time and effort, anyone can learn how to keep a WordPress or Drupal website patched with the latest security updates. If you don't have the time to stay on top of the updates, you can always hire a web developer to manage the updates for you. Either way, keeping your website's security updates current is an important first step. Of course, security doesn't stop there.

To keep your website secure, consider the following:

  • Create a Password Policy - including unique accounts for all users, strong passwords, etc.
  • Use Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA) - this goes a long way in protecting your accounts, especially for admin level accounts.
  • Firewall and Virus Scans - both WordPress and Drupal have plugins / modules that provide extra protection. WordPress in particular will benefit from using a plugin such as Wordfence.
  • Encrypt Your Data - if you are storing sensitive information, like personally identifiable information or payment information, you may be required by HIPAA and/or PCI compliance to encrypt this data.

Interested in learning more about what you can do to secure your website? Give us a call at (802) 214-2566 or use our contact form.