How We Monitor Your WordPress Website for Security and Performance

Each one of our clients is very important to us, and keeping your websites safe, secure, and accessible is our top priority. Let me share with you some of the ways we go about making sure your WordPress website is protected from potential security threats.

We prefer MediaTemple’s DV Developer hosting for our clients’ websites because the service allow us to completely control the servers’ security. When setting up these servers for our clients, we use the process I described in this blog post to make sure we don’t miss anything and can be sure that the correct security procedures have been followed. We always use password generators like StrongPasswordGenerator.com so that our clients’ servers and user accounts are safe from Dictionary (brute force) hacking. We also recommend that our clients use similar services for their own passwords (our company recently began using the Enterprise version of LastPass, which is a password management service that helps keep track of your passwords for all of your web accounts and can generate strong passwords on the fly).

In addition to the production version of your website we also set up a staging environment, whether on your server or our own. We use HTTP Basic Authentication to limit access (users without the username and password will be unable to even view the instance at all).

WordPress itself is a fairly secure software at its core, and any time a new security exploit is discovered, a patch is quickly developed and released so that websites running WordPress can be safe from attackers. However, we also employ the features of a WordPress Hardening plugin called iThemes Security. We use the free version of the plugin but iThemes also offers a Pro version, starting at $80 (which gets you two licenses; I can’t find a single-license option). This plugin is used to implement lots of security features that aren’t available in WordPress by default. For instance, the plugin lets you change the URL you use to access your WordPress administration control panel so that potential hackers can’t even get to the login screen without being good guessers.

The MediaTemple DV Developer servers we recommend can run WordPress with great speed and performance, but larger sites with lots of content and plugins installed may require extra steps to ensure that they keep running quickly and efficiently. By default, WordPress does not cache its pages so every time a page is loaded some recurring routines are run. However, in many cases the end result of running these routines is the same (for instance, the site title is not going to change very often) so pulling that data from the database every time is inefficient. Also, your theme’s template has to be parsed on every page load, but in general once your theme is in production it isn’t going to change very frequently. To remedy this problem, we use caching plugins such as W3 Total Cache. These store a static version of your site’s that will load much more quickly because a lot of the processing no longer has to be done. If a change needs to be made and reflected immediately, you can simply clear the page cache. This plugin also has other features that improve performance by, among other things, leveraging browser caching and making some of the files smaller so that they don’t take as long to load.

Because we use a third-party service for hosting, we cannot always predict or fully prevent downtime. However, we utilize the UptimeRobot website uptime monitoring service, which notifies us by email and text message when your website cannot be reached for whatever reason. Many uptime services only check to see if the server is responding. We, however, use the Keyword Monitoring service which basically works by notifying us when a predefined keyword or phrase cannot be found on the home page. The benefit of this is that we will be notified not only if the server itself is down but also if there is a server misconfiguration or if a hacker somehow manages to replace your content with his own.

Part of our site maintenance process includes setting up a backup schedule to make sure we always have a recent backup to which we can revert in the case of any unrecoverable issue. For this, we like to use the WPMU DEV Snapshot plugin, which gives us an easy, consistent interface for scheduling updates. We generally set the backup to run automatically once daily in the morning before the start of the business day, but depending on your needs the schedule can easily be changed to run at a different time or more frequently. We store up to five backups on the server so that we have a little bit of flexibility with restoring to a previous backup in case the most recent one has the same issue we’re trying to undo.

When we get a notification about downtime on your website, we first check to make sure that we are also experiencing the issue. In some cases, a temporary hiccup can cause the uptime monitor to report a false positive (i.e. it may say the site is down when it actually isn’t). Depending on the type of issue (server downtime, server misconfiguration, hacking, etc.) we will work quickly to determine the cause of the issue. In the case of server downtime, work closely with your web host to get your site back up as soon as possible.

If your server has been hacked, we will replace the files and database with a recent backup and work to determine the point of intrusion. We also check for any extraneous or suspicious files that might contain malicious code, such as viruses or spyware. These files are removed from the server and appropriate steps are taken to prevent them from showing up again. We then change all passwords (for SFTP/SSH, WordPress Administrator Accounts, MySQL Users, etc.) to make sure that if the attacker was able to gain entry to via any of those access points, he will be locked out again.

The security and availability of our clients’ websites are our top priority, and we work hard so that you can have peace of mind and can focus on your business instead of having to worry about your business’ website. If this sounds like something you would like for your website, we’d love to do it for you! Give us a call today!