Large or small, your WordPress website requires some level of defensive features regardless of how tech-savvy you are. The more your business depends on your website, the stronger its security has to be. Otherwise, you'll be in trouble if hackers gain control of it.

Security isn't the cherry on top; it's the cake.

Given the abundance of security tips you can find online, though, you might be fooled into thinking you can handle security on your own. To an extent, that can be true if you have some technical knowledge. Yet even some developers and tech-savvy WordPress users fall short on advanced security techniques.

That's why I asked an experienced WordPress security expert about the needs and processes related to security, and why, most of the time, it is best to entrust the task to professionals.

The main topic I'd like to dig into is: how can a security expert (really) help you out?

Let's dive in!

Help configuring security plugins properly

WordPress is known for the level of customization it offers. Plugins exist for almost every function imaginable, and security is no exception. You just add the plugin and voilà! It handles all the work for you, provided that it is configured properly. This is where a professional comes into play. WordPress developer and Codeable expert Liam Bailey explains:

If the user doesn't know how to properly configure security plugins, then they're not going to do the job properly. In that case, they'd hire a professional to come in and make sure that they configured the plugins correctly for them to give them the maximum security that these plugins are able to provide.

Correctly configuring such plugins is the baseline for effective protection.

Conduct a security audit

A security expert knows where and how to look for potential vulnerabilities. It's their job. They can be called in to conduct a security analysis, known as an audit, for your website to ensure you're protected from all sides. Liam elaborates:

For websites that are handling large amounts of traffic or handling credit card numbers and sensitive information, or that have a large user base of users with logins and such, it's a wider net cover, a harder site to protect. A security professional would come in and do a comprehensive audit on that site. It's a security professional's job to know all the types of attack that a site will be vulnerable to that necessarily the layman wouldn't even need to know what they were. There's a cross-site request forgery attack, for example, cross-site scripting, man-in-the-middle, SQL injection, session hijacking, brute-force attack and many more.

Vulnerabilities depend on the nature of your website

The nature and popularity of your website play a vital role in determining the level of threat or risk it faces. Specifically, attackers have little incentive to hack your site if, for example, you're just showcasing your work or running a cooking blog. If your site handles no sensitive information, you could probably call it a day by installing security plugins, to be honest.

However, if you're running an eCommerce store with a large customer base, the risk is significantly higher. If you are handling sensitive information and you do have something you want to protect, then you really need to be trying to break your site. And that's where a security professional comes in handy:

Things online are basically insecure. There is a way into most systems and most things, and if you don't have a professional looking at these things, then you are leaving yourself vulnerable. For the average WordPress site, the vulnerabilities can be there, but they might never be found because nobody's ever tried to exploit it. As long as everything is updated, and you have security plugins to secure against 90% of attacks, you'll be fine. But if there was, say, a site sale and stuff, and it had money going through it or personal information, the same vulnerability would be there and it would, of course, be exploited because hackers would be trying to gain access to that site on a much more persistent basis. So the vulnerability would be found and it would be exploited.

Finding these vulnerabilities is a technical task that goes far beyond setting up a security plugin. Because of that, most people can't do it themselves, and that's when they would hire a professional.

Security has to be top of mind when your website features custom code

Things get a bit scarier here, yet they're important to be aware of.

When you're hiring a developer who's not a security expert to build a custom theme or plugin from the ground up, it's a good idea to have the code reviewed. They may introduce new vulnerabilities without even knowing they're doing it.

That doesn't mean every developer has to be a security expert to deliver secure code. Following best practices and sound procedures, together with keeping software up to date, will prevent the vast majority of possible problems.

My point is to highlight how easily you can be exposed to vulnerabilities, even through standard, well-known procedures (such as working with a developer to create custom code). Liam puts it this way:

iThemes Security can protect against attacks that we know about and the main flow of attacks that you will be vulnerable to. But for every vulnerability that is known about WordPress, somebody's had to discover that. So your site could be vulnerable to a vulnerability that nobody knows about. It's a security professional's job to come in and check your site over, making sure you're not vulnerable, that the plugins that have been installed aren't doing something, they aren't possibly conflicting with each other to make a vulnerability, or a plugin that gives or takes data isn't leaving you vulnerable to SQL injection attacks and such like.
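To make the "plugin that gives or takes data" point concrete, here is an added example (not code from the post, from Liam Bailey or from any real plugin) of a hypothetical WordPress admin-ajax endpoint that looks up an order by id, first in the form a code review should flag and then hardened with the core WordPress APIs. The table name `shop_orders`, the action name `wpse_lookup_order` and the function names are constructed for illustration.

```php
<?php
// Added example: a hypothetical plugin endpoint that takes an order id from the
// request ("takes data") and returns matching rows ("gives data"). All names
// are constructed; this is not code from the post or from a real plugin.

// BEFORE: the pattern a reviewer or penetration tester would flag. The request
// value is spliced straight into the SQL text, so anything other than a plain
// number changes the statement itself rather than being treated as an id.
// There is also no nonce (CSRF) or capability (authorisation) check.
function wpse_lookup_order_unsafe() {
    global $wpdb;
    $id   = $_GET['order_id'];
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}shop_orders WHERE id = $id"
    );
    wp_send_json_success( $rows );
}

// AFTER: the same feature with the three missing controls added.
function wpse_lookup_order_safe() {
    global $wpdb;

    // CSRF: the request must carry a nonce issued to this user for this action
    // (check_ajax_referer() ends the request with a 403 if it is missing or stale).
    check_ajax_referer( 'wpse_lookup_order' );

    // Authorisation: only users with the right capability may read orders.
    // manage_options is a core capability; a real plugin would use its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validation: coerce the input to a non-negative integer before it is used.
    $id = isset( $_GET['order_id'] ) ? absint( wp_unslash( $_GET['order_id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid order id', 400 );
    }

    // Parameterisation: the SQL text is fixed and %d binds the value, so the
    // database never sees request data as part of the statement. Selecting
    // named columns instead of * also limits what the endpoint "gives" away.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, status, total FROM {$wpdb->prefix}shop_orders WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_wpse_lookup_order', 'wpse_lookup_order_safe' );
```

The nonce for the hardened endpoint is created on the calling page with `wp_create_nonce( 'wpse_lookup_order' )` and sent as the `_ajax_nonce` request field, which is where `check_ajax_referer()` looks for it by default.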

Penetration testing

Large websites handling lots of sensitive data should strongly consider penetration testing. This process involves hiring a security professional who acts like a hacker to identify the areas and elements through which someone might break into your site. Liam explains:

A penetration tester will try the full range of attacks on all the areas of your site where attacks might be possible, like every form on your site, they'll try every input field to make sure that it's not going to be exploitable by SQL injection, for example. Even better, they will use the same tools the hackers use for scanning and finding vulnerabilities, so it won't be as time-consuming as you may think but definitely worth the money.

What are the typical investment costs for improving a WordPress website security level?

As with this type of question, it's hard to give a one-size-fits-all answer because many elements add up to the final price. The main ones are:

  • Type of website (standard vs handling transactional/sensitive data).
  • Size and traffic.
  • Number of pages, elements, and areas.
  • Quality and quantity of custom code.
  • Level of security required.

If we split the world of WordPress security in two, with correctly setting up a security plugin at one end and a more complex task such as a full penetration test at the other, we're probably looking at $200/$250 for the former and a minimum of $2k/$2.5K and up for an in-depth professional penetration test. In Liam's words:

It all depends on the site, the number of pages, but also how popular the site is: if it's a big brand name, they can attract hackers more easily and frequently. Depending on the number of pages, the number of databases/database tables, files. It will also be related to how many of the things there are to check against. But yeah, it would certainly run in the thousands of dollars for even the average site to do a full penetration testing suite.

Wrapping up

If your business depends on your WordPress website, having hackers take it down would cause major issues. That's not only true for eCommerce owners but also for many other business websites where you don't directly sell anything to your clients other than "yourself". Can you imagine if hackers took control of your personal website where you display your portfolio, started messing with it and redirected it to porn pages? What happens when prospects google your name and click on it?

What I'm trying to say is:

You don't have to be Amazon-big to start thinking about security and acting proactively. Now is the best time to improve it.

If you think you have the skills to improve your WordPress website's security properly, you might, of course, do it yourself. However, be warned that failing to configure a plugin correctly, or updating part of the website the wrong way, could mean disaster and end up costing you a lot more than hiring a professional in the first place.

At the end of the day, if you didn't raise your eyebrows when reading "penetration testing" above, you probably have a good working knowledge of security and can take care of it on your own. If, on the other hand, you fall outside this category, you're highly recommended to get help from a professional because:

You would hire a security professional to really give you an extra layer of robust security or, if you're a complete layman, to put the security in place for you.

This blog post features Liam Bailey, the developer behind Webby Scots, with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites, including a period working in-house at Codeable before returning to freelancing to help more clients from all over the world.