Tag: security

We previously looked at what it means to extend WordPress via plugins and custom coding for enterprise websites. However, this is only a small part of the “battle” when it comes to working with enterprise websites.

The 5 Key Aspects of Enterprise WordPress Hosting & Maintenance

Enterprise websites are never “set it and forget it” properties. They need to be regularly backed up, monitored, updated, and maintained.

Use this post to do an audit and determine if your site is on stable ground.

There are many great solutions out there. We carefully tailor a hosting setup for each client that involves sometimes dozens of tools working in harmony to create an optimal hosting and maintenance setup for WordPress.

1. Hosting Security

It all begins with a properly architected server setup. This is basic – just like having deadbolts on your doors and locking your windows.

Things we look for (and provide) in our enterprise WordPress-specific hosting:

• SFTP access
• Fully-segregated hosting accounts
• SSL to secure your site traffic
• Malware scanning
• Firewall (WAF)
• 2 factor Authentication

Security Practices of Major WordPress Hosts

• WPENGINE
• Pantheon
• Pagely
• WordPress VIP

2. Keeping WordPress Updated

The biggest security risk in WordPress is not having the codebase updated to the latest versions. This includes the WordPress core, plugins, and the theme. In recent security reports, the majority of WordPress-related hacks are due to sites using outdated versions of WordPress or outdated plugins that have had vulnerability patches publicly available for well over a year.

We use site management tools that let us update all our client sites at once and within minutes of a security patch being released.

3. Regular Site Maintenance

In this case, for “maintenance” we’re not referencing retainer-type work where active feature improvements are being made to the site. Think of maintenance as the aforementioned regular updates being performed but with a careful eye to making sure the site keeps working as it should.

Conflicts are pretty rare but in an enterprise-context, a key feature failing could mean serious lost revenue or at a minimum a black eye on the brand reputation.

We use a brilliant plugin called Stream that is basically a black box for WordPress. It records all the stuff that happens on the backend of the site. This is really useful for tracing back what went wrong. It let’s you see who-did-what-and-when.

Scheduled and Quality-Assured update intervals

A security update should usually be applied immediately. Non-critical updates and feature releases are better applied at set intervals (like once a month or every two weeks) That way these can be done on a staging site, or when the site has low traffic. Once a batch of updates is applied it is then efficient to go through an extensive QA list to ensure the sites look and functionality is still perfect.

Tip:
Do you have a staging area that you’re able to test your plugin updates to make sure everything is going well before running those updates (or migrating your staging) on live?

4. Site Backups and Restoration

Regular, full, off-site, and redundant backups need to be maintained with the ability to restore a site at any point in time.

If something ever goes wrong you need a quick way to restore! 

How often a site is backed up will be dependent on the type of site you’re hosting. For example, a corporate blog with daily posts would probably be adequately served by a daily backup. However, a high-volume, e-commerce site really needs a real-time backup solution to protect a complete list of customer transactions.

We use a couple backup solutions but at a minimum we utilize WPENGINE’s daily automatic backups.

VaultPress has a great real-time backup feature for business-critical / E-Commerce sites. Additionally there is constant malware detection and this is a sweet deal.

5. Keeping a close eye on the website

For enterprise websites on WordPress, there are four types of monitoring:

• Uptime monitoring
• Security monitoring
• SEO / Analytics
• Performance / Speed

Uptime Monitoring

For uptime monitoring, the aim is always 100% uptime. But we live in a very complicated world with many moving parts and human error. (see recent Amazon S3 downtime due to a wrong keystroke)

Uptime Robot is a good monitoring tool that lets you send alerts to emails, texts to phones, RSS, updates in Slack, etc.

Security Monitoring

We use a combination of tools but an absolute key is to have the site being tracked in Google Search Console. This is free and it will email you if your site is ever suspected to be compromised. Google is very careful about sending search traffic to malware-infested sites. (Pro Tip: connect Google Analytics and Google Search Console).

If you are needing a one-off check to see if your site is clean, try the Sucuri SiteCheck tool.
Sucuri also has a good plugin to manage WordPress Security

SEO / Analytics

There are tons of great tools and ways to do this. (Google Analytics of course) Analytics and traffic measuring tools can also be used to alert you to all kinds of problems with your site being down or having malware.

Being able to see keyword rankings can also be key to monitoring the site’s ongoing success.

Performance / Speed

It isn’t enough to know that your site is up – it also needs to be loading quickly! We have alerts to head off any issues if a site starts loading sluggishly.

A good quick test for site speed is the Pingdom Website Speed test.

WordPress can be a great tool for enterprise needs but it must be hosted correctly and properly loved! Have a question or something to add? Comment below…