WordPress Website Security here at Wealthy Affiliate


Our agency provides security services for a few of our clients. Over the years we have fixed many hacked websites and installed security measures to protect them.

One of the primary guidelines we adhere to is that "a layered approach to security is the best policy".

During my first few months here at WA, I have seen many posts from users with questions about the security used on the SiteRubix platform. I have seen replies from Kyle that the security implemented for WA websites is the best and "no other security plug-ins are necessary". In one reply, it was even stated that "adding a (WordPress) security plug-in may actually cause problems".

This has raised many questions in my mind. I have also communicated with other users that are confused by these statements. So I would like to use this post as a shout-out to Kyle and Carson about several security-related questions.

Here we go ...

What security is implemented on the WA Infrastructure?

I have been impressed and happy with the level of security my own sites receive here at WA. I know that this system is built on the AWS Cloud and I am very familiar with the security options available through Amazon.

My guess is that this is a WAF (web application firewall) that is doing a great job of blocking rogue traffic and a majority of the attacks that might be attempted.

Could someone elaborate more on what is in place and how this protects our websites?

Why would a Security plug-in cause more problems?

There are a few security plug-ins I would advise everyone to stay away from. These are either redundant or a drain on resources. The ones I have found so far are:

  • Any plug-in that is primarily a WAF like the WebArx product
  • Jetpack - Too resource heavy

But there are other security plug-ins that I feel would complement the security here at WA.

Personally, I use the iThemes Security plugin. I do this because it adds security measures that cannot be applied from the infrastructure, such as:

  • Password strength for all users
  • An "Away Mode" that blocks access to my wp-admin area during the hours when I am asleep
  • A blacklist for blocking bad users and computers - this can be applied with infrastructure too
  • Monitoring of file changes
  • Blocking of images with hidden PHP code in them
  • Network and Local brute force protection - infrastructure might have this
  • System & WordPress tweaks

By using a security plug-in that provides these sorts of features, I am in effect improving the security of my website and complementing what has already been put in place.
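To make the "images with hidden PHP code" item in the list above concrete, here is an added example (not from the original post, and not how iThemes Security or WA implement it) of a site-side check that walks an uploads directory and flags image files whose header does not match their extension or that contain a PHP open tag. The function names and the constructed sample files are assumptions made for this illustration.

```python
import os
import tempfile

# Leading bytes a genuine file of each image type starts with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Only the long open tag is matched; the short forms ("<?", "<?=") occur
# by chance in compressed image data and would cause false positives.
PHP_MARKER = b"<?php"

def inspect_image(path):
    """Return findings for one image file (empty list = nothing flagged)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(MAGIC[ext]):
        findings.append("header does not match extension")
    if PHP_MARKER in data.lower():
        findings.append("contains PHP open tag")
    return findings

def scan_uploads(root):
    """Walk root recursively; map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in MAGIC:
                full = os.path.join(dirpath, name)
                found = inspect_image(full)
                if found:
                    report[os.path.relpath(full, root)] = found
    return report

def build_sample_tree():
    """Constructed sample data standing in for wp-content/uploads."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.makedirs(os.path.join(root, "2024"))
    inert = b"<?php /* constructed sample */ ?>"
    samples = {
        os.path.join("2024", "clean.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        os.path.join("2024", "tagged.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 16 + inert,
        "fake.gif": inert,  # no image header at all
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, findings in sorted(scan_uploads(build_sample_tree()).items()):
        print(path, "->", "; ".join(findings))
```

A flagged file is a prompt for manual review rather than proof of compromise, and this check works alongside file-change monitoring rather than replacing it.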

Does anyone agree with this approach? Or is there something else about the WA configuration that is not shared with us that makes these measures unnecessary?

A Clear Security Guideline

It would be very valuable (at least for me) to have an official statement from Kyle and/or Carson on these questions. It would also help to have a published security guideline that we can all refer to and use on our websites.

This would reduce the number of conversations about WA Security. It would allow us to implement additional security that complements the current system. Or not to implement any additional security so as not to create new security holes.

Any guidance on this matter would be greatly appreciated.


Recent Comments


I agree with Susan. If WA's security isn't enough I doubt that a plug in would make it any better. But, having said that I do make sure I complete backups on a regular basis, even if WA does it for us. Jim

Wow, that’s informative, Eric! Thank you for your effort to share with us! :o)

Eric,
I think WA provides us with good security and honestly
they protect the member's personal information even
more than our websites - cyber hackers are everywhere
and you know they love a challenge so in any case we
already know that no matter what there will always be
someone trying to hack into something somewhere if not
here then elsewhere.
These are just the facts we live with today. By them
providing us with a security statement or policy, most of
us are not going to understand it anyways :)
Thanks for sharing your opinion,
Susan

Hi Susan,
I can certainly understand your position. But as I am asked a lot by other members, I thought it would be good to get this out there anyway so that we all have a reference. Even if it is not entirely understood.

However, given the skill that Kyle and Carson have at taking a difficult topic and making it easy to understand, I am confident that, if they do respond, it will be beneficial to all.

Thank you,
~e

The fact is my WA-hosted site was hacked. So I am not sure WA security is the best.

More information would be beneficial in providing peace of mind that WA is doing all they can to provide a secure hosting environment.

Besides, knowing more about the security arrangements would help us take additional steps to secure our sites.

I agree 100% with you. Your situation is one of the many that moved me to post this here.

Sounds good...let's see what some other members say.
