Over the past 6-12 months there have been a number of updates to the different elements that are used to display your website. These include PHP (the embedded scripting language), the WordPress platform itself, various plugins created by developers to be used on the platform and the themes which are used to display content.
To ensure your platform is fully supported in these different areas and your website is not at risk from reduced security we strongly suggest updating them. We have prepared cost-effective options to be able to run these updates on your website and also offer core enhancements in areas such as website security to stop malicious attacks.
Do I need to update my website?
WordPress is a very popular platform and one of the biggest targets for hackers. Often websites that do not update their platform and plugins can be left with vulnerabilities. We highly advise updating plug-ins regularly, ensuring your security plug-ins are working effectively, backing up your website when you make changes and maintaining the latest versions of key frameworks.
What’s included when updating?
Updating your website includes an update to the latest WordPress version and PHP 8.
We will also update your plugins and your theme to the latest version, checking for compatibility issues between plugins and the other updates and managing the change smoothly. If issues do arise we will include the fixes within the cost of the upgrade (no additional charges).
Updating your website is charged as a one-off cost and should be carried out at least annually. We recommend that active websites are updated once per quarter and security-focused websites (which hold sensitive data) should be updated every two months or as required following security patches.
iThemes Security Pro
We offer a security package that provides a strong defence against common website attacks. It can (among other things):
- Stop automated attacks
- Monitor suspicious activity
- Strengthen user credentials (2FA)
- Scan themes and plugins for security and vulnerabilities
- Automatically block out bad users, user agents and IP addresses
Security headers (one-off Installation)
For additional on-page security, we can also implement a high-security script to halt advanced attacks.
This informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. This ensures communications are encrypted and helps to protect against man-in-the-middle attacks.
– X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy:
These tools are designed to prevent cross-site scripting (XSS), clickjacking and other code injection attacks on both legacy browsers and modern browser types.
This stops your pages from being embedded inside an iframe on a different site, thereby preventing clickjacking attacks via this method.
This tool gives site owners the ability to enable and disable certain web platform features on their own pages and those they embed. For example, it can remove the ability to download or save items on a web page or disable API features based on permission criteria.
This tool controls how much referrer information should be included with requests. This can restrict the information freely available to people examining the code of a website or scanning for vulnerabilities in specific elements or areas of the website.
Complete vulnerability audit
PHP vulnerabilities are often shared within the community, but being notified of them is difficult when there are hundreds and thousands of open source packages available. Website themes and frameworks often deploy with an open source tool known as Composer. We have built an internal system so that we can keep up to date with Composer vulnerabilities for a particular website on a weekly basis. Should a vulnerability arise, we can then work with the client to understand what the solution is. Being aware of these vulnerabilities is the first step, and it is always a good idea to be proactive rather than having to deal with a website that has been exposed to attack. This is not the same as WordPress and plugin updates.
Regular database and file backup checks
To ensure backups are maintained properly and you always have a working version of your website ready to use in case of failure or attack, we can run regular checks to ensure your database and file backup are not corrupted and all features are working should it need to be deployed.
We will also store this working backup in a secured off-site location to ensure total redundancy in the event of a fire or other natural disaster at the original server location. This approach is in compliance with stringent security measures including ISO 27001.
We offer different frequencies for checking backup integrity, including every 28 days, 14 days or seven days, but our system is compatible with whatever frequency you require.
Please feel free to contact us if you need any further clarification on these topics.
To summarise, we strongly advise updating your website to the latest version of PHP, as well as carrying out regular updates to WordPress including your plug-ins. If you are looking to enhance your security and disaster recovery then we also offer additional options. Our packages are designed to be cost-effective and ensure your website is properly supported and well protected against numerous online threats.