WordPress Security for Your .edu Site: Expert Tips to Sleep Soundly

What is it that keeps higher education CIOs up at night? EdTech reports 41% say their biggest concern is security & privacy issues [1]. Security breaches are major problems for organizations and institutions alike, and avoiding them is a top priority of a CIO.

Content managers and security specialists, rest assured: WordPress is a tried and true open-source CMS secure enough to house a website for your college or university.

Powering over 455 million websites in 2021, WordPress is one of the most popular open-source content management systems for websites according to First Site Guide [2]. But its anthem of success may still not be enough of a soothing song to help you rest confident in its capabilities.

So in this blog, we will explore the arguments against WordPress, share what we’ve observed and experienced, and discuss the benefits of choosing WordPress as your content management system.

Counting Sheep: Concerns & Hesitations about WordPress Security

With each of our clients in higher education, we engage in an immersive Discovery where we unearth concerns and questions surrounding the success of a redesigned or reconfigured site. Throughout the years, we have heard these three concerns that keep information managers up at night:

1. Risk of Published Data: Open Source is heavily documented, leaving backdoors open for hackers with malicious intent. When information like this is open to the public, it increases the risk of hackers identifying ways into your website, and it puts data at risk.
2. Insecure Plugins: One of the major drawbacks to WordPress is the extensive library of plugins available, which are often third-party and open-sourced. One might download and activate a plugin with a severe security vulnerability, unbeknownst to the user. Other plugins can be relatively secure unless they are left outdated.
3. Security is provided by 3rd party applications: Often, platforms that provide content management services also provide security as an added feature. This ensures that the documentation behind the security feature is not accessible to hackers that might have malicious intent.

Counting Blessings: Concerns Debunked

While these security concerns do bear weight, it is important to consider how WordPress leverages these components to its users’ advantage:

1. Open source: While some might think that the open-source nature of WordPress permits leeway to devise an attack, this also means that there are some of the smartest minds thinking of ways to prevent an attack. With more and more eyes on potential gaps in security, the less risk of an attack. All of the cryptographic algorithms that underpin our financial and information systems are similarly open standards. This same philosophy applies to WordPress. WordPress core provides all necessary security features to build a secure website, including protection from XSS, CSRF, and Injection based attacks.
2. Insecure Plugins: WordPress states it has 50,000 plugins in its library [3], but not all of them are secure. Luckily, WordPress has clues within its library to let developers know which plugins have less risk than others. For example, plugins that are updated regularly and are compatible with the most recent version of WordPress is a great place to start. The WordPress community also allows for discussions about plugins. Here, users can rate plugins and discuss what worked and what didn’t. From here, developers can make their best judgment on what plugins to select to fit their needs. Reputable plugin providers will update their plugins on a consistent basis and patch security breaches as they see fit. It is up to the website owners and managers to ensure the plugins are up to date. WordPress also provides the option to auto-update plugins as they are released.
3. Security Provided by 3rd party providers: There are several security plugins available in the WordPress plugin marketplace that add an extra layer of security. One of the most popular plugins is Wordfence, which is an application firewall service that protects passwords and blocks malicious-looking requests. According to HubSpot, in the first half of 2021, Wordfence blocked 18.5 billion password attack requests on WordPress websites. [4].

The Case for WordPress

In addition to its security features, WordPress offers many other competitive advantages that set it apart from and ahead of other CMS platforms.

1. Reliability:  WordPress is a market leader dominating the content management system market. Of all CMS websites in the world, WordPress has a 64.2% market share (compared to Drupal’s 3%). Providing over 50,000 plugins, WordPress has first-class capabilities at no cost. These impressive statistics speak to the 20-year history of WordPress’ dedication to expansion, evolution, and excellence. The WordPress core team and ERI-vetted plugin vendors continually release updates concerning security, new functionalities, and improvements.
2. User-Friendliness: Through WordPress, content updates can be made “on the go” from any mobile device due to the responsive design of its dashboard. As web design has become a ‘team sport’ necessitating many touches between key stakeholders, WordPress has crafted an intuitive user experience aimed at ‘decentralizing’ web governance structures. Additionally, the WordPress Multisite option enables users to create and manage a network of multiple websites from a single dashboard. This allows you to easily make changes and keep all of your websites updated from one place.
3. SEO-Readiness: In a ‘noisy’ and ‘cluttered’ digital environment, the importance of search engine optimization could not be understated. WordPress and SEO-focused plugins, such as Yoast SEO, offer top-of-the-line SEO and analytics tools to optimize all web content for search engines and human audiences alike.

In a Word: Why WordPress?

In brief, WordPress offers a decentralized and intuitive experience with a wide range of opportunities for creativity and collaboration when creating and building a new website. SEO, continuous updates, plugin availability, and the large development community make WordPress a premier platform for building Content Management Systems in a diverse range of sectors, both public and private.

The WordPress CMS is continuously updated to ensure excellent user experience and security. View a list of 70+ Colleges & Universities that are running on WordPress

As a CIO in higher education, wrestling with security and privacy concerns can be exhausting. WordPress, an open-source CMS that backs over 455 million websites, is a reliable ally. It’s known for its strong security, regular updates that maintain backward compatibility, and a large, dedicated developer community. It’s simply a practical, confidence-inspiring choice for website creation and management. – Edwin Cromley, Head of Development at ERI.

Our Best Advice: Potential Layers of WordPress Security Measures to Optimize Security

• Host the site on a Managed Cloud Hosting
• Maintain the latest PHP Version
• Lockdown WordPress Dashboard access to only authorized Single Sign-On users, potentially through a VPN.
• Always update to the latest versions of WordPress and plugins. We recommend running updates on the development staging environment first to ensure the site is secure and works as expected before applying them to the production website.
• Set up Two-Factor Authentication
• Enable HTTPS – SSL Certificate
• Harden the WordPress configuration file (wp-config.php)
• Disable XML-RPC
• Hide the WordPress Version # from the public source code
• HTTP Security Headers
• Install CMS Security/Firewall Plugin
• Harden Database Security
• Use secure SSH/SFTP for shell access, including the use of a passphrase, thus requiring both the correct private key of the key pair and the correct passphrase to access the Linux server.
• Ensure correct, restrictive file/directory permissions on Linux
• Prevent Hotlinking
• Set up DDoS Protection with Cloudflare
• Eliminate default admin WP login (do not allow a ‘admin’ username)
• Use nonstandard table prefix for WordPress tables (not wp_)
• Harden Apache/NGINX web servers
• Keep server stack up to date, applying security updates on a set schedule. Ensure that critical updates/patches are applied immediately.
• Strict vetting of all implemented plugins for vendor reputation as well as the risk of security vulnerabilities. Do not use plugins from fly-by-night sources.
• Removal of deactivated plugins/ themes from WordPress.
• Use Wordfence security suite.
• Back up server source files/databases frequently, possibly hourly.
• Multiple backups (hosting scheduled backups as well as ManageWP backups). ManageWP can be more frequent.
• Consider hosting with a provider offering multiple availability zones, providing redundancy in cases where one regional data center may go down.
• Run a security audit of all running code.

If you take one thing away from this article, let it be this: your content management system will never be 100% secure, regardless of the system you choose. If it is on the internet, it is at risk of being insecure.

Most hackers are not getting in through vulnerabilities within the WordPress core, but rather by completely avoidable issues such as having a weak password or not updating their plugins. A report conducted by Sucuri in 2017 found that 39% of hacked WordPress sites were running on out-of-date core software at the time they were hacked [5].

Open source has its benefits and pitfalls, but one of the benefits is that it is supported by an incredibly talented group of developers that are actively working to make WordPress a better place every day.

Thinking about redesigning your website? Let us know, we’d love to chat about it

Sources:

[1] EdTech – 4 Priorities Spotlighted by University CIOs

[2] WordPress Market Share 2023 (Usage Statistics, Facts, and Trends)

[3] WordPress

[4] 20 WordPress Statistics You Should Know in 2022

[5] Is WordPress Secure? Here’s What the Data Says