So far we have only interviewed people who understand and work in application and WordPress security. We have always heard the vendors’ voice. However, in this interview we took a different approach. We interviewed Ivica Delic, a WordPress professional, about security. The scope of this interview is to better understand how WordPress professionals, for whom security may not be their cup of tea, see and understand security products and services. This interview also helps us understand where we can improve and what these professionals are doing to keep their customers’ websites secure.
Ivica Delic has been working with WordPress since 2011 and has co-founded FreelancersTools.com. He has volunteered in the WordPress community and attended and presented at numerous WP Meetups about speeding up WordPress websites. Ivica started several popular Facebook groups on various WordPress topics. He is an administrator in more than 25 Facebook groups, which together have over 150,000 members. Ivica graduated with a Master’s Degree in Economics, and after 20+ years of managing teams in the banking industry he co-founded Confida, a digital market company that focuses on helping customers with managing WordPress websites and digital marketing needs.
Q1: What are the first 5 security best practices that you implement / follow when you set up a new WordPress website?
The first one is to choose a good and reliable WordPress hosting. I’ve worked with a lot of web hosts, and there are many good ones. I use SiteGround for most of my work.
The second best practice is to implement a good backup strategy. I always use an online service where possible, such as BlogVault. This makes it possible to store the backups offsite and in a secure location.
The remaining two best practices are recommendations for our users: use unique and strong WordPress passwords, and always keep your WordPress core, theme, plugins, PHP and all the software on your web server and computer up to date. If possible, use antivirus / anti-malware software.
Q2. Do you find WordPress security plugins and services easy to implement and use or not?
We have tested a lot of security plugins and tools over the past few years. There are some which are very easy to implement and use. However, some others are very difficult to use and they do more harm than good. They leave a lot for the user to decide upon; however, the majority of users and professionals are not security savvy. So they find these plugins overwhelming and end up either under- or overprotecting their websites.
More often than not, users misconfigure complex security plugins. For example, they get locked out of their own website by the security plugin, or all their hotlinked images stop loading. Or some security plugins with file integrity monitoring report that a change in a log file is possibly malicious. Users panic at these things because they do not understand that, for example, a change in a log file is not malicious, or why hotlinked images are not working.
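The log-file false positive described above, as an added example that is not from the interview or from any particular security plugin: a minimal file-integrity check that hashes a directory tree, compares it against a baseline, and reports changes in paths that are expected to change during normal operation (the allowlist of volatile prefixes is an assumption for illustration) as informational rather than as a possible compromise.

```python
import hashlib
import os
import tempfile

# Assumed list of paths whose contents change during normal operation
# (logs, caches). A change here is "info", everything else is "alert".
VOLATILE_PREFIXES = ("wp-content/debug.log", "logs/", "wp-content/cache/")


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def classify_changes(baseline, current):
    """Compare two snapshots and return {'alert': [...], 'info': [...]}.

    Each entry is (kind, path) with kind in added/removed/modified. Changes
    under VOLATILE_PREFIXES are informational; all others are alerts."""
    result = {"alert": [], "info": []}
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue  # unchanged
        if path not in baseline:
            kind = "added"
        elif path not in current:
            kind = "removed"
        else:
            kind = "modified"
        bucket = "info" if path.startswith(VOLATILE_PREFIXES) else "alert"
        result[bucket].append((kind, path))
    return result


def demo():
    """Constructed scenario: a log file grows (routine) and a PHP file is edited."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        log = os.path.join(root, "wp-content", "debug.log")
        php = os.path.join(root, "wp-settings.php")
        with open(log, "w") as fh:
            fh.write("notice 1\n")
        with open(php, "w") as fh:
            fh.write("<?php // original\n")
        baseline = hash_tree(root)
        with open(log, "a") as fh:
            fh.write("notice 2\n")  # routine log growth -> info
        with open(php, "a") as fh:
            fh.write("// unexpected edit\n")  # core file changed -> alert
        return classify_changes(baseline, hash_tree(root))
```

A real monitor would persist the baseline, refresh it after legitimate updates, and keep the volatile list tight: only an alert on a non-volatile file warrants the "possibly malicious" wording.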
Q3. Which was the biggest challenge / difficulty you’ve encountered when implementing or using security plugins / products / services?
To relate to the previous question – the biggest challenge I personally encountered is that I have to test and check the security tools used on a customer’s website, which I might not be familiar with. Sometimes we take over the management of a customer’s website and have to check that all the security solutions work properly together without overlapping functions. We have to ensure that there are no compatibility issues between them to avoid undesired behaviour, such as blocking the site’s admins out.
Q4. Do you follow any security websites to learn about WordPress security, or do you leave it to the professionals? Or is it a bit of both?
I am a member and admin of a few WordPress Security Facebook Groups where a lot of WP security experts post. I follow and read all the relevant security news as well as practical security advice / best practices. However, I (still) haven’t mastered the complex task of cleaning infected sites. In such situations I rely on the professionals.
Q5. Do you prefer to use an online WordPress firewall service or install a WordPress firewall plugin on your site? Explain why.
I prefer to use an online WordPress Web Application Firewall (WAF) service. All the experts say that WAF is a much better layer of security against hackers and DDoS attacks. A WAF is able to detect and block anything malicious before it reaches your site. Unfortunately, WordPress plugins can’t provide that, since they are trying to defend the website from the inside.
Q6. In your opinion, which are the top three causes why WordPress sites get hacked?
I share the same opinion as many other professionals:
- insecure website hosting,
- use of weak and easy to guess passwords,
- outdated WordPress core, theme, plugins, PHP and other software.
If you don’t mind me adding an extra tip, if you care about your website and business do not install nulled plugins and themes.
Q7: What do you think the WordPress security industry / vendors can do to help more professionals like you, for whom security is not their cup of tea, better understand and protect their customers’ websites?
In short, they need to make it much easier for the user. They can do this by:
- creating more wizards for easier and faster implementation of the security tool,
- automatically implementing “the best practices” so not much is left for the user to do,
- implementing a warning system so that when security tools with overlapping features are installed on the same site, the user is advised about the issue.
Q8. If you could choose one security feature to be included in WordPress core by default, what would it be and why?
I would like to see a web application firewall (WAF) service included in WordPress to have at least a basic layer of security protection, as we have on Windows with the pre-installed Windows Defender.
Q9. Is there any particular subject or content you’d like to see more of from security vendors and professionals?
I would like to see more real-life use cases for beginners that explain what to do in particular everyday situations when security is breached. There are quite a few out there, but most of them are targeted at advanced security people. They use complex lingo and tools.
Q10. Do you feel you can keep up to date with WordPress security news or not? If not, what do you think is the problem?
Yes, after all these years I feel pretty confident that I have got the hang of it. It took us quite some time to test and carefully build our Security Tools Combo Box, and to ensure everyone in our team follows security best practices.