WordPress Maintenance Services
Plugin & Core Updates
Keeping your plugins and themes up to date is essential for both security and performance. Outdated plugins and themes can create vulnerabilities, making your site susceptible to attacks or causing slowdowns in performance. At Priority Pixels, we take care of these updates for you, ensuring your plugins and themes are always current. We rigorously test updates for compatibility to prevent conflicts or errors that could impact your site’s functionality. By handling this process, we ensure your WordPress site remains secure, efficient and fully optimised at all times.
Uptime Monitoring
Our advanced monitoring tools provide continuous oversight of your website’s status, ensuring it remains live and accessible to your users at all times. These tools perform frequent checks, identifying potential issues before they escalate. In the event of downtime or technical difficulties, we receive instant alerts, allowing us to act quickly to resolve the problem and restore your website. This proactive approach minimises disruptions, ensuring that your business remains operational, and that your users experience minimal inconvenience from unexpected outages or errors.
Performance
Performance optimisation for WordPress involves a range of techniques to enhance your website’s loading time and overall performance. This includes optimising images, leveraging caching systems, minimising CSS and JavaScript files, and utilising Content Delivery Networks (CDNs). Faster websites not only improve user experience but also boost SEO rankings and reduce bounce rates. At Priority Pixels, we ensure your WordPress site runs at peak efficiency, providing a smooth and fast experience for your visitors.
WordPress Security Services
WordPress security is paramount. Our team will implement a comprehensive range of security measures and follow industry best practices to protect your WordPress site from vulnerabilities, malware and other online threats. This includes setting up firewalls, performing regular malware scans, monitoring for suspicious activity and keeping all plugins and themes updated to close potential security gaps.
PCI Compliant
Our hosting servers are PCI compliant, which means that most ports are secured from public access. Only essential ports are open, such as Port 21 for FTP (restricted by IP address), Port 80 for HTTP and Port 443 for HTTPS. We also ensure secure communication by disabling older versions of Transport Layer Security (TLS) protocols. Only TLS 1.2 and higher are supported, meaning any data exchanged between your site and its users is encrypted and safe from prying eyes.
Regular Backups
We conduct daily backups that retain a minimum of 14 days' worth of data. In the event of an exploit or unforeseen vulnerability, this allows us to restore your website quickly to a previous, unaffected state. These backups are stored on a separate server to minimise the risk of infection from any scripts running on your live site. For an additional £10 + VAT per month, we can extend the backup retention period to 28 days.
Database Security
Direct access to your database is granted only to users with whitelisted IP addresses. This prevents unauthorised parties from making changes to your site’s data. Additionally, during website development, we apply custom table prefixes (instead of the default 'wp_') to make it more difficult for attackers to guess database table names, reducing the likelihood of compromise.
Nuisance Web Traffic
Our security systems block malicious traffic, such as aggressive bots, scrapers and crawlers, from accessing your site. This reduces server load, helps prevent downtime and conserves bandwidth. Legitimate search engines, like Google and Bing, remain unaffected.
XML-RPC Disabled
By default, XML-RPC is disabled on our hosted sites. This feature, while useful for some, is a known vulnerability for WordPress websites. For enhanced security, we recommend using the WordPress REST API, which offers a more secure alternative. If XML-RPC functionality is required, we can enable it and restrict access to authorised IP addresses.
Malware Scanning
Our sites are regularly scanned for suspicious files and vulnerabilities. With WordPress sites heavily reliant on plugins, newly discovered vulnerabilities can be exploited quickly. Regular malware scanning ensures that we receive immediate notifications when a vulnerability is detected, allowing us to secure it promptly.
Login Protection
Login security for hosted websites is reinforced through multiple protective measures. The default WordPress login URL is masked, making it difficult for unauthorised users to locate. To prevent brute force attacks, a failed login threshold is in place, blocking users temporarily or permanently after multiple unsuccessful attempts. Multi-factor authentication (MFA) is enabled, offering various secure login methods, including email OTPs, authenticator apps, backup codes, and web authentication using fingerprint or facial recognition. Additionally, where feasible, access to the login screen can be restricted by IP address. These measures work together to enhance security and prevent unauthorised access.
Security Headers
We implement industry-standard security headers to protect your website from common threats, following the OWASP Top Ten security recommendations. These headers help mitigate risks such as cross-site scripting, clickjacking, and other vulnerabilities. Key configurations include X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy, and Permissions-Policy. By enforcing these security measures, we strengthen your website’s defences against potential attacks.
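One way to audit a response for the six headers listed above, as an added example rather than Priority Pixels' own tooling. The value checks, the 180-day HSTS floor and both sample responses are assumptions made for illustration.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # assumed floor (180 days); not a figure from the page


def audit_security_headers(headers):
    """Return sorted (header, problem) findings for one response's headers."""
    got = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    def value_of(name):
        if name not in got:
            findings.append((name, "missing"))
        return got.get(name)

    xfo = value_of("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("x-frame-options", "expected DENY or SAMEORIGIN"))
    nosniff = value_of("x-content-type-options")
    if nosniff is not None and nosniff.lower() != "nosniff":
        findings.append(("x-content-type-options", "expected nosniff"))
    hsts = value_of("strict-transport-security")
    if hsts is not None:
        age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.IGNORECASE)
        if age is None:
            findings.append(("strict-transport-security", "no max-age"))
        elif int(age.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("strict-transport-security", "max-age too short"))
    policy = value_of("referrer-policy")
    # A comma-separated policy is a fallback list; the last entry is the preferred one.
    if policy is not None and policy.split(",")[-1].strip().lower() == "unsafe-url":
        findings.append(("referrer-policy", "unsafe-url leaks full URLs"))
    # Presence only: Permissions-Policy is site-specific, and browsers have
    # retired the XSS auditor that X-XSS-Protection used to control.
    value_of("permissions-policy")
    value_of("x-xss-protection")
    return sorted(findings)


# Constructed sample responses (not captured from any real site).
WEAK = {"X-Frame-Options": "ALLOWALL", "Referrer-Policy": "unsafe-url",
        "Strict-Transport-Security": "max-age=300"}
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}
```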
Preventing User Enumeration
We block unauthorised attempts to discover valid login usernames through query strings like ?author=1, ?author=2, etc., preventing attackers from obtaining usernames to exploit. Attackers use these queries to uncover usernames associated with your site’s author pages, which they then use in brute-force attacks to guess password combinations. By blocking this method, we prevent hackers from gaining a key piece of information, reducing the risk of a security breach.
404 Detection
Our systems detect unusual 404 errors to identify malicious actors attempting to exploit potential vulnerabilities on your site. If a user triggers an excessive number of 404 errors within a short period, they are automatically banned, protecting your site from potential threats.
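The detection described above can be sketched as a per-client sliding window over access-log lines. This is an added example, not the provider's system: the 60-second window, the threshold of five, the log format and every log line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format fields used here: client IP, timestamp, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
WINDOW = timedelta(seconds=60)  # assumed "short period"; the page gives no figure
THRESHOLD = 5                   # assumed "excessive number"; the page gives no figure


def find_404_offenders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: time of the 404 that tripped the ban}.

    Expects each client's lines in chronological order, as in a normal access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group(3) != "404" or m.group(1) in banned:
            continue
        ip = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # drop 404s that have aged out
            hits.popleft()
        if len(hits) >= threshold:
            banned[ip] = when
    return banned


def log_line(ip, minute, second, path, status):
    """Build one constructed access-log line for the sample below."""
    stamp = f"12/Mar/2025:10:{minute:02d}:{second:02d} +0000"
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: a burst of 404s, a slow trickle of 404s, and normal traffic.
SAMPLE_LOG = (
    [log_line("203.0.113.7", 0, s, f"/missing-{s}", 404) for s in range(0, 10, 2)]
    + [log_line("198.51.100.20", m, 0, f"/old-{m}", 404) for m in range(0, 10, 2)]
    + [log_line("192.0.2.44", 1, s, "/", 200) for s in range(5)]
)
```

The trickle client also produces five 404s, but two minutes apart, so it never fills the window; a visitor following a few stale links is not treated like a scanner.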
Google reCAPTCHA
We implement Google reCAPTCHA in all forms across your website, protecting against abuse by automated bots and ensuring that only legitimate users can submit forms or register.
Pwned Passwords
To protect against compromised credentials, we verify passwords entered in the default WordPress login or registration forms against a public database of breached passwords using the Have I Been Pwned API. If a password is found in this database, the user must reset their password before gaining access, ensuring maximum security.
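A breached-password check of this kind can be done without sending the password, or even its full hash, off the server. The sketch below is an added example, not the provider's code, and shows the range-style lookup used by the Pwned Passwords service: only the first five characters of the SHA-1 digest are sent and the rest is compared locally. The offline stand-in for the remote lookup and its breach counts are constructed for illustration.

```python
import hashlib


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Return how often `password` appears in the breach data (0 if absent).

    fetch_range(prefix) must return the range response for that prefix:
    one "SUFFIX:COUNT" entry per line. Only the prefix is ever passed to it.
    """
    prefix, suffix = split_sha1(password)
    for row in fetch_range(prefix).splitlines():
        candidate, _, count = row.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def make_offline_range(breached):
    """Build a stand-in for the remote range lookup from {password: count}."""
    table = {}
    for password, count in breached.items():
        prefix, suffix = split_sha1(password)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix):
        fetch.seen.append(prefix)  # record exactly what would leave the server
        return "\r\n".join(table.get(prefix, []))

    fetch.seen = []
    return fetch


def must_reset(password, fetch_range):
    """Policy from the section above: any hit forces a password reset."""
    return breach_count(password, fetch_range) > 0


# Constructed breach data for the offline stand-in (counts are made up).
OFFLINE = make_offline_range({"password123": 1000, "letmein": 50})
```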
PHP Updates
Your site is built and maintained using the latest version of PHP, ensuring the highest level of security and performance. Keeping PHP up to date helps protect your website from existing and emerging threats.
Avoiding Default/Common Usernames
To prevent brute-force attacks on your login area, we avoid using common or default usernames such as ‘admin’ or any that match your site name. Any attempt to log in using these usernames is automatically blocked, adding an extra layer of security.
PHP Execution Prevention
We restrict PHP execution in directories where it is not needed, such as the wp-content directory, to prevent malicious scripts from being executed if a vulnerability is exploited. If harmful PHP files are uploaded, they are rendered inactive until detected and removed.
Shorter Login Duration
By default, users who select the 'remember me' option remain logged in for 14 days. This extended login period can pose a security risk, as it provides hackers with more time to hijack the login cookie and gain access to your account without needing your credentials. We shorten the duration that a login remains active to reduce the opportunity for malicious third parties to exploit inactive sessions.
Disabling Trackbacks and Pingbacks
Pingbacks are notifications sent to a website when it is mentioned by another site, serving as a form of courtesy communication. However, this feature can expose your site to unwanted traffic and potential DDoS attacks, which can overwhelm your server and result in an influx of spam comments on your posts. To protect your site from these risks, we disable trackbacks and pingbacks.
Disabling File Editor
We disable WordPress’s built-in file editor, which allows users to modify theme and plugin files directly from the admin dashboard. This reduces the risk of unauthorised changes and prevents potential exploits, ensuring that all updates and modifications are performed securely via File Transfer Protocol (FTP).
Daily Cloud Backups
Regular backups are essential for safeguarding your website’s data and ensuring business continuity. As part of our managed hosting services, Priority Pixels implements automated backup systems for clients hosting their websites with us. These backups routinely save your site’s content, databases and files. In the event of a technical issue, data loss, or security breach, we can quickly restore your website to a previous version, minimising downtime and disruption. Our backup processes are designed to give you peace of mind, ensuring your data remains secure and easily recoverable when needed.
FAQs
How frequently should WordPress plugins be updated?
It is important to keep WordPress plugins up to date to ensure the security, stability and compatibility of your website. As a general guideline, it is recommended to update plugins as soon as updates become available from their respective developers.
How do you ensure the reliability of your website backups?
To ensure the reliability of our website backups, we follow industry best practices and employ robust backup systems. Our backup processes are automated and thoroughly tested to ensure data integrity. We utilise redundant storage systems or cloud-based solutions to safeguard backups from potential hardware failures or on-site incidents. Regular monitoring and periodic test restores are performed to verify the viability and recoverability of the backup data.
What is a WordPress security audit, and why do I need one?
A WordPress security audit is a thorough examination of your website’s security vulnerabilities and potential weak points. It helps identify potential risks, assess the current security level, and provides recommendations to enhance security.
What is a staging environment?
A staging environment refers to a separate and isolated copy of your website that mirrors the production environment (live site) but is not accessible to the public. It serves as a testing and quality assurance platform where you can make changes, test new features, and identify any potential issues before deploying them to the live site.
How do you know when a WordPress plugin needs to be updated?
WordPress provides notifications within the admin dashboard when plugin updates are available. Typically, you will see a numbered badge indicating the number of plugins that require updates. Additionally, you can navigate to the “Plugins” section in the dashboard to view a list of installed plugins and their update status.
What should I do if my WordPress website is hacked or compromised?
If your WordPress website is hacked or compromised, it’s crucial to act quickly. Priority Pixels are professional WordPress security experts and can perform a thorough cleanup, remove malicious code and strengthen your website’s security to prevent future attacks.
What if a plugin update breaks my site?
Before applying any updates, we test them to ensure compatibility. If an update causes an issue, we’ll quickly roll back the change and find a suitable solution to keep your site running smoothly.
Can I change my maintenance package if my needs change?
Certainly! If your site’s needs evolve over time, you can adjust your maintenance package to match your new requirements. Just let us know, and we’ll recommend the best option for you.
Will my site experience downtime during maintenance?
Our goal is to perform maintenance without disrupting your site’s availability. In most cases, updates and maintenance tasks are completed seamlessly, but if downtime is necessary, we schedule it and notify you in advance.
Do you provide support for non-WordPress websites?
Our primary focus is on WordPress sites, where we have deep expertise. However, if you have specific requirements for a non-WordPress site, feel free to contact us, and we can discuss potential support options.