Data Breach Laws - How to secure your WordPress site data.

Australia’s Data Breach Notification laws came into effect on 22 February 2018 and requires businesses to report all instances of personal data breaches.  Businesses have a duty to report data breaches that are likely to result to serious harm to any individual whose personal information is disclosed in the breach.

This post discusses the steps that a WordPress site owner should take to protect privacy of information collected by the site.  This information need only be enough to identify an individual if disclosed – Name, Address, phone number, email address are some of the types of information that of themselves identify a person and must be protected under the privacy laws and reported if disclosed.

A WordPress site uses a database to store information that define the pages and functions of the site.  Any registered user, whether they be a comment author, e-commerce customer, member, or admin / editor, will have their personal data stored within the database.  To prevent unauthorised access to personal data we suggest the following as good practice:  

Admin Privileges:  

Ensure only those that absolutely need admin access to your site do so.  Admin credentials are the most sought after information as the holder has full access to all areas of your site.  Each admin user should have their own credentials and where practical, consider using other methods to restrict access such as IP Address white listing or 2 factor authentication.

Software Updates:

Keep your WordPress site software, themes, and plugins up to date.  One of the main reasons for updates is to close security loop holes that can be exploited by hackers.  Not performing updates leaves you openly exposed to the possibility of a data breach.

It is not just the WordPress software that must be kept up to date.  Your hosting software must also be updated as required for the same reason.  This also extends to your PC, tablet, smartphone and any other device that is subject to updates – perform them as soon as possible to safeguard your data.  A hacked device can capture your admin login to your WordPress site giving full access to your site data.

Firewall:

Use a firewall on your WordPress site and also on your server if you manage your hosting.  Hackers will try to access your site through brute force means and will scan for vulnerabilities to find the way in.  A good firewall will detect the initial scans and block the IP address slowing down the attack. A Firewall will detect failed logins or attempted logins to non-existent accounts and block the IP address.  A premium Firewall will block entire countries from accessing your site or the admin section of your site.  Better still, only allow access by your own IP address which will prevent access (unless your PC is insecure).

Filter and Discard:  

Regularly filter information you retain and discard it if no longer required.  If it isn’t there it can’t be disclosed.

Summary:

All Australian businesses and site owners must be aware of the new laws that govern privacy and data breach notification. For a comprehensive rundown on the laws please follow this link.

An easy step to cover most of the above points is to liaise with a WordPress management professional who can take care of the updates and security for you.  We provide these services and are often amazed at the initial state of sites as they come to our care.  These sites are owned by business professionals who are experts in their field but not so good at IT  or are just time poor and haven’t been able to keep up with the administration of their site.  If you feel you fit into one of these categories and would like someone else to take responsibility then please contact us for a no obligation discussion.

About: ManageWP® Australia provide WordPress Site Care and Server Management to site owners and designers. We also provide secure hosting and relocation services if required. We do not design web sites although we are happy to make changes to existing designs where appropriate. We will NEVER approach you to redesign your site as our focus is security (server and site), recover-ability, monitoring, and restoration. Please contact us if you would like an assessment of your current server or site security or need some assistance or advice with your site.