There are several layers to the security of any website; here is a WordPress-specific overview:
- The physical server the website software is running on. We recommend hosting at GoDaddy. Here are their website security plans: https://www.godaddy.com/web-security/website-security . We suggest the Deluxe plan at $15.99/month for most businesses.
- The data being sent to and from your website should be encrypted using an SSL/TLS certificate. This adds the https:// to your URL and the padlock in browsers, and Google uses HTTPS as a signal in its ranking algorithm. Further down on that same page you'll see the annual SSL certificate cost from GoDaddy is $64. Once the certificate is installed, all http:// traffic should redirect to https:// so that logins and form submissions are never sent in the clear.
- The WordPress core software itself (WordPress is a content management system, not an operating system) is updated regularly, and often for security patches. When an update is released it needs to be installed on your site as soon as possible. WordPress applies minor security releases automatically by default, but major releases still need someone to install them. If you have a managed WordPress plan with GoDaddy they will do this automatically. If you have a business hosting plan with them then we'll need to do it as part of your website maintenance plan if you have opted for one.
- The theme that sits on top of WordPress to control the look and feel of your website. This is a bit like Excel sitting on top of Microsoft Windows. Even though we don't use standard template themes, so that we can custom design to your preferences, the theme functionality still exists so we can control fonts, styles etc. Themes are updated by their developers too, and we need to apply those updates to your website.
- The various plugins that extend WordPress alongside the theme. For example there will be plugins for contact forms, for your sliding banner etc. WordPress functions with multiple software plugins created by different developers. We use ones that are popular and well tested, as they are usually updated regularly, and we update your website accordingly when you're under maintenance with us. Plugins that are installed but deactivated still need to be updated or removed: their code remains on the server and can still be reached by an attacker.
- Our website maintenance plans are here: https://zenchange.com/website-maintenance/ . We'll recommend a specific plan once we settle on your GoDaddy hosting plan so we'll know how much will be left for us to handle.
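Core, theme and plugins are the three layers that have to be kept current, and the quickest way to see what is out of date across all three at once is WP-CLI. As an added example (not code from the original page and not zenchange's or GoDaddy's tooling), here is a small Python audit script. It assumes the `wp` command is installed and the script is run from the site's root directory; the sample data at the bottom is constructed in the shape of WP-CLI's `--format=json` output so the reporting logic can be checked without a live site.

```python
"""Audit a WordPress site's three software layers (core, theme, plugins)
for pending updates via WP-CLI.  Added example; assumes `wp` is installed
and the script runs from the site root."""
import json
import subprocess
from typing import Dict, List


def wp_json(args: List[str]) -> list:
    """Run a WP-CLI command with --format=json and decode its output.
    `wp core check-update` prints a plain 'Success: ...' line instead of
    JSON when core is already current, so non-JSON output means 'nothing'."""
    proc = subprocess.run(["wp", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    try:
        return json.loads(proc.stdout)
    except ValueError:
        return []


def pending_updates(core: list, themes: list, plugins: list) -> Dict[str, List[str]]:
    """Given the decoded output of `wp core check-update`, `wp theme list`
    and `wp plugin list`, return what is out of date, grouped by layer.
    Inactive themes/plugins are reported as well: their code is still on
    disk and reachable, so they must be updated or deleted, not ignored."""
    return {
        "core": [c["version"] for c in core],
        "themes": [t["name"] for t in themes if t.get("update") == "available"],
        "plugins": [p["name"] for p in plugins if p.get("update") == "available"],
    }


def has_pending(report: Dict[str, List[str]]) -> bool:
    """True if any layer has at least one pending update."""
    return any(report.values())


def format_report(report: Dict[str, List[str]]) -> str:
    """Human-readable summary, one line per layer."""
    lines = []
    for layer in ("core", "themes", "plugins"):
        items = report[layer]
        lines.append(f"{layer}: " + (", ".join(items) if items else "up to date"))
    return "\n".join(lines)


def audit_site() -> Dict[str, List[str]]:
    """Collect live data from WP-CLI and summarise it."""
    return pending_updates(
        wp_json(["core", "check-update"]),
        wp_json(["theme", "list", "--fields=name,status,update,version"]),
        wp_json(["plugin", "list", "--fields=name,status,update,version"]),
    )


# Constructed sample data in the shape WP-CLI emits; not taken from a real site.
SAMPLE_CORE = [{"version": "6.5.2", "update_type": "minor",
                "package_url": "https://example.invalid/wordpress-6.5.2.zip"}]
SAMPLE_THEMES = [
    {"name": "custom-theme", "status": "active", "update": "none", "version": "1.4"},
    {"name": "twentytwentyfour", "status": "inactive", "update": "available", "version": "1.0"},
]
SAMPLE_PLUGINS = [
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.8"},
    {"name": "slider-plugin", "status": "inactive", "update": "available", "version": "2.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
]

if __name__ == "__main__":
    # Replace the sample data with audit_site() to run against a live site.
    report = pending_updates(SAMPLE_CORE, SAMPLE_THEMES, SAMPLE_PLUGINS)
    print(format_report(report))
    raise SystemExit(1 if has_pending(report) else 0)
```

Running it on a schedule (for example from cron on the hosting account) and treating a non-zero exit as "someone needs to update this site" turns the "install updates as soon as possible" rule into something that is actually checked rather than remembered.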
Hackers can attempt to infiltrate any of these layers, but by taking the security precautions mentioned above, and by keeping all of your website software up to date you limit your risk. Considering that hackers have made their way into the Pentagon, nothing technology related can ever be 100% secure, so the objective is to minimize your risk and make sure you have a plan in place should something happen. That plan includes backing up your website regularly (done by GoDaddy with a Managed Wordpress account or by us if you have a business hosting account) and having a malware protection plan in place like the Deluxe plan GoDaddy offers above.
Hackers sometimes go after websites just to show they can, but they are more likely going after data. Although any cloud-based software you use should be backing up your data, it is still a good idea to maintain your own external backup somewhere and keep it current: if your software provider were ever breached, losing all of your member data would be a big deal. If you have an eCommerce function on your website that is cloud based, such as Shopify, then they handle the credit card data and its encryption so you can be compliant with PCI DSS. With WooCommerce, the payment gateway attached to your merchant account provides this capability, so card numbers go to the gateway rather than being stored on your website. Either way, within your office you should not be storing credit card numbers unencrypted (on paper, in email or in spreadsheets), and the card security code (CVV) must never be stored at all. More info on that here: https://www.pcicomplianceguide.org/faq/
If you're a health care organization then you're also subject to HIPAA. This has both online and offline implications. Protected Health Information (PHI) includes even associating the name of a patient with a provider, something that may come into play as you're gathering testimonials. Your attorney can provide guidance on what approvals you'll need. When it comes to your website, you'll want to make sure that you aren't capturing any health information (including naming doctors or describing complaints) on a form that is not HIPAA compliant. So if you ask someone to complete an online form and want them to describe any health concerns, that form will need to be HIPAA compliant: the data must be encrypted in transit and at rest, and the form vendor must sign a Business Associate Agreement (BAA) with you. The standard WordPress form plugins are not HIPAA compliant (they typically email submissions in plain text), but there are options. If you expect this to be an issue let us know and we can suggest alternatives. HIPAA also extends offline, so for example, if you were to pull up a form on your computer or in a presentation, let's say to do a demonstration, that form cannot contain PHI. Everyone on your team should also complete HIPAA training (there is no official government certification, but the Privacy Rule requires workforce training). Anyone from our team working on a healthcare account will be trained as well, since HIPAA extends to your partners: as a business associate, we would sign a BAA with you. This is the training we like: https://www.hipaatraining.com/
Your contact form will email its submissions to you. If you want that email encrypted in transit then we recommend Hushmail.com. That's what we use to have our clients send us login details, since ordinary email is not a safe place for passwords.
Internally, it's also a good idea to keep your passwords secure. For our team we use a password manager, LastPass. This allows team members to use your accounts without actually seeing the passwords, and it generates a different strong password for every site so that one leaked password doesn't unlock everything else. Wherever an account supports it (WordPress admin, your GoDaddy account, the password manager itself), turn on two-factor authentication as well.
Most organizations subject to multiple security and privacy regulations assign someone the role of overseeing these areas and consulting with attorneys as needed to make sure they stay compliant. Website security and privacy is quite complex!