Is WordPress a Secure CMS for My Bank or Credit Union?
It’s a question that we are asked frequently, and for good reason – banks and credit unions need to ensure that their sites are never compromised by hackers or other security threats. While we can’t answer this with a simple “yes” or “no,” the truth about WordPress’ security is pretty simple.
Opponents of WordPress often argue that it is more easily compromised because it is an “open source” content management system (CMS). Essentially, this means that the source code is publicly available to developers from across the world, which allows them to build new features and modify code to create customizations. About 1/3 of all active websites are built on an open source CMS, which includes platforms like WordPress, Joomla, Drupal and DotNetNuke. Many core providers use these content management systems to create and maintain FI websites.
All open source content management systems have comparable security. So, why does WordPress have a reputation for being more vulnerable to hacking than other CMS platforms? Well, WordPress alone powers 31% of the top 10 million websites, and many people believe that this makes them a bigger target for hackers. The same thought process is applied to Windows operating systems compared to iOS; more computers run on Windows, and hackers who want to cause the most damage would want to build their malicious code to target that operating system.
This logic is correct; WordPress and Windows are both bigger targets. However, they are not actually any more or less secure than their counterparts. Their security is really contingent upon how you’re using them, and the security measures you have in place to prevent intrusions. Since we only work with banks and credit unions, we have a unique insight into the security needs of FIs, which is why we suggest using the following methods to keep your WordPress site secure.
Use a Secure Host
When it comes to website security, regardless of which CMS you choose, your host is one of the most important factors in keeping your site safeguarded. How important is it? Well, according to a recent survey, 41% of websites were hacked through a security vulnerability on their hosting platform! Fortunately, banks and credit unions have unique hosting requirements that will afford you the highest level of protection. Specifically, you need a host that meets SSAE 16 compliance standards. With a trusted, reliable and secure host that can maintain compliance, you are eliminating a majority of the security risks that threaten your site.
Keep Your CMS Up-to-Date
WordPress employs a team of web security experts and industry-leading developers to research, find and address security issues across the platform. They partner with teams of researchers and security professionals from across the world to ensure that WordPress is protected from vulnerabilities. So, every new version of WordPress fixes new bugs and security issues to help keep sites protected from the latest threats.
However, these security measures are only useful if you keep your CMS up-to-date with the latest version of WordPress; neglecting to update your site could leave a vulnerability for hackers to exploit. When you consider that only 39% of WordPress sites are up-to-date with the latest version, it’s easy to see why WordPress has gotten a reputation for having a lower level of security. Working with an experienced web design partner is a good way to ensure that your site is always updated with the latest version.
Only Use Trusted & Updated Plugins
Because WordPress is an open source CMS, developers can create custom plugins that introduce additional functionality and versatility into each site. Plugins can include anything: dynamic customer testimonials, image galleries, search engine optimization tools, contact forms and much more. There are thousands of plugins available for WordPress, and they are one of the main reasons why the CMS is so dynamically customizable. However, they are also one of the biggest security threats to the platform; according to a leading expert in WordPress security, plugin vulnerabilities account for nearly 56% of known hacking entry points into your CMS.
Anyone can create a plugin that can be installed on a WordPress site, but you should only use official plugins from reputable authors. And, just like the WordPress CMS itself, each of these plugins needs to be updated regularly so that it remains protected against vulnerabilities. Trusted creators release regular updates to their plugins in order to ensure that they cannot be exploited or used as a backdoor into your site. It is advisable to avoid plugins that have not been updated within three months.
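The three-month rule above can be checked rather than eyeballed. The following is an added example written for this article, not BankBound's or WordPress's own code: it takes the plugin slugs and the `last_updated` value that the WordPress.org plugin information API returns for each (the date format shown is assumed from that API's output) and reports which installed plugins have gone more than 90 days without an update. The sample data is constructed for illustration.

```php
<?php
// Flags plugins whose last release is older than $max_days (default 90, i.e. the
// "three months" guideline). $plugins maps plugin slug => last_updated string as
// returned by the WordPress.org plugins API (assumed format: "2024-03-12 3:21pm GMT").
function fi_stale_plugins( array $plugins, DateTimeImmutable $now, int $max_days = 90 ): array {
    $stale = array();
    foreach ( $plugins as $slug => $last_updated ) {
        try {
            $updated = new DateTimeImmutable( $last_updated );
        } catch ( Exception $e ) {
            // Unparseable date: treat as unknown and flag it so someone looks at it.
            $stale[ $slug ] = 'unknown update date (' . $last_updated . ')';
            continue;
        }
        $age_days = (int) $updated->diff( $now )->format( '%a' );
        if ( $updated > $now || $age_days > $max_days ) {
            $stale[ $slug ] = $age_days . ' days since last update';
        }
    }
    return $stale;
}

// Constructed sample input. On a live site you would build this map from
// `wp plugin list --format=json` (WP-CLI) plus one plugins API lookup per slug.
$sample_plugins = array(
    'example-contact-form' => '2024-05-20 9:10am GMT',   // recent
    'example-gallery'      => '2023-11-02 4:45pm GMT',   // stale
    'example-seo-helper'   => 'not a date',              // malformed
);
$now = new DateTimeImmutable( '2024-06-01 00:00:00', new DateTimeZone( 'UTC' ) );

foreach ( fi_stale_plugins( $sample_plugins, $now ) as $slug => $reason ) {
    echo "REVIEW: $slug - $reason\n";
}
// With the sample data this prints REVIEW lines for example-gallery and example-seo-helper only.
```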
Use Strong Usernames, Passwords & 2-Factor Authentication
Despite having a secure host and an updated CMS, brute force attacks are still a big threat to security. A brute force attack is a stream of repeated login attempts that try to guess your username and password; once a guess succeeds, the attacker has access to the back end of your website. Here are a few ways to combat brute force attacks:
Avoid using easy-to-guess usernames like “admin” or “administrator” and don’t use names or email addresses that can be found on the front end of your site. You also shouldn’t use your bank or credit union name as a username (or anywhere in your password for that matter).
It’s always a best practice to safeguard yourself by using strong passwords. Ensure that you have standards in place for password creation: make passwords at least 10 characters in length, use a combination of numbers, letters and special characters, and change your password on a regular basis. Everyone who has access to your website should follow these same standards.
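The username and password standards just described can be enforced by WordPress itself instead of relying on every user to remember them. The following must-use plugin is an added example written for this article, not BankBound's or WordPress's own code; it uses WordPress's `illegal_user_logins` filter and the `user_profile_update_errors` and `validate_password_reset` hooks, and the blocked institution name is a placeholder you would replace.

```php
<?php
/**
 * Plugin Name: FI Login Hardening (example)
 * Description: Blocks guessable usernames and enforces the password policy from the article.
 * Install by placing this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Usernames that may never be registered. 'examplebank' is a placeholder for your FI's name.
const FI_BLOCKED_USERNAMES = array( 'admin', 'administrator', 'root', 'examplebank' );

add_filter( 'illegal_user_logins', function ( $illegal ) {
    return array_merge( $illegal, FI_BLOCKED_USERNAMES );
} );

/**
 * Return the policy violations for $password (an empty array means it passes):
 * at least 10 characters, containing letters, numbers and special characters,
 * and not containing the user's login or the institution name.
 */
function fi_password_violations( $password, $login = '' ) {
    $problems = array();
    if ( strlen( $password ) < 10 ) {
        $problems[] = 'Password must be at least 10 characters long.';
    }
    if ( ! preg_match( '/[A-Za-z]/', $password ) ) {
        $problems[] = 'Password must contain at least one letter.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'Password must contain at least one number.';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'Password must contain at least one special character.';
    }
    foreach ( array_merge( FI_BLOCKED_USERNAMES, array( $login ) ) as $word ) {
        if ( $word !== '' && stripos( $password, $word ) !== false ) {
            $problems[] = 'Password must not contain a username or the institution name.';
            break;
        }
    }
    return $problems;
}

// WordPress submits a new password as $_POST['pass1'] on profile edits, user
// creation and password resets; attach the same check to all of those paths.
$fi_check = function ( $errors, $login ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this request
    }
    foreach ( fi_password_violations( wp_unslash( $_POST['pass1'] ), $login ) as $msg ) {
        $errors->add( 'fi_weak_password', $msg );
    }
};
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) use ( $fi_check ) {
    $fi_check( $errors, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) use ( $fi_check ) {
    $fi_check( $errors, $user instanceof WP_User ? $user->user_login : '' );
}, 10, 2 );
```

The "change your password on a regular basis" part of the policy is an administrative schedule rather than something this file enforces; the filter and hooks only cover what a user is allowed to set.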
2-Factor Authentication (2FA) is the practice of requiring two pieces of information in order to access an account; in this case, your website CMS. This secondary piece of information could be a PIN sent to a mobile device via text or phone call, a verification email sent to a linked account, etc. You’ve probably encountered 2FA if you’ve ever tried to sign into your Google account from a different device. While this does increase the amount of time it takes to access your CMS, using additional verification factors makes it nearly impossible for hackers to force their way into your site using your username and password alone.
Use a Trusted Security Plugin
WordPress offers a number of official plugins that are specifically designed to enhance the security of your website. These plugins come with an array of security features to scan your site for potential threats. Some of them are available for free, but the premium versions provide additional measures like two-factor authentication and advanced spam filters.
Regularly Back-Up Your Website
Regardless of which CMS you end up using for your new FI website, it’s always a good idea to keep an off-site backup of your website. A backup can be used to restore your WordPress site to a working state at any time. Backups can be scheduled to occur automatically on a regular basis.
Use SSL to Encrypt Data
This is a standard practice for any website that needs to transfer data securely. An SSL (Secure Sockets Layer) certificate allows data to move securely between your user’s internet browser and the server, making it much more difficult for intrusions to occur. (The protocol in use today is SSL’s successor, TLS, but the certificates are still commonly called SSL certificates.) SSL certificates are very easy to procure and install, and they are a standard part of our web design process. This also has the benefit of positively affecting your organic keyword rankings, since Google tends to rank sites higher if they have an SSL certificate in place.
Brands & Financial Institutions that Use WordPress
Many major brands are using WordPress to power their websites, from The Walt Disney Company to Bloomberg. These brands understand that WordPress is a flexible and secure platform that is an ideal CMS for their needs. By following the best practices and standards we’ve outlined above, many banks and credit unions trust WordPress to power their sites as well, including the following financial institutions:
Why Partner with BankBound for Your New FI Website?
We are dedicated to helping community banks and credit unions thrive – which is why we build every website with your unique needs in mind.
- Built-In SEO: All our websites are built according to search engine optimization (SEO) best practices to help potential customers find you online.
- Responsive Design: Your website will be responsive to ensure that it displays flawlessly on any desktop computer, phone or tablet.
- High-Quality Content: We help your FI develop unique and valuable content for every page of your site to engage and convert your visitors.
- ADA Compliance: Your website will be built to meet WCAG 2.0 Level AA compliance standards.
- Built to Convert: Every page of your website will be designed to engage and convert visitors into new customers – making it a perfect outlet for Pay Per Click (PPC)
Security is one of your biggest concerns when it comes to designing a new website for your bank or credit union, and rightfully so. Our experience serving the financial industry allows us to understand these concerns better than other marketers and developers. Not to mention, our commitment to providing a transparent and individualized customer experience puts us one step above core providers. Whether you’re looking to completely overhaul your website, or generate some new deposit accounts, BankBound can help you get there.
Ready to get started? Learn more about our website design services for banks and credit unions, or start a conversation with one of our strategists to discuss your needs.