Penetration testing, often abbreviated as pen testing, is an essential process to ensure you maintain a safe and secure website. But what exactly does pen testing involve, and how can you rest assured your agency partner is covering all potential vulnerabilities for you? 

This article will provide a detailed guide to penetration testing, helping you minimise your security risks and ensure your website is fully protected. 

In a recent series of articles published in our resource library, we provided an in-depth explanation of the end-to-end process of building a high-performance, enterprise-grade website. (If you’d like to read that series first before learning about pen testing, you can start here). 

After you’ve worked with your agency partner to successfully build your website, you’ll also need to ensure your site is protected from cyber security threats.  With that in mind, you should understand the important role that pen testing plays in effective website security and maintenance. 

What is Penetration Testing? 

Penetration testing is a form of website testing that’s used to identify security vulnerabilities When conducting pen testing on your site, your agency will simulate a range of cyber attacks that could be used by cyber criminals or malicious software (malware). 

The purpose of this is to identify security weaknesses within your site and take action to prevent them from being exploited in the real world. This approach goes beyond basic tests, as it doesn’t just list the vulnerabilities, it examines how they could be exploited and helps to prevent that from happening. 

Why is it Crucial for an Agency to Conduct Penetration Testing? 

Website security is critical in today’s digital business landscape. Cyber security threats have become highly intelligent and sophisticated, now capable of penetrating even the strongest security networks. 

For instance, global technology giant Acer was the victim of a cyber security attack that demanded a ransom of $50 million USD in recent years. 

The outcomes of a cyber attack on your website could be catastrophic, either through sensitive data being stolen, lengthy losses of business continuity, or even reputational damage. 

Remember, your site’s security isn’t just vital to you as a business, it’s also something your clients need assurance with when they agree to work with you. You should be taking as many proactive steps as possible to ensure your security measures are rigorous enough to match high levels of risk. 

Covering All Bases for Robust Security (in WordPress)

It’s useful to be conscious of the common security weaknesses and pitfalls cyber criminals typically aim to take advantage of. 

Security vulnerabilities can be created when your website is running on outdated versions of your platform, or if something hasn’t been configured or integrated properly. Other common pitfalls include weak authentication measures and insufficient protection from the perspective of your users. 

With platforms like WordPress, there are some areas in which less experienced agencies could allow security vulnerabilities to creep in as well. For instance: 

• Auto-updates – When your platform’s software is automatically updated, changes in the code can cause new security weaknesses to arise. 
• Plugins – Using WordPress plugins from untrustworthy sources, or neglecting to update and maintain your plugins properly, can also cause security issues. 

This is one of many reasons why it’s important to work with an experienced agency partner who has proven platform-specific knowledge and expertise. Your agency should know your CMS of choice inside out, and should therefore be well aware of all the most common security pitfalls and targets for cyber attacks. 

What Does Effective Penetration Testing Involve? 

To conduct pen testing, your agency’s security experts will run through a process that attempts to penetrate your site’s security measures. 

This is usually done in stages, as follows: 

1 – Planning and Preparation

1. Review the results and analysis of any previous tests (if there are any)
2. Define the scope of the testing, including which tests will be performed
3. Gather all necessary data and information on the system to conduct the testing
4. Determine the criteria of success or failure for the tests.

2 – Running the Tests 

1. Use automated tools to scan for vulnerabilities and identify weaknesses 
2. Attempt to exploit the identified weaknesses 
3. Repeat the tests with different types of user roles and permissions
4. Measure the outcomes against criteria for success or failure 
5. Create a report on the outcomes and results of the tests. 

3 – Post-Testing 

1. Review the reports and analyse the results 
2. Remediate and resolve the vulnerabilities that were able to be exploited
3. Re-test the vulnerabilities to ensure remediation was successful.

The Benefits of Thorough Penetration Testing

Working with an agency partner who can support you with ongoing pen testing is a necessary step towards gaining enterprise-grade security for your website.

Technology changes so quickly today. Your platform receives updates regularly, your site is always growing, and cyber criminals are constantly finding new ways to breach your defences and gain access to your data. Penetration testing allows you to keep the pace with new emerging vulnerabilities. 

Conducting regular pen testing can also help improve client relationships and create competitive advantages as well. In certain industries, a demonstrable commitment to security will be greatly appreciated by your target audience. This can help to differentiate you from the competition and provide the trust required to attract more prospective clients to work with you.

Website Security is a Never-Ending Battle 

While every business with a website faces tremendous security risks today, this is a proven process that can help to minimise that risk and give you the confidence you need in your site’s security.

Any agency partner you work with should have the knowledge and expertise to understand the importance of pen testing, and should insist on making this an integral, ongoing part of your site’s maintenance. 

Would you like these insights straight to your mailbox?

Your emailSubmit

I consent to my submitted data being processed and stored by SoBold in compliance with Privacy Policy

Cyber security and data protection should be top priorities for your business right now. Of course, this is particularly important for large businesses, and those in strictly regulated industries like financial services, where the outcome of a cyber attack or data breach can be catastrophic. 

As these security concerns continue to intensify, you must be increasingly careful and vigilant about the technology solutions you use. You should also take more proactive steps to ensure everything in your tech stack is built and managed in a way that minimises your risks.

When it comes to WordPress, there’s a common misconception that the platform isn’t secure enough for large businesses. This misunderstanding tends to come from the fact that it’s free-to-use, so it was originally more popular among smaller independent businesses and B2C blogs. 

Today, however, WordPress is the world’s most popular content management system (CMS), and for good reason. Considering a significant percentage of that user base includes global enterprises, you’d think such popularity would be enough proof that it’s a secure platform. 

On the contrary, large businesses still ask us on a regular basis, “Is WordPress secure enough for us?” 

Is WordPress Secure? 

The answer to that question is, yes, WordPress is a secure, stable platform, even in its “out-of-the-box” state. WordPress’s core code is thoroughly tested and quality-checked by a team of security experts continuously. Not only that, but the same team regularly releases security updates and reinforces any potential weaknesses before they can be capitalised on by cyber criminals.

In fact, the speed at which security updates are implemented in WordPress is arguably the fastest in the world today when compared with other CMSs.

Additionally, WordPress is open-source software, meaning all its code is available to the public. Users are constantly suggesting changes and updates, often to fix bugs in the code and minimise opportunities for cyber criminals. This keeps the platform safe and secure for everyone else. 

But while WordPress does have the ongoing support of some of the most talented and devoted developers in the world, it’s not immune to security vulnerabilities. No software is, unfortunately. 

That’s why it’s important to be aware of, and work with, some fundamental best practices for security. Listed below are some steps you can take to further strengthen the security of the WordPress CMS.

Best Practices to Strengthen WordPress Security 

1 – Secure Hosting

The hosting service you choose for your platform will determine how secure and well protected your data will be. 

It goes without saying that WordPress should be hosted in a secure environment, overseen by an experienced provider who prioritises security within their services. 

Some things you should consider essential for a hosting provider include: 

• A fully-managed service with 24/7 support
• Automated monitoring and alerts
• Back-up and disaster recovery
• 99.99% up-time
• 100% pass-rate for data centre audits.

Before choosing your hosting provider, do plenty of research to ensure they’re able to provide these measures. Most businesses will work with a development agency partner for WordPress, and that agency should be able to help you with this process.

2 – Back-Up and Disaster Recovery 

Following on from the previous point, any good hosting provider should also offer back-up and disaster recovery services. These are like safety nets that will allow you to protect, save, and recover all your data in the event of any losses. 

3 – Be Careful with Plugins 

Plugins are a great way to enhance the WordPress platform with new capabilities and features. But you should only ever use plugins from reputable, credible sources, otherwise you could experience security problems.

It’s also important to keep all your plugins regularly tested, maintained, and updated. Again, this is an area where a WordPress agency partner will help you.

4 – Always Keep Your Platform Updated 

When you’ve built a website with WordPress, you’ll often receive software updates from the platform. Any time this happens, it’s because a bug has been fixed or some improvements have been made to the software.

Keeping up with these updates is so important from a security perspective, because they’re designed to keep your site secure. By letting your site run on an outdated version of the platform, you leave yourself at risk of a known issue being exploited by a cyber criminal or some malware. 

This is another thing that a good agency partner should take care of for you, so you don’t need to worry about keeping your platform up-to-date.

5 – Never Auto-Update Your Plugins 

You have the option to enable auto-updates within your WordPress platform. While this may seem like an easy way to keep your CMS up-to-date, doing so can create technical issues and security risks that simply aren’t worth the convenience. 

Each plugin you use will have its own button for you to turn auto-updates on or off. Any good agency will advise you to turn those auto-updates off and instead opt for a more secure approach to your updates, to maintain the resilience of your platform. 

6 – Use Security-Specific Plugins

Another way to reinforce the security of WordPress is by implementing security-specific plugins like WordFence, Sucuri, or Defender Pro. 

These handy tools will do a lot of the hard work for you, monitoring your platform and spotting potential vulnerabilities so you can fix them before they’re allowed to have any negative impact.

7 – Enable SSL 

A secure sockets layer (SSL) is a protocol which encrypts the transfer of data between your website and your users’ browsers. Enabling SSL makes it more difficult for cyber criminals to steal or compromise data online. Don’t worry, though, as this will be taken care of by your hosting provider as a standard practice. 

8 – Avoid Tools that Open Direct Access to Your Site Database from the Dashboard 

Some tools and plugins will enable direct access to your site’s database from within your CMS dashboard. While this can make certain aspects of website management easier for you, it also creates security vulnerabilities. This is something you should always avoid, because these additions are often severe security risks.

9 – Encourage Your Users to be Mindful of Security 

The biggest security risks, and many opportunities for cyber criminals, come from unsafe user behaviour, poor platform maintenance, and badly built sites.  

Your behaviour, and the behaviour of your end-users – and your agency – should always be mindful of security. If it’s not, sooner or later you’ll encounter problems. Some security best practices you can introduce include making strong passwords compulsory for all users and implementing measures like two-factor authentication.

10 – Find a Trustworthy Agency Partner to Support You 

We understand that following all these steps sounds like a lot of work. Of course, when you’ve got your own job to focus on, the last thing you need is to be spending time struggling through complex website security processes.  

That’s why it’s so valuable to find a reliable, trustworthy agency partner when using WordPress to build and manage websites. A good agency will ensure everything is secure and up-to-date for you, so you can spend more time providing outstanding services and experiences to your customers.

It’s always worth taking time to find an experienced agency with a strong track record of building robust, secure sites, to give you the peace of mind you deserve. That means they should handle your secure architecture, testing, monitoring, updates, and ongoing support for you as part of their services.

Being Truly Secure is an Ongoing Process 

When you’re selecting a content management system (CMS) to build critical digital assets like your website, security must be a top priority. It’s for that very reason more and more large businesses are looking to WordPress as their platform of choice. 

However, it’s equally important to choose an agency you can trust, and one that has these security best practices incorporated into their approach. This doesn’t just stop at the delivery of your website, either. True security is a constant ongoing process, and your agency partner should help you through that. 

Following the tips listed here will give you everything you need to build a resilient, secure website on WordPress, suitable for the enterprise. 

Interested in learning more about WordPress? Discover how a global enterprise achieved game-changing results by using WordPress to build a secure, innovative, bespoke solution. Check out the story of RedeWire from Rede Partners LLP here. 

Would you like these insights straight to your mailbox?

Your emailSubmit

I consent to my submitted data being processed and stored by SoBold in compliance with Privacy Policy

As of September 2017, SoBold has become the exclusive digital partner for Clanwilliam Group.

About Clanwilliam Group: Clanwilliam Group, headquartered in Dublin, Ireland, operate a number of industry leading brands in the private and public healthcare sectors across the Republic of Ireland, the UK, Australia, New Zealand as well as other worldwide locations. Formed in 2014, Clanwilliam has rapidly expanded in size, now with over 15 brands under the Clanwilliam Group umbrella. Clanwilliam is driven to establish itself as a global group of highly synergistic healthcare technology and services businesses.

About SoBold: SoBold Digital Marketing, founded by Managing Director Will Newland in 2014, work with companies and brands deriving from an impressive multitude of sectors including Healthcare, Fitness, Luxury, Hospitality and more. With a growing portfolio of over 80 brands, SoBold has a proven track record of delivering expertly crafted digital marketing solutions to help small and medium sized businesses grow and flourish.

We are delighted to become Clanwilliam Group’s exclusive digital partner. Clanwilliam is rapidly increasing their reach in the Healthcare sector and we at SoBold are proud to work with them to implement a powerful digital strategy.

Would you like these insights straight to your mailbox?

Your emailSubmit

I consent to my submitted data being processed and stored by SoBold in compliance with Privacy Policy

SoBold are delighted to announce that we have obtained a sponsor licence in order to sponsor international skilled workers to come and work at SoBold.

SoBold have always put heavy emphasis on hiring the best global talent for our needs, and we have strengthened our ability to do this by obtaining a Skilled Worker Sponsorship Licence. 

With all sponsorship licences that the Home Offices grants they need to be reassured that the sponsors can live up to the “significant trust” that the department places in them. The Home Office further made checks that SoBold is a “honest, dependable and reliable” workplace, and capable of meeting the responsibilities that it expects from sponsors.

Since being granted our Skiller Worker Licence, we have been fortunate enough to put it to use to hire two new team members. 

Anna de Moraes, joined SoBold, from Portuguese company, SpringParrot. Anna had been able to work remotely, and was living and working from the UK, when she got in touch with SoBold. Anna, who is natively from Brazil, said of the process: 

“​The steps were pretty clear and the whole process was quite simple. I’ve had friends waiting years for their visas to be approved while we were able to complete everything in a short period of time! I was already excited to start and, in a blink of an eye, I was finally part of the SoBold team!”

More recently, SoBold hired Santosh Gajera as a Back End WordPress Developer. Santosh has relocated from India in order to provide his services to SoBold. When asked about the process behind him getting his Skilled Worker VISA granted, Santosh said:

“To keep my IT career moving forward, I needed sponsorship from an organisation that sponsored my visa. SoBold has been an invaluable help in obtaining my Tier-2 (Skilled worker) visa. I am very thankful to their hard work and professionalism. My documents were handled very scrupulously by them, and they provided full support throughout the whole application process . I got my visa approved in two days, which is amazing, and they handled everything for me.”

SoBold worked with all-in-one digital platform, Nation Better in order to achieve our sponsorship licence and the process was streamlined, affordable and transparent.

SoBold already have a diverse talent pool, with staff from all over Europe, and with the help of Nation Better, we have been able to improve the way in which we hire international talent and open up opportunities further afield. We look forward to continue growing our team with exceptional overseas talent and have access to a wider talent pool.

SoBold Managing Director, Will Newland said:

We are absolutely delighted to welcome both Anna and Santosh to the SoBold team. Without our Sponsorship Licence we would be missing out on a large pool of talent that is the future of our business. We very much look forward to continuing to use our Sponsorship Licence to our advantage and giving skilled employees the opportunity to come and work here at SoBold.

For more information on what current vacancies we have, please visit our website careers page.

Would you like these insights straight to your mailbox?

Your emailSubmit

I consent to my submitted data being processed and stored by SoBold in compliance with Privacy Policy

When you’re responsible for managing a new website development process, you’ll have some difficult decisions to make. Two of the most difficult decisions will be finding an agency that you can trust, and finding a content management system (CMS) that will give you the flexibility and performance to drive your business forward online.  

Your CMS will play a significant role in helping you meet your specific website requirements and enabling you to achieve your strategic goals. 

We’ve compared lots of different CMSs in our recent series of articles, and each of them have their own strengths and weaknesses. In this article, we’ll compare WordPress and Craft.

Ease-of-Use

It’s vitally important to ensure that the platform you choose is straightforward to manage. You’ll want a platform that’s approachable, with a low barrier for entry, to avoid any challenges in the daily running of your website.

Craft’s Ease-of-Use

Whilst Craft is an open-source CMS, it requires technical development expertise in order to manage the platform once built. Management for non-technical teams will likely be difficult, thus limiting you in your ability to build out content and new features over time. 

If you do have expertise in-house, that will allow you to manage your website more easily, as the CMS itself is efficient for publishing and managing content.

Craft also makes it easy to collaborate and share responsibilities across teams without any interference or complications. For example, you can save draft versions of pages and share them with colleagues – with private links that don’t even require you to be signed in – before publishing live on your site. 

WordPress’s Ease-of-Use

Conversely, WordPress is specifically built so that content can be managed in-house. WordPress provides you with a convenient, intuitive user interface (UI) that allows quick and easy publishing, management, and editing of content on your sites.

Put simply, WordPress is a more traditional CMS that’s suitable for a wider range of users and teams. It allows you to easily manage the content on the front-end, whilst also facilitating a quick time-to-market for the development of your website.

This ease-of-use also helps to share responsibilities throughout your team.

Flexibility

Flexibility will always be high on your list of priorities when looking for a CMS. Tailoring your platform to fit your own unique requirements is a crucial capability in today’s digital business landscape. 

How Flexible is Craft?

Craft is all code-based, which allows you to build virtually any type of website you want, with great flexibility. The only limitations, really, will be with the platform-specific development capabilities of your agency.

How Flexible is WordPress?

WordPress also offers a great deal of flexibility and customisation, but the difference here is that it’s unlikely you’ll need to alter much about WordPress’s pre-existing tools and features to be able to build a website you’re happy with.

With WordPress, you have everything you need to build a high-performance website. But that’s complemented by the flexibility to make enhancements and seamlessly scale the platform with new bespoke features if you wish to. 

Integrations

Before you select a CMS, you’ll need to ensure it can easily integrate with any existing systems your business has in place. Whilst most CMSs will be able to integrate well with a variety of third party systems, it’s important to be aware of any limiting capabilities of the platforms.

Craft’s Integrations

Integrations with the most popular third-party platforms are typically supported in Craft through plugins. However, you may need to integrate manually with platforms using API’s.

While this gives you more control over your CMS’s functionality and security, it’s another area in which you’ll likely have to spend more time and money on agency development work. Those integrations will also need to be maintained and updated manually as well, which may be a financial and time burden on your agency. 

WordPress’s Integrations 

WordPress’s global popularity means that it’s readily compatible with most of the third-party systems you’ll already have within your business. 

You’ll have a wide range of native plugins available that will integrate your WordPress site with virtually any other tool. Even if you have more advanced requirements, it’s usually easier for your agency partner to do this bespoke development work in WordPress than it is with other CMSs. 

Developer Communities 

Investing in a platform that’s supported by a community of developers will provide you with additional benefits and advantages. It’s always helpful to have other users working to continuously create additions and updates to help the CMS grow and improve.

Craft’s Community 

Craft has a passionate community working hard to help enhance the platform, but it’s only a fraction of the size when compared to more mainstream CMSs like WordPress. 

Still, size isn’t all that counts here. Craft’s community is very supportive and highly active on channels like Slack and Discord. Craft also has a StackExchange, which is a Q&A forum that many developers use to share learnings as they work through projects.

The WordPress Community

At 20 years old now, WordPress’s popularity and global market share means it has an enormous community supporting it. 

WordPress’s community consists of millions of users who work tirelessly to offer support, collaboration, knowledge sharing, events, and much more. 

Any questions, problems, or requirements you have are often answered very quickly by members of the WordPress community. This also results in exciting new enhancements and features being released on a near-constant basis to drive the platform forward. 

Being part of the WordPress community will also give you access to free events that help users learn to get as much value as possible from the platform. 

Cost and TCO 

Cost is a key factor when choosing a CMS. It’s also important to remember the up-front costs aren’t the only thing you need to consider here. Since your CMS is a long-term investment, you should be looking for a low total cost of ownership (TCO) for all your related costs over time.

Craft’s Initial Investment and Ongoing Costs

With Craft, you’ll need to purchase either the pro or enterprise plan. Pro comes with a one-time payment of £250 per project, and an additional annual payment to continue receiving updates. The cost of the enterprise plan will vary depending on your requirements and usage.

As mentioned earlier, the costs associated with the platform may also be high. This is due to the need for agency support across many aspects of your project, from setting up your website, to integrations, to ongoing maintenance. 

The actual costs of development with Craft may also be higher than with other CMSs because of the smaller scale and more specialist nature of the platform. 

It’s also worth mentioning that Craft CMS hosting services are more limited than those of WordPress, again likely making them more expensive.

WordPress Cost and TCO 

On the most part, WordPress is a more cost-effective platform than Craft, with a lower TCO.

WordPress is free-to-use, limiting your initial costs to just hosting, development agency fees, and post-deployment support. 

As touched on earlier, achieving a much faster time-to-market will allow you to launch a quality website quickly so you can begin gaining strong ROI right away.

Another cost-related benefit of WordPress’s ease-of-use is that if there’s bespoke development work you need your agency to complete, it will usually come at a reasonable cost. Because Craft is such a niche and technical platform, bespoke development work often comes at a premium in comparison to the more widely-used WordPress.

When the WordPress platform receives updates, it’s often fairly quick and straightforward for your agency partner to test and maintain your site.

These advantages add up to create a lower TCO for WordPress than you’ll have with other enterprise CMSs.

Conclusion 

Both Craft and WordPress are both great CMSs in their own right, and would serve most businesses. Although, it’s difficult to deny that WordPress is a much more approachable platform than Craft for the average user.

If you’re a team with a great selection of existing development skills, Craft can provide you with some innovative capabilities and could be the right platform for you. 

The key thing to remember when making this evaluation is that you should select the platform that directly aligns with your own specific circumstances and requirements. 

Every business, and every web development project, is different. Carefully consider your objectives, budget, users, in-house skills, and any other factors that may come into play. That should allow you to determine which CMS is the right one to deliver what you need. 

If you need more help finding a CMS for your new website project, read our comprehensive guide to understanding and evaluating the options for large businesses here.

Would you like these insights straight to your mailbox?

Your emailSubmit

I consent to my submitted data being processed and stored by SoBold in compliance with Privacy Policy