This week on the HIPAA Insider Show, we kick off a 3-part series on must-have WordPress plugins for healthcare websites. In Part 1, we tackle the most important piece of the puzzle—security. From two-factor authentication to audit logging, we cover the essentials you need to protect PHI, build trust, and stay HIPAA-aligned.


Transcript


Adam Zeineddine
Hello and welcome to the HIPAA Insider Show. My name is Adam Zeineddine and I’m joined as always by Gil Vidals. Hey Gil.


Gil Vidals
Hey Adam. Looking forward to this podcast about security plugins. Should be a good one.


Adam Zeineddine
Yeah, yeah, I’m really looking forward to it too. So what we’re doing today is something a little bit different. We’re starting the first part of a three-part series focusing on must-have WordPress plugins for healthcare sites. So I’m really, really interested to get into this one. And the first part of the three-part series is going to be focused on the most important aspect when it comes to healthcare sites: security, right Gil?


Gil Vidals
Oh yeah, we always need to talk about security, and there’s a lot of it. As you know, Adam, WordPress has a directory of plugins that’s a mile long, literally, I want to say hundreds of thousands of plugins. So you could get lost in a sea of plugins there. So hopefully we’ll help provide some guidance, I think.


Adam Zeineddine
Yeah. Okay, so before we get started, please like, subscribe, and share with anyone that is going to be interested in protecting their healthcare website. And yeah, let’s dive into it. I’m going to share my screen here, Gil. So we did a comparison: we ran through a couple of security tools that we’ve come into contact with in the past and used, and did comparisons with other security tools out there. And so yeah, this is what we’ve got. We’re sharing the comparison table on screen, and before I let you talk about this a little bit, Gil, I’d like to say, you know, HIPAA compliance is evolving and software is evolving. So this is a snapshot in time of what solutions are out there at present.


Adam Zeineddine
If you’re watching this a year, two years later, do make sure to, you know, do your due diligence. Well, if you’re watching anytime, do due diligence. But yeah, so these are the ones that are currently popular, right Gil?


Gil Vidals
Yeah, so I guess I want to give a little context, Adam, so our listeners can understand what we’re talking about when it comes to security. With WordPress, there are plugins that you can add quite easily that have security features. Some of these plugins are more encompassing. So instead of just one small feature, and then you get another plugin for another feature and another plugin for a third feature, these plugins have multiple features all wrapped into one plugin. Now there are several tools that do that. Today we wanted to go over some of these. Now, we’re not trying to review these to say, hey, this is the right answer for you. We’re trying to review some of these that are the better ones. And then each one has a strength, each one has a weakness, just like everything else in life.


Gil Vidals
The answer is, it really depends on what your use case is. So we’re going to look at it from that context. We’re not looking for the winner, we’re just looking to compare them so you can see what their strengths are.


Adam Zeineddine
Yeah. What are the first things that come into your mind as a security expert that you’re looking out for from plugins in general?


Gil Vidals
Well, just some general comments for security plugins would be to make sure that the plugin that you choose for your website is something that’s mature. It’s not something that was invented yesterday. It’s something that has been around for, you know, two or three different versions. And so you’re getting a mature product. I would say that’s generally a good thing to look for. And you want an author also that will support the product, that’s updating it regularly. And it’s okay if they have a free tier and a premium tier. That’s how they, you know, they have to make a living. And the premium tier usually gives you what you want. Typically, you’re going to want to pay for these plugins. Don’t try to skimp and save a few bucks.


Gil Vidals
When you’re talking about HIPAA security, you need to spend the money to get the best in class and make sure that you not only have the best in class, but that you get the updates. A lot of these, if you don’t pay, you don’t get the updates right away. You have to wait 90 days, so they’re going to be vulnerable for a while and you don’t want to do that.


Adam Zeineddine
Yeah. Okay, so these are the four that we’re focusing on. We’ve got Sucuri, Wordfence, Jetpack Security, and Solid Security. It looks like each one does have its strengths and a couple of weaknesses there. It seems like Sucuri is coming from the background of being a web application firewall. Right. And then it’s added services from there.


Gil Vidals
Yeah, Sucuri does have a WAF. So let’s take a moment to talk about what a WAF is. So WAF is a web application firewall. What is that? Well, most people, when they think of firewall, they have some idea what that means, right? Keep the bad guys out, let the good guys in. So the job of a WAF is to look at the traffic coming into your website, right? People make requests to see your website, that’s fine. But you also get bots and other malicious traffic that may be trying to abuse your site, access it unauthorized, you know, hack into it, basically do something bad. So Sucuri has a web application firewall built in, and it helps protect you from attacks. Database-related attacks are called SQL injection attacks, and then DDoS.


Gil Vidals
A DDoS attack is when so many users or fake users come to your site that it slows your site way down, where even the good traffic can’t get through. So Sucuri does have that. The malware scanning is okay, but sometimes it doesn’t find the malware. So that’s something you have to think about. The setup for Sucuri is a little bit complex for the premium version, as it requires some knowledge about DNS, updating DNS, in order to enable the web application firewall. The price is roughly a couple hundred dollars a year for the license on this one.


Adam Zeineddine
Yeah. What I noticed as well is that the free version, or the freemium version, is markedly lower on features than the paid version. I mean, that is something that is common across different software, but I think markedly so with Sucuri. So the real starting point there is $199 a year for the basic setup. Okay, well, moving on to Wordfence. We’ve heard a lot about Wordfence. So it also has a WAF, right?


Gil Vidals
This one has what they call a WAF, and they use the term endpoint firewall. And this one’s a pretty strong one, they claim.


Adam Zeineddine
Is that just a little bit different? Is that just different phrasing, or is that something specifically different than a WAF?


Gil Vidals
An endpoint firewall, in this case, is the same thing. They just use a different term for it. So it’s still a web application firewall. And with Wordfence, they claim they’ve done over 9 billion preventions, or 9 billion times that they’ve prevented an attacker from getting in per month, is what Wordfence is claiming. And they do have advanced malware scanning, and they use that to detect file-based malware. So something that’s been infected into a file, they’re claiming they can detect that quite well. They also have login security like two-factor authentication and a reCAPTCHA. reCAPTCHA is when you go to a site and you have to type in some letters before you’re able to proceed. So they do offer that facility as well. So it’s a pretty good product.


Gil Vidals
And the performance: sometimes you can notice the performance impact with Wordfence, because they do have quite a bit of activity going on and they have some heavy database activity. Yeah. So it could slow down at times. But again, these are all pretty good products here.


Adam Zeineddine
Okay. Yeah. And the premium starts at $99 a month, so that is lower than the Sucuri plugin. Okay. Next up is Jetpack, another all-in-one solution.


Gil Vidals
Jetpack, I like that name. One of the things about Jetpack is it’s pretty easy to use. It’s got a nice clean interface with one-click setups, which is great. That includes backups and anti-spam. So it offers daily backups, one-click restores, and spam filtering as well.


Adam Zeineddine
That’s important.


Gil Vidals
Yeah, for sure. Spam filtering for comments. And what we mean by spam is, if you have a site that has the ability to make comments, a lot of the bots will go by and put comments in there that you really don’t want to have. So it helps prevent that.


Adam Zeineddine
Why did they do that?


Gil Vidals
Oh, the bots, you mean? Yeah, yeah. No, the bots leave comments because they’re trying to do something advantageous for themselves. For example, if they put a comment about their product, they’re trying to sell a product. Or they may put a link, a backlink, to a site that they want to get a lot of links to, because links help you in your search engine ranking. So it’s going to be content that favors the commenter, and it’s a real pain to keep that up. It does have scanning as well. Jetpack does offer scanning that’s performance friendly. By that we mean that it doesn’t bog down the whole site while it’s being scanned. And it has a pretty inexpensive price. It’s only $9.95 a month.


Adam Zeineddine
Oh yeah, that’s a lot. That’s a lot lower than the other ones.


Gil Vidals
Yeah, yeah, I think that’s a pretty good one. They don’t have any malware cleaning, though. So if malware is detected, you have to get rid of it yourself. So that’s a downside.


Adam Zeineddine
Oh, and it doesn’t have a robust WAF. It relies on Cloudflare for the WAF.


Gil Vidals
If the WAF isn’t a big deal for you, then this one will still be a pretty good product because of the price point, which I think is good.


Adam Zeineddine
Then last but not least, Solid Security, formerly iThemes Security for those of you that have been in the WordPress world for a while. Looks like a solid plugin too. A solid option.


Gil Vidals
Yeah, they have vulnerability scanning, and it integrates with a great tool called Patchstack. Patchstack is a tool that helps identify a plugin that might be compromised. So it integrates with Patchstack. The price is pretty affordable. It’s a couple hundred dollars a year. It does have brute force protection, which by brute force protection we mean unauthorized users or bots that are trying to access the site. It helps protect against that. It doesn’t have a full web application firewall. Instead it just relies on some basic IP blocking, which is not as effective as a full-blown web application firewall. It does have some backup capability, and sometimes people say it has performance issues. The database could become heavy at times and that could slow things down, but overall a lot of people use it.


Gil Vidals
It’s been around for a long time under the name iThemes, so it’s so worthy of.


Adam Zeineddine
Okay, so there you have it. So there’s four options there for all-in-one plugin solutions. Gil, in summary, would you like to provide any tips for people looking to implement security on a WordPress site for healthcare?


Gil Vidals
Yeah, I guess just to give a quick overview, or a conclusion I should say, for these. I’d say Sucuri excels with the web application firewall, which is very important. If there is a hack, it’ll help clean it up. It’s good for medium to larger sites. Then Wordfence has been around for a while, really well respected. It does have comprehensive protection with a strong endpoint WAF, and it has advanced malware scanning and real-time monitoring. It’s perfect for the users that are comfortable with fine-tuning the settings, as it does have quite extensive settings and features; some people might be overwhelmed by all of those. So if you’re looking for just a one-click setup, I don’t think Wordfence would be the right one for you. Jetpack Security is pretty user friendly. It’s, again, an all-in-one solution.


Gil Vidals
It combines security with backups and performance tools, and it’s probably the best one for beginners. If you’re new to WordPress or you’re not technical, this might be a good one. And then Solid Security really is advanced when it comes to login security, you know, two-factor authentication and passwordless login, and it’s also very affordable. It doesn’t have a web application firewall, though, and limited backup. So I think that’s just a good overview of these tools. We’ve seen these tools being used by many people. They all have a big following. And the thing is, you could try these tools. You could try one and then uninstall it. Try the next one. You don’t have to feel like once you try one, you’re locked in. You can try it.


Gil Vidals
If they have a free trial, that’s perfect, then you can move on to the next one if you’re going to be testing it.


Adam Zeineddine
That’s fantastic. Thank you, Gil, for running us through those four options there. There you have it. That’s our breakdown of all-in-one security plugins for WordPress. What have you come across in the past? Have you used anything that we didn’t mention? Let us know in the comments below. If you have any questions, reach out to us at hipaavault.com, podcast@hipaavault.com, and we’d be happy to look at that and get back to you. So that’s it for this episode. Stay tuned, though, for the next part in the series, which is going to be focusing on another crucial aspect of healthcare website hosting, and that is the performance aspect, the performance boosters for healthcare sites. So until next time, thanks for stopping by.