How to protect customer data and prevent GDPR breaches on your WordPress site

For UpdraftPlus’s own privacy policy and how we deal with GDPR, please go to the privacy centre.

Up until the advent of the internet, the most a company would know about its customers was their names, addresses, maybe their purchase history and little more. Fast forward to 2021, and businesses have access to all aspects of a customer’s (or potential customer’s) interests, bank details, email addresses, hobbies, desires, passions and goals – as well as some very personal information that the potential customer might not even be aware they are sharing. While this information has allowed companies to better serve and market to customers, if this treasure trove of personal data gets into the wrong hands, it can cause a major problem for all involved.

In this blog, we will discuss how to protect customer data and prevent GDPR breaches. But first it is important to define what a data breach is and what GDPR means. 

What is a data breach? 

A data breach is an incident that allows outsiders or unauthorized personnel to access or obtain confidential information from a system, without the permission of the owner. While cybercriminals represent the most common threat to data protection, they aren’t the only culprits. Employees and coworkers can either accidentally or maliciously share data with unauthorized persons, which can also result in a data breach. 

What is GDPR? 

GDPR stands for the General Data Protection Regulation, and as the name implies, it is an EU regulation that addresses data protection and privacy. GDPR applies to any organisation, wherever it is based, that processes the personal data of people in the EU; many countries outside the EU have adopted similar laws.

In May 2018, the GDPR came into force to give people in the EU and EEA greater control over what personal information they allow access to, how that information is used and what assurances they have regarding its protection by the companies involved. The regulation defines personal data broadly: a name, an IP address, banking details, an email address, a photo, location data or medical information all count. It applies to every company that handles the personal data of people in the EU or EEA, whether or not the company itself is based there.

10 ways to keep your customer subscription data safe and prevent GDPR breaches

If a company suffers a data breach, it can find itself facing an expensive bill. Under GDPR, a breach that results from failing to meet the regulation’s security obligations can attract fines of up to €20 million or 4% of the company’s worldwide annual turnover, whichever is higher. The following practices can drastically reduce your chances of experiencing a security breach.

1. Only collect essential data 

Your company’s database should contain only the information that is genuinely needed for your marketing and business purposes. The more personal the information you hold about customers, the more valuable your database is to attackers, and the greater the harm if it leaks.

A crucial part of customer data management is deciding which data you should collect and what you don’t need. Between 60% and 73% of data collected by companies is unused for analytics, which shows that organisations probably don’t need as much information as they think they do to conduct business. 

What comprises essential data for your company depends on your marketing goals and your ability to analyze the data to gain insights. Since marketing goals evolve, regularly evaluating the type of data you collect can save you trouble and aid your compliance with data protection regulations. 

2. Perform routine vulnerability and risk assessments

According to the Center for Internet Security (CIS), continuous vulnerability management is one of the highest-priority actions you can take to protect your organisation from data breaches (it is Control 3 in version 7 of the CIS Controls and Control 7 in version 8).

Vulnerability management means identifying weaknesses in your systems (unpatched software, misconfigurations, weak credentials, exposed services) and classifying them by severity and likelihood of exploitation. Regular risk and vulnerability assessments help you find holes in your defences and take measures to plug them.

When carrying out these assessments, you should leave no stone unturned. Inspect and evaluate your data storage, software and data security policies – like the use of personal devices and remote ‘work from home’ access for employees. 

WordPress core is actively maintained and security fixes are released promptly; in practice, most WordPress compromises come through outdated or poorly written plugins and themes, weak credentials and misconfigured hosting. It therefore helps to add extra protection with a security plugin that enforces good security practices and puts a web application firewall in front of your site.

You can also install the All In One WP Security & Firewall plugin on your WordPress site. It checks your site against recommended WordPress security practices and lets you enforce them – such as strong passwords, locking out repeated failed logins and firewall rules – so that potential weaknesses are closed before they become an issue.

3. Involve every member of your team 

It is imperative that every employee plays their part in preventing a breach. Your defences are only as strong as your weakest link, and without proper security awareness training, employees can unknowingly become that weak link.

Employees should be trained to identify security threats, to know what counts as “sensitive information”, and to report data leaks and breaches immediately. They should also be aware of the latest phishing and social engineering techniques used by cybercriminals (such as legitimate-looking fake emails and login pages) and how to avoid falling for them.

4. Adhere to data protection regulations 

Data protection laws and guidelines are more stringent today than they were just a few years ago. This is partly because the amount of personal data collected by organisations has increased dramatically with the advent of smartphones, and partly because cybercrime has grown into an organised, profitable industry in which stolen personal data is a commodity.

In this day and age, abiding by data protection regulations such as GDPR helps you to prevent leakages and avoid potential fines. It can also save your company’s reputation and increase customer trust. 

5. Restrict data access 

Just like secrets, the fewer people that have access to data, the lower the chance that it will be leaked. It is worth remembering that not all employees need the same level of access to sensitive customer information.  

A good practice is to segment customer data and grant each staff member access only to the segments their job requires (the principle of least privilege). On a WordPress site this means giving each user the least powerful role that lets them do their work, and reserving the Administrator role for the few people who genuinely need it.

While this may be a time consuming and painstaking process, compared to potential lawsuits, hefty fines, reputation damage and potentially millions of dollars in lost revenue; it is more than worth it. 

6. Data encryption 

Data encryption converts readable data (plaintext) into ciphertext that is useless to anyone who does not hold the key. It protects data at rest (on disk and in backups) and in transit (TLS/HTTPS between browser and server). Encryption is only as strong as the protection of the keys, so keys must be stored separately from the data they protect.

A crucial aspect of your data security plan should include provisions for encryption of sensitive data. Personal data across all devices used for company functions should be encrypted including messages, calls, and emails. 

With data encryption, you can store sensitive data in the cloud or on connected servers with far less risk: a stolen disk, a leaked database dump or a mislaid backup exposes only ciphertext, provided the key was not stored with it.
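As an added example (not code from UpdraftPlus or WordPress core), the following PHP encrypts a single sensitive customer field before it is written to the database, using libsodium’s authenticated encryption, which is bundled with PHP 7.2 and later. It assumes the 32-byte key is supplied as a hex string in a CUSTOMER_DATA_KEY environment variable (or, on WordPress, a constant in wp-config.php) and is never stored in the same database as the ciphertext; the field name, the version prefix and the sample IBAN are all constructed for the illustration.

```php
<?php
// Added example, not code from UpdraftPlus or WordPress core. Encrypts one customer
// field with libsodium's authenticated encryption (XSalsa20-Poly1305), bundled with
// PHP 7.2+. Assumption: the 32-byte key arrives as a hex string in the
// CUSTOMER_DATA_KEY environment variable (or a wp-config.php constant), never stored
// in the same database as the ciphertext.
declare(strict_types=1);

const CIPHERTEXT_VERSION = 'v1'; // prefix makes future key/algorithm rotation possible

function load_key(): string
{
    $hex = getenv('CUSTOMER_DATA_KEY') ?: '';
    if ($hex === '') {
        throw new RuntimeException('CUSTOMER_DATA_KEY is not set');
    }
    $key = sodium_hex2bin($hex);
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('CUSTOMER_DATA_KEY must decode to 32 bytes');
    }
    return $key;
}

function encrypt_field(string $plaintext, string $key): string
{
    // A fresh random nonce per record: reusing a nonce under the same key breaks security.
    $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // The nonce is not secret, so it is stored alongside the ciphertext.
    return CIPHERTEXT_VERSION . ':' . base64_encode($nonce . $ciphertext);
}

function decrypt_field(string $stored, string $key): string
{
    [$version, $blob] = explode(':', $stored, 2) + [null, null];
    if ($version !== CIPHERTEXT_VERSION || $blob === null) {
        throw new RuntimeException('unrecognised ciphertext format');
    }
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('corrupt ciphertext');
    }
    $nonce      = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // Authenticated encryption: a wrong key or a single flipped bit is rejected outright.
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plaintext;
}

// Stand-alone demo. If no key is configured, generate a throwaway one for this run;
// a real deployment generates the key once with sodium_crypto_secretbox_keygen()
// and keeps it out of version control and out of the database.
if (getenv('CUSTOMER_DATA_KEY') === false) {
    putenv('CUSTOMER_DATA_KEY=' . sodium_bin2hex(sodium_crypto_secretbox_keygen()));
}
$key = load_key();

// Constructed sample value (a documentation example IBAN, not a real account).
$stored = encrypt_field('GB29 NWBK 6016 1331 9268 19', $key);
echo "stored in database: $stored\n";
echo "decrypted:          " . decrypt_field($stored, $key) . "\n";

// Tampering with the stored value is detected rather than yielding garbage.
$tampered = substr($stored, 0, -4) . 'AAAA';
try {
    decrypt_field($tampered, $key);
} catch (RuntimeException $e) {
    echo "tampered value:     " . $e->getMessage() . "\n";
}
```

Run it with `php encrypt_field.php`. The design point is that the key lives in configuration and the nonce lives with the data: anyone who obtains only the database (or a backup of it) gets ciphertext they cannot decrypt, and anyone who modifies a stored value gets a hard failure on decryption instead of silently corrupted customer data.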

7. Two-Factor authentication (2FA)

Two-factor authentication is a security measure that requires two different forms of identification to gain access to an account. 2FA combines a password with a second credential of a different kind – a one-time code from an authenticator app, a hardware token or security badge, or biometric data such as a fingerprint – so that a stolen password alone is not enough to log in. Requiring 2FA on every company system and account, including WordPress admin logins, improves your data security hugely.

8. Regular security updates 

You may have suspected it, but the main reason companies like Apple push regular updates for iOS and macOS is to patch vulnerabilities that attackers could otherwise exploit.

The same applies to your site: keep WordPress core, themes and plugins, and the PHP and web server they run on, up to date. Most WordPress compromises exploit known, already-patched vulnerabilities in outdated plugins and themes, so applying updates promptly closes the easiest route in.

9. Online and offline data backup 

While this is not particularly intended to prevent a breach, it can save you a lot of time, money and trouble in the event of data theft, ransomware or loss. Having a secure backup – encrypted, stored away from the site itself, and tested by actually restoring it – means that your customer subscription data, as well as other sensitive information, can be recovered.

The longer your site is suffering from downtime as you try to recover the missing data, the more money you lose. A recent report suggests companies can lose as much as $300,000 per hour due to the downtime in the event of a hack, bug or server issue. 

By backing up your site using UpdraftPlus, you can be sure that you will always have a secure backup of your original website, should you ever need to restore it. 

10. Have a data breach response plan 

If all else fails and your preventative measures are breached, then what? Having a plan B, an organisational data breach response plan, can limit the damage of a data breach. Under GDPR you must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), and where the breach is likely to put the affected people at high risk you must tell them without undue delay (Article 34). Your plan should therefore set out who assesses the breach, who notifies the authority and how you inform your customers. According to the US Chamber of Commerce, 68% of small businesses lack a disaster recovery plan. Putting together a plan for your organisation puts you a step ahead of the curve.

Data breaches that companies can experience

Data breaches can occur through various means, but here are the most common. 

Phishing
Phishing is when cybercriminals try to obtain sensitive data, such as your banking details and passwords, by posing as a reputable company or individual you already deal with. Typically the message reports a problem that requires you to click a link, which leads to a fake login page that captures your credentials or downloads malicious software onto your computer. Training employees to spot phishing attempts in emails, messages and adverts can help prevent these attacks.

Brute force cyber attack
This is a more direct type of attack where attackers use software tools to guess your password, trying common passwords and dictionary words at high speed. With the speed of modern computers, guessing a short or common password takes far less time than it used to. Your best defence is a long, unique password or passphrase, which is easier to remember and harder to guess, combined with rate limiting of login attempts on your site, so that a guessing tool gets only a handful of tries, and 2FA, so that a guessed password alone is not enough.
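As an added example (not UpdraftPlus or WordPress core code), here is a small failed-login throttle that applies the rate-limiting idea above. The class itself has no WordPress dependency, so the file runs stand-alone with an in-memory store; when loaded inside WordPress (for instance as a file in wp-content/mu-plugins/) it persists counters in transients and hooks the real `wp_login_failed` action and `authenticate` filter. The limits (5 failures, 15 minutes), the `lt_` transient prefix and the attacker’s IP addresses are assumptions; it needs PHP 8.0 or later.

```php
<?php
// Added example, not UpdraftPlus or WordPress core code: a failed-login throttle.
// After a few wrong passwords from one IP, or against one username, further attempts
// are refused for a cooling-off window, so a guessing tool gets a handful of tries
// instead of thousands per minute. Storage is injected, so the class runs stand-alone
// (in-memory array, below) and inside WordPress (transients). The WordPress hook names
// are real; the limits (5 failures, 15 minutes) and the 'lt_' prefix are assumptions. PHP 8.0+.
declare(strict_types=1);

final class LoginThrottle
{
    private $read;   // callable(string $key): ?array   returns ['count' => n, 'expires' => ts] or null
    private $write;  // callable(string $key, array $rec, int $ttl): void

    public function __construct(callable $read, callable $write,
                                private int $maxFailures = 5, private int $windowSeconds = 900)
    {
        $this->read  = $read;
        $this->write = $write;
    }

    // Track both dimensions: one IP rotating usernames, and one username hit from many IPs, are both slowed.
    private static function keys(string $ip, string $username): array
    {
        return ['ip:' . $ip, 'user:' . strtolower(trim($username))];
    }

    public function isBlocked(string $ip, string $username, int $now): bool
    {
        foreach (self::keys($ip, $username) as $k) {
            $rec = ($this->read)($k);
            if ($rec !== null && $rec['expires'] > $now && $rec['count'] >= $this->maxFailures) {
                return true;
            }
        }
        return false;
    }

    public function recordFailure(string $ip, string $username, int $now): void
    {
        foreach (self::keys($ip, $username) as $k) {
            $rec = ($this->read)($k);
            if ($rec === null || $rec['expires'] <= $now) {          // start a fresh window
                $rec = ['count' => 0, 'expires' => $now + $this->windowSeconds];
            }
            $rec['count']++;
            ($this->write)($k, $rec, $rec['expires'] - $now);
        }
    }
}

if (function_exists('add_action')) {
    // Inside WordPress (e.g. a file in wp-content/mu-plugins/): persist via transients.
    $throttle = new LoginThrottle(
        fn(string $k) => get_transient('lt_' . md5($k)) ?: null,
        fn(string $k, array $rec, int $ttl) => set_transient('lt_' . md5($k), $rec, $ttl),
    );
    // Behind a reverse proxy, take the client IP from the proxy's trusted header instead.
    $clientIp = fn(): string => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

    add_action('wp_login_failed', function ($username) use ($throttle, $clientIp) {
        $throttle->recordFailure($clientIp(), (string) $username, time());
    });
    // Priority 30 runs after core's password check (priority 20), so a blocked source is
    // refused even on the attempt that finally guesses the right password.
    add_filter('authenticate', function ($user, $username) use ($throttle, $clientIp) {
        if ($username !== '' && $throttle->isBlocked($clientIp(), (string) $username, time())) {
            return new WP_Error('too_many_attempts', 'Too many failed logins. Try again later.');
        }
        return $user;
    }, 30, 2);
} else {
    // Stand-alone demo: in-memory store and a constructed attacker guessing the 'admin' password.
    $memory   = [];
    $throttle = new LoginThrottle(
        function (string $k) use (&$memory) { return $memory[$k] ?? null; },
        function (string $k, array $rec, int $ttl) use (&$memory) { $memory[$k] = $rec; }
    );
    $now = 1_700_000_000;
    for ($attempt = 1; $attempt <= 7; $attempt++) {
        if ($throttle->isBlocked('203.0.113.7', 'admin', $now)) {
            echo "attempt $attempt: refused before the password is even checked\n";
            continue;
        }
        $throttle->recordFailure('203.0.113.7', 'admin', $now);   // every guess is wrong
        echo "attempt $attempt: wrong password, failure recorded\n";
    }
    // A locked username stays locked from any IP; the block lapses with the window.
    echo 'same username from another IP blocked: ' . var_export($throttle->isBlocked('198.51.100.9', 'admin', $now), true) . "\n";
    echo 'after the window: ' . var_export($throttle->isBlocked('203.0.113.7', 'admin', $now + 901), true) . "\n";
}
```

Two caveats a practitioner should weigh: keying on the username means an attacker can lock a legitimate user out for the length of the window (a deliberate availability trade-off, which is why the window is short), and keying on the IP address is only meaningful if you read the real client address, not a proxy’s, and accept that a distributed attack will spread its guesses across many addresses. Neither weakness removes the value of the throttle; it just means 2FA is still required for the guessed-password case.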

Malware
Intruders can install malware or spyware on your devices to access confidential files without your knowledge. Malware’s activity and presence can go unnoticed for long enough to cause significant damage. It can be installed physically (for example from a USB stick) or remotely, through an email attachment or link. Learning how to spot these attacks and restricting access to your computer can help avoid them.

Human error, accidents and theft
In a way, human error plays a role in almost all types of cyber attack. Malicious software takes advantage of existing weaknesses in your system’s defences, but it usually still needs someone to open an attachment, click a malicious link or leave a device unprotected. A stolen computer, or a laptop left at a bus stop, can likewise give the thief access to sensitive data if the disk is not encrypted.

What to do in the event of a data breach? 

Bad press, lawsuits, financial losses and distrust are some of the effects of a data breach. In the event of a breach, the focus shifts to how you can manage your organisation’s reputation and rebuild trust with employees and customers alike. Here is how you can do that:

Good PR
An excellent PR team will work to ensure your customers understand you are on their side. It helps if you have a PR team on standby with a pre-planned sequence of actions that can be implemented within hours in the event of a data breach.  

Transparency
What’s worse than a breach and leak of sensitive customer data is a cloud of dishonesty and deceit in its aftermath. The pushback and consequent cost of the breach can be mitigated with a level of transparency and cooperation with the affected customers. 

Kick-start your data breach response plan
Regardless of how much you try to prevent it, with advancing technology and cybercrime sophistication, there’s still a chance of a data breach, no matter how small. Actions in your response plan should include a public address and some sort of compensation plan for the affected customers. 

Conclusion 

$4.24 million is the average cost of a data breach in 2021, according to IBM. That is a significant enough amount for it to be taken seriously. Whether or not your business operations are digital, if your customer data is stored on any device, you should pay attention to the steps above. Learning how to protect customer data and prevent GDPR breaches shows that you are prioritizing your customers’ privacy. That practice boosts your reputation and encourages brand loyalty.

The post How to protect customer data and prevent GDPR breaches on your WordPress site appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

Speed up your WordPress site using image optimization

When evaluating the speed and performance of your website, there are over 200 factors that search engines like Google use to rank content and web pages. Some of these factors are known, such as site update frequency, while for others – such as meta-tag spamming – it is not known to what extent they affect the ranking score.

Possibly the most important factor in your site’s Google ranking is its loading speed: how long the site takes to load completely on both mobile and desktop.

An important part of the loading speed process, your site’s overall SEO score and speed ranking is image size and image optimization. In this blog we will be looking at why this is important and why you should always have optimized images on your site.

Why is image optimization important?

Google considers site loading speed to be one of the main ranking factors when evaluating a site, because it uses the overall user experience as a measure of website quality. Speed not only affects the SEO score but also has a large effect on bounce rate: users typically leave a site if it takes more than 3 seconds to load.

Slow site speed can be responsible for abandoned carts, drops in conversion rates and other problems that cause the user experience to be rated negatively. If an e-commerce site is making $100,000 per day, a 1 second page delay could potentially cost $2.5 million in lost sales every year. A large portion of a website’s weight, and hence its loading time, can be attributed to the size of its images. Compressing your images reduces the time it takes to load them in a user’s browser, improving the overall loading speed of the website.

It should also be noted that a fast internet connection on the visitor’s side will not fix a slow website: loading time is largely dictated by how quickly your hosting server can respond and how much data (images above all) it has to send for each page.

How can you check your site speed?

It is possible to check your site speed using simple online tools. Some of the most commonly used web tools are listed below;

Google PageSpeed Insights

This is a developer tool introduced by Google for the single purpose of measuring site speed on desktop and mobile. It should typically be your first port of call when evaluating site speed, as it belongs to the same organization that ranks your website, which lends it a further level of legitimacy and behind-the-scenes knowledge.

PageSpeed Insights not only measures the speed for both desktop and mobile, but also provides a breakdown of why and where any speed issues lie. It also looks at the images on the page and reports how much their file sizes could be reduced. The platform allocates a score to your website, allowing you to gauge short-term improvements and errors that you might not have noticed otherwise.

GTmetrix

GTmetrix is broadly similar to PageSpeed Insights, in that it provides much the same information and allocates a score to your website. GTmetrix not only identifies problems with your site, but also suggests solutions to any speed issues it detects. If you are looking for something outside the Google ecosystem, this is a site you should consider getting familiar with.

If you have checked your site speed and image size has been flagged up as an issue, where do you go from there?

WP-Optimize – the WordPress plugin that makes image optimization simple

WP-Optimize is one of the leading WordPress optimization plugins, trusted by over a million users all over the world, with a 4.8 out of 5 rating on WordPress.org. WP-Optimize focuses on the 3 main components of site optimization:

  1. Cleaning your database.
  2. Compressing your Images.
  3. Website caching.

While there are several ways WP-Optimize can help with your site’s SEO, we will be focusing on the image compression aspect of the plugin for this blog. As mentioned above, image size has long been a major factor in site speed, and just making these changes can have a big impact on loading times.

WP-Optimize uses a ‘lossy’ compression technique to reduce large image files (high load times) to smaller compressed versions (low load times). All of the compressed images are saved directly to the site’s media library, where they remain accessible and can be reverted to their original size, should you wish to change them back.

With WP-Optimize, you can compress different image file formats including JPG, PNG, GIF, BMP and TIFF. When deciding which images to compress, it is recommended that images up to 5 MB in size be optimized for faster loading speeds. You should also always take a backup of your site using UpdraftPlus before compressing any images or making any other kind of change to your site, in case problems arise.

Additional features of WP-Optimize image optimization include:

Bulk compression

Allows you to select and compress all your images together. This can potentially save you a lot of time, as some sites can have hundreds, if not thousands of images that need compressing.

Intelligent, multi-pass lossy compression algorithm

The algorithm is created in such a way that it gives users twice the compression with a lot less loss of image quality.

Restore to the original image

While ‘Ctrl+Z’ can come in very handy in lots of online applications, it isn’t something that is usually found with an image optimization plugin. With WP-Optimize, you can revert back to the original images at any time. 

Auto compress 

Auto compress allows for all of your future images that will be uploaded to your website to be compressed automatically. This means you will not have to manually compress your images every time you upload a new one. Just select your compression settings and WP-Optimize will compress all of your images in real time as they are being uploaded onto the website.

Keep your EXIF data

If your website is related to high-end photography (for example, a wedding photography site), the photographic metadata of your images can be incredibly important. With most image compression plugins, this data is lost after compression. With WP-Optimize, you can choose to keep the original EXIF data, even if you decide to compress a 2 GB image down to 500 KB.

Conclusion

WP-Optimize is a great option that includes many different optimization features in one convenient plugin. As an overall WordPress optimization plugin, WP-Optimize is as good as, if not better than, some of the ‘top’ paid plugins. The following chart shows how WP-Optimize compares to leading caching plugins such as WP Rocket, W3 Total Cache and WP Fastest Cache.

If you are looking to improve the loading speed of your site, compressing your images is a great way to start. Download WP-Optimize today and see the difference a good optimization plugin can make to your WordPress site.

The post Speed up your WordPress site using image optimization appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

Why should you add two-factor authentications (2FA) to your WordPress site in 2021?

Once you have created your WordPress site, there are several factors you need to consider to keep your new site safe, whether it’s making sure your site is secure, you have regular backups scheduled or that your plugins are up to date.  


If you are establishing your business and brand in the online world, it is important to ensure that your site is not vulnerable to hackers and cyber attacks.  

According to Security Magazine:  “Every day, there are over 2,200 cyberattacks – which is nearly one every 39  seconds.”

  • 43% of small businesses have no cybersecurity defense plan in place. 
  • 60% of small business owners do not think their business is a target for cybercriminals.
  • 74% of small business attacks were executed by external actors, as opposed to internal employees
  • 84% of small business attacks focused on the monetary gain with 8% focused on espionage and the remainder focused on hacking for fun or grudges
  • 22% of small businesses transitioned to remote work without a cybersecurity plan in place.

To reduce your site’s exposure to these attacks, you can add two-factor authentication to your WordPress login by installing a 2FA plugin.

In 2021, it was reported that only 57% of businesses around the world use some form of multi-factor authentication (MFA), which is designed to add an extra layer of protection on top of users’ login credentials. Of the employees using MFA, 95% reported using a software-based 2FA tool (such as a mobile phone app), 4% a hardware-based solution, and roughly 1% biometrics.

What is Two-Factor Authentication and how does it work? 

2FA refers to a login process in which the user has to complete an extra verification step, beyond entering a password, to prove they are who they claim to be before being granted access to the site, documents, applications, sales information and so on.

What are authentication factors?

While every site has at least one login step to access your account, there are several ways in which a user can be authenticated using an additional method. Most logins rely on knowledge factors, such as traditional passwords. Adding a second factor forces the user to present something of a different kind: a possession factor or an inherence factor.

Knowledge Factor – This refers to the typical username/passwords and pin codes through which you can access a website account. No matter what type of password you select; including numbers,  words, symbols, uppercase, and lowercase, it will still be considered ‘basic security’. 

Possession Factor – This refers to something the user physically has: an ID card or smart card, a hardware security key, a one-time code sent to or generated on their smartphone, or a confirmation in a smartphone app. (A security question is not a possession factor: it is another piece of knowledge, and usually a weak one, since the answers are often guessable or discoverable.)

Biometric Factor – This can also be known as an inherence factor and is a security factor inherent in the user’s physical self. Typically, these are identified as unique personal physical characteristics such as fingerprint, facial, voice recognition or behavioral biometrics, including keystroke dynamics, gait or speech patterns.

Two-factor authentication combines two of these three factor types (for example, a password plus a code from an app). Systems that need stronger assurance use multifactor authentication (MFA), which requires two or more independent credentials and may add further signals such as the one below.

Location and Timing – Some services that hold sensitive personal information, such as Facebook and Google, are designed to notify the account owner, usually by email, when they see a login attempt from an unfamiliar location or at an unusual time. This can be enforced by limiting authentication to known, user-specific devices, or by checking the geographic source of an attempt from its IP address or other geolocation data (such as GPS data from the user’s phone). These are risk signals rather than authentication factors in their own right, but they are a useful supplement to 2FA.

By using these 2FA methods, multiple layers of protection help defend your website against password theft and phishing. Note, however, that a one-time code typed into a web page can still be phished by a fake site that relays it to the real one in real time; only phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the genuine site.

Is 2FA foolproof and can it be hacked? 

2FA goes a very long way towards making your site secure. But no matter how thorough your login process is, nothing makes it 100% safe. Recently, the popular cryptocurrency exchange Coinbase reported that attackers had bypassed SMS-based two-factor authentication for a number of customers by obtaining the one-time passcodes sent by text message.

2FA is only as secure as its weakest component. The National Institute of Standards and Technology (NIST) now discourages the use of text messages for 2FA, recommending instead randomly generated, time-limited codes from an authenticator app or a hardware token, owing to the risk of SIM swapping, phone cloning or malware that can intercept or redirect text messages.
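As an added example (not code from UpdraftPlus or any 2FA plugin), the following PHP shows how the time-limited codes recommended above are generated and verified; it also illustrates the one-time password described under “Two-Factor authentication (2FA)” in the GDPR post earlier on this page. It implements TOTP (RFC 6238) on top of HOTP (RFC 4226) with built-in PHP functions only. The secret is the RFC 6238 test key, used here as sample input; a real deployment generates a random secret per user, shows it once as a QR code, and stores it encrypted.

```php
<?php
// Added example, not code from UpdraftPlus or any 2FA plugin: the time-based one-time
// password (TOTP, RFC 6238) that authenticator apps generate, and the server-side
// verification a WordPress 2FA plugin performs. Built-in PHP functions only. The secret
// is the RFC 6238 test key, used as sample input; a real deployment generates a random
// secret per user (e.g. random_bytes(20)), shows it once as a QR code, stores it encrypted.
declare(strict_types=1);

function base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = strtoupper(rtrim($b32, '='));
    if ($clean === '') {
        throw new InvalidArgumentException('empty base32 input');
    }
    $bits = '';
    foreach (str_split($clean) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop the trailing partial byte
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
function totp(string $secret, int $unixTime, int $digits = 6, int $step = 30): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

// Server side: accept the current step and one step either side to absorb clock drift,
// compare in constant time, and check every step so timing does not reveal which matched.
function verify_totp(string $secret, string $submitted, int $now, int $drift = 1): bool
{
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    $ok = false;
    for ($i = -$drift; $i <= $drift; $i++) {
        $ok = hash_equals(totp($secret, $now + 30 * $i), $submitted) || $ok;
    }
    return $ok;
}

// The RFC 6238 test secret "12345678901234567890" in the base32 form a QR code would carry.
$secret = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');

// Check the implementation against the published RFC 6238 test vectors (SHA-1, 8 digits).
$vectors = [59 => '94287082', 1111111109 => '07081804', 1234567890 => '89005924'];
foreach ($vectors as $t => $expected) {
    $got = totp($secret, $t, 8);
    echo "T=$t expected $expected got $got " . ($got === $expected ? 'OK' : 'MISMATCH') . "\n";
}

// What a user would type right now, and how the server checks it.
$now  = time();
$code = totp($secret, $now);
echo "current code: $code\n";
echo 'verify(correct code, now):            ' . var_export(verify_totp($secret, $code, $now), true) . "\n";
echo 'verify(same code two minutes later):  ' . var_export(verify_totp($secret, $code, $now + 120), true) . "\n";
```

Two details the code does not cover but a deployment must: a code that has been accepted once must not be accepted again within its step (store the last used counter per user, so an intercepted code cannot be replayed), and the per-user secret is as sensitive as a password and should be encrypted at rest with a key held outside the database.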

Many large organizations, such as Google, Facebook and Uber, have suffered data breaches and found their users’ information for sale on the dark web. Attackers’ tools and methods are becoming more sophisticated and harder to detect – phishing, password spraying, ransomware and malware. While security teams are constantly working to improve online security, they have yet to eliminate the possibility.

According to Dark Web Price Index 2020:

“Data samples of millions of people sold on the Dark Web range from  $25USD to $6000USD for premium accounts.” 

Typically, If the user has up-to-date security protocols, hackers will usually move on to a user that is more vulnerable and has failed to properly set up their additional security. 

Tips for minimizing the risk of cyberattacks:

Always have a backup of your site: By using UpdraftPlus, you can ensure that you will have a secure and safe backup of your WordPress website. Should the worst happen and your site is the victim of a hack, you can revert to the older version of your site and make changes to your login process to make your site more secure.

Ensure your site has a robust security system: While you can’t remove all of the risk of being hacked, you can minimize it. Ensure that you have a reputable two factor authentication login system for all users with back-end website access. Do not give unnecessary privileges to users if they do not require them, as they can be used to take control of the website. 

Update your plugins, themes and WordPress version: Outdated software is the most common route into a WordPress site. Plugins with known, unpatched vulnerabilities are a particularly easy way in for attackers.

Make sure users are aware of the risks: It is vital that everyone with a higher level of access to your site be smart and aware of potential security issues. This means being aware of potential hacking attempts via email phishing scams, that may appear genuine, but are attempts to retrieve user names/passwords and install malware onto your computer.

Strong passwords: While this may seem the most obvious measure, it is also often the most overlooked. A long, unique password for every account (a password manager makes this practical) is the first and best protection against guessing attacks. Length matters more than complexity: a passphrase of several random words resists brute force far better than a short string of symbols. Change a password when you suspect it has been exposed, rather than on a fixed schedule that encourages predictable variations; current NIST guidance (SP 800-63B) advises against mandatory periodic changes.

Ending Notes: 

The more you know, the better your chances of preventing a cyber attack before it has even begun. A mixture of 2FA, updated software and secure passwords can help prevent the vast majority of attempted hacks. But should the worst happen, always remember that you should have a recent backup copy of your site with UpdraftPlus, stored in a secure remote storage location.

If you have any suggestions or queries, feel free to comment below. We are  interested in hearing from you.

The post Why should you add two-factor authentications (2FA) to your WordPress site in 2021? appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.