How to secure student data in WordPress (FERPA and GDPR compliance)
If your educational institution has a website that collects student data, protecting that data is both a legal and ethical responsibility.
Beyond maintaining trust with students and their families, compliance with data protection laws is mandatory in many jurisdictions. Two key regulations to consider are:
- FERPA (Family Educational Rights and Privacy Act). This U.S. regulation includes compliance requirements such as restricting access to student data to authorized individuals only and obtaining written consent before sharing student data. The U.S. Department of Education has a dedicated website for student privacy that contains many resources about FERPA.
- GDPR (General Data Protection Regulation). This European regulation includes a number of compliance requirements such as obtaining clear consent for data collection, ensuring data portability, implementing “privacy by design” principles, and notifying students and authorities promptly if there’s a data breach. We have an entire post about WordPress GDPR compliance.
This post covers some practical ways to secure student data on educational websites built with WordPress. These include technical tips, such as encrypting student data, as well as other important strategies, such as educating your staff about data security.
Let’s get into it…
Use a secure hosting provider
A secure hosting provider is one of the most effective ways to protect student data on your WordPress site. A well-configured host helps prevent unauthorized access, data breaches, and downtime.
For example, Kinsta offers managed hosting for WordPress for educational institutions with built-in security features to help protect your organization’s data, including:
- Secure infrastructure. Kinsta uses secure infrastructure powered by Google Cloud Platform at the origin and Cloudflare at the network edge.
- Free SSL certificate. Kinsta offers free SSL certificates, which is important because enabling an SSL certificate allows you to encrypt data as it passes between your website’s server and students’ browsers.
- Firewalls. All sites are protected by two enterprise-level firewalls. Cloudflare’s firewall protects your site at the network edge, preventing many attacks from reaching your site’s origin server. Your site is also protected by Google Cloud Platform’s IP-based protection firewall.
- Automatic backups. Kinsta automatically backs up your site daily on all plans and stores your backups in a secure location. You can also increase the frequency of these automatic backups, up to hourly backups.
- Two-factor authentication (2FA). You can use 2FA to secure access to your hosting account.
- 24/7 support. You can access 24/7 live chat support if you ever need help with anything.

No matter which hosting provider you choose, make sure that you’re fully taking advantage of all of its security functionality.
Encrypt data and backups
Encryption can help protect student data when it’s in transit and at rest, ensuring that sensitive information remains secure from unauthorized access.
To start, it’s essential to use an SSL/TLS certificate and enable HTTPS on your WordPress website. This encrypts data as it moves between students’ browsers and your WordPress site, preventing interception by third parties.
If you’re storing student data, you may also need to encrypt data at rest. The approach depends on where the data is stored:
- If data is stored in your WordPress database, consider using a database with built-in encryption capabilities. For example, MariaDB supports Transparent Data Encryption (TDE) to encrypt data at rest.
- If you’re using an external database, check whether it supports encryption and how to configure it properly.
It’s also important to encrypt any backups that include student data, as these could be another vector for an unauthorized actor to access student data.
If you use Kinsta, you don’t need to worry about this, as backups are created at the server level and stored securely in Google Cloud Storage on the Google Cloud Platform (GCP). However, if you prefer more flexibility, the external backups add-on allows you to store backups in your own external object storage such as Amazon S3, where you can apply encryption using the provider’s tools.

Many WordPress backup plugins also include features that let you encrypt your WordPress backups. For example, BackWPup Pro has a special encryption feature that you can use to secure student data in backups.
Educate staff and admins about data security
Securing student data is a team effort. Even if you set everything up perfectly at a technical level, a simple human error, such as reusing a weak password or mishandling sensitive data, can lead to security breaches.
To prevent these risks, it’s important to educate staff and admins on their responsibilities when handling student data.
Some of the topics that you should cover include the following:
- Password policies. Require staff to use unique, strong passwords for their accounts. You can also encourage them to use a password manager like Bitwarden or LastPass.
- Data handling practices. Authorized staff should be trained on securely handling student data. For example, encrypting student data on your server won’t help if staff share unencrypted files via email or other unsecured channels.
- Phishing prevention. You should explain common types of phishing attacks and how your staff can avoid falling for them, for example by not clicking links in unexpected emails and by never sharing the one-time passcodes (OTPs) used for two-factor authentication. The UK government has a great page on how to protect your organization from phishing attacks.
Restrict access to your site and data
Along with educating staff and admins about proper data handling, you should restrict who can access student data. In general, having fewer people with access to student data makes it easier to secure and lessens the chance of human error leading to a data breach.
Beyond just generally improving data security, FERPA also explicitly requires you to limit access to student data to only authorized individuals.
On WordPress, you can use the core WordPress user role system to restrict the access each user has. WordPress comes with five built-in user roles (or six if you use WordPress multisite), but you’re free to create your own roles or edit the default roles.

Each role comes with a pre-defined set of “capabilities,” which control individual actions/access for users. We cover these topics in our detailed guide to WordPress roles and capabilities.
To more easily manage these roles and capabilities, you can use the User Role Editor plugin.
It offers a simple interface where you can enable or disable specific capabilities just by checking a box. You can edit capabilities for the default WordPress user roles or create your own roles.

You can then go further by implementing two-factor authentication for all users who have access to sensitive data. You can set this up by using a plugin like Wordfence Login Security, which allows you to require two-factor authentication for specific user roles on your site.
If you require two-factor authentication for any user role that has access to student data (along with enforcing strong passwords), you can greatly reduce the chance that an unauthorized person gets access.
If you host your website with Kinsta, we also offer strong user role management for people with access to your hosting account. You can assign users to specific websites, enforce two-factor authentication, and more.
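As an added example (not code from this post or from Kinsta), the must-use plugin below shows the role-and-capability approach in practice: it creates a least-privilege role for staff who only need to read student records and uses a custom capability as the gate on a REST endpoint that serves them. The role name, the `view_student_records` and `edit_student_records` capabilities, the `school/v1` route and the `student_record` post type are all assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Student Records Access (added example)
 * Description: Least-privilege role and capability gate for student data.
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

add_action( 'init', function () {
    // Build the role from Subscriber so it inherits only the 'read' capability,
    // then grant exactly one custom capability. Names here are assumptions.
    if ( null === get_role( 'registrar_readonly' ) ) {
        $base = get_role( 'subscriber' );
        $caps = $base ? $base->capabilities : array( 'read' => true );
        $caps['view_student_records'] = true;
        add_role( 'registrar_readonly', 'Registrar (read-only)', $caps );
    }

    // Administrators get both capabilities; no other built-in role gets either.
    // add_cap() writes to the database, so only call it when it changes something.
    $admin = get_role( 'administrator' );
    foreach ( array( 'view_student_records', 'edit_student_records' ) as $cap ) {
        if ( $admin && ! $admin->has_cap( $cap ) ) {
            $admin->add_cap( $cap );
        }
    }
} );

// Serve a record only to users holding the capability. The permission callback
// runs before the handler, so unprivileged requests get 401/403 and never reach the data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'school/v1', '/students/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'view_student_records' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            // Assumes records are stored as a private 'student_record' post type.
            $post = get_post( (int) $request['id'] );
            if ( ! $post || 'student_record' !== $post->post_type ) {
                return new WP_Error( 'not_found', 'No such record.', array( 'status' => 404 ) );
            }
            // Return only the fields the caller needs (data minimization).
            return rest_ensure_response( array(
                'id'         => $post->ID,
                'student'    => $post->post_title,
                'updated_at' => $post->post_modified_gmt,
            ) );
        },
    ) );
} );
```

Because the role is stored in the `wp_user_roles` option, you can still inspect or adjust it afterwards with User Role Editor; the point of the code is that the capability check lives next to the data it protects.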
Collect data responsibly (and minimize data collection)
In addition to securing the student data that you have, it’s also important to be mindful of how you collect student data in the first place.
To start, you should minimize the data that you collect. Try to think about why you’re collecting each piece of data and only collect data that’s actually necessary for the operation of your educational institution.
Then, when you collect that data, make sure that you’re doing it responsibly.
You should have consent forms that collect explicit consent for all of the student data that you collect.
You should also have a thorough privacy policy that explains the following:
- What data you’re collecting.
- Why you’re collecting that data.
- How you’re storing that data.
To assist with creating and displaying a privacy policy, you can use a WordPress plugin like Complianz.
It’s also essential that you install an SSL/TLS certificate and enable HTTPS so that any data you collect via your site is encrypted when it passes from the user’s browser to your server. Again, Kinsta’s WordPress hosting offers free SSL/TLS certificates.
Finally, you should implement data retention policies that dictate how long you store data, and you should regularly delete data that’s no longer needed.
For example, if you only need certain information about active students, it doesn’t make sense to continue storing that data once a student graduates. A data retention policy can ensure that you’re properly deleting data when it’s no longer needed.
To automate some of these data retention policies, you can use a WordPress plugin like Advanced Database Cleaner. It allows you to clean out certain data from your database on a schedule that you set (or you can just run it manually when needed).
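As an added example (not code from this post, from Kinsta or from the Advanced Database Cleaner plugin), the plugin below automates one retention rule with WP-Cron: student records are permanently deleted a fixed number of years after graduation. It assumes records are a `student_record` post type carrying a `graduation_date` meta value in `YYYY-MM-DD` form; the three-year period is a placeholder for whatever your retention policy specifies.

```php
<?php
/**
 * Plugin Name: Student Record Retention (added example)
 * Description: Purges student_record posts a fixed time after graduation.
 */

define( 'SRR_RETENTION_YEARS', 3 );                 // placeholder policy value
define( 'SRR_HOOK', 'srr_purge_expired_records' );
define( 'SRR_BATCH', 200 );                          // records per run

// Schedule a daily run once; wp_next_scheduled() prevents duplicate events.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( SRR_HOOK ) ) {
        wp_schedule_event( time(), 'daily', SRR_HOOK );
    }
} );

add_action( SRR_HOOK, 'srr_purge_expired_records' );

function srr_purge_expired_records() {
    $cutoff = gmdate( 'Y-m-d', strtotime( '-' . SRR_RETENTION_YEARS . ' years' ) );

    $query = new WP_Query( array(
        'post_type'      => 'student_record',   // assumed post type
        'post_status'    => 'any',
        'posts_per_page' => SRR_BATCH,          // batch so a large purge cannot time out
        'fields'         => 'ids',
        'no_found_rows'  => true,
        'meta_query'     => array( array(
            'key'     => 'graduation_date',      // assumed meta key, YYYY-MM-DD
            'value'   => $cutoff,
            'compare' => '<',
            'type'    => 'DATE',
        ) ),
    ) );

    foreach ( $query->posts as $post_id ) {
        // wp_delete_post() does not remove child attachments (e.g. uploaded
        // transcripts), so delete those first or the files stay on disk.
        foreach ( get_attached_media( '', $post_id ) as $attachment ) {
            wp_delete_attachment( $attachment->ID, true );
        }
        // force_delete = true bypasses the Trash so the row and its meta are removed.
        wp_delete_post( $post_id, true );
        // Keep an audit trail of what the policy deleted and when.
        error_log( sprintf( '[retention] deleted student_record %d (cutoff %s)', $post_id, $cutoff ) );
    }

    // A full batch means more may be waiting: run again shortly rather than tomorrow.
    if ( count( $query->posts ) === SRR_BATCH ) {
        wp_schedule_single_event( time() + 5 * MINUTE_IN_SECONDS, SRR_HOOK );
    }
}
```

WP-Cron only fires on page requests, so on a low-traffic site trigger it from a real cron job (`wp cron event run --due-now` via WP-CLI) to make sure the purge actually runs on schedule.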

Secure all file uploads and permissions
To protect your site and data from malicious files, it’s also important to secure file uploads to your site. This can prevent the intentional or unintentional uploading of a malicious file to your server that has the potential to cause a data breach.
To start, you should restrict which file types are allowed to be uploaded to your server. Block all potentially malicious file types and only allow the specific types of files that are needed for your site. On WordPress, you can control allowed file types by using a free plugin like File Upload Types.

You should also tightly control which users are allowed to upload files to your site. As we discussed earlier, you can do this using the WordPress role system. More specifically, you can use the upload_files capability to control which user roles have the ability to upload files.
It’s also important to configure your server to limit access to uploaded files, which you can do with .htaccess rules or nginx.conf. You should also make sure that you set the proper file permissions to control access to those files on your server.
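As an added example (not code from this post, from Kinsta or from the File Upload Types plugin), this plugin applies the two controls just described in code: an allow-list of upload types with a second check that survives other plugins widening the list, and removal of the `upload_files` capability from roles that do not need it. The roles listed and the allowed types are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Restrict Uploads (added example)
 * Description: Allow-list upload types and limit who may upload.
 */

// 1. Allow-list: only the types this site actually needs. Anything not listed
//    (including .php, .html, .svg and .js) fails wp_check_filetype_and_ext().
add_filter( 'upload_mimes', function ( $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
} );

// 2. Defence in depth: re-check every upload against the current allow-list.
//    This also covers users who hold 'unfiltered_upload', whom core would
//    otherwise exempt from the type check.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'This file type is not permitted on this site.';
    }
    return $file;
} );

// 3. Only roles that genuinely need to upload keep the capability. Roles here
//    are assumptions; adjust to your own role set.
add_action( 'init', function () {
    foreach ( array( 'author', 'contributor' ) as $role_name ) {
        $role = get_role( $role_name );
        // remove_cap() is persisted, so guard it to avoid a database write per request.
        if ( $role && $role->has_cap( 'upload_files' ) ) {
            $role->remove_cap( 'upload_files' );
        }
    }
} );
```

These checks run inside WordPress; blocking script execution inside `wp-content/uploads` still belongs in the `.htaccess` or `nginx.conf` rules mentioned above, so a file that slips through cannot run.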
Audit and monitor access to student data
It’s also essential to monitor your student data and audit access to student data.
For example, you should be able to see who has viewed student data and what modifications have been made to it. This visibility can help you flag potential issues and ensure that your staff members are following your data storage and handling policies.
To track WordPress users who are viewing or modifying student data, you can use a plugin like WP Activity Log. In addition to letting you view a log of actions inside your WordPress dashboard, you can also set up alerts via email or SMS, which can help you quickly detect any suspicious activity.
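As an added example (not code from this post, from Kinsta or from WP Activity Log), the plugin below shows what such an audit trail looks like at the code level: one JSON line per read, create, update or delete of a student record, plus an email alert when the actor lacks the capability that should be required. It assumes a `student_record` post type and a `view_student_records` capability.

```php
<?php
/**
 * Plugin Name: Student Record Audit Trail (added example)
 * Description: Logs every read/write of a student record and alerts on
 * access by an account that lacks the expected capability.
 */

function sra_log( string $event, int $record_id ): void {
    $user  = wp_get_current_user();                  // ID 0 if anonymous
    $entry = array(
        'ts'      => gmdate( 'c' ),
        'event'   => $event,                         // view|create|update|delete
        'record'  => $record_id,
        'user_id' => $user->ID,
        'login'   => $user->user_login,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'allowed' => current_user_can( 'view_student_records' ),  // assumed capability
    );
    // A fixed prefix makes the lines easy to grep or forward from the PHP error log.
    error_log( 'STUDENT_AUDIT ' . wp_json_encode( $entry ) );

    // Access by an account that should not have it is the case worth alerting on.
    if ( ! $entry['allowed'] ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Student record accessed without capability',
            wp_json_encode( $entry, JSON_PRETTY_PRINT )
        );
    }
}

// Writes: fires on create and update of the (assumed) student_record post type.
add_action( 'save_post_student_record', function ( $post_id, $post, $update ) {
    sra_log( $update ? 'update' : 'create', (int) $post_id );
}, 10, 3 );

// Deletes: runs before the row and its meta are removed.
add_action( 'before_delete_post', function ( $post_id, $post ) {
    if ( $post && 'student_record' === $post->post_type ) {
        sra_log( 'delete', (int) $post_id );
    }
}, 10, 2 );

// Reads: a single student_record page rendered on the front end.
add_action( 'template_redirect', function () {
    if ( is_singular( 'student_record' ) ) {
        sra_log( 'view', (int) get_queried_object_id() );
    }
} );
```

Records exposed through other paths (REST routes, admin list screens, exports) need their own `sra_log()` call, otherwise those reads never appear in the trail.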

Beyond logging activity in WordPress, you should also conduct regular audits to review database entries and user access logs.
Both MySQL and MariaDB include logging tools that you can use, though you might need to enable them:
Only use trusted WordPress plugins
The wide array of WordPress plugins that are available is one of the things that makes WordPress so great for education websites.
However, each plugin that you install on your site also has the potential to cause issues with data security. For this reason, it’s essential to thoroughly vet each plugin and only use plugins from high-quality, trusted WordPress developers.
Before installing any plugin, make sure you’re considering the following factors:
- Developer support and updates. Make sure that the developer is still actively supporting the plugin and releasing new updates. Pay special attention to any security updates. Security issues happen even with the best software, but good developers move quickly to release a security patch and also provide information about the vulnerability.
- User reviews. These can be a great window into other users’ experiences and the overall quality of the plugin.
- Active installations. You should generally be wary of plugins with low active install counts. There can be some exceptions, though. For example, if a plugin solves a very niche issue but still comes from a trusted developer, you shouldn’t automatically rule it out.
Beyond looking at the quality of the plugin and developer, you should also assess whether the plugin is designed in a way that’s compatible with FERPA, GDPR, and other relevant guidelines.
For example, even if a plugin comes from a high-quality developer with a great track record, it still might not be a good fit if the plugin inherently collects or stores data in a way that doesn’t comply with FERPA or GDPR.
Promptly update WordPress, plugins, and themes
Keeping your WordPress core, plugins, and themes up to date is crucial for maintaining site security. Outdated software can expose vulnerabilities that malicious actors may exploit.
According to a 2023 security report by Sucuri, 39.1% of hacked CMS websites were running outdated software at the time of infection. Additionally, in 2023, plugins were responsible for 97% of all new security vulnerabilities in the WordPress ecosystem.
To mitigate these risks, it’s essential to promptly apply all security updates to the WordPress core, plugins, and themes. Regular updates ensure that known vulnerabilities are patched, reducing the risk of exploitation.
If you’re worried about software updates causing issues on your site, you can test them on a staging site before applying them to your live website. If you host your site with Kinsta, you can easily create a staging site and push some or all of the changes live after you’ve tested them.
Alternatively, Kinsta also offers an Automatic Updates add-on to make applying updates even easier:
- Scheduled updates for plugins and themes. It does this for all plugins and themes on the days you choose, ensuring your site stays current.
- Automatic backups before updates. It automatically takes a new backup before applying any updates so that you have a clean restore point.
- Visual regression testing. This means comparing your site’s appearance before and after an update. If any issues are detected, it automatically rolls back to the restore point.

You can also consider a plugin like Easy Updates Manager. It can help in a few different ways:
- Email notifications for available updates. You can receive an email when a new plugin update is available, which is helpful if you don’t check the WordPress dashboard every day.
- Manage automatic updates. If you want to enable automatic plugin updates, you get tools to manage that, such as scheduling when to apply updates.
- Logging. You can view logs of updates that have been applied.
- Automatic backups. If you use the developer’s UpdraftPlus plugin, it can automatically back up your site before updating plugins.
Have a data breach protocol ready to go
If you’re following all of the tips above, you should be in a great position to secure your student data.
However, it’s still important to have a plan for what happens if something goes wrong, which is why you should have a predetermined protocol for any data breaches.
To start, you should have a notification plan for how to communicate any data breaches:
- Plan for how to notify individual users who are affected. You need to do this promptly. For example, the GDPR requires you to notify users within 72 hours.
- Look up which authorities you need to notify of data breaches and how you can get in contact with them.
Many WordPress GDPR compliance plugins can help you with reporting data breaches to users who have been affected. For example, the Complianz plugin has a Data Leak Report Wizard that can help you report and manage data leaks. Some other plugins also offer similar tools.
In addition to meeting reporting requirements, you also want to have a plan in place for restoring your website. For example, if there’s a website breach, you might want to restore to the most recent clean backup.
You should also periodically test restoring a backup to a staging environment, as this gives you real-world experience so that you can restore your backup when the pressure is on.
If you host with Kinsta, you can easily restore a backup to either your staging or production environment just by clicking a button.

Summary
Regardless of how you build your educational institution’s website, it’s important to secure student data to comply with laws like the U.S.’s FERPA and Europe’s GDPR.
If you use WordPress, you can leverage core WordPress features and WordPress’s extensive plugin library to help you secure student data and comply with legislation.
If you combine the proper WordPress setup and user education with reliable, secure web hosting, you can be confident that your students’ data stays safe.
To learn how Kinsta’s WordPress hosting can help you create a secure foundation for your educational institution’s website, check out Kinsta’s education hosting here.
The post How to secure student data in WordPress (FERPA and GDPR compliance) appeared first on Kinsta®.