WordPress Security is something which always comes up, and to be honest there is more scaremonger than fact in what you hear. The security of any website is important and WordPress is built to make life easier for users/owners. As a result some feel this comes at a cost in security – It doesn’t have to!
WordPress is the most popular CMS system in the world and powers a ton of big ticket websites which shows it is a great bit of software. Like anything though, you just have to set it up right and have the correct checks in place whilst know what you’re doing with it.
In this article we will talk about some of the things which can affect the security of a website.
Why is WordPress targeted?
If you look at IT in general Microsoft comes under attacks more than Apple Mac’s simply because they have the volume of users. Hackers want to target the biggest system they can and they want the break the biggest market. Like Microsoft hackers then choose WordPress as their target. This said over the years we have personally encountered more hacked Joomla sites than WordPress. Was this down to the platform used – nope, it was down to the sites not being maintained.
These attacks usually come in the form of:
Backdoors – Access is granted via the command line via things like WP-Admin and FTP. Usually with website affecting one another like a chain.
Drive-by Downloads – Grotty code sitting on your site waiting to upload itself on some poor unsuspecting visitor.
Pharma Hacks – You will see this when Google says “This site may be compromised.” Never a good look.
It is SPAM which if you didn’t know stands for Stupid Pointless Annoying Messages. People using your site often just to make a few £££.
Malicious Redirects – A nasty redirect from your site sending someone to another place or to a site where bad things are waiting to be innocently installed on your visitor’s computer. It is a silent assassin and can wreak havoc on busy sites with lots of users all being duped.
BUT – Don’t Panic. It isn’t as bad as it sounds and with good planning, solid maintenance and your eye on the ball you are actually pretty safe – honestly. The web is full of scaremongering these days and WordPress gets more than its fair share of it. The fact so many reports come out about sites being hacked are because many of them are on www.wordpress.org a free hosting tool. Because it’s free, the software is free and people are doing it as and when they can this we feel is where most of the hacking reports come from.
It isn’t business grade stuff and this is why people unintentionally leave the back door open.
How do people get hacked?
There are a lot of ways to get hacked but most people get caught because they are naive. There is a lot you can do to protect a site when building it just with good planning and procedures. The obvious one is don’t have your Username as Admin and your Password as Password. You will be amazed how often we still see this – if you are guilty please change it now!
People get hacked due to insecure plugins being installed, not updating core WordPress files and by having poor quality hosting. A good host (costs money) but they will deliver a great service to you and help in the battle to keep sites safe.
Any good host from time to time will ALSO come under attack but it is about how they deal with that which matters. Ours does very well.
It’s funny as the amount of times we speak to people without a backup or they have one but don’t know if it ever works, this is a real worry. You need a number of backups ready to use at any one time to ensure your backup from last week isn’t also corrupt!
There is no point going back to a corrupt backup.
At PC Futures we have a 3 tier back up system taking multiple backups to give us that safe restore point if we ever needed one.
A back up IS the most important thing in your site. It just gives you peace of mind and chances are you won’t ever need it, but if you do then you will be pleased you have a thorough one in place.
Access – Who and Why?
We’ve seen WordPress sites which we’ve been asked to look after and there are about 10 people with admin rights to the site. You need to consider who should have access to the site, why, and if they REALLY need the level they have (if any). WordPress is all about making a site easy to use for everyone BUT this is at the root cause of the problem. You can upload or get the maintainer of the website to upload things – this gives you greater protection again. One user account used by one person.
The more people with access the more change of something going wrong and chances are it will be by accident. Chances are most of them are just adding content and if they decide to install a nice plugin (to help the site) that a friend or blog has told them about – this is where the trouble starts.
Hosting is an area where you get what you pay for. We use SSD (super-fast) business grade hosting and the level of support we get is excellent as we spend a lot on it.
This gives us peace of mind and enables us to get more out of it. Google and humans like fast sites as well which is another great reason to have us manage and host your site.
Turn this off, whilst in theory it is nice but the update process has to be a manual one. The reason for this is you don’t know what knock on effect this can have. For us we take backups before we do big updates and do them one at a time.
The reason for this is often an update for a plugin or WordPress itself can come out and cause issues with other parts of the site. The problem is you won’t know what issues you have until the update is run and by then it could be too late.
So, make sure you have a backup.
Manually Control Comments
People want backlinks and to get some free traffic referrals to their sites – WordPress sites get a lot of these requests and it’s to be expected.
By not manually approving these it makes life so much easier. Once you approve a suspect one then welcome to a list where you will be bombarded all the time.
Do check them as mostly you can spot the dodgy looking ones and if in doubt ask.
Two Step Authentication
If needed we can introduce two step authentication for high traffic or ecommerce sites as well as improving user control. A two step authentication process protects the site to a much higher level and makes it very hard for hackers to gain control.
If you would like to know more on this please contact us through our site or call 01473 527423.
A great feature of most CMS systems including WordPress is the ability to add pre-built 3rd party plugins. This keeps costs down and lets people do more with their own websites often without needing to know how to code.
The downside of this is understanding what on earth you are actually putting into your site. Some plugins are notoriously badly put in place and actually can cause security vulnerabilities in a site.
Some have updates frequently and can it is important to know what each one can affect and when to run the update.
General Site Maintenance
Invest some solid time in maintaining your site OR get someone who knows (like us) to do it for you. If you don’t look after a car or bicycle it will go wrong quicker and it is the same with a website. Sites become compromised due to people not giving them the time they deserve.
If your site is an E-Commerce site or ranks high then you MUST give it the time it deserves or you risk losing it.
Ok, so if you have a WordPress site already or you are thinking of having one built but you don’t want to look after it on a day to day basis let us know.
WordPress is dynamic software, frankly it is brilliant, but it can become unsafe if people don’t know what they are doing. It can be secure one minute and miss a few updates and become vulnerable the next day – as can ANY site.
At PC Futures we have the experience to manage sites and the knowledge to protect an existing site. If you want to get more from your online presence whilst protecting your business please contact us on 01473 527423 or via the contact us page.
We know WordPress and we have an outstanding security record with our sites, call us to find out how good it is. Also, if you think your WordPress website has been hacked or you know it has talk to us, we can help.