WordPress powers close to one quarter of the internet. One in every four websites uses this great piece of software. Sit back and think about the scale of that for a minute. How often are you browsing around sites running WordPress without even realizing it?
Now let the dark side of you take over. We all have one–just give in, just for a minute. Imagine if you found a way into ANY WordPress site. Now put those thoughts together: You are evil, one in every four websites is powered by WordPress, and you found a way into all of them. Imagine the possibilities!
Ok, now come back to the good side. Forget you ever considered hacking into your friend’s blog to say extra nice things about your own blog, but don’t forget what you learned. WordPress has a big target on its back.
As something grows to power, it is natural for it to become a target. When you are a target, though, you need to be more careful. The President has the secret service to protect him. You need to ask yourself: Are you doing your duty as the secret service of your website? If you are like most WordPress site owners, probably not. That is why you hear about someone’s WordPress site being hacked on a fairly regular basis. Here are some simple rules on what you can do to keep that site of yours safe.
You are going to be hacked someday; it is inevitable. Prevention is great, but have a plan in place for how to get your site healthy again after someone cruelly breaks into it. The biggest part of recovery is making sure you always have recent backups of your site, and that you have actually tried restoring one, because a backup you have never restored is only a guess. Many plugins are available to make backups automatically, and even to send those backups "offsite" to services like Amazon S3 or Dropbox, so that a compromise of the server does not also take your backups with it.
One great resource for helping with this is Sucuri. Just like their own homepage says: They secure your site, so you don’t have to. Think of it as an insurance policy for your website; they’ve got your back when things go awry! Sucuri monitors your site to help you detect any issues, and if there are any, will clean them up for you! If your site is already infected when you sign up, they will clean that up as well. (And psst…if you didn’t already know, all Maintainn clients also receive a subscription to Sucuri!)
Think about your usernames and passwords
The most common way an attacker is going to try to get into your website is by "brute force." The first image in your head may have been a big guy trying to smash your site, but as you may have suspected, this is a bit more digital than that. For quite a while, every WordPress install's first user was named "admin." If someone wanted to guess the username and password of your website... well, they were already halfway there. Now all they need is a password! So what an attacker will do is set up a program that just keeps trying to log in to your website with one password after another.
Your password is likely based on words from the dictionary, so take a guess where the password variations being used against your site usually come from. Yup, that very same dictionary, plus lists of passwords leaked from other sites. Try this on your own site: take a minute and try to log in with the wrong password a few times. Does anything try to stop you? After ten tries, can you still try to log in? You probably got bored of this quickly, but attackers are not doing it by hand; they have programs running and doing it on their behalf, around the clock.
You may now be wondering, “But why would someone want access to my site?” The thing is that you don’t even have to be targeted directly; sometimes these programs will just pull from lists of known WordPress sites and try to get into any of them. Attacks are not always to bring your site down but sometimes used to spam the internet. No one cares what your site is about or who runs it; they just care about taking it over, no matter how big or small it may be.
You can protect yourself from these in a few ways:
- A simple plugin like Limit Login Attempts will block attackers from being able to keep trying to log in to your site after a handful of failures. You can get the same type of protection from "Web Application Firewalls" (WAF), which sit in front of the site and drop the attempts before they reach WordPress at all.
- Sucuri offers this as a service designed from the security side of things, but it does have a monthly cost.
- CloudFlare also can be used to secure your site from these attacks (among many others).
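To make the lockout idea concrete, here is a small must-use plugin that does the core of what a plugin like Limit Login Attempts does. This is an added example written for this post, not the Limit Login Attempts code and not something the original post shipped; the limits (5 failures in 15 minutes, locked for an hour) are assumptions chosen for illustration. It uses only standard WordPress hooks and the transients API, so it can be dropped into wp-content/mu-plugins/ to try it.

```php
<?php
/*
Plugin Name: Login Lockout (added example)
Description: Locks out an IP address after repeated failed logins. Illustration only, not the Limit Login Attempts plugin.
*/

// Tunables. These numbers are assumptions for the example, not WordPress defaults.
define( 'LL_MAX_ATTEMPTS', 5 );                       // failures allowed before lockout
define( 'LL_WINDOW', 15 * MINUTE_IN_SECONDS );         // window in which failures are counted
define( 'LL_LOCKOUT', 60 * MINUTE_IN_SECONDS );        // how long a locked IP stays locked

function ll_client_ip() {
    // Trust only REMOTE_ADDR. Do not read X-Forwarded-For unless a proxy you
    // control sets it; otherwise an attacker forges the header and never gets locked.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_key( $prefix ) {
    // Transient names are limited in length, so hash the address.
    return $prefix . md5( ll_client_ip() );
}

function ll_is_locked() {
    $until = get_transient( ll_key( 'll_lock_' ) );
    return $until && time() < (int) $until;
}

// Fired by WordPress on every failed login: count it, lock once the limit is hit.
function ll_record_failure( $username ) {
    if ( ll_is_locked() ) {
        return; // already locked; do not keep counting
    }
    $fails = (int) get_transient( ll_key( 'll_fail_' ) ) + 1;
    set_transient( ll_key( 'll_fail_' ), $fails, LL_WINDOW );
    if ( $fails >= LL_MAX_ATTEMPTS ) {
        set_transient( ll_key( 'll_lock_' ), time() + LL_LOCKOUT, LL_LOCKOUT );
        delete_transient( ll_key( 'll_fail_' ) );
    }
}
add_action( 'wp_login_failed', 'll_record_failure' );

// Runs last in the 'authenticate' chain (core's own checks use priorities 20-99),
// so a locked IP is refused even when it finally guesses the right password.
function ll_block_if_locked( $user, $username, $password ) {
    if ( ll_is_locked() ) {
        $until = (int) get_transient( ll_key( 'll_lock_' ) );
        $mins  = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error(
            'll_locked',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.', $mins )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'll_block_if_locked', 100, 3 );

// A successful login clears the failure counter for that address.
function ll_clear_on_success( $user_login, $user ) {
    delete_transient( ll_key( 'll_fail_' ) );
}
add_action( 'wp_login', 'll_clear_on_success', 10, 2 );
```

Two caveats a practitioner will hit straight away. First, if the site sits behind CloudFlare or any other proxy, REMOTE_ADDR is the proxy's address, so this code would lock out every visitor at once; you must first restore the real client address from the proxy's header, and only trust that header when the request actually came from the proxy's address ranges. Second, this counts per IP, and attackers spread attempts across many addresses, which is why a plugin or WAF that also counts per username and per site-wide rate is worth more than this minimal version.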
Keep up to date
Not all WordPress, plugin, and theme updates are there to add great new features. Some are very serious security fixes. One such example is a plugin that runs on many sites: WordPress SEO by Yoast. A vulnerability was recently found (and patched) which could have allowed would-be invaders to attack your site simply by getting a logged-in site owner to click a carefully crafted link. The link would look harmless enough, because it pointed to your own website! What you could not see was that the link carried a crafted parameter which, once your browser requested the page with your admin cookies attached, was placed unchecked into a database query. That combination, a request forged by someone else but sent by you (cross-site request forgery), landing in a query that trusts its input (SQL injection), is what made one click enough.
In this case it was reported and patched quickly, and (hopefully) most sites are now running the patched, up-to-date version. Updates only help the sites that install them, though, so check your dashboard for pending updates at least weekly and apply security releases as soon as they appear.
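The bug class described above is easier to recognise in code. Below is an added example written for this post (it is not Yoast's code, and the "report" page, its function names and the nonce action are all invented for illustration): an admin page that sorts rows by a column named in the URL, first in the fragile form and then the way WordPress expects it to be written.

```php
<?php
// Added example, not from the original post or from any real plugin.

// VULNERABLE: the column name from ?orderby= goes straight into SQL, and nothing
// proves the request came from a link WordPress generated for this admin. A link
// such as /wp-admin/admin.php?page=report&orderby=<injected SQL> mailed to the
// admin does the rest: the admin's own browser, cookies included, runs it.
function report_page_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'post_date';
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $orderby LIMIT 20"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>'; // output is unescaped as well
    }
}

// HARDENED: capability check, nonce check, allow-listed column, prepared value.
function report_page_hardened() {
    global $wpdb;

    // 1. Only users allowed to manage the site reach this code at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // 2. The request must carry a nonce (_wpnonce) tied to this user and this
    //    action. A link an attacker crafted cannot contain a valid one.
    check_admin_referer( 'report_sort' );

    // 3. A column name cannot be bound as a query parameter, so map the input
    //    onto a fixed list of known-good values instead of trusting it.
    $allowed = array( 'post_date', 'post_title', 'ID' );
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'post_date';
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'post_date';
    }

    // 4. Values that genuinely vary go through $wpdb->prepare().
    $limit = 20;
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $orderby LIMIT %d",
        $limit
    ) );
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->post_title ) . '</li>';
    }
}

// The page's own sort links must carry the nonce so legitimate clicks pass check_admin_referer().
function report_sort_link( $column ) {
    $url = add_query_arg(
        array( 'page' => 'report', 'orderby' => $column ),
        admin_url( 'admin.php' )
    );
    return esc_url( wp_nonce_url( $url, 'report_sort' ) );
}
```

The nonce is what defeats the "click this link to your own site" trick: the attacker can guess the URL and the parameter, but not the token WordPress generates for the logged-in admin. The allow-list is what defeats the injection even if the nonce were somehow obtained, and the capability check means a subscriber-level account cannot reach the query at all. Each layer covers a failure of the others, which is why plugin reviewers look for all three.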
You can be sure that attackers are not going to stop attacking WordPress, and there are a lot of them out there. You do not need to go and study to become a security expert to keep your site safe, but you do need to pay attention to what is going on. If you see something strange, don't just ignore it. If you get a weird email from someone with a link to your own site, instead of clicking it, look at where the link actually points (hover over it, or copy it into a text editor) and then type the address into your browser yourself, leaving off whatever extra parameters were tacked onto the end. When it comes to third parties and your website, be a little more careful and take that extra half a second to think before you click.
Beware of Plugins and Themes
Themes are great–they make your site look nice. Plugins are great too–they make your site do cool things. Be wary of the sources of these, though. Remember back to that time you wanted to make that small little change to your site, so you Googled how to do it and just copy/pasted code from some random site into your functions.php file?
Would you ever just walk onto a busy street and yell out “Can anyone give me a piece of candy?!” and just eat whatever the first random stranger gives you?
Compare these two situations. They are not so different from each other. Why would you take random code from a stranger, but not a piece of candy? The same goes for plugins and themes; while they all seem great at first you never know what may be lurking inside.
This is actually a two-pronged issue. What I was alluding to before was that someone may outright give you bad code to begin with, code that will do nasty things to your site. More people are learning to watch out for that kind of thing. What about the innocent code that just was not built securely? You copy/pasted insecure code from that random website and it worked great! It just happened to have a major security flaw, typically printing visitor-supplied input straight into the page, or doing something important without checking who asked for it. Or you asked your neighbor's friend's nephew to make something for your site, and he left the door wide open for attackers.
This is not to say that you need to pay exorbitant amounts to work on your site, but know what is being done to your site and try your best to make sure the person doing it is doing it right.
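Here is what "innocent code that was not built securely" tends to look like in a theme's functions.php. This is an added example written for this post, not code from the original article or from any real theme; the shortcode name, the AJAX action name and the nonce action are invented for illustration. Each snippet is shown the way it usually gets pasted in, next to the version WordPress expects.

```php
<?php
// Added example, not from the original post: two functions.php snippets that
// "work", each beside a version written the way WordPress expects.

// --- 1. A shortcode that shows the current search term: [search_heading] ---

// VULNERABLE: whatever is in ?s= lands in the page unescaped. A crafted link
// to your own site puts attacker script into the page (reflected XSS), and it
// runs in the browser of whoever follows the link, admins included.
function search_heading_vulnerable() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    return '<h2>Results for: ' . $term . '</h2>';
}

// HARDENED: read the term through WordPress and escape it on output.
function search_heading_hardened() {
    $term = get_search_query( false ); // raw value; escape it exactly once below
    if ( '' === $term ) {
        return '';
    }
    return '<h2>Results for: ' . esc_html( $term ) . '</h2>';
}
add_shortcode( 'search_heading', 'search_heading_hardened' );

// --- 2. An AJAX action that unpublishes a post ---

// VULNERABLE: registered for logged-out visitors (nopriv) with no nonce and
// no capability check, so anyone on the internet can unpublish any post by
// POSTing action=unpublish_post&post_id=N to admin-ajax.php.
function unpublish_post_vulnerable() {
    wp_update_post( array(
        'ID'          => (int) $_POST['post_id'],
        'post_status' => 'draft',
    ) );
    wp_die();
}
// add_action( 'wp_ajax_nopriv_unpublish_post', 'unpublish_post_vulnerable' );

// HARDENED: logged-in users only, nonce verified, and the caller must be
// allowed to edit that particular post.
function unpublish_post_hardened() {
    check_ajax_referer( 'unpublish_post', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'Not allowed.', 403 );
    }
    wp_update_post( array(
        'ID'          => $post_id,
        'post_status' => 'draft',
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_unpublish_post', 'unpublish_post_hardened' );
```

The hardened AJAX handler expects the page's JavaScript to send a nonce created with wp_create_nonce( 'unpublish_post' ), usually handed to the script with wp_localize_script(). When reviewing pasted code, the three questions to ask of every snippet are the ones these fixes answer: is every value from the visitor escaped when it is printed, does every action prove the request came from a page WordPress generated, and does every action check that the current user is allowed to do that thing to that object?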
I have asked you a lot of questions as you read through this post. My hope is it got you thinking. Think before you click. Question everything you do on your site, and make sure you know how to answer, “Is this secure?” And when you don’t have the answer, that’s what you have WordPress experts for–like us!