WordPress Security: Important Things To Know
This is important security information about your WordPress website.
There has been a recent increase in the past 6 months of global cyber attacks, especially against websites built with open source software such as WordPress, Joomla and Drupal. In addition, there have been several major new vulnerabilities discovered in popular WordPress plug-ins.
The reason why more than 80 million websites in the world are built on WordPress is because it is inexpensive, scalable, robust and easy to use. WordPress allows non-technical people to make changes to their website without having to hire a developer and have an ongoing (and expensive) website contract. WordPress allows you to have control of your website.
But with the freedom of having total control of your website also comes responsibility. Unless you have a monthly contract or website care plan with a web development firm, your website is your responsibility, and there are steps that you need to take regularly to keep your website as secure as possible.
Watch This Video from Google About Why Hacks Happen:
Why Would Anyone Want to Hack Into Your Website?
WordPress website security is about risk reduction not risk elimination. No matter how many security measures are taken, there is no such thing as a 100% secure website. Almost all the tools we employ when building your website aim to reduce your overall risk, whether it’s limiting failed login attempts or setting up the appropriate file permissions. But if the security of Target, Citibank, Sony and other multi-billion dollar corporations’ websites and IT structures can be breached, this should be proof that website and cyber security is an ongoing arms race.
It’s obvious why someone would want to get into Target’s credit card system, but why would anyone want to hack into your humble small business website? The vast majority of website hacks are automated attacks by robots (not targeted attacks by hackers or terrorists). Bad bots constantly scan the internet and use password-guessing software to try to get into to people’s websites and accounts. If your passwords are strong, this greatly reduces your risk of these “brute force attacks” right off the bat. The robots can also identify vulnerabilities in your content management software, plug-ins, extensions and even your web host’s servers.
Most websites that get hacked are coincidental commercial hacks for economic gain, for example when an unscrupulous company is looking to get more backlinks to their website to help them get sales and gain exposure in search engines. They are not usually targeting your website specifically, but rather trying to use robots to get hundreds or thousands of backlinks from random websites to their website for economic gain.
The damage done by most commercial hacks is minimal if you have a backup of your website, but it can cause downtime and cost money to have a developer restore your website. Most websites don’t have anything of value, however if you have an e-commerce website or a website that collects sensitive information of any kind, you need to be even more cautious and take your website security very seriously.
What Can You Do To Make Your Website More Secure?
1) Sign Up for Sitelock
We have recently become aware of a product called Sitelock, offered via GoDaddy. This software scans your website for malware, vulnerabilities and suspicious activity.
We recommend the Professional Plan ($50/year) because it offers malware removal for certain types of attacks, which is very valuable. For a $35 one-time setup fee, we can help you set up Sitelock, or your host may set this up for you for free. Note: You can set Sitelock up with any hosting provider (you do not need to have a GoDaddy hosting account).
2) Keep WordPress Updated
You’ve likely logged into your WordPress site and seen big notifications saying you should upgrade WordPress now. You might also notice a circle near your plug-ins menu item with a little number in it, which notifies you that you have plugins ready for an update. The WordPress software, themes and the third-party plug-ins are constantly being updated. Updates may bring exciting new features that make your site better or easier to use. But most important, the updates bring important security tweaks.
You can updated your WordPress and plug-ins from the admin dashboard. Most of the time this works. But for the safest possible updating with no downtime, hire a professional to help.
Read about updating WordPress yourself…
Read about how the pros manually update WordPress
We normally recommend having your WordPress updated by a professional at least twice a year. Because of the recent security concerns, we recommend that everyone with a WordPress website get their websites updated now.
If you have a very simple website, or if your website has been built in the last few months or if you recently had updates done or a site migrated, you may be able to do the updates yourself with little risk. For most websites, however, we recommend hiring a WordPress developer to help you with these updates.
3) Scan Your Own Computer
If you have inadvertently downloaded spyware or malware onto your computer, your website and/or accounts could be hacked into. It’s important to have antivirus software on your computer and run regular scans. Read PC Magazine’s review of several free antivirus scanning software.
Additional information and resources about WordPress security:
Additional resources about updating WordPress: