WordPress recently released its first major update in more than four years, yet concerns remain about the platform’s perceived history of vulnerabilities.
And while WordPress has undoubtedly endured its share of hacks and attacks, it is far from alone.
In recent years the entire Internet has become a giant target for cyber criminals, and because WordPress is one of the world’s most popular website creation tools, it simply makes up a larger portion of that bullseye. It is no different from the Honda Accord being one of the most commonly stolen cars in America for over a decade: there are a great many of them on the road, so more of them get stolen.
The truth is that most WordPress compromises are preventable with attentive, proactive hosting and maintenance.
AVOID THESE COMMON MISTAKES
Compromised WordPress sites are typically the result of one or more of the following:
- When the site is hosted on the cheap
- When the CMS is not diligently updated with security releases
- When backups are not taken and cataloged, so a compromise cannot be cleanly rolled back
- When plugins are not meticulously monitored
PLUGINS AND THEMES ARE THE USUAL SUSPECTS
Plugins appear to be the most significant gateway to hacks, and those hacks most often show up as defacement.
Defacement is vandalism that alters a page’s appearance for political purposes or bragging rights. The visible damage is easy to undo by restoring the prior day’s backup, but the restore only removes the symptom: unless the plugin or theme flaw that let the attacker in is also updated or removed, the site will simply be defaced again.
For this reason, backups should be made daily and cataloged. If a hack is identified a week after the fact, the full site can be swiftly restored from the backup taken eight days prior. Before restoring, confirm that the chosen backup really predates the intrusion and not just the day the defacement was noticed; the files that changed between consecutive backups show when the tampering first appeared.
Plugin vulnerabilities are regularly announced in security bulletins, and authors are typically quick to release fixes.
WHAT YOU CAN DO
Occasionally a vulnerability is disclosed in a plugin that has been abandoned and will never be updated; the only safe response then is to remove the plugin. To limit that exposure:
- Use as few plugins as possible.
- Use plugins that are widely supported – or even paid for – such as WooCommerce, Gravity Forms, TablePress, etc.
- Avoid plugins that provide remote control of many WordPress sites, such as ManageWP and InfiniteWP. These are highly targeted because a single flaw exposes every site they manage, and vulnerabilities are regularly found in them.
- Limit cloning and staging plugins, such as Duplicator and WP Staging, to short-term use only, and delete them immediately after you are finished.
- Keep tabs on which plugins have been found to have flaws.
Themes are similar. Each theme has its own author and is therefore subject to abandonment. Additionally, once significant changes have been made directly to a theme, updating it is no longer advisable because the update overwrites them; customizations belong in a child theme so the parent theme can still receive updates.
The most secure route is creating a custom theme based on a custom design. Higher-level “theming systems,” such as Divi by Elegant Themes, are also an option. Divi, for example, requires a paid license and has an excellent reputation.
STAGNATION LEADS TO HACKS
WordPress websites should never be stagnant. Ever.
Our clients have security updates applied as soon as WordPress releases them; in most cases, websites are auto-updated on the day of release.
We also like the intrusion prevention software Fail2Ban. If login attempts from one IP address fail three times, that address is banned for one hour, and an address that is banned repeatedly is locked out for one month. This includes attempts to access the administrative backend of a WordPress site.
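The lockout policy just described, as an added example that is neither the firm’s configuration nor Fail2Ban’s own code: a small Python replay of the same rules (three failures within a ten-minute window gives a one-hour ban; three bans within a day gives a 30-day ban, which is the job Fail2Ban’s recidive jail does) over constructed Apache access-log lines. The IP addresses, timestamps and window lengths are assumptions. The failure signal is the one a Fail2Ban filter for wp-login.php keys on: a POST that returns 200 (the login form re-rendered) rather than the 302 redirect a successful login produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters assumed to mirror the policy in the text: three failed
# logins within findtime => one-hour ban; three bans within a day => 30 days.
FINDTIME = timedelta(minutes=10)
MAXRETRY = 3
BANTIME = timedelta(hours=1)
RECIDIVE_FINDTIME = timedelta(days=1)
RECIDIVE_MAXRETRY = 3
RECIDIVE_BANTIME = timedelta(days=30)

# A failed wp-login.php POST re-renders the form (HTTP 200); a successful one
# redirects to wp-admin (302). The 200 is therefore the failure signal.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php [^"]*" 200 '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed Apache-style access log, not real traffic: one brute-forcer
# (203.0.113.7) and one legitimate user (198.51.100.4) who logs in at
# 10:00:07 and mistypes a password once later.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.4 - - [10/Jan/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jan/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.4 - - [10/Jan/2019:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:11:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:11:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:11:05:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:12:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:12:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:12:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2019:13:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
"""


class Jail:
    """Sliding-window failure counter modelled on a Fail2Ban jail."""

    def __init__(self, name, findtime, maxretry, bantime):
        self.name = name
        self.findtime = findtime
        self.maxretry = maxretry
        self.bantime = bantime
        self.hits = defaultdict(deque)  # host -> timestamps of recent failures
        self.banned_until = {}          # host -> expiry of the current ban

    def is_banned(self, host, now):
        return self.banned_until.get(host, now) > now

    def hit(self, host, now):
        """Record one failure; return a ban record if it triggers a ban."""
        if self.is_banned(host, now):
            return None  # the firewall rule already drops this host
        window = self.hits[host]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            window.clear()
            self.banned_until[host] = now + self.bantime
            return (self.name, host, now, self.bantime)
        return None


def scan(log_text):
    """Replay log lines through the login jail and a recidive jail that counts
    bans the way Fail2Ban's recidive jail reads fail2ban.log.

    Returns the bans issued, in order, as (jail, host, start, duration).
    """
    login = Jail("wordpress-login", FINDTIME, MAXRETRY, BANTIME)
    recidive = Jail("recidive", RECIDIVE_FINDTIME, RECIDIVE_MAXRETRY, RECIDIVE_BANTIME)
    bans = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        host = m.group("host")
        now = datetime.strptime(m.group("ts"), TS_FORMAT)
        if recidive.is_banned(host, now):
            continue  # month-long ban in force; nothing more to count
        ban = login.hit(host, now)
        if ban:
            bans.append(ban)
            long_ban = recidive.hit(host, now)  # every ban is one recidive hit
            if long_ban:
                bans.append(long_ban)
    return bans


if __name__ == "__main__":
    for jail, host, start, duration in scan(SAMPLE_LOG):
        print(f"{start:%H:%M:%S} {jail:16} ban {host} for {duration}")
```

Running the replay issues three one-hour bans for 203.0.113.7 and then, on the third, the 30-day recidive ban, while the legitimate user’s single mistake never reaches the threshold. Two caveats apply to the real thing: if the site sits behind a CDN or reverse proxy, the host field in the log must carry the real client address (from X-Forwarded-For or the proxy’s own log format), otherwise the ban lands on the proxy and locks out every visitor; and the 200-versus-302 heuristic assumes the stock login form, so test the regex against your own log lines before enabling the jail.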
We create daily backups and catalog site versions for six months. We also back up client websites to a separate storage location that is retained permanently and never deleted.
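A backup catalog only helps if you can tell which snapshot is clean. As an added example that is not the firm’s own tooling, the following Python keeps a per-snapshot manifest of file hashes, diffs consecutive snapshots to find the day a defacement first appeared, picks the newest snapshot before it, and prunes the rolling window to six months. It covers the restore-point decision discussed under PLUGINS AND THEMES ARE THE USUAL SUSPECTS as well as the retention policy above. The site contents, dates and paths are constructed; a real catalog would hash the extracted tarball and database dump rather than an in-memory dictionary.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample site contents, not data from any real site.
CLEAN = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
    "wp-content/themes/site/footer.php": b"<?php wp_footer(); ?>",
    "wp-content/plugins/abandoned/abandoned.php": b"<?php // v1.0, no longer maintained",
}
# What the snapshot looks like once the defacement lands: a rewritten theme
# file plus a PHP file dropped into uploads (constructed, not a real payload).
DEFACED = {
    "wp-content/themes/site/footer.php": b"<h1>DEFACED</h1><?php wp_footer(); ?>",
    "wp-content/uploads/2019/01/cache.php": b"<?php // dropped by the attacker",
}
FIRST_BAD_DAY = date(2019, 1, 12)   # assumed: the day the defacement lands
DETECTED_ON = date(2019, 1, 18)     # assumed: the day the client notices


def manifest(files):
    """path -> SHA-256 of its contents; this is what the catalog stores."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def build_sample_catalog():
    """Daily snapshots from 1 Jul 2018 to 18 Jan 2019 as {date: manifest}."""
    catalog = {}
    day = date(2018, 7, 1)
    while day <= DETECTED_ON:
        files = dict(CLEAN)
        if day >= FIRST_BAD_DAY:
            files.update(DEFACED)
        catalog[day] = manifest(files)
        day += timedelta(days=1)
    return catalog


def changed_paths(prev, cur):
    """Paths added, removed or modified between two manifests."""
    added_or_removed = set(prev) ^ set(cur)
    modified = {p for p in set(prev) & set(cur) if prev[p] != cur[p]}
    return sorted(added_or_removed | modified)


def first_changed_snapshot(catalog, prefix=""):
    """Earliest snapshot in which something under `prefix` differs from the
    previous snapshot, i.e. the day the intrusion first shows up in backups.
    Returns None if nothing under `prefix` ever changes."""
    days = sorted(catalog)
    for prev, cur in zip(days, days[1:]):
        if any(p.startswith(prefix) for p in changed_paths(catalog[prev], catalog[cur])):
            return cur
    return None


def restore_point(catalog, detected_on, prefix=""):
    """Newest snapshot strictly before the first change under `prefix`; if
    nothing changed there, the newest snapshot before the detection date."""
    first_bad = first_changed_snapshot(catalog, prefix) or detected_on
    clean = [d for d in sorted(catalog) if d < first_bad]
    return clean[-1] if clean else None


def prune(catalog, today, keep_days=180):
    """Six-month rolling window for the cataloged snapshots. The permanent
    off-site copy lives elsewhere and is deliberately not touched here."""
    cutoff = today - timedelta(days=keep_days)
    return {d: m for d, m in catalog.items() if d >= cutoff}


if __name__ == "__main__":
    catalog = build_sample_catalog()
    bad = first_changed_snapshot(catalog, "wp-content/")
    print("defacement first appears in snapshot:", bad)
    print("changed that day:", changed_paths(catalog[bad - timedelta(days=1)], catalog[bad]))
    print("restore from:", restore_point(catalog, DETECTED_ON, "wp-content/"))
    print("snapshots left after pruning:", len(prune(catalog, DETECTED_ON)))
```

With the constructed data the defacement is first visible in the 12 January snapshot, so the restore point is 11 January, a day earlier than the “eight days prior” rule of thumb would suggest for a hack noticed on the 18th. Diffing only the theme and plugin directories (the `prefix` argument) avoids false alarms from ordinary content edits, which change the database dump and uploads every day; a change under wp-content/themes or wp-content/plugins on a day with no deployment is the signal worth investigating. Rolling back is still only half the job: the entry point that allowed the write must be patched or removed before the site goes back online.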
WordPress is a wonderful tool, but it is no panacea. And it certainly is not a set-it-and-forget-it proposition. Ask your digital marketing provider or web host what steps they are taking to deal with these never-ending web vulnerabilities: if they can’t answer satisfactorily – or worse, if they can’t answer at all – find a new one right away. There are many, many of us good firms out there.
The stakes are simply too large to tolerate complacency.