As pretty much the most popular website creation and hosting platform on the planet, with around 75 million sites using WordPress in one form or another, there’s a lot of focus on whether or not it’s really secure enough. A quick Google search for “WordPress Security” brings up a raft of plugins and blogs on the topic, showing that it is clearly a serious concern.
Nowhere is really safe
There is no such thing as a totally safe website, just like there’s no such thing as a completely uncrashable car. There’s pretty much only one way to ensure that hackers can’t break your system – not connecting it to the internet – which sort of defeats the point of having a website in the first place...
WordPress is like the Wild West
If the people behind a system claim it has never been hacked, then they’re either lying or so insignificant that no one has bothered to put the effort into finding its weaknesses.
Everyone (well, every website hacker) is jumping on the wagons and heading into the hills in the hope of striking gold. They know that with 75 million sites at risk, if they find the weakness they’ll find the gold. Of course, with so many prospectors sharing information on what does and doesn’t work, sooner or later someone will strike gold.
And don’t think that being small and insignificant will mean you’ll be passed by. Although hacks where thousands or millions of credit card details are leaked make the news, by far the most likely website to be successfully hacked is the small to medium enterprise.
Hackers aren’t interested in the website itself. They’re interested in what comes with it: your email server, which they can hijack to send spam emails phishing for sensitive information; your pages, where they can sneak in links that boost the hacker’s SERP position; your server, which they can use to attack another site; or your users, who they can trick into installing malware…
If it’s that bad should I look elsewhere?
You’ve probably been completely put off the idea of using WordPress by now, with that image of nefarious hackers ready to strike at the first sign of a bug in the WordPress code. But as we mentioned earlier, no system is safe. Choose another content management system by all means, but you’ll still have the same security headaches.
WordPress is popular for a reason. It’s easy to use and you can get plugins for just about any feature you care to add on. Dismiss WordPress because it doesn’t provide you with the particular functionality you want, but don’t dismiss it on the basis of security, which is something you need to worry about wherever you go.
Tend your fences
Going back to the Wild West analogy, you need to tend your fences to keep your property safe. And that’s as true when they’re imaginary cyberfences securing your website data as when they’re wooden ones keeping out the wolves.
Security plugins are your fences
In fact, one of the most popular security plugins is actually called Wordfence. It has a firewall to detect malicious traffic and a blacklist to block connections from known bad sites, is deeply integrated with WordPress so that it cannot be bypassed, and stops brute force attacks such as password guessing.
Other plugins provide similar functionality – but it is vitally important that you do your research before installing them. A fence is only as good as the fence builder – and if they hide a gap so they can come back later and hack you, it’s as good as useless.
Only install plugins from vendors you trust
Not just your security plugins. All plugins should be considered security risks unless proven otherwise. In fact, avoid installing themes and extensions from developers you can’t verify, too. Any one of these could be sneaking a hole into your fence, or throwing a key to the burglars.
Use a strong password
We really, really, really shouldn’t need to say this nowadays, but use a strong password! Seriously, “password” and “123456” are not passwords – they’re the first things a hacker will try. And there are an alarming number of websites where default and simple passwords will get you behind-the-scenes, access-all-areas passes.
A good password might be a nuisance to remember, but it will slow down brute force attempts to determine it. The longer the better. The more random the better. If you have to write it down to remember it, then do so, as a hacker is highly unlikely to break into your office to get your credentials (but do remember not to do anything stupid like leaving it on your desk).
Keep up to date
You know how we mentioned all the hackers searching for weaknesses to exploit? As soon as they find one, the developers at WordPress or of the affected plugin need to create an update to fix the hole – just like you nailing a few planks over a gap in your fence. So if you are a bit slow to update your software, you’re leaving that gap open – ready for a hacker to exploit.
If disaster strikes who are you going to call?
And what are you going to say to them when they ask where the backup is? Sooner or later the hackers will find that hole in your fence. They’ll find that weakness and push through it before you know about it (perhaps even before the developers know about it – someone has to be the first site they successfully break into!). Sometimes mistakes will happen and you’ll “leave the gate open”.
When you find a security breach, the first step is to take the website back to a point before it was hacked – and for that you need a backup. Make sure you implement a regular backup routine, so you can be confident of getting your website up and running and secured as quickly as possible.
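One way to put that regular backup routine in place, as an added example that is not code from the original post: a small script that reads the database credentials out of wp-config.php, dumps the database, and archives wp-content. It assumes a standard install under the directory given as its first argument, mysqldump and tar on the PATH, and a writable backup directory as its second argument.

```shell
#!/bin/sh
# Added example, not from the original post: a nightly WordPress backup.
# Assumes a standard install (wp-config.php in the site root), mysqldump and
# tar on the PATH, and a writable backup directory. Copy the backup directory
# off the server afterwards so whoever breaks into the site cannot delete it.
set -u

# Pull the value out of a define('NAME', 'value') line in wp-config.php.
# Accepts single or double quotes and optional spaces; assumes the value
# itself contains no quote characters.
wp_config_value() {
    config="$1"; name="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Timestamped file name so several backups a day never overwrite each other.
backup_name() {
    # $1 = kind (db or files), $2 = extension, $3 = timestamp
    printf '%s_%s.%s\n' "$1" "$3" "$2"
}

# Write the DB credentials to a private options file rather than putting the
# password on the mysqldump command line, where other local users can read it
# from the process list. The umask keeps the file owner-only from creation.
write_mysql_opts() {
    config="$1"; opts="$2"
    ( umask 077; {
        printf '[client]\n'
        printf 'host=%s\n' "$(wp_config_value "$config" DB_HOST)"
        printf 'user=%s\n' "$(wp_config_value "$config" DB_USER)"
        printf 'password=%s\n' "$(wp_config_value "$config" DB_PASSWORD)"
    } > "$opts" )
}

wp_backup() {
    root="$1"; dest="$2"; stamp="$(date +%Y-%m-%d_%H%M%S)"
    config="$root/wp-config.php"
    mkdir -p "$dest"
    opts="$(mktemp)"
    write_mysql_opts "$config" "$opts"
    # --single-transaction: consistent InnoDB snapshot without locking the live site.
    mysqldump --defaults-extra-file="$opts" --single-transaction \
        "$(wp_config_value "$config" DB_NAME)" | gzip > "$dest/$(backup_name db sql.gz "$stamp")"
    rm -f "$opts"
    # Themes, plugins and uploads live in wp-content; core files can be re-downloaded.
    tar -czf "$dest/$(backup_name files tar.gz "$stamp")" -C "$root" wp-content wp-config.php
}

# Usage (e.g. from cron): sh wp-backup.sh /var/www/html /srv/backups/wp
if [ "$#" -eq 2 ]; then wp_backup "$1" "$2"; fi
```

Restoring is the reverse: unpack the files archive over a clean WordPress install and load the SQL dump, then change every password before putting the site back online.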
Keeping a WordPress site secure is no harder than any other content management system. Just make sure you keep tending those fences!