Avoiding GIANT WordPress Disasters with WebCare Security
An introduction to WordPress Security for the savvy site owner, Part 1
A few months ago, I received an email from a friend recounting how not one, but three of his websites had crashed, causing him a colossal amount of suffering, including over $1000 to fix the sites, 3 full days of downtime, and 24 excruciating hours figuring out the problem with the help of tech support and his web developer waaay over in India.
That’s 24 HOURS–not minutes, folks.
Now, the out-of-pocket costs to put a Humpty Dumpty website back together again, while significant, can pale in comparison to the loss of business due to a security breach. These days, your website is the front door to your business, and sometimes it’s your entire business. When it’s down, you’re not making sales, plain and simple. Customers looking for what you provide will go somewhere else, and they may never come back. You’ll never know who tried to hit your site whilst you were running around with your hair on fire.
Hair on Fire + Business is not healthy.
Most of us remember a time in the not so distant past when slapping a website up on a server and forgetting about it worked. Not only will this type of thinking lead to security risks, your website won’t be as efficient as it should be to bring in business. Even the simplest WordPress site these days has multiple layers of software and functionality. Pair this with the stark reality that it only takes 30 days for hackers to identify your website as a target and you’re asking for trouble.
Are you okay? You look a little pale…
My heart sank when I heard my friend’s news because I’m pretty sure that if he’d had a WebCare Plan, chances are the attack would not have been successful. I know exactly what it feels like to wake up to a hacked website and have the battle scars to prove it. About five years ago, my online portfolio just up and disappeared. My hosting company at the time said, “Wow, that’s too bad.” After restoring a small portion of it, they said, “Wow, I guess you’ll have to rebuild most of it!” Followed by, “Have a nice day!”
I’ve been paying close attention to WordPress security ever since.
Years ago, an art director I worked with delicately summed it up this way, “Getting hacked is like waking up one morning to discover a really big giant standing over your bed with an impending case of diarrhea.”
Some art directors, like the one above, have disturbing yet creative senses of humor conditioned by decades of dealing with untold technological nightmares–which is also why they are among the very few of our species who actually know how to spell diarrhea.
So to wrap up this introduction, just like no one wants a woozy giant standing over their bed, no one (that would be you) wants to experience the agony of having their website hacked.
So, is it possible to prevent hacks from happening?
This is a spectacular question–one I wish more clients would ask. The truth is, the web development industry has done a less than spectacular job of educating the public about online security. It’s a scary subject that appears in national headlines on almost a weekly basis.
Many clients who are new to WordPress assume their designer or hosting companies will take care of any problem that arises. I can’t stress the importance of ASKING this question ahead of time because more often than not, they don’t. Why? Because the need for security has dramatically escalated over the last couple of years and it takes time to set up, update and monitor a website properly.
In this first of a sequence of articles, I will tackle the basic elements of WordPress Security in a concerted effort to convey the starkly obvious importance of having a security plan in place for your own website. After all, you paid good money to have your website created, and it really doesn’t make sense to take unnecessary risks. Unless, of course, you resemble this fella.
So without further ado, on with this week’s topic!
POINTS of ENTRY for WordPress HACKS
So where, precisely, do hackers gain entry to your site?
Your WordPress site can be thought of as a chain made up of links comprised of technology, software and people. Each has potential weaknesses that, if left unattended, can lead to big headaches down the road (remember the Giant with a bottle of Pepto-Bismol). I’ve found that understanding these points of entry helps form a better picture in the minds of my clients, making it clear that the quest to find one perfect, automated solution won’t address every point. Remember, a chain is only as strong as its weakest link.
There are a variety of access points a WordPress hacker can get through, including, but not limited to, these basic areas:
- Your computer
- Passwords/login panel
- Hosting service
Most everyone knows their computers can get infected–with what’s called a “trojan horse”, for instance. Installing (and using) a virus scanner on your hard drive on a routine basis can root these suckers out. But…did you know your website can get infected via a virus on your hard drive?
This came as a shock to me when I first heard about it, making it very clear that no one has 100% control over the security of any website. Neither your web designer nor hosting company can monitor your hard drive (nor would you want us to) so it’s up to YOU to take preventative measures to minimize the potential for this kind of an attack.
Install virus scanning software and be very careful when clicking on email links from unknown sources. Also, never download software (especially FREE software) from a website or author who is not a recognized and trusted source.
Believe it or not, at one point, the most prevalent password in use was… password. Doh! Thankfully, the more recent versions of WordPress won’t allow us to commit such flagrant acts of self-sabotage, but it’s in your best interest to get into the habit of creating remarkably impossible-to-remember passwords. I recommend using an online password generator such as LastPass, and not just for your WordPress credentials.
Where are passwords used? On the WordPress login panel, which is a HUGE target for what are called Brute Force Attacks, which I’ll write about in a later post in this series.
Software – PLEASE keep it up to date!
There’s a very good reason why Apple & Microsoft strongly advise users to update their operating system (OS) software. Along with improved speed, power and functionality, the most up-to-date OS will be the most secure. The same is true for your WordPress site, which is typically comprised of three types of software:
WordPress core is a bit like the operating system on your hard drive. WordPress issues frequent updates each year, some of which are labeled as *urgent* security patches. Urgent updates should be applied without delay and can be set to install automatically.
WordPress sites have a second level of software that sits on top of the core software called a theme. Themes contain predefined layouts, designs and styles that give the site its visual character. Pre-designed themes are widely available from numerous authors and vary greatly in quality and price. Themes can be used straight out of the box for a quick and dirty website or they can be highly customized by a web professional with satisfying results.
It’s imperative to keep your theme software up-to-date. It’s also very bad news if the author of your theme moves on to other things or goes out of business, which happens frequently. Because ALL the software on your site needs to be maintained, updating the core software alone can still leave you wide open to known software vulnerabilities that hackers actively search the internet for. This is why Clearly Presentable only works with themes authored by companies with a long track record and proven attention to security.
Plugins & Extensions
So, you’d think we’d be done by now, but there is yet another layer of software that plugs into or extends the functionality of the theme you are using. Many premium themes come with plugins pre-installed, but most web designers will need additional plugins to satisfy the needs of their clients.
Plugins come in all sorts of shapes and sizes: making Stripe payments possible, allowing for highly customized forms, adding social share or special display capability, and, you guessed it, adding professional-grade security to protect your online presence.
Plugins are just another form of software and because so many are in use and so many site owners don’t update, they are a popular gateway for dangerous hacks. A few years ago, hackers found big vulnerabilities in Gravity Forms and Slider Revolution, and even though the authors quickly released patches to their products, there are STILL many websites online today that have the unpatched versions running, making them low hanging fruit and easy-peasy hacking targets.
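Since all three layers (core, theme and plugins) need to stay current, here is an added example, not from the original post, of how a site owner or their developer can opt the whole site into WordPress’s built-in automatic updates. It is a “must-use” plugin dropped into wp-content/mu-plugins/; the `cp_` function name and the empty exception list are placeholders I made up for this illustration.

```php
<?php
/**
 * Plugin Name: Auto-update core, themes and plugins (added example)
 * Description: Must-use plugin that opts the site into WordPress's built-in
 *              background updates for all three software layers. Save it as
 *              wp-content/mu-plugins/auto-update-all.php (create the folder if
 *              it does not exist). Must-use plugins load on every request and
 *              cannot be deactivated from the dashboard, so the policy sticks.
 */

// Core: minor (security/maintenance) releases auto-install by default;
// these filters make that explicit and extend it to major releases.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes do NOT auto-update by default. WordPress passes the
// filter ($update, $item); $item carries the plugin/theme directory name.
// The exception list is a constructed placeholder: leave it empty unless a
// specific plugin is known to break on update, and then update and test that
// one by hand promptly rather than leaving it unpatched.
function cp_auto_update_unless_excluded( $update, $item ) {
    $manual_only = array( /* e.g. 'some-custom-plugin' (hypothetical) */ );

    // Plugin items expose ->slug; theme items expose ->theme. Check both.
    $slug = $item->slug ?? $item->theme ?? '';

    if ( '' !== $slug && in_array( $slug, $manual_only, true ) ) {
        return false; // leave this one for a human to update and test
    }
    return true; // everything else updates automatically
}
add_filter( 'auto_update_plugin', 'cp_auto_update_unless_excluded', 10, 2 );
add_filter( 'auto_update_theme',  'cp_auto_update_unless_excluded', 10, 2 );

// Translation files follow the same policy.
add_filter( 'auto_update_translation', '__return_true' );
```

Automatic updates only run if WP-Cron fires and the site can write to its own files, so after installing this, confirm under Dashboard → Updates that core, plugins and themes show as auto-updating.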
Your Hosting Company
Lastly, though not least-ly (ha) let’s address your hosting company. I can’t stress the importance of this choice enough. After all, it’s the physical home for your WordPress install. At Clearly Presentable, we take hosting very seriously and choose not to provide WebCare services to those customers who insist on sticking with a company whose reputation is either bad or highly suspicious.
Why? Because the potential for big problems to happen down the road is significant. We also think it’s unhealthy to waste your valuable resources and everyone’s precious time dealing with inefficient products and services.
One of the most prevalent points of attack via hosting is called Cross-Site Contamination which happens on shared hosting plans. In a shared hosting environment, you share space on a server with several other websites.
Here’s the kicker–even if all your security ducks are in a row, there’s a very good possibility YOUR site will get infected if another site on your shared server that isn’t as buttoned down as yours gets contaminated.
A Proper Recap
I hope this review has been helpful in providing an environmental snapshot of your WordPress install. There is no way on God’s green earth I would leave any of my sites or client staging areas unprotected given the way the internet is now. Yes, it’s a sad state of affairs, but it simply is what it is.
Mark, the lead programmer I work with who possesses a dry sort of British humor (because he’s…ermm, British) deftly noted, “The internet, dear Susan, is simply broken.”
And we’ve not even touched on the single biggest security problem your site will face – the answer will surprise you in Part 2.
Why take unnecessary risks on losing everything you’ve worked so hard to build? Risks that can lead to days of misery figuring out what went wrong.
Do you really want to hear, “Wow, I guess you’ll have to rebuild most of it. Have a nice day”?
I know I don’t!
Want to know what the BIGGEST security risk in WordPress is?
Read part two in this series on WordPress Security.