At our most recent workshop we discussed key considerations for WordPress Security.
WordPress (WP) started as the successor of b2/cafelog, a blogging engine that in 2003 ran approximately 2,000 blogs. It has just celebrated its tenth birthday and now powers roughly 26% of the known sites that use a content management system (about 80 million sites). These figures alone are impressive, but there is more. The community has created over 40 thousand plugins that integrate (more or less) seamlessly with the CMS, and there are plenty of themes available for purchase that let feature-packed sites be built in very little time.
All great, however… there’s a “but”.
Like every person or product with huge visibility, WordPress has its "enemies". Because of its widespread use, this CMS has become a favourite target for attackers: an installation that is not properly configured and maintained makes easy prey. To further complicate things, being open source means that every release of WordPress is accompanied by a public changelog that details the fixes applied, which in turn reveals exactly which weaknesses the previous releases still have. Anyone with malicious intent can read that changelog, scan for sites that still run an older version and exploit them. It is not a matter of if your website will be targeted, it is a matter of when.
In short: fail to prepare, prepare to fail. Repairing a hacked website is expensive, takes time and can damage your reputation.
“So, you’re telling me it’s too dangerous to rely on it”? No, WordPress is still great. If you take good care of your WordPress site you will be fine most of the time.
Think of a website as you would think of your car. It requires regular maintenance, you don't want anybody to gain unauthorised access to it, you wouldn't leave it with the windows open overnight and you wouldn't leave it parked in a dodgy alley. There you have it. You need to keep WordPress clean (remove those unused plugins and themes, because inactive code is still code on your server), you need to ensure that nobody can gain unauthorised access, you need to keep both the core and the plugins/themes updated and, last but not least, you need to choose a reliable hosting solution that matches your needs and expectations.
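The "keep it clean and keep it updated" part of that routine can be checked from the command line rather than by clicking through the dashboard. The script below is an added example and not part of the original post; it assumes WP-CLI (the `wp` command) is installed on the server, and the CSV sample it parses is constructed here so that the reporting logic can be run offline. The `wp` subcommands it calls (`plugin list`, `core check-update`, `plugin update --dry-run`, `theme update --dry-run`, `core verify-checksums`) are real WP-CLI commands.

```shell
#!/bin/sh
# Added example (not code from the original post): a small WordPress hygiene
# audit built on WP-CLI. Assumption: `wp` is on PATH and the script is run from
# the WordPress root (or pointed at it with --path).

# Constructed stand-in for the output of `wp plugin list --format=csv`
# (columns: name,status,update,version). Not from any real site.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
contact-form-7,active,available,5.8
old-gallery,inactive,available,1.2'

# Installed but inactive plugins: dead weight that still ships code to the
# server and still gets probed by scanners. Candidates for deletion.
inactive_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Plugins with a pending update: the ones whose public changelog tells an
# attacker what to try next on sites that have not updated yet.
outdated_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Run the same audit against a live site (needs wp-cli; see assumptions above).
audit_site() {
  plugins=$(wp plugin list --format=csv) || return 1
  echo "## Inactive plugins (delete them if you do not need them):"
  inactive_plugins "$plugins"
  echo "## Plugins with an update pending:"
  outdated_plugins "$plugins"
  echo "## Core / plugin / theme updates that would be applied:"
  wp core check-update
  wp plugin update --all --dry-run
  wp theme update --all --dry-run
  echo "## Core files checked against the wordpress.org checksums:"
  wp core verify-checksums
}

# Demonstrate the reporting on the constructed sample.
echo "Inactive: $(inactive_plugins "$SAMPLE_PLUGINS" | tr '\n' ' ')"
echo "Outdated: $(outdated_plugins "$SAMPLE_PLUGINS" | tr '\n' ' ')"
```

Call `audit_site` from a cron job or before every maintenance window; `wp core verify-checksums` is the quick way to spot core files that have been modified on disk, which is a common sign that a site has already been compromised.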
Before you even build any website, you should have a well planned strategy. Most of the time the main rule of this strategy should be "common sense". Ask yourself questions like "what happens if I share my password?", "can I test this plugin I know very little about directly on the live site?" (tip: not without consequences), "can I ignore the updates?" and "do I really need that plugin on my site?". Start writing down your plan. Part of your strategy should be a layered approach to security. Every plugin or small step you take to secure your site adds a layer an attacker has to get through. One by one they might not seem like much, but when you add them all together you get a pretty secure site.
Let's be clear, a very motivated and skilled attacker will eventually find a way to break into a WordPress site, but chances are they won't waste their time hijacking your site. Attackers with that skillset are usually after much more valuable things, such as credit card details or information that can be sold on the black market. The real enemy of your WordPress site is the automated bots and scripts that rely on your CMS being as out of date as possible to break in. Your strategy should make them give up, because the potential reward no longer justifies the effort.
Now that you have a strategy, you need to research a few different requirements you will have, especially the theme, the plugins you intend to use and, last but not least, the hosting space. When it comes to plugins, the rule of thumb is that the existence of a paid version is a good sign. This doesn't mean you have to pay for them (unless you need some locked features), but it means there is a support plan behind the plugin and you can expect it to be maintained for a few years. The good thing about WordPress is that you can search for plugins from the control panel itself and see how many installations they have and how the community rates them. When it comes to themes, my recommendation is to buy them from reputable sites and never use pirated ("nulled") copies, which are a common vehicle for backdoors. Themes are cheap enough to discourage a free download, and at the very least you should expect support in case of problems or updates.
A hosting provider should be seen as a business partner. If they have trouble providing you with a reliable service, you will in turn have trouble serving your clients. Also, chances are you want someone to look after certain aspects of your site without having to learn their job. After all, that is what you pay them for, right? My take on the matter is: you get what you pay for. Make sure what you pay for meets your needs and expectations.
Finally, an aspect that's often underestimated is the disaster recovery plan (DRP). You should always have a DRP ready and, most of all, regularly tested to ensure it remains valid over time: a backup you have never restored is not a backup you can count on. DRP is a very broad topic, but if you are interested in getting a better idea about it you can check the series of articles we wrote some time ago: When Disaster Strikes part one and part two.
If you are interested in talking to us about this subject please feel free to contact us and we would be happy to talk further on this.