If you ran a store, would you leave it at night with the door unlocked? Would you choose not to get an alarm system or insurance? Not exactly a brilliant way to keep your merchandise safe. Yet, that’s what millions of people do when they manage WordPress sites without proper security systems in place and without regularly updating their plugins.
And thousands wake up every day to see that heart-stopping red site page with a skull and crossbones or giant X telling the world their site is not safe.
Whether you manage your own website or you manage websites on behalf of your clients, there’s always the fear that someone or something is going to compromise the security of your site. This is particularly true of WordPress sites, which make up about a third of all websites. Being as popular as they are, WordPress sites have big targets on their backs.
Hackers or malicious bots that access vulnerable sites can use your site in numerous ways. They can use your site to send out spam, distribute malware or even hack other sites. They can create a whole new site inside of your site that you can’t see, creating a phishing site or fraudulent goods site, while leaving your site alone. The only thing you might notice is a slight slowdown in the speed of your site because you’re actually hosting two sites together.
If Google doesn’t catch it and shut you down, your hosting provider might. Hosting providers are actually required to take action in the case of a website becoming compromised since such sites are usually then used to conduct illegal activity. And if you backup your site after it’s been compromised, you will save the malware with the backup and it’s no longer clean
A recent survey by Carbon Black on cyber security in Canada reports a whopping 83% of Canadian businesses have had their online presence breached in the last year, mostly through phishing and ransomware. After the fact, business owners say they will increase spending to improve security, but by then the damage has been done. Lost sales, lost clients, lost reputation are just a few of the repercussions of having your site go down, for even 24 hours. The report showed not only an escalation in the number of attacks occurring, but an increase in the sophistication of hackers, who it says are becoming more organized and have more money to spend.
Here are some simple ways to ensure your WordPress website stays clean:
Plugin Updates - As WordPress comes out with new versions, features and updates, that brings with it new problems. As a WordPress site manager, if you’ve installed Wordfence, you’re no doubt getting regular messages telling you to update plugins. If you’re new to WordPress, you might know there are updates to make but not know how to do that; you might not know how to back up your site, which you should before doing the updates; or you might just think the updates are unnecessary. But if you expect the website to run and do its thing on its own, you’re asking for trouble. These updates are essential for your site to run properly and to keep it secure. They can’t be ignored.
Passwords - Passwords are another area where people fall short. The most common way to access your site is by someone stealing your password. Are you using easy-to-remember passwords? Or not updating your password regularly? Or, worse, using a password with the word “admin” in it? That’s one level of security that’s easily fixed with password keepers.
Monitoring Systems - For a nominal monthly or annual fee (and sometimes for free), you can have a program like Sucuri keep track of suspicious activity on your site and give you regular updates. This can include scanning for numerous failed login attempts and malware. But it will also let you know if there has been a new user logging in or updates to plugins, just in case you weren’t aware of the activity. Unfortunately, a lot of those services are reactive – they’re watching for things that have already happened. It might be better than nothing, but it might also warn you too late. And once your site is infected, it’s often impossible to find the malware itself. A complete rebuild might be necessary.
Firewalls - Activating a web application firewall acts as a barrier to protect your site from outside attaches. They route traffic through their cloud server first and confirm the traffic is legitimate before sending it through. The weakness with a firewall is that it can’t protect your site from attacks from the inside. It can’t protect against viruses, worms and other spyware that can be spread through external drives.
Hosting Platform: Possibly the best security for a site is ensuring your hosting platform is protected. The more secure your hosting platform, the less chance of having your WordPress site hacked. But for even more security, choose a new option that many hosting companies are offering: WordPress specific hosting plans. These type of plans offer preinstalled WordPress, as well as optimizations and WordPress-specific tools that reduce the chance of being hacked. This type of hosting service keeps server software and hardware up to date dynamically, regularly scan for suspicious activity, offer automatic WordPress updates and have backups of your site in case a breach does happen.
“Think of security doors and layers,” says Garrett Saundry, our Product and Operations Manager. “Security plugins are sitting in the inner sanctum of the website, so if a problem gets that far, they’ve already gone through a number of doors to get there, so it’s really a last line of defense. With dedicated WordPress hosting, we watch for that activity before it ever gets to your website.”
If opting for a managed WordPress hosting solution (like the plans available from Webnames.ca), these are some key services you will want it to include:
- WordPress restore manager, which enables you to rollback your website back to its previous state if something goes wrong with your latest deployment
- Easy access and upgrades to WordPress' 50,000+ plugins
- A staging environment to test new features, changes, and ideas before rolling them out to a live website
- Automatic backups to restore your website if you lose data
- Automatic updates to improve security and performance
- WordPress debug manager to debug options cohesively, or on an instance by instance basis
- Proactive security scanning and malware removal. If you’ve got security plugins on your site, you could be getting dozens of email notifications telling you about login attempts (from automated malware or hackers) or other suspicious activity. And who has time to monitor and take care of all of that?
It’s an ongoing battle to keep websites up and running. Google blacklists tens of thousands of websites every week that it suspects of being compromised. Being proactive and choosing a solid hosting plan and provider can help make sure yours isn’t one of them.
* * *
Whether you are planning to launch a brand new website or already managing multiple WordPress instances, head over to Webnames.ca's Managed WordPress hosting page to review the benefits and features these plans offer to make your WordPress site more secure.