WordPress has seen phenomenal growth since 2003, when it was launched as a blogging tool. Since then it has evolved into a content management system, an application platform, and a mobile and social platform. WordPress accounts for more than 20% of all websites online, and this number is growing daily. Because WordPress is so widely used, it has unfortunately become a target. Attackers focus on WordPress and use the latest security announcements to their advantage, causing general mayhem. These 5 tips are for those who want better WordPress security for their website.
What about the other 80%?
Websites that do not currently use WordPress may be powered by Joomla, Drupal, PHP, or applications such as Dreamweaver and other Adobe packages. Additionally, many websites are custom coded. Many owners of sites not yet powered by WordPress recognize its benefits but are hesitant to transition because of the mechanics of such a change. If you are in this situation, you will be glad to know that there are many migration tools which can help. This website, for example, was originally built with Joomla’s content management system. In time, however, our organization realized the need for WordPress, and we used the ‘FG Joomla to WordPress’ plugin to migrate the articles, categories, media, and even meta tags to WordPress. The free version of ‘FG Joomla to WordPress’ was not sufficient, so we upgraded to the paid version for a small fee, and we were very happy with the success of the migration.
Most common types of WordPress attacks:
- Drive-by downloads – In this type of attack, malware is embedded into a site via some form of script injection. Weaknesses which can lead to this type of attack include:
  - Outdated software
  - Compromised login credentials
  - SQL injection
- Malicious redirects – In this type of attack the visitor’s session is redirected to a different website. It can affect both the primary domain and any sub-domains.
- Back doors – In this scenario, attackers bypass normal authentication to gain remote access to the environment. Commonly abused entry points include FTP, SFTP, and WP-Admin.
- Pharma attacks – This type of attack is more of a spam menace than it is malware. Don’t be fooled, however, because it can still be detrimental to your website. These attacks can be especially dangerous because they are primarily visible to search engine bots rather than to ordinary visitors. If your website becomes affected, it could be tagged by Google as “compromised”, which means that your organic traffic from search engines can take a big hit.
Avoid these 5 WordPress Security Problems:
- Poorly coded third-party extensions or plugins
- Cheap hosting – If you are not planning on taking an active role in managing your WordPress site, then you should not use cheap web hosting. Cheap hosting is “self-managed”, and as such you are responsible for maintaining and updating extensions, plugins, themes and core WordPress files. If you are unable or unwilling to perform these tasks yourself, then we recommend a managed WordPress host.
- Untrusted downloads – Extensions, plugins and themes are often free on the Internet, but this does not mean that they are always good. Some free downloads contain malicious code. Choose free extensions, plugins or themes from a trusted source only. To decide whether you want to download from a specific author, consider reading reviews, forum discussions, etc. to judge whether the source is trustworthy. Many times you will see a company with average reviews, but after digging deeper you might find that the reviews were posted by users who are not knowledgeable in IT. Do not take reviews at face value, because I have personally seen reviews that are posted by people whom I call “Internet militia”.
- Poor or weak login and administrator credentials – Always use a strong password and choose a user name other than the default “admin”.
- Out-of-date core WordPress files – Remember that with each new release, the fixes it contains are publicized, which means that attackers know exactly which vulnerabilities exist in older core files. It is imperative that you keep your core WordPress files updated and current.
Best WordPress Practices:
- Stay educated and informed about WordPress. Join the mailing list of a popular WordPress blog and read the emails daily, so that if a plugin you use has a vulnerability, you will know to update it right away.
- Consider a managed WordPress host rather than a traditional cheap web hosting firm. If it is critical that your WordPress site be managed by a professional, using a managed WordPress host is the best way to achieve this.
- Use a website scanner service such as Sucuri SiteCheck (free).
- Sign up with Google Webmaster Tools and verify your website (free). This is a real time saver. Google provides insight into your pages and will even notify you if your site becomes compromised. Webmaster Central will also help you understand your site with valuable suggestions, which will in turn improve your rankings in search.
- Keep core WordPress files, extensions, plugins and themes updated at all times. I cannot stress enough the importance of this practice.
- Backup your website. Backup your website. Backup your website.
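As an added example (not part of the original article or any product it mentions), the script below applies simple heuristic checks for the kinds of injected content described under the attack types above: obfuscated PHP typical of script injection and back doors, hard-coded off-site redirects, and hidden links typical of pharma spam. It runs over constructed sample files embedded inline; the paths, file contents and indicator patterns are all assumptions chosen for illustration, and a hit is a candidate for manual review rather than proof of compromise.

```python
import re

# Heuristic indicators, keyed by the category of attack from the article.
# Patterns are illustrative assumptions, not an exhaustive signature set.
INDICATORS = {
    # eval()/assert() wrapped around a decoder: typical of injected PHP back doors
    "obfuscated-php": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # hard-coded off-site redirect in PHP or JavaScript
    "redirect": re.compile(
        r"header\s*\(\s*['\"]Location:\s*https?://|window\.location(?:\.href)?\s*=\s*['\"]https?://", re.I),
    # an anchor placed inside a display:none element: classic hidden pharma link
    "hidden-link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I),
}

# Constructed sample files standing in for a WordPress tree (not real sites).
SAMPLE_FILES = {
    "wp-content/themes/demo/footer.php": (
        "<?php wp_footer(); ?>\n"
        '<div style="display:none"><a href="http://pills.example">cheap pills</a></div>\n'
        "</body></html>\n"
    ),
    "wp-content/uploads/2014/cache.php": (
        "<?php\n"
        "eval(base64_decode('UExBQ0VIT0xERVI='));  // decodes to the placeholder text 'PLACEHOLDER'\n"
    ),
    "wp-content/plugins/demo/helper.php": (
        "<?php\n"
        "if (isset($_REQUEST['go'])) { header('Location: http://spam.example/landing'); exit; }\n"
    ),
    "wp-content/themes/demo/header.php": (
        "<?php /* clean file */ ?>\n<html><head><title>Demo</title></head>\n"
    ),
}


def scan_text(path, text):
    """Return (path, line_no, category, snippet) for every indicator hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((path, line_no, category, line.strip()[:80]))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents and collect all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, category, snippet in scan_files(SAMPLE_FILES):
        print(f"[{category}] {path}:{line_no}: {snippet}")
```

On a real install the same functions can be fed files read from wp-content; anything flagged should be compared against a clean copy of the plugin or theme before deciding it is malicious.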
WordPress Content Management System
WordPress has rapidly matured from a simple blogging platform to a full-blown content management system and application platform as well as a social media and mobile website platform. WordPress is a very intuitive open-source application and with it, the possibilities are limitless.