Getting serious about WordPress security
WordPress has been the most popular content management system (CMS) for so long that most people aren’t aware of a time before it was dominant. Its ease of extensibility has made it a quick way for content designers to get their ideas onto the web without spending weeks or months in development. While many competitors have emerged to challenge it, none has gathered the momentum and rich ecosystem that surround WordPress.
Popularity is a double-edged sword, of course. As with Microsoft’s Windows family of operating systems, a large user base attracts attention from malicious actors and makes the effort of breaking into the software far more profitable. Because WordPress usually runs on web servers that nobody checks daily for abnormal behavior, a successful attacker can get days or even weeks of free computing resources out of your site for very little effort.
As with most behavior considered untoward on the internet, a thriving black market exists to serve those looking to make a quick buck with a blatant disregard for law and ethics. The most common motivation is the money to be made by sending spam: most hacked web sites are turned into spam relays that let anyone with the victim’s information use the victim’s server to send as much spam as they can until they are caught. Some attackers use the site as a phishing trap, hosting fake login pages that harvest credentials. Perhaps the worst are the silent intruders who break in and do little other than quietly collect credit card numbers and other personally identifiable information (PII), which they use or sell on the black market, often to the victim’s ruin.
So if you’re running WordPress, what can you do to protect your site? The short answer is maintenance and common sense. It is imperative that you keep WordPress and its plugins up to date and follow a few best practices. We’ve outlined a few of these below.
- Install the latest version of WordPress
- Use the auto-updater. Current versions of WordPress include an update utility that can update both the core software and any compliant plugins, extensions, and themes you have installed, and WordPress can be configured to apply these updates automatically rather than waiting for you to log in.
- Do not use plugins, extensions, or themes that cannot be updated through the WordPress update utility.
- Avoid ‘abandonware’. If a WordPress plugin comes from a fly-by-night developer or has been abandoned and hasn’t received an update in months or years, remove it from your site; an unmaintained plugin will never get a fix for the next vulnerability found in it.
- Use long, unique passwords for your admin login and for the database user WordPress connects with (the one stored in wp-config.php), and never reuse them on another site. Change the admin password at a regular interval.
- Restrict the IP addresses allowed to reach your admin backend (wp-login.php and the /wp-admin dashboard), either at the web server or inside WordPress itself. Keep in mind that the login form is not the only place credentials are accepted: XML-RPC (xmlrpc.php) also takes logins and should be disabled if nothing needs it.
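The following must-use plugin is an added example that puts the last three rules into practice in one place; it is not code from Alpha Hosting or from the WordPress project. It allow-lists admin access by client IP, disables XML-RPC logins, and turns on automatic updates for core, plugins and themes using WordPress’s own filters. The two allow-listed addresses are placeholders taken from documentation ranges and the file name is an assumption; replace both with your own.

```php
<?php
/**
 * Plugin Name: Admin Hardening (added example)
 * Description: Allow-lists wp-login.php and the dashboard by client IP, disables
 *              XML-RPC, and turns on automatic updates. Save as
 *              wp-content/mu-plugins/admin-hardening.php; must-use plugins load on
 *              every request and cannot be switched off from the dashboard.
 *              Requires PHP 7.1 or later.
 */

// Assumed office/VPN addresses (documentation ranges used as placeholders): replace
// with your own. Single IPv4 hosts or IPv4 CIDR blocks.
const ADMIN_HARDENING_ALLOWED = [
    '203.0.113.0/24',
    '198.51.100.7',
];

/** True if IPv4 address $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/n"). */
function admin_hardening_ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false; // not IPv4 or malformed entry: fail closed
    }
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function admin_hardening_is_allowed(string $ip): bool
{
    foreach (ADMIN_HARDENING_ALLOWED as $net) {
        if (admin_hardening_ip_in_cidr($ip, $net)) {
            return true;
        }
    }
    return false;
}

/**
 * Trust REMOTE_ADDR only. X-Forwarded-For is attacker-supplied unless a reverse
 * proxy you control strips and rewrites it; if you sit behind such a proxy, have
 * the web server resolve the real client address into REMOTE_ADDR (for example
 * with Apache mod_remoteip) rather than reading the header here.
 */
function admin_hardening_client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

// 1. Deny wp-login.php and the dashboard to everyone outside the allow-list.
//    admin-ajax.php is deliberately exempt: themes and plugins call it from public
//    pages, so blocking it would break the site for ordinary visitors.
add_action('init', function () {
    $isLogin = ($GLOBALS['pagenow'] ?? '') === 'wp-login.php';
    $isAjax  = defined('DOING_AJAX') && DOING_AJAX;
    if (($isLogin || (is_admin() && !$isAjax))
        && !admin_hardening_is_allowed(admin_hardening_client_ip())) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});

// 2. wp-login.php is not the only door: xmlrpc.php also accepts credentials and is
//    a favourite brute-force target, so switch it off unless a client needs it.
add_filter('xmlrpc_enabled', '__return_false');

// 3. Let WordPress apply updates itself: core (minor and major), plugins, themes.
//    Only plugins and themes installed through the update system are covered.
add_filter('auto_update_core', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
```

Two things to check before relying on this. If your own address changes you will lock yourself out; the remedy is to delete or edit the file over SFTP, which is why it lives in mu-plugins rather than behind a dashboard setting. And automatic updates run from WP-Cron, so a site that receives little traffic (or has WP-Cron disabled) should have a real system cron job hitting wp-cron.php, otherwise the updates will sit waiting.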
Following these basic rules goes a long way toward protecting your site. Plenty of resources turn up with a basic search for “WordPress security”, and vulnerability databases such as CVE Details can show you which vulnerabilities have been disclosed recently and may not yet be patched in the versions you are running. If any of this feels intimidating, you can always find a competent developer or partner who will be glad to maintain your site for you. Alpha Hosting can provide an analysis of your WordPress site and advise you on which steps you should take to update it. Please feel free to contact Alpha Hosting technical support for more assistance.