Welcome to 2016, the year WordPress powers more than a quarter of all websites on the Internet. For a lot of us involved with the WordPress community, this was fantastic news. For those concerned with WordPress security, it's more of a nightmare. WordPress as a CMS has always had a reputation for being an unauthenticated remote shell that, as a useful side feature, also contains a blog. And despite the best efforts of the WordPress community, that is truer now than ever.
The democratization of publishing has a nasty side effect: pretty much anyone can start a WordPress blog. As the entry bar gets lower, more and more websites fall prey to attacks, simply because their owners are out of their depth when it comes to protecting them. And being the biggest CMS on the market, WordPress has a huge target painted on its back. One security report stated that 78% of successful attacks were against WordPress websites. Another found that 76% of WordPress users don't use a backup plugin at all.
The blame, or at least most of it, lies with the throng of security articles on the web. Really good, in-depth articles are few and hard to find, because we're bombarded with "10 Easy Ways to Make Your Site Secure" fluff that's about as useful as an anthropology degree in a firefight.
OK, there are exceptions
Sure, it’s great to keep everything up to date. It’s also great to use something other than admin for your username. But that’s not WordPress security, that’s common sense.
The Harsh Truth About WordPress Security
I’m going to let you in on a little secret. Are you ready?
There is no such thing as a perfectly secure website. Your website will get hacked. It’s not a matter of if, but when.
You can be the biggest WordPress security expert in the world; it won't matter one bit if your hosting company gets compromised. Hosting your own websites? Good luck with the next Heartbleed: that bug sat in OpenSSL, the TLS library behind a huge share of the Internet, for roughly two years before anyone noticed it.
So, if you can’t be 100% safe, what can you do?
Be Responsible About WordPress Security
The fight is won or lost far away from witnesses—behind the lines, in the gym and out there on the road, long before I dance under those lights
-Muhammad Ali
The Greatest told it like it is: You don’t start thinking about security when you’ve been hacked. By then it’s too late. You think about it before you start your website. You vet the plugin and theme authors. You keep an eye on your websites. If you’re out of your depth, you hire an expert. Being prepared makes all the difference in the world.
How ManageWP Helps You Be Secure
Don't for one second start thinking that ManageWP or any other service will somehow make you magically prepared. We will help you, take most of the load off your shoulders and provide the tools you need, but at the end of the day you, and only you, are responsible for the wellbeing of your website. And if your attitude is "meh, whatever, I don't have time for this", you're setting yourself up for failure.
Always Have a Backup Ready
I mentioned earlier in the article that 76% of WordPress users don't use backups. That same survey found that over 67% of WordPress users would pay $100+ to get their website back online. This is the kind of insane shortsightedness we need to fight at every turn. You'll never see an ice hockey goalie forget his helmet because there's only a 2% chance of a puck hitting him in the face.
Even the biggest badasses like being alive
It's also the reason ManageWP backup exists. Handling backups for 10 websites is a pain, so we built a backup that's easily controlled from one dashboard, no matter how many websites you have. And for ManageWP Orion, we focused on the other pain backups cause: reliability. We built a robust, incremental backup that uses very few server resources and stores the result in a secure off-site location. We also introduced more backup cycles, so your website can have a restore point every hour (that's 168 restore points each week!).
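To make the incremental-snapshot idea concrete, here is an added example (the editor's code, not ManageWP's backup engine). Each restore point is a complete directory tree you can restore by copying it back, but files unchanged since the previous snapshot are hardlinked to the earlier copy instead of being stored again, and old restore points are pruned to a retention limit. The mini site, the local "store" directory standing in for an off-site location, and the hourly stamps are constructed for the demo; the database dump and the transfer off the host are assumed to happen outside this script.

```python
"""Incremental restore points with hardlink dedup (added example, not ManageWP's backup engine)."""
import os
import shutil
import tempfile
from pathlib import Path

RETENTION = 168  # one week of hourly restore points, as the page counts them


def latest_snapshot(store: Path):
    """Newest restore point by name; stamps are ISO-like so lexical order is time order."""
    if not store.exists():
        return None
    snaps = sorted(p for p in store.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def unchanged(src: Path, prev: Path) -> bool:
    """rsync-style quick check: same size and mtime means 'not modified' (both on one fs here)."""
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and a.st_mtime_ns == b.st_mtime_ns


def take_snapshot(source: Path, store: Path, stamp: str) -> Path:
    """Create store/<stamp>/ as a complete, directly restorable copy of source.

    Files unchanged since the previous snapshot are hardlinked to that snapshot's
    copy, so a new restore point costs only the bytes that actually changed.
    """
    previous = latest_snapshot(store)
    target = store / stamp
    for dirpath, _dirs, files in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (target / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            src, dst = Path(dirpath, name), target / rel / name
            if previous is not None and unchanged(src, previous / rel / name):
                os.link(previous / rel / name, dst)   # share the inode, no new bytes
            else:
                shutil.copy2(src, dst)               # new/changed: copy, preserving mtime
    return target


def prune(store: Path, keep: int = RETENTION) -> list:
    """Delete the oldest restore points beyond keep. Hardlinks mean newer points stay whole."""
    if keep < 1:
        raise ValueError("keep at least one restore point")
    snaps = sorted(p for p in store.iterdir() if p.is_dir())
    removed = []
    for old in snaps[:-keep]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def restore(snapshot: Path, destination: Path) -> None:
    """A restore point is a plain tree: copying it back is the whole restore (test this!)."""
    shutil.copytree(snapshot, destination, dirs_exist_ok=True)


def demo() -> dict:
    """Constructed mini site with two hourly snapshots and one edit in between."""
    with tempfile.TemporaryDirectory() as tmp:
        site, store, rest = Path(tmp, "site"), Path(tmp, "store"), Path(tmp, "restore")
        (site / "wp-content" / "uploads").mkdir(parents=True)
        config, image = site / "wp-config.php", site / "wp-content" / "uploads" / "a.jpg"
        config.write_text("<?php define('DB_NAME', 'wp');\n")
        image.write_bytes(b"\xff\xd8" * 512)           # placeholder bytes, not a real JPEG
        first = take_snapshot(site, store, "2016-01-01T00")
        config.write_text("<?php define('DB_NAME', 'wp'); // edited an hour later\n")
        second = take_snapshot(site, store, "2016-01-01T01")
        rel_img = Path("wp-content", "uploads", "a.jpg")
        shared = (first / rel_img).stat().st_ino == (second / rel_img).stat().st_ino
        changed = (first / "wp-config.php").read_text() != (second / "wp-config.php").read_text()
        pruned = prune(store, keep=1)                   # keep only the newest point
        restore(second, rest)
        return {
            "shared_inode": shared,
            "config_changed": changed,
            "pruned": pruned,
            "restored_config": (rest / "wp-config.php").read_text(),
            "restored_image_ok": (rest / rel_img).read_bytes() == image.read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

The design point worth copying is that every restore point is usable on its own: pruning the oldest snapshot never breaks a newer one, because the shared files are hardlinks, not references to a base copy. Run a restore into a scratch directory after every change to the backup job; a backup you have never restored is a guess, not a backup.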
Be Vigilant
Some attacks are easy to notice: your website goes down, or it’s defaced. The ones you don’t know about are much more dangerous: someone could inject malicious code into your website and abuse it for weeks, without you even noticing it. By that time your SEO score is crap, you’ve been blacklisted, and the damage has been done. You have to stay on top of things, but you don’t want to waste your whole day on routine checks. That’s where we come in.
Uptime Monitor is great for detecting when your website goes down or is defaced. You’ll immediately get an email and/or an SMS with more details, and you’ll be able to spring into action before anyone else notices.
Security Check inspects your website for known vulnerabilities, malware, checks the blacklist status, and a number of other things. In the near future we also plan to automate the checks, so you can let the system run daily checks and notify you if it notices something’s wrong.
Performance Check is there for the sneakiest attacks. Sometimes Security Check won't detect an intrusion, because it's a new strain that isn't in the malware database yet, or because it isn't malware at all. Your server's resources are still being misused, and your website slows down. That's why we came up with Performance Check: it grades your website's performance and stores the result. Each time you run a new check, you can compare it with the previous grades and notice when it drops. Now you know something's wrong, and you can fix it before there's any permanent damage. Performance Check is also planned for an upgrade that will let you automate the checks and push a notification if performance drops significantly.
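The "injected code you don't notice for weeks" scenario above is exactly what file-integrity monitoring catches. As an added example (the editor's code, not ManageWP's Security Check): hash every file of a known-good install once, store that baseline somewhere the web server cannot write to, and on every scheduled run report files that were added, removed or modified, then give the drifted files a second look for the kind of obfuscated PHP that droppers leave behind. The site tree, the injected files and the signature patterns are all constructed for the demo, and the baseline lives in a temp directory only to keep the script self-contained.

```python
"""File-integrity baseline for a WordPress web root (added example, not ManageWP code)."""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns for the demo: obfuscated-eval constructs that droppers and
# webshells commonly use. A real deployment would use a maintained signature set.
SUSPICIOUS = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)
# Directories whose contents legitimately churn; drift there is noise, not a signal.
# wp-content/uploads is deliberately NOT here: it is a favourite place to drop PHP.
VOLATILE = {"wp-content/cache"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, dirs, files in os.walk(root):
        # Prune volatile dirs in place so os.walk never descends into them.
        dirs[:] = [d for d in dirs
                   if Path(dirpath, d).relative_to(root).as_posix() not in VOLATILE]
        for name in files:
            p = Path(dirpath, name)
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    # Keep this file OUTSIDE the web root and unwritable by the PHP user: an attacker
    # who can rewrite the baseline can hide every change.
    path.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def flag_suspicious(root: Path, drift: dict) -> list:
    """Second opinion on added/modified files: does the content look like a dropper?"""
    hits = []
    for rel in drift["added"] + drift["modified"]:
        p = root / rel
        if p.is_file() and SUSPICIOUS.search(p.read_bytes()):
            hits.append(rel)
    return sorted(hits)


def check(root: Path, baseline_path: Path) -> dict:
    """One scheduled run: re-hash, diff against the stored baseline, flag suspicious drift."""
    drift = compare(load_baseline(baseline_path), build_baseline(root))
    drift["suspicious"] = flag_suspicious(root, drift)
    return drift


def demo() -> dict:
    """Constructed site: baseline a clean install, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline_path = Path(tmp, "htdocs"), Path(tmp, "baseline.json")
        for rel, body in {
            "wp-login.php": b"<?php require __DIR__ . '/wp-load.php';\n",
            "wp-includes/version.php": b"<?php $wp_version = '4.4';\n",
            "wp-content/uploads/2016/01/photo.jpg": b"\xff\xd8placeholder",
            "wp-content/cache/page.html": b"<html>cached</html>",
            "readme.html": b"<html>WordPress</html>",
        }.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        save_baseline(build_baseline(root), baseline_path)

        # Simulated compromise (all constructed; the payload just echoes 'hi'):
        # 1) an obfuscated loader appended to a core file,
        with (root / "wp-login.php").open("ab") as f:
            f.write(b"<?php eval(base64_decode('ZWNobyAnaGknOw=='));\n")
        # 2) a webshell dropped under uploads, where PHP should never live,
        (root / "wp-content/uploads/2016/01/.sess.php").write_bytes(
            b"<?php assert(str_rot13('cuc'));\n")
        # 3) a file removed, and 4) cache churn that must NOT be reported.
        (root / "readme.html").unlink()
        (root / "wp-content/cache/page.html").write_bytes(b"<html>regenerated</html>")
        return check(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things make this useful rather than noisy: volatile directories are excluded from the walk, so cache regeneration does not page anyone, and the baseline is rebuilt only after a deliberate update, so core and plugin upgrades show up once, as expected drift, and everything after that is a question to answer.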
Key Takeaways
- There’s no easy fix for WordPress security. You need to act responsibly
- Check your website security regularly
- Always have a fresh backup ready in case of emergency
Vladimir
Hey there, You have done a fantastic job. I will definitely digg it and personally suggest to my friends. I’m confident they will be benefited from this web site.
John
Uptime Monitor looks great, I will definitely try it out. Thanks for this useful article.
WPServer.com
There is also a lot that can be done on the server side, such as file monitoring with OSSEC and using containers like Docker to isolate the WordPress environment.
Robert Abela
Very good read though in my opinion it is missing one key point; audit / logging. It is very important to keep a record of what is happening on your website. There are several benefits you can take advantage of when doing so. For example apart from the obvious fact that you can keep an eye on what is actually happening, it does come in handy in case of forensics (to find out what happened in case of a hack) and can also help you understand who might be potentially attacking your website, thus you can take evasive actions.
Nemanja Aleksic
An excellent suggestion, and it highlights what I mentioned above: you can’t take any article as a definite guide to a secure website. There’s always something that hasn’t been covered, always room to do more.
Tom Townsend
Excellent article. I was looking for a lead on my own article (to be published this week) that gets to the heart of the security dialog we have heard way too often with WordPress, especially the last 6 months or so. You hit the proverbial "nail on the head" with this post. "There is no such thing as a perfectly secure website. Your website will get hacked. It's not a matter of if, but when." This is also NOT WordPress centric and can affect any platform. Having a plan and being vigilant is paramount for sure.
Nemanja Aleksic
Thanks, Tom. I’m looking forward to reading it.
jjsararas
All great suggestions, I’m thinking more specifically about custom themes created by agencies. Looking forward to that article!
jjsararas
That almost looks like a Team Canada jersey 😉
“You vet the plugin and theme authors.” How would one effectively vet a developer for secure code? What would be a few key best practices to look for, and questions to ask?
Nemanja Aleksic
Almost, but not quite 🙂
I’m actually working on an article that talks about how to choose the right plugin. What I can recommend off the top of my head is this:
– A great developer has a track record. Look at his profile on WordPress.org. Is he an actual person or some nondescript company? Is he contributing to core, speaking at WordCamps? Being recognized in the WordPress community is a big plus.
– You can find out plenty from the WordPress plugin page. How often is the plugin updated? 6 months without an update is a bad sign. Having 3 updates within a week is also a bad sign, because it means there’s been no QA testing. Check the support page for the type of problems you’d expect.
– The changelog and GitHub repo are good sources of info about the dev; writing just “security fix” in the changelog is bad. “Fixed a bug where backup archives were being searchable and downloadable on Google” is good, it shows that person adheres to higher standards.
That’s some of the ways to go about this. If others have suggestions, feel free to share.
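The plugin-page checks in the reply above can be partly automated from a plugin's public metadata. This added example is the editor's, not the article author's or ManageWP's: it applies the staleness, tested-version, support-thread and rating heuristics to a record shaped like the WordPress.org plugin-info API response (https://api.wordpress.org/plugins/info/1.0/<slug>.json; the field names used here are the editor's understanding of that API and should be checked against a live response). Both records and the "as of" date are constructed so the result is reproducible; the "three updates in a week" and changelog-quality checks still need a human reading of the changelog.

```python
"""Vet a plugin from its WordPress.org metadata (added example, editor's code)."""
from datetime import datetime, timezone

STALE_DAYS = 180    # "6 months without an update is a bad sign"
CURRENT_WP = "4.4"  # WordPress release current at the time of the article (assumption)


def parse_last_updated(value: str) -> datetime:
    """The API's last_updated looks like '2016-01-04 9:41am GMT' (editor's reading of the API)."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple:
    """'4.4.1' -> (4, 4, 1); non-numeric parts are dropped so '4.5-beta' still compares."""
    return tuple(int(x) for x in version.split(".") if x.isdigit())


def vet(record: dict, now: datetime, current_wp: str = CURRENT_WP) -> dict:
    """Apply the mechanical parts of the checklist; everything else needs a human."""
    findings = []
    age_days = (now - parse_last_updated(record["last_updated"])).days
    if age_days > STALE_DAYS:
        findings.append(f"stale: last updated {age_days} days ago")
    tested = record.get("tested", "0")
    if version_tuple(tested)[:2] < version_tuple(current_wp)[:2]:
        findings.append(f"tested only up to WordPress {tested}, current is {current_wp}")
    threads = record.get("support_threads", 0)
    resolved = record.get("support_threads_resolved", 0)
    if threads >= 10 and resolved / threads < 0.5:
        findings.append(f"support: only {resolved} of {threads} recent threads resolved")
    if record.get("num_ratings", 0) >= 20 and record.get("rating", 100) < 70:
        findings.append(f"rating {record['rating']}/100 from {record['num_ratings']} reviews")
    return {"slug": record["slug"], "findings": findings,
            "verdict": "needs review" if findings else "no red flags"}


# Constructed records shaped like the plugin-info API response; not real plugins.
HEALTHY = {"slug": "example-forms", "last_updated": "2016-01-04 9:41am GMT", "tested": "4.4.1",
           "support_threads": 12, "support_threads_resolved": 10, "rating": 92, "num_ratings": 150}
STALE = {"slug": "example-gallery", "last_updated": "2015-03-02 2:15pm GMT", "tested": "4.1",
         "support_threads": 30, "support_threads_resolved": 4, "rating": 60, "num_ratings": 40}
AS_OF = datetime(2016, 1, 15, tzinfo=timezone.utc)   # fixed so the demo is reproducible


def demo() -> list:
    return [vet(r, AS_OF) for r in (HEALTHY, STALE)]


if __name__ == "__main__":
    for result in demo():
        print(result["slug"], result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Treat a "needs review" verdict as a prompt to read the changelog and support forum, not as a rejection: a small, finished plugin can legitimately go months without a release, and the checks here cannot see that.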