Is your WordPress site Secure?
I’ve spoken with two people this week who lost access to their website, as a direct result of not keeping on top of security updates.
Both sites run WordPress – a popular platform, with lots of additional functionality available through third-party plugins. That popularity also makes it a frequent target of hacking attempts, which is why it is vital to ensure that the core code and any plugins or themes in use are regularly updated. Whilst some updates are functional (adding new features or making things easier to use), others are security patches that resolve vulnerabilities detected in the code.
To give you an idea of how some people take advantage of this, here’s the message I received from one of the people I spoke to:
Someone had managed to gain access to the site, remove the existing admin logins, and make themselves the only admin for the site. When they did not receive the money they asked for, they deleted the entire site.
The charity were not in a position to resolve the issue themselves. Their hosting provider gave them a backup of the site, but said that the backup still contained the malware used to exploit the site, and would not put it live for them until they paid to have it checked and cleaned.
Another person contacted me after noticing their website was not loading. Instead, an error message was shown. She eventually found out that her hosting provider had taken the site offline after they discovered malware on it. They had written to her two months earlier, but the email had been overlooked. Their automated malware scanning system had noticed the code, and highlighted the infected file. Eventually, the host removed the malware on the site and restored access… it took two minutes, but they had done nothing for two months.
She doesn’t know when the website was taken offline: it may have been down for the whole two months! Their only recommendation was that she pay an additional £5 per month for a scanning service… a service which clearly was already running, since they had previously notified her of malware.
Tips for keeping your site secure
There are several measures that can be taken to help protect a WordPress site. Here are our top recommendations:
- Regularly update the core code, themes and plugins
- Take regular backups for disaster recovery
- Avoid having a user called ‘admin’
- Use unique complex passwords
If you want to take things a step further, then you may also want to use a security plugin to detect – and block – unusual activity. These typically look for attempts to log in as ‘admin’, repeated failed logins of any kind, or repeated 404 errors, and then block that IP address for a period of time. Two-factor authentication is also worth considering, requiring a user to respond to an emailed link or other form of additional authentication when trying to log in. Some security plugins also give you the option of changing the URL used to log in to the site, or of presenting a captcha to detect bots on the login screens.
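The blocking logic described above can be sketched as follows. This is an added example, not code from any particular security plugin; the class name, thresholds, window and block duration are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; real plugins make them configurable.
MAX_FAILED_LOGINS, MAX_NOT_FOUND = 5, 20   # events allowed per window
WINDOW_SECONDS, BLOCK_SECONDS = 300, 900   # counting window, block duration

class LockoutTracker:
    """Per-IP event counters with temporary blocking (hypothetical helper)."""
    def __init__(self):
        self.events = defaultdict(lambda: defaultdict(deque))  # ip -> kind -> times
        self.blocked_until = {}                                # ip -> expiry time

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def _count(self, ip, kind, now):
        q = self.events[ip][kind]
        q.append(now)
        while q[0] <= now - WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        return len(q)

    def record(self, ip, kind, now, username=None):
        """Record one event; return a reason string if it triggers a block."""
        if self.is_blocked(ip, now):
            return None                       # request is already being refused
        reason = None
        if kind == "login_fail" and (username or "").lower() == "admin":
            # With no real account called 'admin', an attempt on it is a strong bot signal.
            reason = "tried 'admin'"
        elif kind == "login_fail" and self._count(ip, kind, now) >= MAX_FAILED_LOGINS:
            reason = "repeated failed logins"
        elif kind == "404" and self._count(ip, kind, now) >= MAX_NOT_FOUND:
            reason = "repeated 404s"
        if reason:
            self.blocked_until[ip] = now + BLOCK_SECONDS
        return reason

def replay(log):
    """Feed (time, ip, kind, username) tuples through a tracker."""
    tracker, decisions = LockoutTracker(), []
    for now, ip, kind, username in log:
        reason = tracker.record(ip, kind, now, username)
        if reason:
            decisions.append((now, ip, reason))
    return decisions, tracker

# Constructed sample events using documentation IP ranges, not real traffic.
SAMPLE_LOG = (
    [(0, "203.0.113.7", "login_fail", "admin")]
    + [(10 * i, "198.51.100.9", "login_fail", "editor") for i in range(1, 6)]
    + [(100 + i, "192.0.2.4", "404", None) for i in range(20)]
    + [(400 * i, "192.0.2.50", "login_fail", "jane") for i in range(5)]
)
```

Calling `replay(SAMPLE_LOG)` blocks the first three addresses, while the fourth, whose failed logins are spread over a long period, never reaches the threshold.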
Some webhosting providers have additional tools available to help keep your site safe and secure. Sometimes these tools are provided as standard, sometimes they charge a premium for them.
Our hosting provides a ‘checksum report’ for the core WordPress code, which ensures there are no changes to the main code. Malware scanning, permissions check and on-demand backups are also included on every site as standard.
For sites connected to our WordPress Management Platform, regular backups are taken and stored off-server, and every site is checked at least once a week for any code updates. A staging environment is also available so that changes can be tested without affecting the live site. Additional security is also applied to most sites automatically, and provided as standard on all sites that we actively manage. All from just £10 a month.
Do check what your host provides, take a backup of your site today, and ensure all the updates have been applied.
Schedule a Tech Surgery Consultation
If you’re unsure about any of this, or want it taken care of for you, then get in touch today and we’ll make all the necessary arrangements. A one-off Tech Surgery is currently just £25, and in most cases will cover the work needed.