WordPress Security – Why, What and How


WordPress is the most popular Content Management System (CMS) in the world. With that kind of popularity, it makes sense that WordPress is an attractive target for hackers and attacks.

Does this mean WordPress is less secure than other CMSes on the market? The short answer is no. It is the popularity of the platform that makes it attractive, and there will always be a percentage of those websites whose owners simply do not take security seriously and leave them vulnerable.

So, this mini-guide is going to get you up to speed on WordPress security, why you need to take it seriously and most importantly how to better secure your website so you can better avoid the pain and hassle of a hacked website.

Why Do Hackers Want to Attack Your Site?

You may think you are safe from hackers because you are a nonprofit, or not that big a site.

Don’t assume that just because your website is small that hackers wouldn’t be interested in it. Many WordPress attacks are automated and don’t discriminate based on how big the website is or how much money it brings in. They probe as many websites as possible and move on as soon as one has a weakness they can exploit. Small sites are on those scanners’ lists along with everyone else, so you should take steps to protect your site from attacks as well.

So why would hackers want to attack your little site that is just trying to do some good in the world? There are many reasons. Some people just like to destroy things, but the main motive behind an attack is profit.

How can an attacker profit from hacking your site?

Anonymous and free computing power
The average attacker is not actually interested in your website itself, but in the computing power of the web server your site runs on. They use it to “mine” cryptocurrency on your electricity bill, or as a relay to hide their own address while they attack other targets.

Spam, spam, spam, spam
All that free computing power lets an attacker send millions of spam emails quickly and easily. Because the mail goes out from your server and your domain, it is hard to trace back to them. By the time you notice something is up, the damage is done and the spam has already paid off, leaving you with a blacklisted server address and a cleanup that costs your time and money.

Attackers can also insert links into your website that are visible only to search engines so that they boost search ranking for unscrupulous marketers who buy space on hacked websites.

Spreading viruses
A hacked website can be altered to serve malware to YOUR web visitors. If a visitor’s PC, Mac or other device is unpatched or lacks up-to-date security software, it can be infected and put to the same uses as the web server (computing power, spam, etc.). The malware can have other purposes too. Ransomware encrypts all of the victim’s files and withholds the decryption key until a ransom is paid. Other strains log clicks and keystrokes to steal passwords, or inject advertising into every web page the victim visits and earn money on every click.

Protecting Your WordPress Website

Your website can never be 100% secure and anyone that tells you that is simply not being honest. Attackers are always finding new ways to gain access and new vulnerabilities are being discovered all the time.

Technology changes quickly, so our best defense is to minimize the risk as much as possible and implement security measures that make our sites less attractive to potential attackers. Much like installing a security system in your house: many potential burglars will skip your house and try to break into one down the street that does not have a system and is therefore an easier target.

Many WordPress users will simply install a security plugin and think they are safe and sound.  We are here to tell you that WordPress security is more than just installing a plugin.

While installing and configuring a proven security plugin is a key part of keeping your website safe and secure, it is only ONE of the things you should be doing. As we mentioned before, the key is to reduce risk as much as possible, and there are a number of tasks you can complete to increase your overall security and better protect your website.

5 Ways to Better Secure your WP Site

1. Quality Hosting
This is an area of security that many don’t even think about. If you chose your hosting based on price alone, you are very likely on a shared server with hundreds or thousands of other websites. Since these hosts are focused on keeping costs down, they may not have the time or resources to keep their servers up to date with security patches themselves. If one site on that server gets hacked or injected and the host has not properly isolated the accounts from one another, the infection can spread to the other websites on the same server (called cross-site contamination). Therefore, we recommend going with a quality website host that specializes in WordPress and takes security seriously.

Recommendation: Best in Class Managed WordPress Hosting: WP Engine

2. Daily automated offsite backups
Are you currently backing up your website on a daily basis and holding those backups at a secure offsite location? If not, you are pretty much playing Russian roulette. It is a matter of WHEN, not IF, you are going to need that backup to restore your site. Whether it’s an attack, a user error, or a malfunctioning plugin, your site will eventually go down or have an issue that can’t be easily fixed. If your daily backups are running and stored securely offsite, you can be back up and running in minutes instead of days or weeks. One caveat: a backup you have never test-restored is not yet a backup, so verify your copies regularly rather than only on the day you need one.
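To make “daily, offsite and actually restorable” concrete, here is an added shell example; it is not from the original post or from any hosting vendor’s tooling. It archives a WordPress install, records a SHA-256 checksum so a truncated or tampered copy is caught before you rely on it, verifies the archive, and prunes old copies. The site path, the destination directory and the `wp-config.php` presence check are assumptions for illustration; dumping the database beforehand (for example with WP-CLI’s `wp db export`) and copying the archive offsite are left to the surrounding job.

```shell
#!/bin/sh
# Added example (not from the original post). Archive a WordPress install,
# record a checksum, verify the archive, and keep only the newest N copies.
# Assumptions: GNU tar/coreutils; the database has already been dumped into
# the site directory (e.g. `wp db export`) so it rides along in the archive.
set -eu

# backup_site SITE_DIR DEST_DIR [LABEL] -> prints the path of the new archive.
# LABEL defaults to a UTC timestamp; a caller may pass its own for ordering.
backup_site() {
  site="$1"; dest="$2"; label="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
  mkdir -p "$dest"
  archive="$dest/wp-$label.tar.gz"
  # -C so the archive holds relative paths and restores anywhere
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
  # checksum written beside the archive; copy both files offsite together
  (cd "$dest" && sha256sum "wp-$label.tar.gz" > "wp-$label.tar.gz.sha256")
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and wp-config.php is inside.
# Run this after every backup and before trusting a copy for a restore.
verify_backup() {
  archive="$1"
  (cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256") || return 1
  tar -tzf "$archive" | grep -q '/wp-config.php$' || return 1
}

# prune_backups DEST_DIR KEEP -> delete the oldest archives beyond KEEP copies.
# Labels sort lexically, which holds for the timestamp format used above.
prune_backups() {
  dest="$1"; keep="$2"
  count=$(ls -1 "$dest"/wp-*.tar.gz 2>/dev/null | wc -l)
  excess=$((count - keep))
  [ "$excess" -gt 0 ] || return 0
  ls -1 "$dest"/wp-*.tar.gz | sort | head -n "$excess" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# Typical nightly use (paths are placeholders):
#   a=$(backup_site /var/www/example /var/backups/example)
#   verify_backup "$a" && prune_backups /var/backups/example 30
```

Push both the archive and its `.sha256` file offsite; re-running `verify_backup` on the offsite copy before a restore is what turns “we have backups” into “we can restore”.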

3. Keep WordPress and Plugins Updated
By far the biggest security weakness in WordPress sites is outdated software. WordPress core is updated often, frequently with security fixes, and the plugins and themes you have installed are updated regularly as well (and yes, many of those updates also close security holes). So what do attackers scan for when they look for a vulnerable website? Exactly: sites still running versions with KNOWN, already-patched vulnerabilities. It’s like putting up a billboard saying “Hey, we have not applied the latest security patch! C’mon in!” So you must keep WordPress core, plugins and themes current, and delete any plugin or theme you are not using, since an inactive plugin’s files are still sitting on the server.
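As an added example (not code from the original post), here is a small shell script that turns WP-CLI’s plugin listing into a “what is exposed” report you can run from cron. WP-CLI, `wp core check-update` and `wp plugin list` are real commands; the exact column set the script expects is the one it asks WP-CLI for, and the sample CSV embedded below is constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example (not from the original post). Report plugins with a pending
# update from the CSV that this WP-CLI call prints (assumed column set):
#   wp plugin list --fields=name,status,update,version,update_version --format=csv
set -eu

# outdated_plugins < csv -> one line per plugin with a pending update.
# Inactive plugins are called out: their files stay on disk and can still be
# reached by an attacker, so update them or, better, delete them.
outdated_plugins() {
  awk -F, 'NR > 1 && $3 == "available" {
    note = ($2 == "inactive") ? " (inactive: update or delete)" : ""
    printf "%s %s -> %s%s\n", $1, $4, $5, note
  }'
}

# outdated_count < csv -> number of plugins with a pending update (0 = clean).
outdated_count() {
  outdated_plugins | wc -l | tr -d ' '
}

# report_site SITE_PATH -> run the real commands against an install.
# Not exercised on the sample below; shown so the full pipeline is clear.
report_site() {
  wp core check-update --path="$1"
  wp plugin list --path="$1" --fields=name,status,update,version,update_version --format=csv \
    | outdated_plugins
}

# Constructed sample output, not captured from a real site.
SAMPLE_CSV='name,status,update,version,update_version
akismet,active,none,5.3,
contact-form-7,active,available,5.7.7,5.9.8
hello,inactive,available,1.7.2,2.0.0
wordpress-seo,active,none,22.9,'

# Stand-alone demo on the sample: prints the two outdated entries.
printf '%s\n' "$SAMPLE_CSV" | outdated_plugins
```

Scheduled daily, a non-zero `outdated_count` is the alert; applying the fixes is then `wp plugin update --all` (or a targeted `wp plugin update NAME`) after your backup has run.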

4. Use strong passwords
Have you used the same password for your site for the last six years? Is it some combination of your organization name and the year you first created it? Not a good idea. If you have a simple or easy-to-guess password, it is simple for attackers to get into your site. Enforce strong passwords: long above all (mixing numbers, letters and special characters helps, but length matters most), unique to this site and never reused from another account, ideally generated and stored by a password manager. And don’t allow your users to share logins or accounts.

5. Install and configure a security plugin
Now that the other four tasks are complete, we can turn to a valuable weapon in your security arsenal: the WordPress security plugin. A quality WordPress security plugin will help you fix many known security issues, harden your defenses, and take care of many technical security issues you don’t even know exist, so attackers look elsewhere for a vulnerable site. With our clients, we use and recommend iThemes Security Pro, as it is highly rated, constantly updated, and makes it easier to implement many of the more technical security features.

What can you do from here?

Now that you know the why, what, and how of WordPress security you have a few choices:

One: Ignore the advice above, bury your head in the sand and hope and pray your site does not get hacked.  Please don’t take this option… it is only a matter of time before the attackers find you and it will be much more time consuming and expensive to clean and repair your site than it is to just protect it now.

Two: Take the DIY approach and use the info above to secure your site yourself.  While this may seem like a great option if you are on a tight budget or feel you are tech savvy enough to do it, ask yourself if you really have the time and energy to keep up to date on all of the new vulnerabilities and complex security settings on your server, inside WordPress and with your security plugin?

Three: Work with pros to ensure your site remains safe, secure and worry-free.

My team at TriSummit Solutions manages TopNonprofits’ website security, hardening, firewall and malware scanning, and automated daily offsite backups. Get the same included in all of our Website Care Plans. We also keep your website current and up to date with WordPress core, plugin, and theme updates. These updates are very important and often include security patches for found vulnerabilities.

We do our best to protect your site from being hacked, but in the unlikely (but possible) event that your site is still hacked, we have your backup and can promptly restore your website from a backup, patch the vulnerability and fix the damage.

Learn more about our Website Care Plans.


About author


Rich Dietz

Rich Dietz began his nonprofit career when he was the director of a mentoring organization in college, and went on to get a Master of Social Work (MSW). He has spent the last 20 years working both in and with a wide variety of nonprofit, political, and government organizations, as well as technology companies focused on the nonprofit sector. It is this unique background and experience - working directly in nonprofit organizations AND working on the technology side - that allow him to better understand and assist nonprofit organizations with their technology needs. Rich holds a Master of Social Welfare (MSW) from the University of California - Berkeley as well as a Bachelor of Arts in Political Science from UCLA.