We’re often asked if WordPress sites are more vulnerable to security breaches than other content management platforms. With all websites, even those run by Fortune 500 companies, the threat of hacking is ever present, regardless of the platform it’s built within.
Professional website design and development firms who use open source platforms, like WordPress or Drupal, produce safe and secure sites that are resistant to hacks.
General Threats to Your Website
Hackers will employ various methods to gain access to a website. From brute force attacks to exploiting poorly written code, they are constantly looking for vulnerabilities.
Once they gain access, they can wreak havoc in innumerable ways. Their motivations may range from boredom, to intentional disruption for political reasons, to a serious threat aimed to gain private data for financial gain.
A short, necessarily incomplete list of attacks that exploit security weaknesses includes:
- Brute Force
- Trojan horses
Blacklisting by Search Engines
An insecure or compromised website can be ‘blacklisted,’ meaning search engines like Google and Bing swiftly, and possibly permanently, remove it from their results. Blacklisting is usually signalled by a warning in search engine results or even on your website’s landing page.
It is particularly distressing when one of your visitors is the one to point out that your site has been blacklisted. With that possibility in mind, and because Google cannot foresee every vulnerability, we recommend using Google Webmaster Tools (GWT) to verify your website’s status on potential blacklists. You’ll need website administrative permissions to access these tools and professional development experience to use them properly, so check on this with your developer.
The most basic way to protect your site is by using strong, unique passwords for your website, FTP accounts, associated email addresses, and any other access points.
If you need a refresher on creating strong passwords, Microsoft summarizes it thoroughly here, but there are also new tools out there to help. In a recent article by Wired, Joseph Bonneau, a cryptology researcher at Stanford, suggests that webmasters create truly random passwords using tools like Diceware, which involves rolling dice and matching the numbers to words on a prepared list to generate random phrases.
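The Diceware procedure described above (roll dice, read the faces as a number, look up the matching word) is easy to automate. The following is an added example, not code from the original post or from the Diceware project: it uses Python's `secrets` module as the "dice", converts each roll into a base-6 index into a word list, and reports how much entropy the resulting passphrase carries. The 36-word list is a constructed stand-in for a real Diceware list, which has 7776 words (one per five-dice roll); the code works with any list size because it rolls as many dice as needed and rejects rolls that fall past the end of the list.

```python
"""Diceware-style passphrase generation (added example; assumes any word list, not a specific one)."""
import math
import secrets

# Constructed demo word list: 36 words, i.e. one per two-dice roll.
# A real Diceware list has 7776 words and is indexed by five dice.
DEMO_WORDLIST = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable",
    "gavel", "hatch", "igloo", "jelly", "kayak", "lemon",
    "maple", "nudge", "oasis", "pearl", "quilt", "raven",
    "saddle", "tulip", "umpire", "valve", "wafer", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune",
    "ember", "fjord", "grape", "heron", "ivory", "jade",
]


def roll_to_index(rolls: str) -> int:
    """Convert a dice-roll string such as '13' or '66666' into a zero-based base-6 index.

    Die faces 1..6 become digits 0..5, so '11111' -> 0 and '66666' -> 7775.
    """
    index = 0
    for face in rolls:
        if face not in "123456":
            raise ValueError(f"invalid die face {face!r}")
        index = index * 6 + (int(face) - 1)
    return index


def dice_needed(list_size: int) -> int:
    """Smallest number of dice whose 6**n outcomes can address every word in the list."""
    n_dice, outcomes = 0, 1
    while outcomes < list_size:
        outcomes *= 6
        n_dice += 1
    return n_dice


def roll_die() -> int:
    """One cryptographically random die roll in 1..6 (secrets, never random.random)."""
    return secrets.randbelow(6) + 1


def generate_passphrase(wordlist, n_words: int = 6, roll=roll_die) -> str:
    """Pick n_words uniformly at random from wordlist using dice rolls.

    Rolls that index past the end of the list are discarded and re-rolled, which keeps
    every word equally likely even when the list size is not a power of six.
    """
    n_dice = dice_needed(len(wordlist))
    words = []
    while len(words) < n_words:
        rolls = "".join(str(roll()) for _ in range(n_dice))
        idx = roll_to_index(rolls)
        if idx >= len(wordlist):
            continue  # rejection sampling: this roll has no word, roll again
        words.append(wordlist[idx])
    return " ".join(words)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of a passphrase of n_words words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDLIST, n_words=6)
    print(phrase)
    print(f"demo list, 6 words: {entropy_bits(len(DEMO_WORDLIST), 6):.1f} bits")
    print(f"real Diceware list, 6 words: {entropy_bits(7776, 6):.1f} bits")
```

Six words from the full 7776-word list give roughly 77.5 bits of entropy, which is why the Diceware recommendation is six or more words; six words from this 36-word demo list give only about 31 bits, so the demo list is for illustrating the mechanism, not for producing real passphrases.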
Additionally, experts recommend:
- Changing your access passwords every 60 days
- Keeping your passwords as private as possible
- Using different passwords for all your access points
- Using applications to manage your passwords
There are a number of password managers that will store all your passwords and offer one entry password to access them all from any computer you designate. Here are a few examples:
- Sticky Password
Assigning Least Privilege Administrative Roles
Another basic security measure is assigning the ‘least privilege’ roles necessary for your employees. Fewer high-level roles assigned means decreased opportunities for hackers to access administrative functions and exploit the most important parts of your site. Adding content to your site may only require the “editor” role, instead of the administrator role. Moderating blog posts only requires the ‘moderator’ role, and so on.
Protecting an Open Source Site
Open source development comes with tools that give your website additional powerful features, but some plug-ins are poorly developed and unmaintained. Carefully select your tools, monitor the comments and reviews about them online, and regularly check for updates to the software powering your site. This includes WordPress, third party add-ons, and any independent security software, such as virus protection.
- Carefully select and only install reputable add-ons
- Monitor all third-party software used by your site
- Update all software promptly after each release
- Work with a professional developer to install all updates
- Use a reputable hosting service that will back up your site each day and quickly restore if there is a system failure
For a discussion on the WordPress updating process, read our post here.
Protect Against Malware
Some programs are designed to prevent or thwart malware attacks (Google describes Malware), making them essential security features for all websites. In addition to the security features these programs provide, they also enable basic caching, which can speed up your website. Your developer should conduct a web-malware detection scan on your website regularly.
Safeguarding Financial Transactions
When dealing with monetary transactions, organizations should purchase a Secure Socket Layer (SSL) certificate (explanation), which encrypts all data passing between your visitors’ browsers and your server. SSL is working properly when you see the prefix “https:” in the URL.
Work with Professionals
Setting up your WordPress sites with pre-made templates, quick plug-ins and inexpensive hosting solutions will expose you to a higher risk of getting hacked.
With Internet security, it is best to work with professionals and install safeguards from the beginning, communicate with your developer to keep your site updated, and stay vigilant.
There are three important steps your developer should take immediately:
- Review your site’s security using GWT and malware-defense tools
- Install updates to all software associated with your site
- Set regular schedules for monitoring, maintaining, and enhancing your site
Concerned about the security of your WordPress site? We’re offering a free security review and estimate.