Disclaimer: I am in no way a website and server security expert, and any observations, opinions, and strategies are based solely upon personal and professional experience, as well as research from reputable sources such as WordPress.org, ithemes Security, and web development blogs like Smashing Magazine.
Whenever a new system, program, resource, or technology is unleashed upon the world, you can make a sure bet that someone bad will do everything they can to exploit it.
The most widespread technologies are also inevitably the biggest targets, and there’s fewer Content Management Systems (CMS) with a bigger bullseye on its back than WordPress. At the time this article was written, according to Web Technology Surveys, WordPress powers 58.5% of all CMS websites reported, and outranks every other competitor by a wide margin. Its reach, power, and versatility are the reasons it’s preferred for all Ultra Graphics – built websites, and we’ve written articles singing it’s praise before.
However, all that popularity comes at a price. With so many millions of websites running an installation of WordPress, it’s easy for hackers, spammers, and other evil-doers to target it as the lowest-hanging fruit for exploits, black-hat SEO tactics, and just plain malicious fun. Not all is lost though, because on the side of good we have an equally talented group of developers from the WordPress team, as well as thousands upon thousands of contributors to fight back. Here at Ultra Graphics we do our part by following a strict series of best practices to minimize the chance of attack on any of our websites, and by keeping abreast of new updates and challenges to security that allow us to stay nimble and vigilant. This article serves to educate and inform anyone utilizing a WordPress site, and provide some tips and tricks to help you increase website security for any site, not just WordPress.
Most Common Motivations for Intrusion:
Most of the time when someone thinks of a hacker, they conjure images of a goth-attire-wearing basement-dweller that targets large corporations, stealing their credit card data to make millions of dollars. Most WordPress hackers and spammers simply don’t work that way, and most of the time their motivations are not as grandeur. They also don’t typically target a specific website, but rather create a self-executing bit of code that crawls the internet searching for weaknesses in thousands of sites at a time. When a WordPress site is compromised, it’s usually the result of security holes created by one of a few easily-fixable mistakes. Hackers/Spammers/Bots typically “worm” (pun intended) their way into websites for one of a handful of reasons:
Gain Personal / Financial Information. Trying to get a hold of a credit card number, address, social security number, or some other form of information to directly access money, or use the data gained to social engineer an individual.
Utilize Black-Hat SEO. The practice of hiding illicit pages, menu items, links, and other content from the visible part of the website in an attempt to gain SEO ranking for illegal products and services – such as knockoff handbags, jewelry, cracked software, etc… This is one of the most common intrusions I’ve seen, and the ultimate goal is for the spammer to never be found out – so they can continue to use your site as a vehicle for their naughty SEO.
Use Your Email Server. Once an intruder gains access to your webfiles or CMS admin, they can upload documents of code that trigger, build, and send out emails by the thousands. Most of the time these emails are spam emails with illicit links, and can be used to gain personal or financial information from the recipient. These emails can be “spoofed” to appear as though they are coming from a legitimate source, and can affect not only the unsuspecting individual, but the originating web server’s reputation on the web. A bad reputation for a web server can lead to being blacklisted on SPAM tracking websites, popular email services like Gmail, Hotmail, and Microsoft Outlook, and can affect other websites on the same IP address even if they are in no way involved in the hack.
To Show Off. Many hackers just want attention. I’ve seen some sites compromised, and the only thing discovered in the code was a message or image that replaces the home page saying “you’ve been hacked by [insert immature codename here]”. Other compromised sites simply create malicious redirects to “mature” sites, sometimes only from certain search engines which makes the source harder to determine. Some hackers do it just because they can, and they like putting people and businesses in hot water for fun.
Top Website Vulnerabilities
Some of the following are specific to WordPress-based sites, but many could be applicable to ANY site/server environment – and most are easily preventable / fixable with just a little bit of time and knowledge:
Outdated WordPress Core, Plugins, or Themes. This is a big one. SO many security holes are the result of out of date software. With WordPress being so popular, developers of the core CMS (as well as plugin and theme creators) are actively supporting and updating their code to combat potential risks. If you never run or maintain those updates, however, your site can’t take advantage of the security upgrades.
Weak Passwords. If you have “pass1234”, or your kid’s birthday, or your dog’s name as your password, go change it right now. Weak passwords are increasingly easy to crack by either custom-built software, or simple guessing based on knowledge of you that can be found on public sites such as facebook, twitter, or instagram. In addition to that, many people use the same password on multiple accounts – so if a spammer/hacker/bot gets access to one password, you can bet they’ll try it everywhere else they can.
File/Folder Permissions. This one is a bit more technical, but poor permissions on files and folders on your website’s server can be an intrusion point for hackers. Permissions essentially determine how much or how little a certain entity can access a file or folder on your site. Web server admins are able to “lock down” folders and files to only allow access to certain groups, but if those permissions are wide open (usually by accident), they can be accessed and even changed by anyone on the internet.
SQL Injection. This is a method by which hackers insert malicious database-changing code via a webform or other “user input field” on a website. Most popular webform plugins have techniques in place to “escape” bad characters and combat SQL injection, but if your website has any simple HTML or custom built forms, this can be a potential point of intrusion. This method is particularly relevant to WordPress, because the CMS uses a database to power the majority of content and settings.
If you suddenly receive dozens of spam emails from what was previously a known or legitimate source (including emails coming from your website domain), or if they’re coming from an email you know doesn’t exist, tell your webhost immediately! If you notice odd content on your site, or content that you know hasn’t been changed by you or your web services support, let your sales rep or website contact know right away! The sooner a hack is apparent, the easier it is to stop it, reduce the damage, restore a backup, etc…
So What Can You Do?
It’s not all doom and gloom out there on the net, with potential disaster lurking around every corner. In most cases, the majority of threats can be neutralized by following some simple procedures and keeping security in mind for the entire life of your site, not just when it’s built. Below are some tips and tricks gleaned from research, expert advice, and experience in dealing with compromised sites:
Keep WordPress, plugins, and themes updated regularly. I can’t stress this enough. The update process has been extremely simplified in modern versions of WordPress, and some servers even allow auto-updating for wordpress core versions. Updating themes and plugins can take as little as a few minutes, and can patch literally dozens of security holes. Typically between major versions of WordPress (ie 4.3, 4.4, 4.5) there are an average of 1-4 security updates, it’s best to keep on top of them.
Use Child Themes. The normal way of updating WordPress, themes, and plugins is to completely overwrite the old version with the new version. If you’ve made any changes to the theme’s code or template files, they get overwritten too. Child themes are a way to separate customizations to the code from the “parent”, so that when updates are run your custom code is protected. This usually is done at the time the site is built, but can in some cases be added on later.
Regularly Backup Your Site. This is good practice for any website, but it’s especially important in case your site ever does get compromised. It’s also good to keep backups in case a webserver ever crashes, as long as you save the backups on a different server. WordPress has multiple backup plugins available for download or purchase, and many servers/hosts allow backups as well. Here at Ultra Graphics we prefer UpDraftPlus.
Be Cautious When Downloading Plugins. Like anything on the internet, it makes sense to be comfortable with the plugin you download for your WordPress site. Stick to legitimate sources of plugins, make sure they have a good reputation, and are well supported. When a plugin doesn’t work, is no longer relevant to your site, or stops being supported, it would be wise to remove it completely and look for an alternative.
Install a Security Plugin. There are WordPress plugins out there that do the heavy lifting when it comes to securing a website, and have options that protect you from dozens of potential intrusion sources. Here at Ultra Graphics we use iThemes security, a well-known and well-supported plugin that is installed on every compatible site we build and maintain. The plugin takes care of many things that would otherwise be on this list, such as protecting against brute force attacks, limiting incorrect login attempts, disabling file editing from the admin, and more.
Set and Check File and Folder Permissions and Ownership. For many this will be a task assigned to a developer or server admin. Generally speaking, the only “owners” of files and folders should be legitimate, like the user that accesses the files to make edits, and WordPress to allow display and management of related files. Permissions should be set to allow the LEAST possible access for the owner, group, and general public. For example, the public internet should be able to read most webfiles (pictures, HTML and style code that make up the pages, etc…) but not able to write to them. There are lots of resources out there that explain and suggest best practices for file and folder permissions.
Use Strong Passwords. This should be a no-brainer. Although “strong” is very subjective, the general idea is not to use obvious passwords, and to avoid repeating passwords over multiple sites/accounts. There is a balance that has to be struck between complexity and memorability, and it’s not always easy to do so. There are lots of free and paid password manager applications out there to help, such as LastPass. If you manage a lot of different accounts, you can find some way to keep track of all the passwords (unless you have an amazing memory) such as a notebook, spreadsheet, etc…
Purchase an SSL Security Certificate. This is not required unless you plan to house personal information or run e-commerce through your website, but it is a nice added layer of security between your users and your web server. SSL certificates essentially encrypt and protect data that travels between the two, and protects your site from anyone “listening in” to the data transfer. SSL certs are not, however, good enough for taking and housing credit card information, OR housing any kind of medical or health information that would fall under HIPAA compliance. In order to take and maintain credit information you need a PCI compliant server, and for medical or health info you need a HIPAA compliant server, both of which require an extremely intense and stringent compliance rules. For PCI Compliance, in many cases it’s best to allow servers that already have the rules in place process your credit card transactions, such as PayPal, Stripe, Square, and others. Bonus, SSL certificates give you a slight boost in search rankings, because Google is pushing to make the internet more secure for its users.
Add Your Site to Google Search Tools and Bing Webmaster. Both major search engines offer a way for you to create an account and add your website to the search engines’ index. In addition to dozens of other features related to SEO and crawlability, both search engines can alert you if they detect malware or other known intrusions on your website, allowing you to catch and resolve the issues as soon as possible.
Keeping On Top of It:
The purpose of this article wasn’t to scare, confuse, or lead anyone into the welcoming arms of Ultra Graphics web services and managed hosting, but will hopefully serve as a guide and resource for business owners, website designers and developers, and anyone else who has security concerns over their website. If you take anything away from this, I hope it’s that websites are not a set-it-and-forget it kind of product. The web is evolving, security is evolving, and (unfortunately) hacker techniques and technology are evolving.
Many statistics say that the average life of a business website is 5-7 years – meaning that after 7 years it either needs a complete rebuild, reworked structure, new design, etc… I believe that with WordPress, that 7 years can be stretched so much further, not because those content, security, and functionality updates aren’t happening, but because they happen in smaller, more manageable chunks. If a website is built using tried-and-true plugins, child themes, regular backups and updates, and proper permissions and passwords, there’s little reason it can’t exist for as long as WordPress does.