Following on from last weeks blog about website security (One easy fix to avoid being hacked), this week I’ve been talking to Jan Tegze (read his blog here) about how best to secure a WordPress website. Jan has built hundreds of WordPress sites and goes to some lengths to ensure they are secure. I’ve also built quite a few WordPress sites, although my main work has been building WordPress plugins to support our Intelligence Recruitment Software.
Over one third of websites use WordPress
Before we scare anyone with all the potential dangers, WordPress is absolutely our favourite platform for building websites! Over one third of all the websites in the world use WordPress, and if used correctly, is generally very secure. It’s a very versatile content management system and allows site owners to build and manage websites relatively easily.
Because so many websites are built using WordPress, it is unfortunately a big target for hackers. It is an open-source system, which means that its core software and much of the plugins that are used are open for hackers or anyone else to examine in detail and find vulnerabilities. This openness however is actually a good thing, as it also enables a very large community of developers to examine the software and hopefully fix any vulnerabilities before they are exploited.
Websites are hacked for many reasons
There are many reasons why websites are hacked:
- To steal data contained on the site
- Use the web server to attack other websites
- To attack or hack the people visiting the site
- For sending Spam
- For a ransomware attack
- Or simply to vandalize your site for no purpose at all
There are also lots of different types of attack that hackers may use:
- Brute force attack: Trying thousands of usernames and passwords to guess password to access your site.
- Denial of Services (DoS) attack: Sending thousands of requests to your server at once to overload and break the site.
- SQL injection: Sending requests to your server designed to hack your websites data or its software.
- And many more…
For each of these different types of attacks, different tools and website security strategies need to be used to protect you and your websites from the constant hacking attempts that all websites are subject to.
WordPress theme and plugin updates
WordPress websites are built by using the WordPress core software. Themes and Plugins are added to create the desired look, feel and functionality. All these pieces of software are regularly upgraded and made available to allow site owners to upgrade their sites with new features.
If security vulnerabilities are found in any software, the developers of that component will release a security upgrade to protect its users. Unfortunately, by releasing a security upgrade to protect against a vulnerability, it also allows hackers to better understand the vulnerabilities of the previous version of the software and so potentially attack any website that has not yet upgraded.
In the majority of cases where a site is hacked, it has been because the website owner has not updated their site. With WordPress, there is an option to run updates automatically as soon as they are available. There are potential problems with this, as updates can cause things to break. However, this is likely to be a less significant issue than the consequence of a serious hack.
In many cases, the website has been built by someone who may be familiar with building an attractive website. But they perhaps may not have much knowledge of website security. Even if it’s a professional website developer who knows about security, they may have only been employed to create the site. It’s then in the hands of the website owner to maintain it.
Website security is not a single solution. Rather, security is built up of many layers of defence. So if one layer is breached, there are further layers to stop the attack, monitor what is happening and raise the alarm.
Jan uses many different tools and approaches to protecting his sites and recommends the following:
- Firewall to protect the whole system: Wordfence
- MalCare for Malware Removal
- For Jan, Cloudflare is the best service ever – he’s a big fan. He uses their DNS on a free plan, although there is a business plan that is not too expensive
- Contact Form Honeypot when adding extra protection to forms
- reCaptcha – for those ‘I am not a robot’ tick boxes
Web hosting can also create problems if not done correctly and Jan uses Cloudways and SiteGround.
The vast majority of hacks are due to software that should have been upgraded.
After this, the next most common hack is when a hacker gets access to a valid password. Again, there are many ways that you can protect your site.
Use unique complex passwords and be careful that these are not recorded in ways that these could be accessed by a potential hacker. Two Factor Authentication (2FA) is a very good way to improve upon this, although Jan warns against using SMS for this as this is now seen as insecure.
What if you get hacked?
Even with the best security, please don’t think that you won’t get hacked. Assume that you will be the subject of a hack, and make a plan for when this happens.
There are firms around that can help with these problems. However, Jan’s recommendation is that if your website is hacked, the best solution may be to replace everything rather than trying to fix the damage that has been done. Of course, this in itself may not fix all the issues, especially if data has been stolen or deleted, as there may be no way of getting it back. If data is accessed, then many people may have to be informed and they may have to take urgent action to protect themselves.
Adopting a damage-limitation approach to data may mean that you don’t keep data that you don’t need and that the data you keep is encrypted where possible.
This blog is part of my series on Data Privacy. While the dangers of getting hacked should be a big motivator to encouraging you to embrace the concepts behind Data Privacy, it is perhaps not the main reason.
Next week’s blog will be looking at some of the opportunities that a data privacy approach can bring to you and your organization. If you would like me to send you notifications of my blogs, please subscribe to this website and my YouTube Channel.