You invest a lot in your website…don’t lose it!
WordPress Security and Implications for Websites
Whether you do the work yourself or contract it out, you’ve made an investment of time and money. First you secured a domain. Next came a cascade of decisions: picking WordPress as your content management system (CMS), picking a theme, arranging hosting, and finally pressing your site and going live.
During the process, did you consider site security? If you didn’t, you are probably reading this page because your site has been hacked and you are looking for answers. If you’re lucky, you’re reading this before a hack and can use this information to help you lock your site down.
WPbutler365 is the solution! Let us handle all your WordPress security needs.
Avenues of Vulnerability
Hackers are highly resourceful miscreants. They know many different ways to access your site’s files. It’s important to understand all the different avenues of vulnerability in order to secure WordPress.
Just like safeguarding your house, it doesn’t do any good to lock the front door if the bedroom window is open. The main avenues of vulnerability are the administrator and their computer, the server, the CMS code, and 3rd party services.
The administrator and their computer are usually the easiest place for hackers to gain access. It can be as simple as foolishly logging in on an unsecured network. You should be able to count on the network at your home or office to be secure, because you made sure it was secure when it was initially set up. What you can’t count on is the security of public wireless networks. No one should sign on to your accounts from an unsecured wireless network.
The administrator’s computer should be secure as well. Hackers can infiltrate and install keystroke tracking programs to grab passwords, user names, and any other valuable information accessible by your administrator.
Speaking of passwords, you wouldn’t believe how often people forget to change system default login names. If a hacker has the user name, all they need to do is figure out the password. Hackers know people forget to change default user names and count on it to get half of the information they need to access your site. Never use Admin as a username. Never. Ever. That’s WordPress security 101.
And when it comes to access, only the administrator needs administrator privileges. The more people that have administrator privileges the more vulnerability you have. Access should be tightly controlled. Individuals should never have more access than they need to complete their assigned duties. If you want to secure WordPress, you must secure access.
No matter how secure you keep the administrator’s computer, it doesn’t do any good if the server is not secure. To provide an extra layer of WordPress security, the server should be isolated from other business activities. That’s usually not a problem for small businesses.
Most small businesses pay for “hosting” services. Since the server is an avenue of vulnerability, you want to choose a hosting company wisely.
The server should not allow open redirects. There might be a valid reason for a validated redirect. For example, you might have taken the information from an old page and moved to a new location. Or the pages on your site might have a new structure for SEO purposes. In those instances, a call to the old page should serve up the new page.
However, the server should never allow redirects away from your domain, and it certainly should prohibit any redirect that is not validated. Not sure whether this is true for your server? Just ask!
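The difference between an open redirect and a validated one, as an added example (not the article’s or WPbutler365’s code). It assumes a WordPress plugin context and a hypothetical ?return= parameter used after login or checkout to send the visitor back where they came from:

```php
<?php
// Added example, not the article's or WPbutler365's code. Assumes a WordPress
// plugin context and a hypothetical ?return= parameter used after login or
// checkout to send the visitor back where they came from.
// Weak: whatever ?return= holds becomes the Location header, so the site can
// bounce visitors to any domain. This is the open redirect the article warns about.
function weak_return_redirect() {
    if ( isset( $_GET['return'] ) ) {
        wp_redirect( $_GET['return'] );
        exit;
    }
}

// Validated: accept only a relative path on this site, or an absolute http(s)
// URL whose host is on an explicit allowlist.
function is_allowed_redirect( $target, array $allowed_hosts ) {
    $target = trim( (string) $target );
    // "//evil.example" and backslash variants have no scheme but browsers still
    // treat them as a new host; reject them before parsing.
    if ( preg_match( '#^[\\\\/]{2}#', $target ) ) {
        return false;
    }
    $parts = parse_url( $target );
    if ( $parts === false ) {
        return false;
    }
    if ( empty( $parts['host'] ) ) { // relative path such as /checkout/thanks
        return empty( $parts['scheme'] ) && isset( $parts['path'] )
            && substr( $parts['path'], 0, 1 ) === '/';
    }
    $scheme = strtolower( isset( $parts['scheme'] ) ? $parts['scheme'] : '' );
    if ( $scheme !== 'http' && $scheme !== 'https' ) {
        return false;
    }
    return in_array( strtolower( $parts['host'] ), $allowed_hosts, true );
}
function safe_return_redirect() {
    if ( ! isset( $_GET['return'] ) ) {
        return;
    }
    $allowed = array( strtolower( parse_url( home_url(), PHP_URL_HOST ) ) );
    $target  = wp_unslash( $_GET['return'] );
    if ( ! is_allowed_redirect( $target, $allowed ) ) {
        $target = home_url( '/' ); // unknown destination: go to the home page
    }
    wp_safe_redirect( $target ); // second layer: WordPress's own host allowlist
    exit;
}
add_action( 'template_redirect', 'safe_return_redirect' );
```

Hosts other than your own can be added to wp_safe_redirect’s allowlist through the allowed_redirect_hosts filter when a third party really must be a destination.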
In addition to the basics such as stopping open redirects before they can start, the server operating system (OS) must be kept up to date. If it isn’t, your site and every other site on the server are vulnerable. Once hackers identify a vulnerability in an OS they go on a hunt to find every installation with that vulnerability. That’s how a new site, barely noticed and generating low traffic, can be hacked and killed before it ever has a chance to gain traction. That’s why it’s important to secure WordPress from the very start.
In addition to the latest OS version, the application software residing on the server alongside your data must also be kept at the latest version. That leads us to your CMS code. In the case of WordPress, the web manager needs to ensure that the latest version of WordPress is always installed on the server.
WordPress sites operate off of a core WordPress code. This core is updated about twice a year. These major updates are always named for a jazz musician and introduce new features and functionality. They are not generally loaded with security updates. However, all year long, WordPress releases security updates in response to identified vulnerabilities. What this means is that by the time WordPress has released an update, the vulnerability has already been identified and hackers already know about it. Every site that isn’t updated remains vulnerable. The core code also contains features that hackers can use to gain access unless you take action to block them.
For example, WordPress is set up for unlimited attempts at entering wrong usernames or passwords. This makes the CMS ripe for brute force attacks. In other words, a hacker can run programs to guess your username or password and the program will run until it figures it out.
If you have weak passwords or usernames or didn’t change the default user names it might not take too much “brute force” for their brute force attack to be successful. They will have all the time they need to figure it out.
Websites with databases have additional vulnerabilities. SQL injection can be used to hack your site. With this technique, the hacker adds malicious commands to input fields. This technique can be used to add spam, malware, or even dump your data to another location specified by the hacker. Some SQL vulnerabilities only require the hacker to have an account on the victim’s site. Not an admin-type account, but a simple user account as frequently used by e-commerce sites for the convenience of their customers.
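What the injection looks like in WordPress code and how a plugin closes it, as an added example (not the article’s or WPbutler365’s code). It assumes a hypothetical custom table {$wpdb->prefix}orders with columns id, user_id, email and total that lets customers look up their own orders:

```php
<?php
// Added example, not the article's or WPbutler365's code. Assumes a WordPress
// plugin with a hypothetical custom table {$wpdb->prefix}orders (columns id,
// user_id, email, total) that lets customers look up their own orders.

// Weak: the submitted value is spliced straight into the SQL text. A quote
// character in it changes the structure of the query, so a visitor can read
// other customers' rows or worse. This is the injection the article describes.
function weak_orders_for_email( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders';
    return $wpdb->get_results( "SELECT id, total FROM {$table} WHERE email = '{$email}'" );
}

// Hardened, two layers: $wpdb->prepare() passes the value through a placeholder
// so it can only ever be data, and the lookup key comes from the logged-in
// session rather than from user input. This is what the "simple user account"
// remark is about: a customer login must not be able to pick someone else's rows.
function safe_orders_for_current_user() {
    global $wpdb;
    $user_id = get_current_user_id();
    if ( $user_id === 0 ) {
        return array(); // not logged in: nothing to show
    }
    $table = $wpdb->prefix . 'orders'; // fixed name, never user-controlled
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, total FROM {$table} WHERE user_id = %d", $user_id )
    );
}

// When a user-supplied string really is the key (an admin search form, say),
// prepare() still does the escaping; sanitize first to reject junk early and
// restrict the lookup to users who are allowed to see everyone's orders.
function admin_orders_for_email( $email ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }
    $email = sanitize_email( $email );
    if ( $email === '' ) {
        return array();
    }
    $table = $wpdb->prefix . 'orders';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, total FROM {$table} WHERE email = %s", $email )
    );
}
```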
Other WordPress security vulnerabilities lie in the particular theme installed. What makes WordPress so popular is the wide number of themes that allow you to start a site from a pre-designed template. Instead of starting from scratch with a blank screen and slate, you start with a template that contains predetermined formats, layouts, and functions. Since themes are programs, they are vulnerable. Themes need to be kept current.
Plugins are also programs that you use as part of the total WordPress CMS to perform certain tasks. Plugins that handle galleries, comments, and navigation are just a few of the common ones. These plugins are mini programs and they are an avenue of vulnerability.
Themes and plugins can be free or offered for sale. Either way, they require a commitment from the developer or the development team to keep them current and updated. The worst possible scenario is to purchase a theme that relies on the developer’s domain and the developer no longer supports the theme and lets the domain expire. Hackers pick up the expired domain and now have access to spam every site using that theme. This may sound farfetched, but it has happened. Hackers count on you not being able to think as creatively about your security as they do.
Third Party Services
Third party services is a term that refers to everything between you and your customer that isn’t handled directly by one of your employees. WordPress is a third party service.
Your themes, plugins, and your hosting company are third party services. The company that processes your credit cards is a third party service. We’ve already covered those. Here are some other services to consider.
The credit card companies require you to be PCI DSS compliant. Take this seriously if your site processes or stores credit card information. If your site is hacked and customer credit card information is hijacked your company is responsible. What seems like a hassle to a merchant is really another layer of protection.
One common method of increasing site loading speed is to use the services of a content delivery network (CDN). This relatively inexpensive service stores copies of your website on servers around the world and delivers your data to the user based on their geographic location. This is another avenue for hackers to gain access.
High Cost of Lack of Security
In their 2015 yearly report, The Ponemon Institute noted that the cost of cybercrime rose 19%. The average annualized cost of a breach is now $7.7 million. While they define cybercrime as criminal activity conducted via the internet, it does include theft of intellectual property, distribution of viruses, confiscating banking information, and just about any malicious mischief or chaos created by hackers.
The United States is second only to Russia in the amount of one-year net change in cybercrime damage. The trend is not in a positive direction. There’s a definite relationship between organization size and annualized cost. It’s no surprise that smaller companies incur a higher per capita cost per attack.
Secure Your Site
The first thing you must understand is that no thing, nowhere, and nobody can guarantee that your site will be 100% secure from all forms of security attacks at all times in all places. If any company, product, or individual tells you this, they are not being truthful.
Real site security is concerned with reducing the risk to minuscule levels. To paraphrase Donkey talking to Shrek: “Parfaits or onions, they all have layers.”
Effective security is all about layers.
It’s also no surprise that attacks can get costly if they aren’t resolved quickly. By far the greatest cost is the disruption to business. When you’ve been hacked, you aren’t in business, you are in disaster recovery mode. The study showed that companies that employ expert staff and security protocols can moderate the cost of cybercrime by $1.5 million.
Think those numbers sound inflated? Then chew on this. If your site has been hacked or hijacked the first indication you get might be a notification from Google. If Google determines your site is compromised your hard earned rank is gone immediately. Your site disappears from the web because Google has delisted you. Your site will stay delisted until Google has determined that you are allowed back into the searchable web. Gone just like that. Poof!
Now start to figure in the cost to rebuild the site, remove malware or spam content, close the vulnerability, and work to get back in Google’s good graces. If you don’t have the technical skills to do this yourself, or the skills in-house to get it done, you are going to need the services of a team of professionals that specialize in this type of disaster recovery. Those are highly technical skills and they won’t come cheap.
What if customer data was compromised? Your company is legally responsible for keeping customer data secure. If data is compromised, your company is responsible. You must notify your customers of the breach and the steps you are taking to help protect them going forward. That’s all on your dime.
Start with User Names and Access Levels
There should only be one Administrator. For added security, use two factor authentication for Administrator. This requires the site Administrator to use a secondary, time-sensitive code from a second device to login.
Don’t use the Admin user name on posts. Each post author should have a user name and only have the access they need to get their job done. If you don’t think this is important, try this:
Type this in your browser:
where “yourdomain.com” is the URL for your domain. If you haven’t used the “Admin” user name, the home page for your website will appear. If you have used “Admin” you will get an archive of posts by the author “Admin”. That might not sound like important information, but remember that if a hacker does this, it automatically tells them one-half of the information they need to log in. Now they have the user name; they just need the password.
Next Look at Passwords
Don’t ever use the same password for more than one application. Make sure your passwords are strong. They should be a combination of numbers, letters, and special characters.
Want to see how secure your password is? Go to http://howsecureismypassword.net and type in your password. I discovered it would take a computer program 34 million years to guess my password. How secure is yours?
Remember weak passwords are vulnerable to brute force attacks.
Utilize CAPTCHA and reCAPTCHA to thwart bots.
Limit sign-in attempts for username and password to 3 or 5 tries before locking out further attempts.
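One way to put an attempt limit in front of the unlimited-guess behaviour described in the brute force paragraph above, as an added example (not the article’s or WPbutler365’s code). The 5-attempt and 15-minute values are assumptions, and it relies only on WordPress’s own transient API and login hooks:

```php
<?php
// Added example, not the article's or WPbutler365's code: a minimal login
// lockout for wp-login.php built on WordPress transients. The thresholds are
// assumptions; install it as a small plugin or mu-plugin.

const WPB_MAX_ATTEMPTS = 5;       // failures allowed before lockout
const WPB_LOCKOUT_SECS = 15 * 60; // how long the lockout lasts

// Key the counter on username + client address. Behind a CDN or reverse proxy
// REMOTE_ADDR is the proxy's address, so every visitor would share one counter;
// in that case derive the client IP from the header your provider documents.
function wpb_attempt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'wpb_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count each failed login; the transient expires on its own, which is what
// ends the lockout. Log the event so it shows up in monitoring.
function wpb_record_failure( $username ) {
    $key   = wpb_attempt_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, WPB_LOCKOUT_SECS );
    if ( $count >= WPB_MAX_ATTEMPTS ) {
        error_log( 'wpb lockout: user=' . $username . ' failures=' . $count );
    }
}
add_action( 'wp_login_failed', 'wpb_record_failure' );

// Replace whatever the core checks returned with an error once locked out.
// Priority 40 runs after WordPress's own password handlers (priority 20), so
// a correct guess cannot slip through while the counter is over the limit.
function wpb_enforce_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // cookie-based requests carry no username; leave them alone
    }
    if ( (int) get_transient( wpb_attempt_key( $username ) ) >= WPB_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'wpb_enforce_lockout', 40, 3 );

// A successful login clears the counter for that username/address pair.
function wpb_clear_failures( $user_login ) {
    delete_transient( wpb_attempt_key( $user_login ) );
}
add_action( 'wp_login', 'wpb_clear_failures' );
```

Attempts made during a lockout are themselves failures, so they renew the 15-minute window; if that is too strict for your users, skip the counter update while a lockout is active.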
Secure the Server
Isolate the server. Keep the website and all other business applications on different computers. Make sure you use the services of a trusted company like WPvaletwebhosting.com for your web hosting. That’s a hosting service that only hosts WordPress sites, so you know the core code is secure.
Ask if the OS is updated with every release, if the server allows open redirects, and if they are responsible for updating the CMS.
Secure the Site
Make sure every major and minor update to WordPress (or whatever CMS you use) is installed immediately upon release.
Make sure every update to the theme and every plugin is installed immediately.
Scan site regularly for malware and malicious code.
Ban bad users and users that generate excessive 404 requests.
Block specific IP addresses from your site or block by geographic region.
Ensure that all third party services (such as CDN and card processing) are secure.
Get WPbutler365 and Get Security
If your head isn’t swimming with all the implications of website security and securing your WordPress site then you probably need to read this over again because you still don’t get it.
If you get it, you realize you need a professional WordPress management company to handle your security. You need WPbutler365.
WPbutler365 is the Jeeves of WordPress. We will manage your backups, updates, and site security for one low monthly fee.
For less than the cost of pizza for the whole office you get:
Real-time updates to WordPress
Immediate updates to your WordPress theme and plugins
Admin and Login masking
Regular scans for malware
Brute force protection
WordPress file comparisons to identify malicious code
But that’s really just the start. In addition, you will get regular reporting. If someone exceeds login attempts, we’ll let you know. If anyone changes your files (even if it’s you!) we’ll email you and let you know. We can harden your site with changes to WordPress salts and we will regularly backup all of your WordPress files. If the worst happens, we will be there to help you recover.
With the cost of lax security so high and the cost of WPbutler365 so low you’d be crazy not to sign up today.