How alarming is it to receive an email about an unauthorized login attempt to your WordPress account? Do you even have a WordPress login notification setup?
Don’t worry, that’s about to change. Daan Tol (owner of WPLift) got in touch with me, and we had a long conversation about WordPress security. Both of us knew that WordPress security is one of the biggest concerns for WPLift visitors. That’s why I have decided to start writing a series about WordPress security. In this series, I will talk about everything you need to know, and more, about securing your WordPress website.
How am I qualified to talk about this subject? Well, I have been developing with WordPress for over a decade now. I love to write, talk, build, and share everything about WordPress. Moreover, I have been contributing code to the WordPress core since WordPress 4.2. I have also dealt with a lot of hacked WordPress websites back when I took on clients for backend/frontend optimization, which taught me a great deal about this topic. So, let’s just say you are in safe hands. Let’s get started.
In today’s digital landscape, web security is a necessary evil. The evolution of technology has posed significant challenges in auditing website security. Keeping information secure is a big task in itself.
Hackers are continuously looking for security vulnerabilities and miss no chance to plunder your data. Did you read about how outdated and vulnerable WordPress and Drupal versions may have contributed to the Panama Papers breach? For these reasons and more, a consolidated web security plan has become a vital ingredient of setting up your online presence.
Why Don’t People Lock Up Their Websites?
That someone who clearly knows the worth of securing a website still doesn’t do it is incomprehensible to me. The only reason I can understand is a sheer lack of awareness. Or perhaps the information that resides online is not considered precious enough to protect (that’s hardly ever the case). Another bad approach is to think that hackers won’t attack because you own a small online business that no one really cares about. Well, I have news for you: as much as you would like the hackers’ attention to be focused on the big shots, hacking is no longer a manual process. Hackers have built automated systems that keep an eye out for vulnerabilities in a number of scripts; whenever they get hold of a vulnerability or two, they start searching for sites running outdated versions of that script that were never updated to patch those security holes. Once they find any number of such websites, they exploit all of them.
More often than not, I tell clients: WordPress is easy to use, but it’s not easy to manage. No self-hosted script is easy to manage. Why? Because you have complete control over it. And if you don’t keep yourself up to date about WordPress security, there’s a chance you might get hacked. You might be thinking, what’s the solution to all this? Well, keep reading and you’ll know.
Why Is Website Security So Important?
A security breach can be very dangerous because your website is your brand and the first point of contact you have with your customers. You would certainly not want to compromise your business relationships. If your site isn’t secure, your customer information is at stake, and your business can be at stake as well. Details like names, email addresses, credit card numbers, and passwords may leak, or in the worst case your site may even crash. What if you wake up tomorrow only to find out that a hacker got access to your server and deleted everything on it? What’s your plan then?
Likewise, a single security breach may pose a grave risk to other related businesses and sites as well. For example, a photography website infected with a particular piece of malware may spread the same malware to other websites served from the same shared host.
Earlier this year, WordPress crossed 25% global web market share, and that share is continuously increasing. But an interesting fact to ponder is how such a huge user base keeps itself immune from security threats. It isn’t the case that WordPress is safe from being targeted by hackers. If anything, the more popular a CMS is, the more it is at risk. Careful there: this doesn’t mean that a popular script is at fault. All it means is that you have to take care of web security and patch any vulnerabilities; the sooner, the better.
The Panama Papers leak is the most viral breach to occur recently, possibly caused by an outdated WordPress plugin. According to Forbes and Sucuri, nearly 30,000 websites are hacked every day. Luckily, not all of these are WordPress websites. However, sites that are not updated and keep running versions with known security issues become an easy target for hackers.
WordPress is an open source script. It is managed by the WordPress Foundation and developed by the good folks of the WordPress community. In most cases, when a web security company discovers a security issue in WordPress, they get in touch with the lead developers, WordPress gets patched, and millions of WordPress websites are auto-updated (this depends on your WP setup and hosting company). Only after all these measures have been taken does the security company make a responsible disclosure.
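The “depends on your WP setup” part of that sentence comes down to a few settings. The snippet below is an added illustration, not code from the original post: the constants and filters are WordPress’s own, but the policy it chooses (apply minor core releases automatically and opt plugins and themes in as well) is my assumption; a site owner may prefer a different policy, and the weak setting is shown commented out for contrast.

```php
<?php
// Added example: controlling WordPress auto-updates. The constants and
// filters are real WordPress settings; the policy chosen is an assumption.

// --- In wp-config.php ---

// Weak: the automatic updater is switched off entirely, so a vulnerability
// that WordPress has already patched stays open on this site until someone
// logs in and updates by hand.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Preferred: let WordPress apply minor (maintenance and security) core
// releases itself. 'minor' is WordPress's default; true would also apply
// major core releases automatically, false disables core auto-updates.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- In a must-use plugin, e.g. wp-content/mu-plugins/auto-updates.php ---
// (the file path is an assumption; any mu-plugin file name works)

// Plugins and themes are not auto-updated by default. Opting them in means a
// patched plugin flaw is closed on this site as soon as the fix is released,
// which matters because outdated plugins are the common way in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Whichever policy you pick, keep the backup strategy discussed later in this series in place first: an automatic update that breaks a site is far easier to recover from when yesterday’s backup exists.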
According to Wikipedia:
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period for repairing the vulnerability and preventing any future damage.
I only tell you about this to make it as clear as it can be — WordPress is secure. But this discussion doesn’t end here. I will talk about this more in this series.
The WordPress Codex also provides some effective tips in this respect. But a primary reason WordPress stays so safe is that the CMS and its products are updated regularly, removing all sorts of vulnerabilities. A recent survey revealed certain alarming facts which need attention:
Around 76% of WordPress users don’t have an up-to-date backup of their WordPress website. And if their website went down, 67% of those same respondents would give hundreds of US dollars to get it back online.
These eye-opening facts have forced WordPress security experts to emphasize investing in WordPress security for anyone who wants to keep their website secure, which in turn means a smoothly running online business. Unfortunately, the majority of WordPress users are not tech savvy, and security is not their cup of tea. But that is not a good enough reason to give up on your website’s security.
If users try to address this problem, they get overwhelmed with too many available security solutions and services and end up being utterly confused. Most of the time, I find users asking the following questions:
- Which security plugin should I use?
- Is using one security plugin enough?
- What kind of web host is right for my website?
- Should I use SSL or not? Is it safe to use a free SSL certificate?
- Should I subscribe to an online security scanner?
- When should I hire a WordPress Superadmin to perform the security audit and to maintain my online presence?
These are the questions which I plan to answer in this series.
The Final Plan
Yes, that’s the plan. In this WordPress security series, I will make things easier for you to understand. I will share all the information you need to decide on the WordPress security solution that suits you best. I intend to do so by writing about almost every aspect of WordPress security. I’ll cover topics like admin and password security, scanning and keeping backups, security keys, hacking, several security solutions, and what to do when your website is hacked.
Every single post will be a full-blown security guide in itself and will also be referenced in other articles of the series. It’d be like a WordPress beginner jumping from one step to the next to learn WordPress security 101. So, hold on tight and prepare yourself to be a part of this amazing WordPress security ride.
Towards the end of the series, you will have a firm command of the best practices that must be considered while you make a solid plan to secure your WordPress website.
That’s all you needed to know about what we are going to learn in this series and why it is so important. Currently, there are more than 15 articles planned in this series. That’s not all: if I miss something, you’ll be able to request it, and I will make sure to cover it in the next article.
If you are a WordPress user, a novice developer, or just a WordPress freelancer who is concerned about the security of WordPress websites, then you are in the right place. I’m sure this series will be of great help, and you’ll gain evergreen knowledge about how to keep your websites secure.
What are your expectations from this series? What kind of articles do you want to read? Share your feedback in the comment box below.
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter at @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.