Is your site secure? With the latest WordPress security venerability I have had a number of people ask me if WordPress is a safe platform to build a site upon. In short, the answer is ‘Yes’. There are a few reasons why it seems there are always WordPress sites being hacked. This is mainly due to WordPress powering nearly 75 million sites on the internet and not all of these are employing proper security techniques. I will be covering how to lock down your site later in the article but first a run down of what the latest security scare was and what it means for WordPress site owners.
Posted by the very popular security website, Sucuri, their explanation of the venerability is outlined below:
‘Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.’
‘The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when it does not. This simple detail, caused many of the most popular plugins to be vulnerable to XSS.’
To correct the issue a lot of theme and plugin developers were required to update their products that misused these functions. Some of the most downloaded plugins were affected including Yoast SEO, JetPack, Gravity Forms and many more. Most plugins were fixed some weeks ago, so no need to panic if your site is running these particular plugins as along as you have performed the required updates.
To make sure your site does not fall victim to this venerability it is most important that all themes, plugins and your WordPress core are up to date. Before making these updates please make sure you take a full backup of your site in the rare case that something breaks. This part I can not stress enough.
Site security should always be in the back of the minds of site owners. A lot of people think their site will never get attacked but even a low traffic site will get hit daily by bots trying to force their way into your WordPress admin panel. This information is not designed to scare you but simply make you aware of the type of threats that are out there.
So how do we make sure we are protected?
The good news is there are a few things you can do to make sure your site is protected as much as possible. I say as much as possible because a website can never be 100% safe. So lets break down what can be done.
1. Choose a good hosting provider
The term ‘You get what you pay for’ couldn’t be more true when it comes to hosting. Did you know that 41% of successful WordPress hacks were due to hosting. That is a surprising number so it pays to do your homework and research before deciding on a provider. I’m not saying you need to buy the most expensive hosting package out there, but be careful and don’t think you are getting a great deal at $3 a month.
2. Security plugins
There are some great plugins both free and paid that add a ton of cool security features to your site. My personal favourite is Wordfence as it is very powerful, light weight and can potentially reduce page load times with it’s built in caching system. There are two versions available, free and premium, but the free version will do most things people need. The best feature of Wordfence is the ability to scan your WordPress core, plugins and theme files for suspicious looking code that shouldn’t be there. Other security plugins worth mentioning are iThemes security and All in One WP Security and Firewall.
3. Backup and restore plugins
In the past I have had people contact me about their recently hacked site asking me to restore it to it’s former glory. The truth is without a backup this is nearly impossible to do without re-building it. Often when hackers get into a site they will take what ever information they can and then sometimes start deleting files and assets off the server. Once files are removed from the server they can not be recovered unless there is a site backup. Most often your hosting provider will take nightly backup of the server however they usually only keep the most recent 7 days. This may sound well and good but what if the piece of malicious code responsible for the hack was laying dormant in your site for a month? All their backups would still contain the culprit causing the issue and you would have the same problems all over again.
A great way to avoid this scenario is to install a backup plugin and keep copies of your site on an external hard drive or you computer. As a rule of thumb I take a nightly backup of the site database and a weekly backup of all site files and assets. If you run a site that adds new content daily or an online store, I would recommend nightly backups for both files and database. Be sure to schedule these backups at a time where your site has low traffic as the backup will put a bit of performance pressure on the server and may affect the viewing experience for your visitors.
I personally use UpdraftPlus Backup and Restoration because not only can you can create schedules for automated backups you can also push the backups to third party storage services like dropbox. There is no point keeping all your backups on the server if you are unable to access the server if it gets hacked.
Updraft also has the ability to restore your site from previous site backups and the best part is it’s completely free with the option to upgrade for other premium features.
4. Secure your files with .htaccess
A .htacess file can be a powerful tool to your hosting environment. It provides a set of rules that tells your server how to handle directory indexing and which files can be access directly or not. These rules prevent attackers from trying to inject or change code in your WordPress core, plugins and theme files. This file can be a little technical and without the right knowledge can break your site all together. I recommend getting a developer to check over your .htaccess file and make sure it is configured properly to your WordPress setup. I provide this as a service for $75 AUD.
Well that’s it for now. If your site is covering using these few techniques you are giving your site the best possible chance against an attack. Remember, it’s not good enough to just prevent an attack but to also be able to recover from one. There is a ton of others security tips that can harden up your WordPress site but that was not the purpose of this article and will be covered another time.
If you want your site to have all these great features but unsure how to do it yourself, feel free to contact us and we can make sure you are protected. We offer great services at even better prices.