WordPress is by far the best multi-function publishing system out there. About 30% of the Internet uses WordPress to build their website :) and it’s even taking on ecommerce, with WooCommerce backing 7% of online stores (vs. 18% for Shopify, a specialty ecommerce SaaS). Such success unfortunately brought hackers to the party too. They want a piece of it. According to Sucuri’s Hacked Website Report 2018, WordPress is by far the most hacked platform of 2018, at 90%. Other facts highlighted by the same report:
- Outdated WordPress versions triggered 36.7% of infections
- Compromised and outdated plugins were responsible for 10k+ hacks in 2018
- Lack of security knowledge and overall site maintenance are common factors too
- Backdoors, malware deployment and SEO spam campaigns are the most common hacking tactics and techniques
- HTML and CSS, if you want to better control the design
- and PHP and MySQL, if you want to quickly fix bugs when the site breaks down – and that happens more often than you think
Updates and upgrades are not as easy as you think
Updating a theme or a plugin sounds like a piece of cake. One click, and you’re all set, right? If you can afford the risks of diving in unprepared… be my guest :) Click the update button and wait for your fate ;) To be clear, that is absolutely not the way WordPress updates should be handled. If you are doing that, you need to stop and reconsider :) Like any program, an update can go wrong for multiple reasons:
- It could be a bug on the theme or the plugin.
- Or an incompatibility with your server stack (PHP version, web server used).
- Or a conflict with another plugin or function you have on your website.
- Do you backup your website before doing updates and upgrades?
- Do you check first if an update has any particular incompatibility before proceeding?
- Do you have a fallback plan to quickly push a working version of your website if things break?
- Would you be able to find why things went wrong and fix it?
- Can you keep up with the themes and plugins updates schedule?
- Would you be able to find and apply critical security patches when released even if you didn’t get an email from the theme or plugin author?
WordPress security is not a plugin :)
Most WordPress users assume that using a plugin like Wordfence means their website is fully secure. Unfortunately, that is not the case. WordPress is secured like any other Internet-facing system: you need to secure the application (WordPress), its server, and the network. Wordfence, for example, is just one of the tools we use to secure and monitor some aspects of WordPress. The free version has a soft firewall that helps cut off easy attacks, and performs scans occasionally. It doesn’t fully protect the application, and does absolutely nothing to protect the network or the server. It’s more of a monitoring system, among others, that helps catch some types of hacking attempts. Here are a couple of questions to help you assess whether you can take care of your website’s security on your own:
- Do you know how to audit and strengthen your website’s security?
- Can you keep track of vulnerabilities affecting your website’s ecosystem, including the main theme, plugins and web server stack?
- Will you react fast enough to patch or mitigate a 0-day exploit?
- Can you monitor your website’s activity and check all suspicious activities hitting your website on a daily basis?
- Can you know if your website’s security is being tested?
- Can you stop an ongoing attack?
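One way to answer the “is my website’s security being tested?” question above is to triage the web server access log for WordPress-specific probing patterns. This is an added example, not code from the original post: the log lines are constructed, and the thresholds are assumptions to tune to your own site’s normal traffic.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2019:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:10:03:00 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 312 "-" "curl/7.64"
192.0.2.9 - - [10/Mar/2019:10:03:00 +0000] "GET /wp-content/plugins/bar/readme.txt HTTP/1.1" 404 312 "-" "curl/7.64"
192.0.2.9 - - [10/Mar/2019:10:03:01 +0000] "GET /wp-content/themes/qux/style.css HTTP/1.1" 404 312 "-" "curl/7.64"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumed thresholds; adjust them to what is normal for your site.
LOGIN_FAIL_THRESHOLD = 4  # repeated failed logins from one IP
ENUM_404_THRESHOLD = 3    # 404s under wp-content/plugins or themes from one IP

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Return sorted (ip, finding, count) tuples for WordPress probing patterns."""
    failed_logins, enum_404s = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        # A successful wp-login.php POST redirects (302); a 200 means the login
        # form was re-rendered with an error, i.e. the attempt failed.
        if rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == "200":
            failed_logins[rec["ip"]] += 1
        # A burst of 404s under plugin/theme paths looks like someone fingerprinting installed components.
        elif rec["status"] == "404" and ("/wp-content/plugins/" in path or "/wp-content/themes/" in path):
            enum_404s[rec["ip"]] += 1
    findings = [(ip, "login-bruteforce", n) for ip, n in failed_logins.items() if n >= LOGIN_FAIL_THRESHOLD]
    findings += [(ip, "plugin-theme-enumeration", n) for ip, n in enum_404s.items() if n >= ENUM_404_THRESHOLD]
    return sorted(findings)

if __name__ == "__main__":
    for ip, kind, count in triage(SAMPLE_LOG):
        print(f"{ip}: {kind} ({count} hits)")
```

Run it daily against the previous day’s log (or feed it to your monitoring stack) and the findings list is your answer to whether anyone is knocking on the door.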
So… where do you stand?
- Do you have enough knowledge and time to take care of your website’s updates and security?
- Can you spend countless hours to do it right?
- Is your time better spent maintaining your website or growing your business and network?