WordPress is by far the best multi-function publishing system out there.
About 30% of the Internet uses WordPress to build their website :) and it’s even taking on e-commerce, with WooCommerce backing 7% of online stores (vs. 18% for Shopify, a specialty e-commerce SaaS).
Such success, unfortunately, brought hackers to the party too.
They want a piece of it.
According to Sucuri’s Hacked Website Report 2018, WordPress is by far the most hacked platform of the year (2018), with 90%.
Other facts highlighted by the same report:
- An outdated WordPress version triggered 36.7% of infections.
- Compromised and outdated plugins are responsible for 10k+ hacks in 2018.
- Lack of security knowledge and overall site maintenance are common factors too0
- Backdoors, Malware deployment, and SEO Spams campaigns are the most used hacking tactics and techniques.
Things don’t look bright from WordPress’ security side in the upcoming years.
WordPress is advertised as the perfect DIY publishing system.
It has the best themes and plugins for a budget price which is the primary attractive side for most users.
But to make good use of the platform, a good understanding of how WordPress works is vital.
That understanding comes from the repetitive use of the platform.
WordPress advocates miss mentioning that you need a more than average technical understanding to get by the most common use case scenarios.
And that needs learning programming languages.
We are talking about at least:
- HTML and CSS, if you want to better control the design.
- and PHP and MySQL if you want to fix bugs quickly and if the site breaks down – and that happens more than often.
Gets tougher when dealing with WordPress updates and security. You are no longer swimming the publishing tool waters…
It needs a specific skill set.
Updates and upgrades are not as easy as you think
Updating a theme or a plugin sound like a piece of cake. One click and you’re all set, right?
If you can afford the risks of diving in unprepared… be my guest :) Click the update button and wait for your fate ;)
To be clearer, it is absolutely not the way WordPress updates should be handled.
If you are doing that, you need to stop and reconsider :)
As with any program, an update can crash for multiple reasons.
- It could be a bug in the theme or the plugin.
- Or an incompatibility with your server stack (PHP version, web server used).
- Or a conflict with another plugin or function you have on your website.
You really need to be positive you’re prepared to proceed with updates on your own…
Check the following questions to assess if you are DIY-updates-ready:
- Do you back up your website before doing updates and upgrades?
- Do you check first if an update has any particular incompatibility before proceeding?
- Do you have a fallback plan to quickly push a working version of your website if things break?
- Would you be able to find out why things went wrong and fix it?
- Can you keep up with the themes and plugin updates schedule?
- Would you be able to find and apply critical security patches when released, even if you didn’t get an email from the theme or plugin author?
As you can see, keeping WordPress up to date is not a one-click task ;)
It requires way more time, attention, information access, and knowledge than you can imagine.
WordPress security is not a plugin :)
Most WordPress users assume that using a plugin like Wordfence means their website is fully secure.
It’s unfortunately not the case.
WordPress is secured like any Internet-facing system. It will require securing different aspects of it.
Wordfence, for example, is just a tool that we use to secure and monitor some aspects of WordPress security.
The free version has a soft firewall that helps cut easy attacks and perform security scans occasionally.
It doesn’t fully protect the application and does nothing to protect the network or the server.
It’s more of a monitoring system, among others, to help catch some types of hacking attempts.
Here is a couple of questions for you to ask yourself if you can take care of your website’s security on your own:
- Do you know how to audit and strengthen your website’s security?
- Can you keep track of vulnerabilities affecting your website’s ecosystem? including the main theme, plugins, and the web server stack?
- Will you react fast enough to patch or secure a 0-day exploit?
- Can you monitor your website’s activity and check all suspicious activities hitting your website daily?
- Can you know if your website’s security is being tested?
- Can you stop an ongoing attack?
Again, as you can see, WordPress security is way beyond activating one single plugin :)
So… where do you stand?
- Do you have enough knowledge and time to take care of your website’s updates and security?
- Can you spend countless hours doing it right?
- Is your time better spent maintaining your website or growing your business and network?
If your answer is no to any of the above questions, you should hire a professional to handle your website’s security.
If your answer is yes to all of the above questions, you are in an excellent position not to need professional help to security your website.