Why you need a pro to manage your WordPress updates and security? - Adame Dahmani

Why you need a pro to manage your WordPress updates and security?

WordPress is by far the best multi-function publishing system out there. About 30% of the Internet uses WordPress to build their website :) and it’s even taking on e-commerce, with WooCommerce backing 7% of online stores (vs. 18% for Shopify, a specialty e-commerce SaaS). Such success unfortunately brought hackers to the party too. They want a piece of it. According to Sucuri’s Hacked Website Report 2018, WordPress is by far the most hacked platform of the year (2018) with 90%. Other facts highlighted by the same report:
  • Outdated WordPress versions triggered 36.7% of infections
  • Compromised and outdated plugins were responsible for 10k+ hacks in 2018
  • Lack of security knowledge and overall site maintenance are common factors too
  • Backdoors, malware deployment, and SEO spam campaigns are the most used hacking tactics and techniques
Things don’t look bright on the WordPress security side for the upcoming years.

WordPress is advertised as the perfect DIY publishing system. It has the best themes and plugins for a budget price, which is the main attraction for most users. But to make good use of the platform, a good understanding of how WordPress works is vital. That understanding comes from repeated use of the platform. What WordPress advocates fail to mention is that you need a more-than-average technical understanding to really get by in the most common use case scenarios. And that means learning programming languages. We are talking about at least:
  • HTML and CSS, if you want to better control the design
  • and PHP and MySQL, if you want to quickly fix bugs and if the site breaks down – and that happens more often than not
It gets tougher when dealing with WordPress updates and security. You are no longer swimming in publishing-tool waters… It needs a specific skill set.

Updates and upgrades are not as easy as you think

Updating a theme or a plugin sounds like a piece of cake. One click, and you’re all set, right? If you can afford the risks of diving in unprepared… be my guest :) Click the update button and wait for your fate ;) To be clearer, that is absolutely not the way WordPress updates should be handled. If you are doing that, you need to stop and reconsider :) As with any program, an update can crash for multiple reasons.
  • It could be a bug on the theme or the plugin.
  • Or an incompatibility with your server stack (PHP version, web server used).
  • Or a conflict with another plugin or function you have on your website.
You really need to be positive you’re prepared to proceed with updates on your own… Check the following questions to assess if you are DIY-updates-ready:
  • Do you back up your website before doing updates and upgrades?
  • Do you check first if an update has any particular incompatibility before proceeding?
  • Do you have a fallback plan to quickly push a working version of your website if things break?
  • Would you be able to find why things went wrong and fix it?
  • Can you keep up with the themes and plugins updates schedule?
  • Would you be able to find and apply critical security patches when released even if you didn’t get an email from the theme or plugin author?
As you can see, keeping WordPress up to date is definitely not a one click task ;) It requires way more time, attention, information access, and knowledge than you can imagine.
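
To make the "check for incompatibility before proceeding" question concrete, here is a pre-update check that reads the standard plugin header fields (`Requires PHP`, `Requires at least`) of the release you are about to install and compares them with your server. It is an added example, not code from the original post; the header text, the site versions and the function names are constructed for illustration.

```python
import re

# Constructed sample: header comment of the NEW plugin release you plan to install.
NEW_RELEASE_HEADER = """\
/*
 * Plugin Name: Example Gallery
 * Version: 3.2.0
 * Requires at least: 6.2
 * Requires PHP: 8.0
 */
"""

HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version|Requires at least|Requires PHP):\s*(.+?)\s*$",
    re.M,
)

def parse_headers(text):
    """Return the header fields WordPress reads from a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(text)}

def vtuple(version):
    """'8.0' -> (8, 0, 0); suffixes such as '-beta1' are ignored."""
    nums = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def preflight(header_text, site_php, site_wp, have_backup):
    """List the reasons NOT to click 'update' yet; an empty list means go ahead."""
    headers = parse_headers(header_text)
    blockers = []
    if not have_backup:
        blockers.append("no fresh backup to roll back to")
    need_php = headers.get("Requires PHP")
    if need_php and vtuple(site_php) < vtuple(need_php):
        blockers.append(f"server PHP {site_php} < required {need_php}")
    need_wp = headers.get("Requires at least")
    if need_wp and vtuple(site_wp) < vtuple(need_wp):
        blockers.append(f"WordPress {site_wp} < required {need_wp}")
    return blockers
```

A clean result only covers declared requirements; conflicts with other plugins still need a test on a staging copy.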

WordPress security is not a plugin :)

Most WordPress users assume that using a plugin like Wordfence means that their website is fully secure. It’s unfortunately not the case. WordPress is secured like any Internet-facing system. You need to secure the application (WordPress), its server, and the network. Wordfence, for example, is just a tool that we use to secure and monitor some aspects of WordPress. The free version has a soft firewall that helps cut easy attacks, and performs scans occasionally. It doesn’t fully protect the application, and does absolutely nothing to protect the network or the server. It’s more of a monitoring system, among others, to help catch some types of hacking attempts. Here are a couple of questions for you to assess whether you can take care of your website’s security on your own:
  • Do you know how to audit and strengthen your website’s security?
  • Can you keep track of vulnerabilities affecting your website’s ecosystem, including the main theme, plugins, and web server stack?
  • Will you react fast enough to patch or secure a 0-day exploit?
  • Can you monitor your website’s activity and check all suspicious activities hitting your website on a daily basis?
  • Can you know if your website’s security is being tested?
  • Can you stop an ongoing attack?
Again, as you can see, WordPress security is way beyond activating one single plugin :)
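
To show what "knowing if your website’s security is being tested" looks like in practice, here is a small detector that reads web server access logs and flags two common signs: repeated login POSTs that did not succeed, and requests for plugins that are not installed. It is an added example, not code from the original post; the log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in "combined" access-log format; IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2019:09:58:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2019:09:58:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests"
203.0.113.7 - - [12/Mar/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests"
203.0.113.7 - - [12/Mar/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests"
198.51.100.23 - - [12/Mar/2019:10:05:10 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 0 "-" "curl"
198.51.100.23 - - [12/Mar/2019:10:05:11 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 0 "-" "curl"
198.51.100.23 - - [12/Mar/2019:10:05:12 +0000] "GET /wp-content/plugins/plugin-c/readme.txt?x=1 HTTP/1.1" 404 0 "-" "curl"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def detect(log_text, login_threshold=3, probe_threshold=3):
    """Return {ip: [findings]} for clients that look like they are testing the site."""
    guesses = Counter()
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        # wp-login.php answers 200 when the password is wrong, 302 on success.
        if method == "POST" and path == "/wp-login.php" and status == "200":
            guesses[ip] += 1
        # Assumption: every XML-RPC POST is counted as a possible login attempt.
        elif method == "POST" and path == "/xmlrpc.php":
            guesses[ip] += 1
        # A 404 under /wp-content/plugins/ means the plugin is not installed.
        elif status == "404" and path.startswith("/wp-content/plugins/"):
            probed[ip].add(path.split("/")[3])
    findings = defaultdict(list)
    for ip, n in guesses.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} password-guessing POSTs")
    for ip, plugins in probed.items():
        if len(plugins) >= probe_threshold:
            findings[ip].append(f"probed {len(plugins)} plugins that are not installed")
    return dict(findings)
```

The normal visitor at 192.0.2.10, who logs in successfully once, is not flagged; tune the thresholds to your own traffic before alerting on them.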

So… where do you stand?

  • Do you have enough knowledge and time to take care of your website’s updates and security?
  • Can you spend countless hours to do it right?
  • Is your time better spent maintaining your website or growing your business and network?