As a website platform, WordPress is undoubtedly one of the most popular: of the billions of websites on the internet, it's estimated that around 27% of them run on the WordPress CMS.
But with popularity come a number of challenges, and in the digital world one such challenge is being a target for hackers and other opportunistic cyber-security threats.
So, due to the platform's popularity, WordPress users have become a target, and if you don't keep your site maintained and up to date, you're at risk of someone exploiting an unpatched vulnerability or gaining access to your site and taking it over.
But don't worry, here are five things you can do to make sure you're not the victim of a website hack:
Keep WordPress up to date
In 2017 there have already been two security-related updates to WordPress: 4.7.1 (11th Jan) and the most recent, 4.7.2 (26th Jan). These releases were considered security releases to previous versions and should be applied to your WordPress install. When was the last time you checked that your WordPress software is up to date?
Security updates are typically carried out automatically. However, it's not unknown for some web developers to turn off automatic updates so that they can manage the upgrade in case it causes problems with the website. In these cases you need to either carefully carry out the updates manually yourself or take out a support package with your web developer to do the updates for you.
Because hackers can scan sites and identify unpatched installations, it's possible that if you don't update WordPress when there's a security release, your site could be spotted as still vulnerable and then exploited. What happens next depends on the security issue: it could be taking over your site, accessing site content or data, using your site to attack other sites, selling illegal goods, etc.
Keep your other WordPress files up to date
It's also important that you keep your theme files and plugins updated too. From time to time these extras to the WordPress core have security vulnerabilities of their own, and if they're not patched your site could be exploited via these vulnerabilities. You should also try to avoid using unsupported plugins, because if a security issue is found in an unsupported plugin it may never be patched.
By keeping installed plugins and theme files to a minimum (i.e. only keeping installed the ones you're actually using), you'll have less work to do if security issues are found, as well as less risk.
Use sensible login credentials
It's amazing how bad a lot of system passwords are. If you have a weak password for admin access to your WordPress site then your site is vulnerable to a hacker. And if you have obvious login names (e.g. admin) then it just makes it easier for hackers to guess their way into your site.
It's not difficult to carry out a brute force attack on a site. Brute force attacks are when a computer script is used to repeatedly guess login names and passwords - if you have an obvious login name and a weak password it wouldn't take much to brute force guess your login credentials!
Tip: if your system auto-suggests complex passwords to use, sometimes it's best to go with them rather than use something that you think is only obvious to you.
Use WordPress security software
There are a number of well-established security plugins for WordPress that can help protect your WordPress site from outside threats by providing:
- firewalls to protect from persistent login attempts and vulnerabilities
- two-factor authentication for login (i.e. a two-step login process using, usually, your mobile phone as part of the login, so even if your login and password are guessed, only someone with your mobile phone would be able to log in to the site)
- scans to monitor your site for malware and spot files which shouldn't be in your WordPress directory (often, if a site is compromised, the hacker will install malicious files within your WordPress install)
- regular email updates so you're aware of any immediate issues and any software updates that need addressing
Backups of your site are a good idea anyway, but if you have an off-site backup of your database and content, then if anything were to happen and your site was compromised, you'll have the content to get it back up and running again.
Due to WordPress's popularity, there's a rise in hackers attempting to gain access to WordPress websites to exploit their content and access their data. But it's not difficult to protect your site and take steps to mitigate any risk from outside attack.
Next time you speak to your web developer, ask them about what they're doing to secure your website and put in place some protections of your own.