Is WordPress Safe?

It’s a widely cited fact that WordPress powers 25% of the internet’s webpages. Think about that, 25%! It also powers nearly 60% of the sites that use a CMS (content management system).

That is the main reason it is also a target. Like the popular Microsoft Windows or Android OS, WordPress powers so many sites that if you can find a way to compromise even a small percentage of websites using the system, you can gain access to literally millions of sites.

Because of this, one of the first questions I get when I suggest using WordPress is about security. But as I stated before, criminals and people looking to do general mischief are looking for the low-hanging fruit, the easy-to-hit sites. So with some basic precautions, your website can be even more secure than custom HTML sites.

Making WordPress Safe

There are a few basic steps that a web developer or your company IT guy can take to secure your new or existing WordPress site. Below is a list of plugins, best practices and other items used by BeBizzy Consulting and many others to make your site as secure as possible.

Backups

Let’s start off with the most important part of the security system. If you don’t have a good backup of the site, it doesn’t matter how you set the rest up. Something WILL cause your website to fail: the webhost could suffer an attack or hardware failure, you could alter some code and break the site, or a security breach could happen directly to your site. With no backup, there’s no easy way to return to “normal,” so at a minimum do a complete backup of the site files, and don’t forget to back up the database. There are also automated methods for this process, which are highly recommended.
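A minimal version of such an automated backup, shown as an added example that is not part of the original post. It assumes WP-CLI (`wp`) is installed for the database export; the function names and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: back up a WordPress site's files and database.
# Assumptions: WP-CLI ("wp") is installed for the database export;
# the function names and all paths are hypothetical.

# backup_files SITE_DIR DEST_DIR -> prints the path of the new archive
backup_files() {
    site_dir=$1; dest_dir=$2
    [ -f "$site_dir/wp-config.php" ] || {
        echo "no wp-config.php in $site_dir" >&2; return 1; }
    # The archive holds wp-config.php (database credentials): keep it private
    # and keep DEST_DIR outside the web root.
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
    archive="$dest_dir/files-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$site_dir" . || return 1
    echo "$archive"
}

# backup_db SITE_DIR DEST_DIR -> prints the path of the SQL dump
backup_db() {
    site_dir=$1; dest_dir=$2
    command -v wp >/dev/null 2>&1 || {
        echo "WP-CLI not found; database NOT backed up" >&2; return 1; }
    dump="$dest_dir/db-$(date +%Y%m%d-%H%M%S).sql"
    wp db export "$dump" --path="$site_dir" >/dev/null || return 1
    echo "$dump"
}

# verify_archive ARCHIVE -> succeeds only if the archive can be read back
# and contains wp-config.php and the wp-content directory
verify_archive() {
    listing=$(tar -tzf "$1") || return 1
    echo "$listing" | grep -q 'wp-config\.php$' || return 1
    echo "$listing" | grep -q 'wp-content/'
}

# Run as: sh wp-backup.sh /var/www/example-site /srv/backups/example-site
if [ "$#" -eq 2 ]; then
    a=$(backup_files "$1" "$2") && verify_archive "$a" && backup_db "$1" "$2"
fi
```

A backup only counts once it has been read back, which is why the file archive is verified before the run reports success.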

WordPress Updates

The easiest way to gain access to a WordPress site is through an out-of-date WordPress system. I’ve recovered sites running on 2.x (current is 4.7), and that’s a scary endeavor. WordPress puts out major releases a couple of times per year, and security patches about once a month or so to stay ahead of the pinholes that are found in WordPress. The best part is that there are thousands of people looking at WordPress, for good and for bad, who identify issues and get them repaired. Keep your site updated and make sure your PHP version can handle the update. If not, time to move!

I also suggest turning on automatic core updates. You should be able to toggle a switch that will update WordPress automatically for “X.x.x” updates, keeping your site secure without you even trying. Just make sure you test the site when notified of an update to make sure everything is running as it should.

Plugin Updates

The next best way to gain access to WordPress is through outdated or poorly programmed plugins. Last summer I worked on recovering a WP site that had a plugin that had not been touched by the developer in over five years. When I updated the site to a new WP version, the plugin crashed and I had to find an alternative, more updated plugin that worked close to the same. But it’s not just keeping the plugins updated, it’s keeping an eye open for poorly secured plugins as well. Do some research on a plugin before installing. Has anyone ever suffered a breach or WordPress crash after installing? What is the support like? How often do they update?

One thing that is often overlooked is deleting themes that are not being used, or are not even active on the site. This is extra code that has been abandoned for one reason or another, and leaving it on your website can open a hole you don’t even know is there.

A final note on plugins, themes and other items is to NOT use pirated versions of software. Most plugins are fairly inexpensive and the alternative to paying $10 for a plugin is often spending hours, or even paying hundreds of dollars to have malicious code removed from a site. Pay the $10.

Themes

Next on the list of vulnerabilities is your theme. Every WordPress site runs on a theme, whether it’s the 2016 theme that came installed or one you paid for or got for free. Again, do a little research before you install a theme on your site to make sure it isn’t a known security issue, isn’t left without updates or support, and isn’t poorly written. Then, update it as soon as you get a notification it has been revised.

More Security Steps

Below are a few other steps that are taken by BeBizzy Consulting, and should be considered by your team, host, or developer to make your site as secure as possible.

Change Username

Like on a computer or virtually every other system, do not use “Admin” as your administrator username. Pick something a bit more robust and always use a secure password. Changing the password often also makes it more difficult for an intruder to keep access once it is achieved.

Move The WP-Login.php Page

There are several plugins that allow you to choose a different admin login page for your site. Installing one of them and renaming your login to something less known can stop some people from even trying to access your admin, simply because it doesn’t exist at the usual spot.

Install a Security Plugin

Many sites have Sucuri or Wordfence installed to protect the admin and other parts of the site. Even the free versions will notify you when the admin is accessed and limit login attempts at wp-login.php, and the premium versions can lock down the admin to specific locations or IP addresses, run security scans for malicious code, and much more.
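What a login-attempt limit looks for, shown as an added example (not part of the original post, and not how Sucuri or Wordfence are implemented): it counts POST requests to wp-login.php per client IP in a web server access log. The log lines are constructed, in common log format, the threshold is an assumption, and the script relies on WordPress's default behaviour of answering a failed login with 200 and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Added example: summarise wp-login.php attempts per client IP.
# Assumptions: common/combined access log format on stdin; default WordPress
# behaviour (failed login -> 200, successful login -> 302 redirect).

# login_attempts THRESHOLD < access.log
# Prints "IP failed=N succeeded=M" for every IP with at least THRESHOLD
# failed POSTs. A success after many failures deserves a closer look.
login_attempts() {
    awk -v min="$1" '
        # $1 = client IP, $6 = "METHOD, $7 = path, $9 = status code
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 {
            if ($9 == 302) ok[$1]++; else fail[$1]++
        }
        END {
            for (ip in fail) if (fail[ip] >= min)
                printf "%s failed=%d succeeded=%d\n", ip, fail[ip], ok[ip]
        }
    ' | sort
}

# Constructed sample log (documentation IP ranges, invented timestamps).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Jan/2017:09:58:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2840
192.0.2.10 - - [10/Jan/2017:09:58:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/Jan/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/Jan/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [10/Jan/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/Jan/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [10/Jan/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [10/Jan/2017:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF
}

sample_log | login_attempts 3
```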

Keep Your Site Safe

There are definitely more ways to secure your WordPress site. Editing the .htaccess file, hiding WordPress from source viewers, hiding site author names, picking a good (reputable) host, automating security audits, removing plugin and theme editors and others will help keep your site safe, but do require some knowledge and planning by someone that knows their way around WordPress.

Adding an SSL certificate to your site and hosting is also a good idea, not only for encrypting data being shared back and forth with users, but also for the search engines, which are starting to use it in their algorithms.
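Three of the steps above (automatic core updates, removing the plugin and theme editors, and using SSL for the admin) leave a trace in wp-config.php, so they can be checked with a script. This is an added example, not part of the original post: the constants are WordPress's own, while the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit wp-config.php for three settings discussed above.
# WP_AUTO_UPDATE_CORE, AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_EDIT and
# FORCE_SSL_ADMIN are WordPress constants; the function names are hypothetical.

# has_define FILE NAME VALUE_REGEX -> true if an uncommented
# define('NAME', VALUE) line exists. Lines starting with // or # are
# skipped; /* block comments */ are not handled. -i accepts true/TRUE.
has_define() {
    grep -v -E '^[[:space:]]*(//|#)' "$1" |
        grep -E -i -q "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)"
}

# audit_wp_config FILE -> prints one line per finding, returns 1 if any
audit_wp_config() {
    cfg=$1; findings=0
    if has_define "$cfg" WP_AUTO_UPDATE_CORE false ||
       has_define "$cfg" AUTOMATIC_UPDATER_DISABLED true; then
        echo "FAIL automatic core updates are switched off"
        findings=1
    fi
    if ! has_define "$cfg" DISALLOW_FILE_EDIT true; then
        echo "FAIL plugin/theme editor is enabled (DISALLOW_FILE_EDIT not true)"
        findings=1
    fi
    if ! has_define "$cfg" FORCE_SSL_ADMIN true; then
        echo "FAIL admin is not forced over HTTPS (FORCE_SSL_ADMIN not true)"
        findings=1
    fi
    [ "$findings" -eq 0 ] && echo "OK $cfg"
    return "$findings"
}

# Run as: sh wp-audit.sh /var/www/example-site/wp-config.php
if [ "$#" -eq 1 ]; then
    audit_wp_config "$1"
fi
```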

I still feel that having a good backup is THE step you have to take. If you have a restore point on which you can rely, you can move, restore or save your website pretty easily. But if you are starting from a dirty site and have to clean it, be prepared to spend either a lot of time, or a fair amount of money, to have it back up. And frankly, sometimes it’s even more cost effective to build over than to attempt the save.

Have questions about securing your WordPress site, or considering a new website? Contact BeBizzy Consulting today, and leave the technical stuff to us!

What is WordPress

You need a website, right?

So to get one, you’ll need to do a little research online, find a company or agency that “does” them, pay a designer to create some page templates, pay a programmer to create the pages from the ground up, and wait months and months for all of this to get done… then make changes.

Or… you could use WordPress.

WordPress had its beginnings as an easy way to host a blog and if you knew a few technical things you could create a few pages to flesh out the rest of the site. But now, WordPress is the single largest tool used to create websites on the internet. In fact, around 26% of ALL OF THE SITES ON THE INTERNET are done on WordPress. Narrow that to sites that have content management systems, and that number jumps to nearly 60%.

So what does all of this mean? First the bad. It means that if you can hack WordPress sites you MAY have the ability to hack nearly 26% of the websites in the world. But that’s not entirely true. The vulnerable sites contain outdated code, pirated or compromised plugins, or free themes. They can also have pages that were designed custom and have not been updated or put through any security audits. And finally, they can be hosted on virtually any server that runs PHP and a few other things.

But don’t let lazy security issues keep you away from WordPress. First of all, ANY server or website that doesn’t have security enabled or updates performed on a regular basis is at risk. At BeBizzy Consulting we develop all of our websites using WordPress and use the following options to reduce the risk of compromise:

  • We have a tool called ManageWP installed on our computers, tablets and smartphones that allows us to update ALL of our sites several times per day.
  • The same tool informs us when SPAM comments are made on these sites AND allows us to clear them out with one keystroke as well as keep the sites’ databases clear of overhead data.
  • Another tool is loaded with all sites to check for malicious code on a regular schedule. If any is found an email is generated to BeBizzy so the files can be removed and/or repaired.
  • Yet another tool runs on every site and performs periodic scans on files AND notifies BeBizzy via email with every successful and unsuccessful login to the dashboard.
  • Themes are purchased through reliable, trusted sources and all photos are purchased through an iStockPhoto account.
  • The hosting account includes daily backups of the sites which are downloaded to local storage twice a month. This ensures that if something does emerge on one of the sites, strategic updates can replace the malicious files.

So as you can see, hosting a site where it can be monitored and updated on a regular basis is a huge benefit when using a powerful tool like WordPress. And speaking of power, check out these other features of the world’s largest CMS:

  • Themes make changing the look of your site as easy as copying some files and activating the new theme.
  • Blog posts and other pages can be created visually in an interface that’s as easy to use as Word or your email program.
  • Integrate your social media accounts into your site without hours and hours of coding.
  • Easily control who has access to what within your site and even within your admin dashboard.
  • Drag and drop your photos or other media onto the Media Library and it gets uploaded and easily shared.
  • Thousands of plugins have been developed to make shopping carts, booking calendars and sharing available with very little coding.
  • Self-manage your SEO by either installing plugins or controlling your page descriptions, tags and other information right on the page or post.
  • Want visitors to comment on your page or post? It’s built in by default!
  • Easy integration of Google Analytics, Adsense and other tools to make reporting and analysis easier.

Still not sold that WordPress can house your website? Check out this list of world-class sites hosted on the WordPress platform.

So what are you waiting for? Contact BeBizzy Consulting today to talk about how we can bring your website, SEO and other technical visions to life. You know your business, leave the technical stuff to us.