Is WordPress Safe?

It’s a widely cited fact that WordPress powers 25% of the internet’s web pages. Think about that, 25%! And nearly 60% of the sites that use a CMS (content management system).

That is the main reason it is also a target. Like the popular Microsoft Windows or Android OS, WordPress powers so many sites that if you can find a way to compromise even a small percentage of websites using the system, you can gain access to literally millions of sites.

Because of this, one of the first questions I get when I suggest using WordPress is about security. But as I stated before, criminals and people looking to do general mischief are looking for the low-hanging fruit, the easy-to-hit sites. So with some basic precautions, your website can be even more secure than custom HTML sites.

Making WordPress Safe

There are a few basic steps that a web developer or your company IT guy can take to secure your new or existing WordPress site. Below is a list of plugins, best practices and other items used by BeBizzy Consulting and many others to make your site as secure as possible.

Backups

Let’s start off with the most important part of the security system. If you don’t have a good backup of the site, it doesn’t matter how you set the rest up. Something WILL cause your website to fail: the web host could suffer an attack or hardware failure, you could alter some code and break the site, or a security breach could happen directly to your site. With no backup, there’s no easy way to return to “normal,” so at a minimum do a complete backup of the site files, and don’t forget to back up the database. There are also automated methods for this process, which are highly recommended.
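As an added example (this is not BeBizzy Consulting’s own tooling), here is a small POSIX shell script that does the two backups this paragraph asks for: a compressed archive of the site files and a mysqldump of the database. It reads the database credentials out of wp-config.php instead of copying them into the script, and hands the password to mysqldump through a mode-0600 options file rather than on the command line. The install path and backup directory in the usage note are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example, not BeBizzy Consulting's script: back up a WordPress site's
# files and database. The paths passed to main() are assumptions.
set -eu

# backup_files SITE_DIR OUT_DIR
# Writes OUT_DIR/wp-files-<timestamp>.tar.gz and prints its path.
backup_files() {
    site_dir="$1"; out_dir="$2"
    mkdir -p "$out_dir"
    archive="$out_dir/wp-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C keeps the paths relative so the archive restores cleanly anywhere
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    printf '%s\n' "$archive"
}

# wp_config_value WP_CONFIG KEY
# Prints the string assigned in define( 'KEY', '...' ), so credentials are
# read from wp-config.php instead of being duplicated here.
wp_config_value() {
    sed -n "s/.*define( *'$2', *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# backup_db WP_CONFIG OUT_DIR
# Writes OUT_DIR/wp-db-<timestamp>.sql.gz with mysqldump and prints its path.
backup_db() {
    config="$1"; out_dir="$2"
    name=$(wp_config_value "$config" DB_NAME)
    user=$(wp_config_value "$config" DB_USER)
    pass=$(wp_config_value "$config" DB_PASSWORD)
    host=$(wp_config_value "$config" DB_HOST)
    mkdir -p "$out_dir"
    dump="$out_dir/wp-db-$(date +%Y%m%d-%H%M%S).sql"
    # The password goes into a 0600 options file, not onto the command line
    # where every user on the host could read it from the process list.
    creds=$(mktemp)
    chmod 600 "$creds"
    trap 'rm -f "${creds:-}"' EXIT
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$user" "$pass" "${host%%:*}" > "$creds"   # strips a :port suffix
    # --single-transaction gives a consistent InnoDB snapshot without locking
    mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
        "$name" > "$dump"
    rm -f "$creds"
    gzip "$dump"                                   # leaves "$dump.gz"
    printf '%s\n' "$dump.gz"
}

# main SITE_DIR OUT_DIR: run both backups, then keep only the newest 14 of each
main() {
    backup_files "$1" "$2"
    backup_db "$1/wp-config.php" "$2"
    for kind in files db; do
        ls -1t "$2"/wp-"$kind"-* | tail -n +15 | while read -r old; do rm -f "$old"; done
    done
}

# Only run when called with the two paths, so the functions can also be
# sourced and reused from other scripts.
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Run it from cron as `sh wp-backup.sh /var/www/html /var/backups/wordpress` (both paths assumed), and copy the backup directory off the host afterwards: a backup that only lives next to the site disappears together with it.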

WordPress Updates

The easiest way to gain access to a WordPress site is through an out-of-date WordPress system. I’ve recovered sites running on 2.x (current is 4.7), and that’s a scary endeavor. WordPress puts out major releases a couple of times per year, and security patches about once a month or so, to stay ahead of the holes that are found in WordPress. The best part is that there are thousands of people looking at WordPress, for good and for bad, who identify issues and get them repaired. Keep your site updated and make sure your PHP version can handle the update. If not, time to move!

I also suggest turning on automatic core updates. You should be able to toggle a switch that will update WordPress automatically for “X.x.x” updates, keeping your site secure without you even trying. Just make sure you test the site when notified of an update to make sure everything is running as it should.

Plugin Updates

The next best way to gain access to WordPress is through outdated or poorly programmed plugins. Last summer I worked on recovering a WP site that had a plugin that had not been touched by the developer in over five years. When I updated the site to a new WP version, the plugin crashed and I had to find an alternative, more up-to-date plugin that worked close to the same. But it’s not just keeping the plugins updated; it’s keeping an eye open for poorly secured plugins as well. Do some research on a plugin before installing it. Has anyone ever suffered a breach or WordPress crash after installing it? What is the support like? How often do they update?

One thing that is often overlooked is deleting themes that are not being used, or are not even active on the site. This is extra code that has been abandoned for one reason or another, and leaving it on your website can open a hole you don’t even know is there.

A final note on plugins, themes and other items is to NOT use pirated versions of software. Most plugins are fairly inexpensive and the alternative to paying $10 for a plugin is often spending hours, or even paying hundreds of dollars to have malicious code removed from a site. Pay the $10.

Themes

Next on the list of vulnerabilities is your theme. Every WordPress site runs on a theme, whether it’s the 2016 theme that came installed or one you paid for or got for free. Again, do a little research to make sure the theme you are planning to use doesn’t have a known security issue, is still updated and supported, and isn’t poorly written before you install it on your site. Then, update it as soon as you get a notification that it has been revised.

More Security Steps

Below are a few other steps that are taken by BeBizzy Consulting, and should be considered by your team, host, or developer to make your site as secure as possible.

Change Username

Like on a computer or virtually every other system, do not use “Admin” as your administrator username. Pick something a bit more robust and always use a secure password. Changing the password often also makes it more difficult for an intruder to keep access once it has been gained.

Move The WP-Login.php Page

There are several plugins that allow you to choose a different admin login page for your site. Installing one of them and renaming your login to something less well known can stop some people from even trying to access your admin, simply because it isn’t at the usual spot.

Install a Security Plugin

Many sites have Sucuri or Wordfence installed to protect the admin and other parts of the site. Even the free versions will notify you when the admin is accessed and limit login attempts at wp-login.php, and the premium versions can lock down the admin to specific locations or IP addresses, run security scans for malicious code, and much more.

Keep Your Site Safe

There are definitely more ways to secure your WordPress site. Editing the .htaccess file, hiding WordPress from source viewers, hiding site author names, picking a good (reputable) host, automating security audits, removing the plugin and theme editors, and others will help keep your site safe, but they do require some knowledge and planning by someone who knows their way around WordPress.

Adding an SSL certificate to your site and hosting is also a good idea, not only for encrypting data being shared back and forth with users, but also for the search engines, which are starting to use it in their ranking algorithms.

I still feel that having a good backup is THE step you have to take. If you have a restore point on which you can rely, you can move, restore or save your website pretty easily. But if you are starting from a dirty site and have to clean it, be prepared to spend either a lot of time, or a fair amount of money, to get it back up. And frankly, sometimes it’s even more cost effective to build over than to attempt the save.

Have questions about securing your WordPress site, or considering a new website? Contact BeBizzy Consulting today, and leave the technical stuff to us!

BBP: Episode 22 – I (almost) Got My Gacillia Nuts Scammed

More information on this scam on another episode of the BeBizzy Break Podcast!

Oh sure, first another blizzard, and now I almost get sucked into a nut website scam?

Set BS detectors to stun!

EP22 – The Gacillia Nut Website Scam

I almost got taken by a scammer this week. I was approached, through text (?) by a gentleman who wanted a website built for his company based in Washington DC. I do some work with a company out of Boston, and also have had past clients out east, so this wasn’t totally out of left field. But something just didn’t sound right. Below is the text sent to me…

“I have small scale business which i want to turn into large scale business now it located in and the company is based on importing and exporting of Agriculture products such as Kola Nut, Gacillia Nut and Cocoa so i need a best of the best layout design for it. Can you handle that for me ?. so i need you to check out this site but i need something more perfect than this if its possible .http://www.agroamerica.com.… the site would only be informational, so i need you to give me an estimate based on the site i gave you to check out, the estimate should include hosting and i want the same page as the site i gave you to check out and i have a private project consultant, he has the text content and the logos for the site.”

James claimed to be hearing impaired, so no phone conversation could be used. Now I know why. An internet search for Gacilla Nut revealed this scam IMMEDIATELY, right down to the exact copy of the contact email/text. Apparently the next step will be to say the credit card won’t go through, and to provide him with a checking account number so he can transfer money. I think we all know what happens next.

So, I’ve deleted the invoice, and will kill the contract with James. If anything else happens, I’ll report back to you here.

UPDATE : I received the “can you do me a favor” email last night. See below:

“The favor is that I will send you my credit card to charge for the sum of $5,700.00 plus 3% Cc company charges, You will deduct $2,000.00 as deposit for the design of the website plus extra $200.00 as a tip for handling perfect work for me and you will send the remaining $3,500.00 to the project consultant that has the text content and the logo for my website so once he receive the $3,500.00 and you will have the money cash deposit to their account…. He would send the text content and logo needed for my website to you so work can start asap, Sending of funds would be after money clears into your account and you will be charging my card for remaining balance upon completion of work, Kindly get back to me so we can proceed with payment asap”

So the scam is apparently to get paid a large sum, pay his contracted graphic design guy most of it, then I’m guessing a chargeback for the initial payment to me, leaving me out the $3500 to his “project consultant.” Brilliant.

I reported this to the North Dakota Attorney General’s office and was basically told to cut off contact with “James.” Since it’s most likely international and been going on for several years, the likelihood of stopping this from happening again is slim. There is a website run by the federal government to report items like this, so I was given IC3.GOV to file a report.

UPDATE 7/2/2019 – I got a NEW variant of this scam.

Hello Sir/Madam ,

This David Serrano from Kirkland Shipping,We looking for laptop computers to purchase for our new business branch and want to know if you have them available in stock or can either custom order them for us.We also do have specifications we would like the computers to come with and also if you can tell us how much a laptop with these specifications is going to cost for plus tax…Here are the specifications below

    • An i7 Core Processor
    • 16gb of Memory
    • 1tb of Hard drive or 512 SSD
    • Screen Size can either be 13′ , 14′ or 15.6′
    • Must come with a Touch Screen and a backlit Keyboard
    • Either a windows 10 Home premium or Professional
    • Brands can either be Dell ,Apple,Hp or Lenovo

NB : Also advise me if you do take credit card payment , Thank You

In other news:

  • Fitbit bought Pebble watches. I’ve also heard that Pebble is now dead… I hope this isn’t true. My first smartwatch was a Pebble and I loved it.
  • I updated three sites to WordPress 4.7, which came out yesterday, with no issues. Hopefully this trend continues!

Don’t forget to send us any suggestions for apps to review or people to interview. And subscribe to the BeBizzy Break Podcast on iTunes and Stitcher Radio

And as always, leave the technical stuff to us!

Mobile Friendly Sites SEO Rank Increased

Google recently announced that in May 2016 mobile-friendly sites will get a bit of a boost in SEO rankings. This could turn into a long-winded explanation of how to increase your site’s SEO or make the site mobile friendly, but really it comes down to this.

Mobile use of search and the rest of the web is on the increase. comScore has stated that the number of internet users on desktop was equaled and then passed by mobile users in 2014. So it makes sense that search giant Google would start to take mobile-ready sites into account in search engine results, especially for mobile users.

Checking your basic mobile readiness is simple. Go to this website (http://ow.ly/ZFyRr ) and enter your URL. If you’re ready, you should see a message telling you the good news. You will even see a screenshot of how the site is viewed on mobile. If not, you should get some tips on what needs to be changed.

Some of these fixes are pretty easy, like text sizes, spacing and images. But if you use Flash, a layout that does not conform to mobile viewing, non-breakable tables, or custom programming that is not viewable on phones or tablets, the change becomes more difficult and, frankly, costly.

Do your potential or current customers need to view your website on mobile? Now is the time to plan on making the migration to a responsive design to ensure your website works on all devices. Protect your earned search engine ranking, or possibly move up by getting your site mobile ready! Contact BeBizzy Consulting today to see how you can make sure you’re ready for the mobile web.

Then, leave the technical stuff to us.

What is WordPress

You need a website, right?

So to get one, you’ll need to do a little research online, find a company or agency that “does” them, pay a designer to create some page templates, pay a programmer to create the pages from the ground up, and wait months and months for all of this to get done… then make changes.

Or… you could use WordPress.

WordPress had its beginnings as an easy way to host a blog and if you knew a few technical things you could create a few pages to flesh out the rest of the site. But now, WordPress is the single largest tool used to create websites on the internet. In fact, around 26% of ALL OF THE SITES ON THE INTERNET are done on WordPress. Narrow that to sites that have content management systems, and that number jumps to nearly 60%.

So what does all of this mean? First the bad. It means that if you can hack WordPress sites you MAY have the ability to hack nearly 26% of the websites in the world. But that’s not entirely true. The vulnerable sites contain outdated code, pirated or compromised plugins, or free themes. They can also have pages that were designed custom and have not been updated or put through any security audits. And finally, they can be hosted on virtually any server that runs PHP and a few other things.

But don’t let lazy security issues keep you away from WordPress. First of all, ANY server or website that doesn’t have security enabled or updates performed on a regular basis is at risk. At BeBizzy Consulting we develop all of our websites using WordPress and use the following options to reduce the risk of compromise:

  • We have a tool called ManageWP installed on our computers, tablets and smartphones that allows us to update ALL of our sites several times per day.
  • The same tool informs us when SPAM comments are made on these sites AND allows us to clear them out with one keystroke, as well as keep the sites’ databases clear of overhead data.
  • Another tool is loaded with all sites to check for malicious code on a regular schedule. If any is found an email is generated to BeBizzy so the files can be removed and/or repaired.
  • Yet another tool runs on every site and performs periodic scans on files AND notifies BeBizzy via email with every successful and unsuccessful login to the dashboard.
  • Themes are purchased through reliable, trusted sources and all photos are purchased through an iStockPhoto account.
  • The hosting account includes daily backups of the sites which are downloaded to local storage twice a month. This ensures that if something does emerge on one of the sites, strategic updates can replace the malicious files.

So as you can see, hosting a site where it can be monitored and updated on a regular basis is a huge benefit when using a powerful tool like WordPress. And speaking of power, check out these other features of the world’s largest CMS:

  • Themes make changing the look of your site as easy as copying some files and activating the new theme.
  • Blog posts and other pages can be created visually in an interface that’s as easy to use as Word or your email program.
  • Integrate your social media accounts into your site without hours and hours of coding.
  • Easily control who has access to what within your site and even within your admin dashboard.
  • Drag and drop your photos or other media onto the Media Library and it gets uploaded and easily shared.
  • Thousands of plugins have been developed to make shopping carts, booking calendars and sharing available with very little coding.
  • Self-manage your SEO by either installing plugins or controlling your page descriptions, tags and other information right on the page or post.
  • Want visitors to comment on your page or post? It’s built in by default!
  • Easy integration of Google Analytics, Adsense and other tools to make reporting and analysis easier.

Still not sold that WordPress can house your website? Check out this list of world-class sites hosted on the WordPress platform.

So what are you waiting for? Contact BeBizzy Consulting today to talk about how we can bring your website, SEO and other technical visions to life. You know your business, leave the technical stuff to us.