When I was a teenager I always had problems wrapping my head around my friends getting drunk at parties and doing stupid things like unprotected sex (proven by unintended pregnancy later). Also, when I would get myself summer jobs I saw other workers breaking new and fancy building tools just because they did not bother to read the manuals or assumed they would figure out the machines by themselves. On a different occasion, I saw a lady on an internet forum not knowing what kind of fuel her car runs on. Someone asked her about the color, and when she answered ”green”, the guy reassured her that her car definitely runs on gasoline: ”Green and yellow ones always use gasoline, while blue and red ones run on oil”. I would be happily looking down on all of those people if I hadn’t broken a couple of things and relationships by behaviour caused by the same kind of reason – ignorance.
Here comes the boom
Imagine somebody building their business on a WordPress e-commerce site, finding customers, paying for the SEO, adding a multitude of products to the database and not making sure that their website is secure. Then some nasty bot breaches the site’s default authorization process (the password was not complicated enough) and plants some malicious code all over the place: not just in the template files (which can be changed) but in the database itself (which cannot). Our buddy runs to a web development company that built the theme for him few years back and asks what to do. A developer logs in and to his dismay realizes that no backup plugin has been installed. The client contacts the hosting company and asks whether, by any chance, the host was providing a backup of their own. The answer is ”yes” and our businessman is no longer so tense. He passes the files to the developer but it turns out the backed up files contain the infection too. A phone call to the hosting company clears things up: by default the server does not archive backups but every month replaces the last months’ one with a newer version. The only backup files that exist are corrupted too.
Unimaginable? I heard people cry, so believe me – it does happen. Well, if our businessman is a real ”gangsta”, he can rent a black van, park it in front of a web development company and abduct a developer refusing to release him unless every row and field in the database is checked. If the developer succeeds (he will need food for a few weeks, months or years) our imaginary businessman is back on track. But why not make it simple and apply the appropriate measures beforehand?
6 steps to safer WordPress
1. Keep the passwords strong
Every user created in your WordPress admin area should have a good username and a strong password. ”Admin” won’t do, neither will ”12345” nor ”password”. Remember to make it long, use symbols, numbers, small and capital letters. You can always use an online password generator if you want. Keep only as many registered users as you need.
2. Add extra security measures
Many WordPress sites are hacked by bots trying to sign in using one login and password set after another. What you can do is disabling signing in after several failed attempts. The bot will try a few times and will have to move on to another less happy site. Another measure you can take to defend your site from that kind of a breach is using two-factor authentication or captcha on the login page.
But even before someone/something tries to sign in to your dashboard, they will have to go to ”/wp-admin”, or ”/wp-login”, so why not change those URLs to something different. This way wp-admin and wp-login will not even be available.
3. Back up
There are a few really good backup plugins that will make sure your WordPress files and database are safely stored somewhere outside your server. If anything goes awry, your website’s files can be brought back quickly. If you choose a good plugin you will be able to set it to backup automatically on a given interval (daily, every 3 days, weekly…). The good ones might be VaultPress or BackupBuddy but you can search on your own for the perfect backup extension for you.
4. Keep your WordPress updated
Always try to use the most recent versions of WordPress and the plugins you have. WordPress and most of the extensions are changed and developed on a daily basis, so keep an eye for upgrades. They work in an ever-changing world of the Internet and web technologies which can pose security threats that are being addressed in new WordPress and plugin releases. If you do not use some of your installed plugins or themes, simply delete them. Your site is not like your grandpa’s attic where unused things are stored. WordPress and plugins can have security holes and if a malevolent person or bot finds them, they will be exploited.
The only problem with updates might be that some plugins may change their file structures from one version to another and they will not work the way they did before. For instance you might use a plugin whose default styles you don’t like. If you asked your developer to adjust the plugin’s look to the overall feel of the site and the plugin changes its HTML after the update, the custom styles might not work correctly. That is why keeping WordPress up-to-date might be cumbersome at times, but it’s worth it. If you cannot update immediately because you do not want to hire devs too often, set up a schedule of updates and make them every month or so.
5. Choose a good hosting company for your website
Make sure your host uses malware scan, has firewalls set and backs up your files regularly (for starters). A large number of WordPress hacks is connected to hosting rather than to weak passwords or outdated plugins. It might be a good idea to contact your hosting company and ask about the security measures they use and what they do specifically to secure WordPress sites hosted on their platform. If they are not good enough, migrate your website to another host.
6. Contact your developers and ask them to check your WordPress security
The developers will make sure everything is configured right and works correctly. I do not want to get too technical here, so I’ll just mention that devs can do other things too, like making sure wp-config.php and wp-login.php are secure, files and folders permissions are right, php error reporting is not visible to hackers…
Working with our clients is great, some of the designs we transform into websites make me feel more alive, connecting with people is a pleasure, but… Revisiting some of their websites to do housekeeping and realizing that no security measures have been applied keeps me wondering sometimes how it is possible that those domains preserved their not-hacked-yet virginity. To keep what we build with passion in good condition, let’s get hack-proof!