WordPress powers nearly 40% of the internet. That’s a staggering number and a testament to the ease of use and flexibility of the platform. Unfortunately, that ease of use can lead to errors and oversights that affect not only the individual site but the wider internet. A few basic WordPress security best practices can go a long way toward keeping your site safe.
If your site is hacked, the danger to your business and customers is apparent: loss of revenue, release of customer PII (personally identifiable information), loss of data, exploitation of resources, compromised intellectual property, ransomware, and more. It can take days, weeks or months, and substantial money, to recover from a hack.
Beyond the impact on your own business, hackers can use your compromised systems to launch other attacks, host malware and carry out other unsavory activities. Your hacked site lets the bad guys go out and do more bad stuff.
The most prevalent threat found on compromised sites is an SEO spam infection. SEO spam is sneaky and hard to detect but profitable for hackers at your expense. Basically, spamdexing uses your site to increase the traffic for a different site, typically one selling questionable products like prescription drugs. Spammers will insert links on your high-ranking pages or just redirect the page to the other site altogether. The worst part? If Google detects these techniques, your site is the one that pays the price by getting banned from search results. Want to learn more about SEO spam? Check out this site for a detailed write-up along with directions to help clean an infection.
There are relatively simple steps to protect your site. According to Sucuri’s 2019 Hacked Website Report, over 56% of CMS applications were out-of-date at the time the site was infected. The WordPress Security Team, a group of 50 security experts, is hard at work constantly updating the core application to combat the ever-evolving threats. While many updates contain general features, it’s the security patches that are critical. Simply updating the core WordPress version to the latest release goes a long way toward keeping your site secure.
A common secondary issue is the use of unpatched plugins. The plugin ecosystem for WordPress is impressive, but it’s important to recognize that not every plugin is well developed and well supported. Vulnerabilities in plugins account for 56% of known entry points in a survey by Wordfence.
While it’s tempting to use a free plugin, and there are many good ones, plugins with paid licenses or support are more often kept up to date by the developer. You should carefully consider each plugin added to your site and make sure to keep them updated. If the developer stops supporting a plugin, switch to an alternative that is patched regularly.
Another foundational issue is the software version used in your hosting environment. PHP is the core technology used on WordPress sites; the current version is 8.0, and versions older than 7.3 no longer receive security updates (as of Dec 6, 2021). Despite the increasing number of discovered PHP vulnerabilities, only 1% of sites that run PHP are on version 8.0. Make sure that you’re using a fully supported and patched version of PHP, or you leave your site vulnerable to known exploits.
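The three checks above (core updates, plugin updates, PHP branch) can be scripted so they run on a schedule rather than from memory. The following is an added example and is not code from the original post or from Blue Ace Technology. It assumes WP-CLI (`wp`) is installed on the host, that `WP_ROOT` points at the site root, and that the oldest supported PHP branch is the 7.3 figure the post gives; the plugin CSV embedded in the script is a constructed sample so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: a small maintenance audit that
# checks the three items the post calls out (core updates, plugin updates,
# PHP branch). Assumes WP-CLI ("wp") is installed on the host and that
# WP_ROOT points at the site root (defaults to the current directory).

# Oldest PHP branch still receiving security fixes, per the post (as of
# Dec 6, 2021). Adjust as php.net retires branches.
MIN_PHP_BRANCH=${MIN_PHP_BRANCH:-7.3}

# split_branch VERSION -> sets BR_MAJOR and BR_MINOR from "X.Y[.Z]" or "X".
split_branch() {
  case $1 in
    *.*) BR_MAJOR=${1%%.*}; _rest=${1#*.}; BR_MINOR=${_rest%%.*} ;;
    *)   BR_MAJOR=$1; BR_MINOR=0 ;;
  esac
}

# php_branch_supported VERSION MIN_BRANCH
# Exit 0 when VERSION's major.minor is at or above MIN_BRANCH, else 1.
# Compares numerically so "7.10" correctly ranks above "7.4".
php_branch_supported() {
  split_branch "$1"; v_major=$BR_MAJOR; v_minor=$BR_MINOR
  split_branch "$2"; m_major=$BR_MAJOR; m_minor=$BR_MINOR
  if [ "$v_major" -gt "$m_major" ]; then return 0; fi
  if [ "$v_major" -eq "$m_major" ] && [ "$v_minor" -ge "$m_minor" ]; then return 0; fi
  return 1
}

# outdated_plugins CSV_FILE
# Reads `wp plugin list --fields=name,status,version,update --format=csv`
# output and prints "name version" for every plugin with an update pending.
outdated_plugins() {
  awk -F, 'NR > 1 && $4 == "available" { print $1, $3 }' "$1"
}

# count_outdated CSV_FILE -> number of plugins with an update pending.
count_outdated() {
  outdated_plugins "$1" | wc -l | tr -d ' '
}

# Constructed sample of WP-CLI output so the checks can run offline.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
name,status,version,update
akismet,active,4.2.1,available
hello,inactive,1.7.2,none
seo-helper,active,2.0.0,available
EOF

echo "Sample audit: $(count_outdated "$SAMPLE_CSV") plugin(s) need updating"
outdated_plugins "$SAMPLE_CSV"

# Live checks, only when this host actually has a WordPress install and WP-CLI.
WP_ROOT=${WP_ROOT:-.}
if command -v wp >/dev/null 2>&1 && [ -f "$WP_ROOT/wp-config.php" ]; then
  wp core check-update --path="$WP_ROOT"
  LIVE_CSV=$(mktemp)
  wp plugin list --fields=name,status,version,update --format=csv --path="$WP_ROOT" > "$LIVE_CSV"
  echo "Live audit: $(count_outdated "$LIVE_CSV") plugin(s) need updating"
  outdated_plugins "$LIVE_CSV"
  rm -f "$LIVE_CSV"
fi
if command -v php >/dev/null 2>&1; then
  live_php=$(php -r 'echo PHP_VERSION;')
  if php_branch_supported "$live_php" "$MIN_PHP_BRANCH"; then
    echo "PHP $live_php is on a supported branch (>= $MIN_PHP_BRANCH)"
  else
    echo "PHP $live_php is UNSUPPORTED: upgrade to $MIN_PHP_BRANCH or later"
  fi
fi
```

Run it from cron or a CI job against each managed site; a non-empty plugin list or an "UNSUPPORTED" PHP line is the signal to schedule patching. The version comparison is done field by field rather than as a string so that a hypothetical 7.10 branch is not judged older than 7.4.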
Bottom line: WordPress is not a build-it-and-forget-it platform (no site is). Constant maintenance and patching are needed to protect your business. All Blue Ace Technology managed sites are patched and supported monthly, with known vulnerabilities patched as soon as possible.