The importance of WordPress security
You may have read in the news recently that the government is investing almost £2 billion into fighting cyber-crime due to a surge in fraud, website hacking and other online crimes. It has been reported that up to 30,000 websites are hacked per day worldwide. With cyber-crime on the rise, it is more important than ever to make sure your website, data and customers are protected from hackers.
You service your car and update your phone; your website requires attention too.
AsOne recommend regular maintenance to protect your digital business.
Why target WordPress?
WordPress is the most popular Content Management System, powering over 25% of all websites, and that sheer popularity makes it a natural target for hackers.
The core WordPress system is, in fact, a very secure platform, and there are a number of “white hat” developers constantly looking for vulnerabilities in the system so they can be patched. If a security loophole is discovered, it is passed to the WordPress development team and fixed in a WordPress version release. This makes it vital to keep your WordPress platform up to date to ensure the latest security patches have been applied.
On occasion there can also be vulnerabilities in a WordPress theme or plugin that allow hackers backdoor access into your website. Again, these vulnerabilities will be patched in future version releases, so your themes and plugins should be kept up to date as well.
How do hackers gain access to my site?
There are various ways a hacker could try to gain access to your website. One is a brute force attack, where the hacker or a bot attempts to guess your username and password thousands and thousands of times. Since around November 2016 there has been a spike in these types of attacks, mainly from Russian/Ukrainian IP addresses.
A brute force attack is an unsophisticated method of guessing your credentials, up to millions of times a day. This can affect not only your website's security but also its performance, as every login attempt takes up server resources to process.
If your WordPress site, themes or plugins are out of date they may contain vulnerabilities that allow hackers into your site.
What happens if my website is hacked?
Once a hacker has access to your site, there are a number of nasty things they can do, including:
- Upload hundreds of malicious files to send out spam emails.
- Gain access to your website data including mailing lists, payment details and more. They can choose to steal, edit or delete this data at will.
- Add posts/pages to your site that contain spam links or malicious code, or that redirect your users to another website.
- Use your site as a platform to infect your visitors’ machines with malware, key trackers, ransomware, viruses or other malicious software in order to capture information they can use for their own gain.
- Add themselves as a WordPress user with full access and lock every other account out.
If a search engine such as Google or Bing detects that your site contains malicious code, it may blacklist it, and visitors to your site will be shown a warning.
While this will massively put users off visiting your site, it can also affect your search engine rankings if the problem is not addressed quickly.
What can I do to protect against attacks?
Common usernames and weak passwords make life easy for hackers attempting to guess your details. You should never use an obvious username such as “admin” or “user”: these are common usernames that hackers will look for, so using one hugely increases your chances of being hacked. Furthermore, it goes without saying that using a weak password such as “Password” or “password123” will make it very easy for your website to be hacked.
What can AsOne offer to help protect my WordPress site?
As part of our standard hosting package we take daily backups of your website and database for the last 10 days. We also install Wordfence, the leading WordPress security plugin, when each site is launched. However, without keeping this and your other WordPress plugins and themes updated, your site will not be fully protected.
We offer the following solutions for protecting and improving your WordPress security:
1. WordPress Lockdown (One off payment of £190 + VAT)
- Updating your WordPress platform including the WordPress core, themes and plugins* to the latest available versions.
- Change the default login path to a secure alternative.
- Check for security vulnerabilities such as a username of “admin” or “user”.
- Harden the standard Wordfence lockout protocols to make it as hard as possible for hackers to get into your site and to lock them out from attempting to regain access.
- Lock down FTP access.
- Disable some predefined WordPress options that can make it easier for a hacker to gain access to your site.
While this package will make your website more difficult to attack and will protect against the majority of vulnerabilities, it is not a guarantee that your site will not be compromised in future.
2. WordPress Servicing & Protection Warranty (£50 monthly + VAT)
All of our Innovation Club® members receive this WordPress Security protection as part of their membership.
- Everything included in the WordPress Lockdown package
- WordPress core, themes and select plugins updated monthly.
- Free priority clean, repair and restore if your website is attacked (usual cost over £600 + VAT).
- Full protection against the latest vulnerabilities
- Lock out IP addresses known to be used by hackers.
- Alerts are sent to our developer team if a user is locked out of your site because they have attempted to log in too many times, used an incorrect username or triggered any other suspicious activity. We can then lock out this IP from trying to access your site again if necessary.
- Automatic Wordfence updates
- Real-Time threat defence
- Country Blocking
- Deeper file/database scanning
- Audit Existing Passwords
- Daily scans of your website to check for malware
3. Wait and See
Hoping for the best can have a disastrous effect on your website and any business that relies on your internet presence. If you choose to wait and see if your site gets compromised, you run the risk of incurring website downtime.
If a hack is detected, your host may disable your site and will not enable it until the infection is cleared. This is done to protect other sites on the same server. Not only is your website unavailable, but your search engine rank can drop quickly too.
Cleaning up an infected website starts from £600 + VAT, and the final cost depends on the type of hack that has occurred. If you fail to protect your site thereafter, you are open to yet another compromise and yet another fee to fix your site.
For less than the cost of fixing your compromised site you can be protected for a whole year with AsOne’s WordPress Servicing & Protection Warranty.
We stress that WordPress security should be taken seriously. If your site is hacked, it will not only have a negative effect on the website itself; your audience's trust will deteriorate and your search engine rankings may be affected.