Welcome to 2018, the year in which WordPress powers roughly a third of all websites on the Internet.
For a lot of us involved with the WordPress community, this was a fantastic piece of news. But for those concerned with WordPress security, it's more of a nightmare.
WordPress as a CMS has always had a bad rep for being an unauthenticated remote shell that, as a useful side feature, also contains a blog. And despite the best efforts of the WordPress community, that joke is truer now than ever.
The democratization of publishing has a nasty side effect: pretty much anyone can start a WordPress blog. As the bar to entry gets lower, more and more websites fall prey to malicious attacks, simply because the blog owners are out of their depth when it comes to protecting their site. And being the biggest CMS on the market, WordPress has a huge target painted on its back. One security report stated that 78% of the successful attacks it analysed were against WordPress websites (a figure that partly reflects sheer market share: the most-installed CMS is also the most-attacked one). Another stated that 76% of WordPress users don't use a backup plugin at all.
The blame, or at least most of it, lies with the throng of security articles on the web. Really good, in-depth articles are few and hard to find, because we're bombarded with "10 Easy Ways to Make Your Site Secure" fluff that's about as useful as an anthropology degree in a firefight.
OK, there are exceptions
Sure, it’s great to keep everything up to date. It’s also great to use something other than admin for your username. But that’s not WordPress security, that’s common sense.
The Harsh Truth About WordPress Security
I’m going to let you in on a little secret. Are you ready?
There is no such thing as a perfectly secure website. Your website will get hacked. It’s not a matter of if, but when.
You can be the biggest WordPress security expert in the world; it won't matter one bit if your hosting company gets compromised. Hosting your own websites? Good luck with the next Heartbleed, a bug that sat in OpenSSL, the TLS library behind a large share of the Internet, for about two years before anyone noticed it.
So, if you can’t be 100% safe, what can you do?
Be Responsible About WordPress Security
The fight is won or lost far away from witnesses—behind the lines, in the gym and out there on the road, long before I dance under those lights
-Muhammad Ali
The Greatest told it like it is: you don't start thinking about security after you've been hacked. By then it's too late. You think about it before you start your website. You vet the plugin and theme authors before you install their code. You keep an eye on your websites. If you're out of your depth, you hire an expert. Being prepared makes all the difference in the world.
How ManageWP Helps You Be Secure
Don’t for one second start thinking that either ManageWP or any other service will somehow make you magically prepared. We will help you, take most of the load off your shoulders and provide the tools you need, but at the end of the day you, and only you are responsible for the wellbeing of your website. And if your attitude is meh, whatever, I don’t have time for this, you’re setting yourself up for failure.
Always Have a Backup Ready
I mentioned earlier in the article that 76% of WordPress users don't use backups. That same survey found that over 67% of WordPress users would pay $100+ to get their website back online. This is the kind of insane shortsightedness we need to fight at every turn. You'll never see an ice hockey goalie forget his helmet because there's only a 2% chance of a puck hitting him in the face.
Even the biggest badasses like being alive
It's also the reason ManageWP Backup exists. Handling backups for 10 websites is a pain, so we built a backup that's easily controlled from one dashboard, no matter how many websites you have. And for ManageWP Orion, we focused on the other pain backups cause: reliability. We built a robust, incremental backup that uses very little of your server's resources and stores the result in a secure off-site location. We also introduced more frequent backup cycles, so your website can have a restore point every hour (that's 168 restore points each week!). Whatever tool you use, test a restore every now and then: a backup you have never actually restored from is a hope, not a plan.
Be Vigilant
Some attacks are easy to notice: your website goes down, or it's defaced. The ones you don't know about are much more dangerous: someone could inject malicious code into your website and abuse it for weeks without you noticing. By that time your search ranking has tanked, you've been blacklisted, and the damage has been done. You have to stay on top of things, but you don't want to waste your whole day on routine checks. That's where we come in.
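The "injected code that nobody notices for weeks" problem above has a simple, boring answer that every site owner can run themselves: take a hash snapshot of the files on the site, keep it somewhere the attacker can't edit, and diff against it regularly. The script below is an added example written for this article; it is not ManageWP code, and the sample site tree, the "injected" lines and the directory names it skips are all constructed for the demonstration.

```python
"""Added example (not ManageWP code): a minimal file-integrity baseline for a
WordPress tree. Snapshot every file as a SHA-256, store the snapshot, and on each
later run diff the fresh snapshot against it. Injected code shows up as a
modified or newly added file long before any visible symptom. The sample tree and
the planted lines below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile

# Directories whose contents change legitimately all the time (assumed names).
# wp-content/uploads is the usual dumping ground for planted PHP, so it is
# deliberately NOT skipped.
SKIP_DIRS = {"wp-content/cache", ".git"}


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune in place so os.walk does not descend into skipped directories.
        dirnames[:] = [d for d in dirnames
                       if (rel_dir + "/" + d if rel_dir else d) not in SKIP_DIRS]
        for name in filenames:
            rel = rel_dir + "/" + name if rel_dir else name
            h = hashlib.sha256()
            with open(os.path.join(dirpath, name), "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            snapshot[rel] = h.hexdigest()
    return snapshot


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(report):
    """Findings a human should look at first: any PHP file that appeared or changed,
    and anything at all appearing under wp-content/uploads, which should hold media only."""
    return sorted(p for p in report["added"] + report["modified"]
                  if p.endswith(".php") or p.startswith("wp-content/uploads/"))


def demo():
    """Build a constructed site tree, snapshot it, plant two changes, and diff."""
    with tempfile.TemporaryDirectory() as site:
        def write(rel, data):
            full = os.path.join(site, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("index.php", b"<?php require 'wp-blog-header.php';\n")
        write("wp-content/themes/demo/functions.php", b"<?php // theme functions\n")
        write("wp-content/uploads/2018/photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg")
        # The stored baseline belongs off-box (or at least outside the web root),
        # otherwise whoever can edit the site can also edit the snapshot.
        stored = json.dumps(hash_tree(site))

        # Constructed attacker-style changes: append to a theme file, drop PHP in uploads.
        with open(os.path.join(site, "wp-content/themes/demo/functions.php"), "ab") as f:
            f.write(b"/* constructed injected line */\n")
        write("wp-content/uploads/2018/img.php", b"<?php /* constructed dropped file */\n")

        report = diff_snapshots(json.loads(stored), hash_tree(site))
        return report, suspicious(report)


if __name__ == "__main__":
    report, flagged = demo()
    print(json.dumps(report, indent=2))
    print("review first:", flagged)
```

Re-snapshot right after every legitimate update so that core, plugin and theme changes don't drown out the real findings, and keep the snapshot file out of the attacker's reach: a baseline living in the web root is only as trustworthy as the site it describes.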
Uptime Monitor is great for detecting when your website goes down or is defaced. You’ll immediately get an email and/or an SMS with more details, and you’ll be able to spring into action before anyone else notices.
Security Check inspects your website for known vulnerabilities, malware, checks the blacklist status, and a number of other things. In the near future we also plan to automate the checks, so you can let the system run daily checks and notify you if it notices something’s wrong.
Performance Check is for the sneakiest attacks. Sometimes the Security Check will not detect an intrusion because it's a new type of malware that isn't in the database yet, or maybe it's not malware at all. Either way, your server's resources are being misused, and that slows your website down. That's why we came up with the Performance Check: it grades your website's performance and stores the result. Each time you run a new check, you can compare it to the previous grades and notice when it drops. Now you know something's wrong, and you can fix it before there's any permanent damage. Performance Check is also planned for an upgrade that will give you the option of automating the checks and pushing a notification if performance drops significantly.
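The comparison described above is easy to automate once the grades are stored, and there is one detail worth getting right: compare the new result against a baseline built from the recent history, not just against the previous run, and keep degraded runs out of that baseline so a bad week does not quietly become the new normal. The script below is an added example for this article, not ManageWP's own code; it assumes a 0-100 grade where higher is better, and the series of grades it runs on is constructed.

```python
"""Added example (not ManageWP code): alerting on a significant performance drop
from a series of stored check results. Assumes grades on a 0-100 scale, higher is
better. The sample series below is constructed for the demonstration."""
from statistics import median


def baseline(history, window=7):
    """Median of the last `window` accepted grades: one noisy run does not move it,
    but a genuine new normal (after a redesign, say) is tracked within a window."""
    return median(history[-window:])


def check(history, new_grade, window=7, drop=15):
    """Return (alert, baseline, delta). alert is True when new_grade sits more than
    `drop` points below the baseline. With no history there is nothing to compare."""
    if not history:
        return False, None, 0
    base = baseline(history, window)
    delta = base - new_grade
    return delta > drop, base, delta


def run(series, window=7, drop=15):
    """Feed a series of grades through check() in order and return the indexes that
    would have alerted. Alerted grades are NOT added to the history, so the baseline
    keeps describing the healthy site until someone fixes the problem."""
    alerts, history = [], []
    for i, grade in enumerate(series):
        alert, _, _ = check(history, grade, window, drop)
        if alert:
            alerts.append(i)
        else:
            history.append(grade)
    return alerts


# Constructed weekly grades: a stable site, one noisy run (85) that must not alert,
# then a sudden and persistent drop when the server starts doing someone else's work.
SAMPLE = [92, 91, 93, 85, 92, 90, 91, 92, 70, 68, 69]

if __name__ == "__main__":
    print("alerts at runs:", run(SAMPLE))  # the last three runs
```

Tune `drop` to the noise of your own measurements: a threshold too tight pages you every time a cache expires, too loose and a cryptominer that costs you ten points forever never shows up.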
Key Takeaways
- There’s no easy fix for WordPress security. You need to act responsibly
- Check your website security regularly
- Always have a fresh backup ready in case of emergency