What Website Owners Should Know About Security
This blog is about wordpress security. While wordpress is the world’s most popular software for websites – as open source software it’s prone to hacks and attacks. Sadly, we, as web hosting and development companies spend far too much time worrying and working on being vigilant on behalf of our clients who rely on us. For clients of searchtrafficnow.com – you don’t have to worry – we are watching you site, updating plugins and putting features in place to keep your site secure. This post is designed to educate you a little about website security.
A recent study done by wordfence – a popular and good security platform shows the following.
Most Site Owners Don’t Know
The scary truth is that most website owners don’t know they’ve been hacked. Some sites go for days, months and years being exposes to some really bad stuff. Worse 61.5% didn’t know how the Attacker compromised their website. As you can see the most sites are compromised by plugins. These are software modules that developers use to provide varying enhancements to your site.
For the site owners who did figure out how the attackers entered, here is what the breakdown looks like:
In the balance of this post we’re going to focus primarily on the top two risks. Because if you can protect yourself against plugin vulnerabilities and brute force attacks, you are accounting for over 70% of the problem.
Plugins Are Your Biggest Risk
Plugins are what make wordpress so popular. There are over 43,000 plugins available for download in the official WordPress plugin directory. The average site should have 15-20 plugins so it’s a wonder why there are so many. The point is that it’s nearly impossible to monitor these plugins which, when not built properly or updated provide an easy back door for someone looking to exploit your website.
Wordfence provide some great tips for avoiding plugin hacks:
Keep them updated
Reputable plugin authors fix vulnerabilities very quickly when discovered. By keeping them up to date you insure that you benefit from fixes before attackers can exploit them. We recommend that you check for updates at least weekly. In addition we recommend that you pay attention to the alerts generated by Wordfence scans. Wordfence alerts you when your plugins need to be updated.
Don’t use abandoned plugins
You are relying on the plugin developer to insure that their code is free of vulnerabilities. If they are no longer providing updates there is a high likelihood that there are vulnerabilities that have not been fixed. We recommend avoiding plugins that have not been updated in over 6 months. For plugins you have already installed we recommend you conduct an audit at least quarterly to make sure none of your plugins have been abandoned by their authors.
Only download plugins from reputable sites
If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into loading malware yourself. An attacker will do this by setting up a website that looks legitimate and getting you to download a compromised or ‘nulled’ plugin.