As a software developer, I’ve used many tools to build both professional and personal websites and applications. One of the most often mentioned CMS tools I discuss with custom project stakeholders is WordPress, and for good reason: WordPress runs 28.9% of the entire internet, including large sites such as sites for the New York Post, CNN, Spotify, TechCrunch and NBC.
Businesses and organizations both large and small look to WordPress because of its powerful features, its ability to facilitate many users and authors and its ability to be customized using pre-existing and self-developed plugins and themes. These pre-developed themes and plugins are extremely helpful because of their ability to save time and effort, allowing the focus of the site to be on content rather than code.
I’m sensing a but…
All of the time and effort saved using these pre-built tools is extremely valuable, but I often encourage stakeholders to consider that WordPress and its tools are essentially code written by other people that have their own lifecycle, development teams and update schedules, and while they can save time up front, without proper upkeep, it is possible for them to be exploited by those who seek to use someone else’s site for their own ends.
Why would you do that?
Unfortunately, there are people on the internet that are not out to make the world a better place. Sad and shocking, I know, but there it is. These people have many reasons for what they do, including making money using crypto mining, stealing financial information, political reasons, seeking to find and leak secure information, ransom or even unethical business reasons. Each of these behaviors is increasing in its scale and complexity, and hackers are continually evolving their methods to find different ways to exploit new and existing infrastructures. To combat this, site owners must remain vigilant in keeping security and maintenance at the forefront of their best practices and must do their best to keep their sites up to date.
Great, the internet is scary, now what?
So, yes, there are bad people on the internet, but the good news is that with a little thought and effort, there are many things you can do to protect yourself and keep your site from being an easy target.
- Stay up to date. By having a regular and routine update schedule, you can minimize the amount of time that your WordPess installation, themes and plugins are out of date. When vulnerabilities are found in plugins, themes and even WordPress itself, its developers will release a new version of their tool with updates to close that exploit. Until that update is performed on your site, their is a chance that someone will identify your site as open to attack and exploit it. If you do not have the time or expertise to regularly check and maintain plugins, themes and the WordPress core, you should find a partner who will perform these tasks for you regularly.
- Only use software you trust. As far as trusted locations go, the official plugin and theme repositories are the only places that you should be downloading free themes or plugins. If you are buying premium plugins and themes, ensure that they come with a GPL License and have recommendations from other developers or influential members of the WordPress community.
- Use good passwords and data best practices. Strong passwords, or better yet, passphrases are a must. Passphrases are quickly becoming a more accepted way of securing user accounts over passwords because of their length and ease of use. When using a password, it is recommended to use a strong password generator. When using a passphrase, choose phrases that are long enough to be hard to guess, not a famous phrase or one that others associate with you, and easy to remember. Never use passwords or passphrases between sites or applications.
- Always use SSL. SSL is the standard security technology for creating an encrypted link between web server and web browser and should be used on all traffic for your site. You can see that an SSL connection is present when the URL has the HTTPS instead of the HTTP prefix in the address bar and browsers like Google Chrome, Firefox, IE and others will display a green “lock” icon in the address bar. There is a common misconception that only sites that handle sensitive or ecommerce transactions need to use HTTPS. While it is true that you should absolutely use HTTPS for those things, every unprotected HTTP request could potentially reveal data about the data and behavior of your users. As a bonus, the Google search engine actually scores sites higher for using HTTPS, and services like Let's Encrypt now provide these services for free.
- Monitor your site and the WordPress ecosystem. No matter how protected your site is today, new exploits and vulnerabilities will always be found in the future. Monitoring your own site is something that is critical so you'll know if you have been attacked and can mitigate the damage ASAP, but the WordPress ecosystem is also something that you should also keep the pulse of so you're aware as soon as possible if an exploit has been discovered for WordPress, or in any plugins or themes you are using. The best way to do this is to follow security professionals in the industry who specialize this and to have a solid understanding of what you are using on your site. This is one of the things that is difficult to do for those who have a hard enough time just updating the content on their site, so if you fit into this category, it is important to find a good partner (like Firespring, wink, wink) who can do this on your behalf.
That’s it. The internet is done!
Unfortunately, web technology, sites and the internet are constantly evolving. Your site will never be “done” and you should refrain from thinking this way. The bad guys are plentiful and they have way more time on their hands than you do, so be vigilant, my friends, and if you can’t, find a software partner who can!