WordPress now powers over 25% of the web. That is a huge number of websites running WordPress. Back when WordPress was the new kid on the block, you didn’t have much to worry about. These days, WordPress websites are at a high risk of being hacked. Just like the argument I used to make that the Mac is safer than Windows, all good things come to an end.
WordPress itself is still very safe if kept updated with the latest software updates. The problem is that there are thousands of plugins and themes that can be loaded into WordPress. These plugins and themes are often very safe; however, when they are not kept up to date, they become insecure and susceptible to attack. This is a major problem that people are having with their WordPress websites.
Hackers are getting smart. They are able to hide malicious code in a website so that the naked eye can’t even see it. We have been contacted by people whose website appeared normal when they viewed it in the browser, but when someone clicked on a link to their website from a Google Search, it directed them to a fake website used to trick people into entering their credit card information. One site was like this for months before they noticed and contacted us. There is a lot at risk when you let your website get outdated. Here is a recent issue with a site we encountered.
One of our clients came to us with their website, which appeared to be selling a popular male enhancement pharmaceutical, but they could not find anywhere on the website where such information was being displayed. If they went to Google and searched for their company, there were multiple listings that displayed this malicious information, and if you clicked on the links, it took you to the malicious website instead of their website. In this instance, Google didn’t even notice the problem and the website was not marked as a potential spam site. Thankfully the hack was not deeply rooted in WordPress and did not touch the database. We were able to update some files and remove malicious code from a few others, which rid the site of the malicious sales pitch.
This is a common hack these days because it is just invisible enough that most site owners will not notice. Most people do not Google search their own business very often so they won’t see this issue coming up. Most people do not realize that their WordPress website is software in a very similar way that their computer’s operating system is software. I would go as far as saying that it is more important to keep your website software up to date than it is to keep your computer up to date. If a computer becomes infected, it can’t do a lot of damage unless it is connected to the internet. Websites reside on a server that is ever connected to the internet, so they need to be kept up-to-date to prevent an attack. Servers also need to be kept up-to-date, but that is a topic for an entirely different conversation.
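The search-only redirect described above can be checked from the outside by requesting the same page as a direct visitor and as a visitor arriving from a Google result, then comparing where each one is sent. The Python below is an added example, not code from the original post; the function names, the two request profiles and the redirect patterns it looks for are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed request profiles: a direct visit vs. a click-through from a Google result.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "from_search": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/"},
}
# Matches meta-refresh ("url=...") and simple JavaScript ("location = ...") redirects.
BODY_REDIRECT = re.compile(
    r'(?:url=|location(?:\.href)?\s*=\s*)["\']?(https?://[^"\'\s>;]+)', re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the redirect itself is the evidence


def http_fetch(url, headers):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location", ""), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # unfollowed 3xx responses arrive here
        return err.code, err.headers.get("Location", ""), ""


def external_targets(status, location, body, site_host):
    """Hosts a response sends the visitor to, excluding the site and its subdomains."""
    hosts = set()
    if 300 <= status < 400 and location:
        hosts.add(urlsplit(location).hostname)
    for match in BODY_REDIRECT.finditer(body):
        hosts.add(urlsplit(match.group(1)).hostname)
    return {h for h in hosts if h and h != site_host and not h.endswith("." + site_host)}


def check_cloaking(url, fetch=http_fetch):
    """Off-site destinations served only to visitors who arrive from search."""
    site_host = urlsplit(url).hostname
    seen = {name: external_targets(*fetch(url, hdrs), site_host)
            for name, hdrs in PROFILES.items()}
    return sorted(seen["from_search"] - seen["direct"])
```

An empty result only means this particular trigger was not observed; injected code can also key on cookies, the visitor's IP address or a crawler's user agent, so a file-level review is still needed.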
What are Managed WordPress Services?
These days there are a couple of different ways to keep your website safe. Because WordPress has become so popular, there are companies whose core business is just to host and manage WordPress websites. This is great for the person who either built their website themselves or is working with a website designer who does not have, or does not want to have, the skills to keep a WordPress website safe. There is a service called WPEngine, which has built a platform that WordPress runs in and around. This platform helps keep plugins and themes with potential issues from getting hacked by not making them usable at all. There are pros and cons to this approach.
Some web services companies, such as Hill Media Group, have a lot of experience in web security and are able to keep WordPress websites running safely. It takes having a plan in place and the knowledge of what to do. Having a plan in place cannot guarantee a website will not have a problem, but it will set it up as best as possible to prevent it. Even with up-to-date servers, WordPress, and plugin software, there is still a chance. A website is only as safe as its weakest password.
Companies like ours have packages available that include hosting, software updates, and regular scans for potential holes that could lead to the website being hacked. These packages are rather inexpensive compared to what you would have to pay to have your website fixed after it was hacked. It is similar to why we buy insurance (at least the insurance we have a choice to purchase).
What about WordPress Security Plugins?
A WordPress Security Plugin is only as secure as the environment it is installed in. Even the security plugins become a threat to security if they are not kept updated. It’s like having security scanning software on your computer that is never updated. Many people feel that they are safe because they have security software installed; this simply is not the case. It must be configured correctly, WordPress and plugins must be up-to-date, and the server the website is on needs to be current as well. There are a lot of moving parts with a WordPress website.
Are Managed WordPress Services right for you?
When I talk about Managed WordPress Services most people explain to me that they don’t need something like that because they are a small business and they don’t imagine why someone would target them. The issue is that hackers rarely target someone specifically. They have bots that are crawling the internet looking for holes in websites that they can take advantage of. An outdated website is all that they are looking for and they don’t really care about anything else. Their goal is to get malicious code into as many websites as possible so they can drive traffic to a fake website for purposes of collecting customer data. It’s rarely for any other reason than that.
We have clients who have declined such services and had issues with their websites. Even on the best-prepared servers, a website is only as safe as the software that runs it. A weak server makes it even easier for an attack.
Once your website has been breached, the bot has made a note and will check back to make sure the malicious code is still in place. Simply removing the malicious code will just leave a place for it to be reinserted. One of our clients had this problem happen to them a couple of times before they ended up moving to a different hosting company to solve the problem. If a website does get hacked, every possible hole needs to be plugged or it is likely the website will end up hacked again within 24 hours.
It is important that you keep your WordPress website updated. Make sure that you run plugin updates as well. If a plugin has not had an update in quite some time, I would consider finding a plugin to replace it with that is better managed. The same goes with themes. The theme or framework of the website needs to be updated as well. Old code results in holes that allow malicious attacks to come through.
Take WordPress security seriously. It is a problem, but it can be solved by being proactive. Work with a company that understands WordPress and the security issues involved with the platform.
If we can help, please reach out to us.