Often at Clockpunk Studios, we hear some variation of the following question/concern regarding WordPress:
“My friend has a WordPress site, and it got hacked. I’ve heard that WordPress has a lot of security problems, so I’m worried about using it.”
We completely understand these concerns, and a few years back, we were also concerned about the security of WordPress itself. However, we don’t believe that WordPress itself is fundamentally insecure, and I’ll try to explain here why WordPress sometimes has a reputation for being insecure. In short, WordPress is a victim of its own popularity and success.
Right now, WordPress is the software running around 27% of all websites in the entire world. For as diverse an ecosystem as the world of web development is, that’s a pretty astonishing number. WordPress competes with literally hundreds of content management systems for market share, and that this number is so high means that an awful lot of developers have confidence in WordPress as their platform of choice. It means there are tens of thousands of people (maybe even millions) working together to develop resources for WordPress in the form of plug-ins and themes. You could develop your own content management system from scratch, but why do that when, by using WordPress, you effectively have an enormous development team working to provide you with new features and tools? There’s a real cost savings there that can’t be ignored!
This popularity comes with one major downside. If you’re a hacker looking to develop an automated tool to easily compromise the most sites you can, WordPress is an obvious choice. If you write one solution that might hack 27% of the entire World Wide Web, then that’s a good, effective use of your resources as well.
And it’s not just your website the attackers are after; it’s your resources. One main reason many are looking to compromise WordPress websites is so that they can redirect your search engine traffic to spam websites selling black market pharmaceuticals and so on, or send spam email from your server. Just because you don’t have credit card information on your site doesn’t mean they aren’t interested in accessing and utilizing your site’s resources to do various nefarious things. It’s nothing personal. Your site is just one of tens of thousands their automated tools have targeted, and if those tools find an exploitable point of entry, they will use it.
While WordPress is easy to get set up and running, it doesn’t do the greatest job of explaining to amateurs how to configure it for better security (although it’s getting better). WordPress doesn’t force you to update it and its plug-ins, and it doesn’t force you to have a strong password (although it tries to encourage you to do those things). Because WordPress is so easy to configure and set up, there are an awful lot of WordPress websites out there, and some are running old versions of plug-ins or core with known vulnerabilities. Many people are using passwords that aren’t strong enough. And sometimes, web hosts don’t do the best job of securing their servers against intrusion.
The result of all this is that you’ve heard stories about WordPress sites being hacked. Fortunately, it’s pretty easy to avoid, or at least reduce, the possibility of a security breach. We take most of these steps for Clockpunk Studios clients; the one thing we don’t control is your password, so if you haven’t already, change it to a stronger, longer one. Here’s what we do: nightly off-site backups to restore from in the off chance a site is compromised, daily updates of core and plug-ins, and some medium-difficulty security hardening to make your site less tempting to hackers. A good plug-in to help with many of those tasks is the Sucuri Security plug-in. It’s one we use often ourselves.
So what can you do if you already have a WordPress website and you want to keep it safe? Use a password that is as strong as possible. If it’s easy to remember, it’s probably easier to hack. Look at using a password management tool to help you with all the passwords you have to maintain rather than using the same password everywhere. Keep your site’s core and plug-ins updated (if we’re not doing that for you). Finally, if you are really concerned or have been compromised in the past, you can hire a professional to do a security audit, to put some additional security hardening in place. Clockpunk Studios is happy to help secure WordPress websites against attacks, whether you’re an existing client or a new one.
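The advice above (keep core and plug-ins updated, don’t leave the easy doors open) can be made the site’s default behaviour with a few lines of configuration. The following is an added example, not Clockpunk Studios’ own configuration or anything from the original post; the constants and filters used are standard WordPress settings, and the file locations are the usual ones for a default install. Lines marked as the default show the setting WordPress uses if you do nothing.

```php
<?php
// Added example (not the post's own configuration): settings that turn the
// advice above into the site's default behaviour.

// ---- File: wp-config.php (place above the "That's all, stop editing!" line) ----

// Updates. Out of the box WordPress only applies minor/security releases of core
// automatically, which is equivalent to:
//     define( 'WP_AUTO_UPDATE_CORE', 'minor' );   // the default
// Setting it to true also applies major core releases without waiting for someone
// to log in and click "Update".
define( 'WP_AUTO_UPDATE_CORE', true );

// Remove the theme/plug-in file editor from the dashboard. It is enabled by default,
// which means any stolen administrator password can be turned into code running on
// the server with a single click; disabling it limits what a stolen login can do.
define( 'DISALLOW_FILE_EDIT', true );

// Keep the login form and dashboard on HTTPS so the password is never sent in
// the clear (requires a working TLS certificate for the site).
define( 'FORCE_SSL_ADMIN', true );

// ---- File: wp-content/mu-plugins/auto-updates.php ----
// "Must-use" plug-ins load on every request and cannot be deactivated from the
// dashboard, so this is a reliable place for site-wide policy. These two filters
// extend automatic updates from core to every installed plug-in and theme, which
// is the "daily updates of core and plug-ins" step done by WordPress itself.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Automatic updates depend on WP-Cron, which only runs when the site receives traffic, so a low-traffic site should still be checked regularly. None of this replaces the off-site backups mentioned above: an update that breaks the site, or a compromise that slips through, is recovered from a backup, not from configuration.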
There’s no 100% foolproof solution against a site being compromised, and attacks do happen. They’re usually a pain to recover from, mostly in time spent disinfecting and restoring things that were altered. In the end, we don’t believe that WordPress has a security problem or that it is inherently insecure; the entire internet has a security problem. With some basic and standard practices, we can do a lot to keep our websites secure against attacks.