At Perfect Leap™ we’ve recently noticed an uptick in the number of customers coming through our door whose websites are either backdoored or infected with malware. We wrote this article to explain some of the steps you can take as a business owner to better protect yourself against these types of attacks.
Understanding WordPress attacks
In order to first understand the nature of WordPress attacks, you must first understand why these attacks are becoming so prevalent. Given that WordPress is one of the most popular content management systems (CMS), powering approx. 30% of websites on the internet, most people are familiar with what the platform is and what it does.
As a community project, WordPress itself is generally secure, receiving frequent updates from both members of the community, Auttomatic Inc (the company behind WordPress) and professional organizations who rely on WordPress as their daily driver.
That said, given that it’s open source, WordPress is also open to modification / customization which is commonly handled via the use of plugins. If you’re a WordPress user, you’re probably already familiar with what a plugin is and what it does – but therein lies the problem.
1) The danger of WordPress plugins
Because WordPress plugins make things easy, almost anyone can call themselves a web developer these days. But the truth is, real developers understand the code that is driving the platform. If you aren’t familiar with HTML, CSS and PHP, then you will have no idea what a plugin is actually doing in the background. Hence we’ve noticed a large uptick in business owners who either attempt to cut costs by self-administering their websites, or by hiring someone who doesn’t really know what they’re doing. Both of these options can end up being more time-consuming and costly!
Dodgy plugins and themes are the #1 source of malware on a WordPress site. Unfortunately this makes things a lot more difficult for the average person – if you don’t know exactly what a plugin does under the hood, then you probably shouldn’t install it. And no, you can’t trust plugin reviews – we’ve seen email / SMTP plugins for example with over a million downloads that store e-mail passwords in plaintext. You don’t have to be a computer security expert to understand why that’s a bad idea!
2) So many updates… so little time
How ofen do you update your plugins and the WordPress core itself? We’ve seen business owners let their website updates lapse for up to 2 years! In one case, the result was an ancient vulnerability enabling easy access to their site, which then allowed an attacker to slip in unnoticed and insert malicious code that would redirect users to their own servers (where they could end up downloading malware onto their computers).
We’ve also seen websites get defaced and downright replaced. It doesn’t take a WordPress scientist to tell you why putting your brand and customers at risk is a bad thing!
3) No SSL? Not cool!
In July of 2018, Google began marking all non-HTTPS sites as “Not Secure”, leading to a big scary “warning page” for any Chrome users browsing an HTTP site. Unforunately for the many people who opted not to secure their website with an SSL certificate, this may have led to a steep drop in visitor traffic, as Google’s Chrome browser is used by more than 60% of users visiting the web.
In addition, not having SSL on your website means the traffic between your web server and your site visitors is not encrypted. This means anyone visiting your page is going to be sending any information they punch in as plaintext – again, it doesn’t take a coding genius to explain why that’s a bad thing!
4) You get what you pay for – especially when it comes to web hosting
A $5 shared hosting plan may look when you’re crunching the numbers, but you’ll pay for it later when your website traffic starts picking up. After all, isn’t attracting visitors (and hopefully converting them into customers) one of the main goals of creating a business website in the first place? You don’t want your visitors experiencing slow load times (a major factor in Google’s SEO algorithm), or worse, getting redirected to malware because the low-budget hosting provider’s DNS is poisoned.
In addition, the last thing you want to be dealing with is slow, email-only support when your site is down: something that happens often with cheap shared hosting packages (imagine if your site was offline for a week because your hosting provider took 48 hours to respond?) Sometimes, you really do get what you pay for.
5) Too many bells and whistles, plus the kitchen sink
We already explained why un-verified plugins are a bad idea, but did you know that having too many plugins can also cause problems? We’ve seen cases where customers came to us with upwards of 47 plugins installed on their site! This slows down site load dramatically, but worst of all it’s completely unnecessary and it creates a huge security hole. Think about it: if you have 47 plugins installed, that’s 47 plugins you need to update – almost every week! You don’t need a plugin, for example, to add a favicon to your site (yes we are quoting an actual example we came across). That functionality is built in to WordPress!
At Perfect Leap™, can you guess how many plugins the pages we design ship with? The answer for most of our sites is two. That’s right – only TWO plugins, and one of them is shipped by the company that develops our base theme! (the other one is an approved plugin for handling SEO). That’s one reason why pages we design often score very high on Google Page Rank and GT Metrix:
6) Weak passwords / too many admins
This seems to be a common theme in tech – people use weak passwords because they’re easier to remember. But using a weak password on your WordPress admin account is just a bad idea. WordPress sites contain no native support for 2 factor authentication – and using a 3rd-party plugin that handles logins means the code in those plugins must be vetted thoroughly on a regular basis if you want to ensure the utmost security if your site.
Instead, you’re better off using as strong of a password as possible and rate-limiting your login page on the server-side to prevent brute-force attempts. We have seen some plugins out there that are fairly effective at preventing login attacks (by locking the user out for a specified amount of time), but as we already mentioned we prefer to avoid using plugins whenever possible (are you picking up a common theme here)?
In addition to weak passwords, many WordPress sites we come across contain multiple admin accounts. Do guest bloggers and SEO consultants really need full admin access to your site? Probaby not! Instead, consider granting them Author right (if they only need to edit their own posts) or Editor right (if they need to edit everyone’s posts) instead.
7) Getting overzealous with DIY
As with any other knowledge-based field, technology is vast and it takes a lot of time and effort to stay on top of the latest threats. It’s fine to want to learn to do something yourself, but if you aren’t prepared to roll up your sleeves, you may end up with a hacked or poorly-performing site.
That’s why Perfect Leap™ offers managed WordPress packages for business owners who would rather focus on growing their business than worry about operating a website. All our packages come with:
- Automatic SSL (HTTPS) encryption
- Automatic daily database backups + weekly site backups w/ 1 month backup retention
- Cutting-edge container technology – ensures site consistency + rapid server upgrades
- Hassle-free hosting – We manage your DNS + systems tweaks for you – no need for CPanel or other similar setups
- Login rate limiting / brute force attack protection – no need for a plugin – we limit login attempts on the server-side
GET YOUR WEBSITE POWERED UP WITH PERFECT LEAP™
If you’re interested in making the Perfect Leap to fast, secure hosting, call (604) 992-8178 or email firstname.lastname@example.org