At Perfect Leap™ we’ve noticed an uptick in the number of businesses whose websites are either backdoored or infected with malware. This article explains some of the steps you can take as a business owner to better protect yourself against these types of attacks.
Understanding WordPress attacks
To understand WordPress attacks, you must first understand why they are becoming so prevalent. WordPress is one of the most popular content management systems (CMS), powering approx. 30% of websites on the internet, and most businesses use WordPress to power their websites.
As a community project, WordPress itself is generally secure, receiving frequent updates from members of the community, Automattic Inc (the company behind WordPress) and professional organizations who rely on WordPress as their daily driver.
That said, given its open source nature, WordPress also allows heavy modification / customization which is commonly handled via plugins. If you’re a WordPress user, you’re probably already familiar with what a plugin is and what it does – but therein lies the problem.
1) The danger of WordPress plugins
Because WordPress plugins make modifying a website super easy, almost anyone can call themselves a web developer these days. But the truth is, good developers understand the code that is driving the platform. If you aren’t familiar with HTML, CSS & PHP, you have no idea what a plugin is actually doing in the background. Hence, when business owners either attempt to cut costs by self-administering their websites or hire someone who doesn’t really know what they’re doing, both options end up being more time-consuming and costly.
Dodgy plugins and themes are the #1 source of malware on a WordPress site. Unfortunately this makes things a lot more difficult for the average person – if you don’t know exactly what a plugin does under the hood, don’t install it. And no, you can’t trust plugin reviews – there are email / SMTP plugins with over a million downloads that store e-mail passwords in plaintext. You don’t have to be a cyber security expert to understand why that’s a bad idea.
2) So many updates… so little time
How often do you update your plugins or the WordPress core itself? Some business owners let their website updates lapse for months on end! In some cases, the result is an ancient vulnerability enabling easy access to their site, which allows an attacker to slip in unnoticed and insert malicious code that would redirect users to their own servers (where they could end up downloading malware onto their computers).
Websites also get defaced by hackers, whether for fun or to demand some sort of ransom. It doesn’t take a WordPress rocket scientist to explain why putting both your brand and customers at risk is a bad thing.
3) No SSL? Not cool!
In July of 2018, Google began marking all non-HTTPS sites as “Not Secure”, leading to a big scary “warning page” for any Chrome users browsing an HTTP site. Unfortunately for many folks who opted not to secure their website with an SSL certificate, this has led to a steep drop-off in visitor traffic for unsecured sites, as Google’s Chrome browser is used by more than 60% of users visiting the web.
In addition, not having SSL on your website means the traffic between your web server and your site visitors is unencrypted. This means anyone visiting your page is going to be sending any information they enter as plaintext – oops, that’s not good!
4) You get what you pay for – especially when it comes to web hosting
A $5 shared hosting plan may look good when you’re crunching the numbers, but you’ll pay for it later when your website traffic starts picking up. After all, isn’t attracting visitors (and hopefully converting them into customers) one of the main goals of creating a business website in the first place? You don’t want your visitors experiencing slow load times (a major factor in Google’s SEO algorithm), or worse, getting redirected to malware because of DNS poisoning.
In addition, the last thing you want to be dealing with is slow, email-only support when your site is down: something that happens often with cheap shared hosting packages – imagine if your site was offline for a week because your hosting provider took days to respond?
Sometimes, you really do get what you pay for.
5) Too many bells and whistles, plus the kitchen sink
We already explained why un-verified plugins are a bad idea, but did you know that having too many plugins also causes problems? We’ve seen cases where customers came to us with upwards of 47 plugins installed on their site! This slows down site load dramatically, but worst of all it’s completely unnecessary and it creates a huge security hole. Think about it: if you have 47 plugins installed, that’s 47 plugins you need to update – almost every week! You don’t need a plugin, for example, to do something simple like add a favicon to your site. That functionality is already built in to WordPress!
At Perfect Leap™, most of our sites have just two plugins installed. That’s one reason why pages we design often score very high on Google Page Rank and GTmetrix.
6) Weak passwords / too many admins
This seems to be a common theme in tech – people use weak passwords because they’re easier to remember. But using a weak password on your WordPress admin account is a bad idea. WordPress sites contain no native support for two-factor authentication.
You’re better off using a strong password and rate-limiting your login page on the server-side to prevent brute-force attempts. We have seen some plugins out there that are fairly effective at preventing login attacks (by locking the user out for a specified amount of time), but as we already mentioned we prefer to avoid using plugins whenever possible because of security & performance.
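Here is what plugin-free, server-side rate limiting of the login page looks like in practice. This is an added example, not Perfect Leap’s own configuration; it assumes nginx in front of PHP-FPM, and the zone name, rate, document root and PHP-FPM socket path are placeholders chosen for the example.

```nginx
# Assumed setup: nginx serving a WordPress site via PHP-FPM.
# Zone name, rate, paths and socket are example values, not a real deployment.

http {
    # Per-client-IP counter: 10 MB of state, at most 5 requests per minute
    # against the endpoints that use this zone.
    limit_req_zone $binary_remote_addr zone=wp_login:10m rate=5r/m;
    # Answer 429 Too Many Requests instead of the default 503 when throttled.
    limit_req_status 429;

    server {
        listen 443 ssl;
        server_name example.com;

        root /var/www/example.com;
        index index.php;

        # Login and XML-RPC are the endpoints password-guessing tools hit.
        # burst=3 lets a real user mistype a few times before being refused;
        # nodelay rejects excess requests immediately rather than queueing them.
        # Regex locations are matched in order, so this must come before \.php$.
        location ~ ^/(wp-login\.php|xmlrpc\.php)$ {
            limit_req zone=wp_login burst=3 nodelay;
            limit_req_log_level warn;   # throttled hits show up in error.log
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        # Every other PHP request (front end, wp-admin after login) is unlimited.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        # Standard WordPress permalink handling.
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    }
}
```

If the site sits behind a CDN or reverse proxy, configure the real_ip module first; otherwise every visitor shares the proxy’s address and one throttled client locks out everyone. Check the effect by watching error.log for "limiting requests" entries after a few rapid POSTs to wp-login.php from a test client.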
In addition to weak passwords, many WordPress sites we come across contain multiple admin accounts. Do guest bloggers and SEO consultants really need full admin access to your site? Probably not! Instead, consider granting them the Author role (if they only need to edit their own posts) or the Editor role (if they need to edit everyone’s posts).
7) Getting overzealous with DIY
As with any other knowledge-based field, technology is vast and it takes a lot of time and effort to stay on top of the latest threats. It’s fine to want to learn to do something yourself, but if you aren’t prepared to roll up your sleeves, you may end up with a hacked or poorly-performing site.
That’s why Perfect Leap™ offers managed WordPress hosting for business owners who would rather focus on growing their business than worry about operating a website. All our hosting plans come with:
- Automatic SSL (HTTPS) encryption
- Automatic daily database & site file backups
- Fast loading times
- Protection against cyber attacks
- 24 x 7 Website Outage Monitoring
- Hassle-free hosting – We manage your DNS + system tweaks for you – no need for cPanel or other similar setups
- Plugin-free login rate limiting / brute force attack protection