The Importance of Maintaining your WordPress site, and how to do it.
As of 2021, WordPress powers 40% of websites and has a 61% market share among all CMS platforms. On any given day, more than 500 sites are being built in WP versus 70 or so in other platforms like Squarespace or Shopify.
With such exposure, it’s no surprise that malicious actors are constantly probing it, and thousands of WordPress sites get compromised.
Because of that reach, and the correspondingly high number of infections, some developers frown upon WordPress, but the platform itself is, for the most part, secure.
The truth is that no amount of upkeep makes a site 100% attack-proof, but there are several ways in which you can minimize and mitigate potential breaches of your WordPress website.
Why do hackers hack?
From my experience, the vast majority of WordPress exploits are intended to:
- Hijack traffic – redirect users to other sites to produce ad impressions, fake traffic, etc.
- Build backlinks to their own services, be it fake Viagra pharmacies or other black-hat SEO schemes.
- Distribute malware, run crypto miners, etc.
When a vulnerability becomes public, attackers write a bot that scours the web looking for that open door. If it finds one, it infects the site and moves on to the next.
It’s rarely a targeted attack. I often joke: “don’t take it personally, they’re not focused on messing with just you. There isn’t one guy sitting at a machine poking at your server by hand.”
You can drastically reduce the chances of facing such situations by following the advice below.
If you could predict an accident, well, it wouldn’t be called an accident. Even for the most diligent website maintainer, problems may still occur. For instance, your website may crash while updating a theme or plugin. Or a hacker group discovers a plugin vulnerability before the developer has had a chance to fix it.
There is no perfect strategy to avoid these situations. But getting out of the hole quickly will save face and minimize the loss of reputation. Having backups, and being able to restore them quickly, is the way to go.
Ahh, and yes: run a backup prior to every update!
Back-up strategies (use all of them!)
Hosting company backups – Most hosting companies offer automated backups and a quick way to restore your site to a past snapshot. Managed WordPress hosting services allow virtually instant restores (and come with good support).
Backups within the file system – you can use a plugin to make daily backups and store them on the same server. Keep in mind that a backup that lives only on the server disappears with it if the server is lost, or if an attacker who gets in deletes it, so treat this as a convenience copy, not your only copy.
Offsite backups – In the spirit of multiple safety points (and a pinch of paranoia) I highly recommend having a backup outside your hosting company. Some plugins will deposit a copy of your files and database on an external service. If the site is small, you could have it emailed to you. If it’s big, I would consider an external repository such as Amazon S3 or a cloud drive (Google Drive, OneDrive, etc.). Remember that the backup contains wp-config.php, and with it your database credentials, so encrypt it before it leaves the server.
My go-to choice of WordPress backup plugin is UpdraftPlus.
Check your backups – Once in a while, check that your backups are actually running, and, just as importantly, that they can be restored. A backup you have never restored is an assumption, not a backup: restore one into a staging copy from time to time and compare it with the live site.
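To make the “back up, then prove it restores” routine concrete, here is an added shell script that is not part of the original post and not UpdraftPlus code. It archives a WordPress docroot together with a database dump (only when mysqldump is on PATH, using the credentials read from wp-config.php), writes a SHA-256 checksum beside the archive, and then verifies the backup by checking the checksum, extracting into a scratch directory and diffing the result against the live files. The paths in the usage line are examples; the script assumes POSIX sh, tar, gzip, diff and sha256sum or shasum.

```shell
#!/bin/sh
# Added example, not code from the original post or from UpdraftPlus: back up a
# WordPress docroot (files plus, when mysqldump is on PATH, a dump of the
# database named in wp-config.php), write a checksum beside it, and prove the
# archive restores by extracting it and diffing against the source.
# Assumes POSIX sh, tar, gzip, diff and sha256sum or shasum. Paths are examples.
set -eu

# wp_config_get FILE KEY: print the value of define('KEY', 'value') from
# wp-config.php; handles single or double quotes and optional spaces.
wp_config_get() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# backup_site SITE_DIR OUT_DIR: write OUT_DIR/wp-backup-<utc stamp>.tar.gz and
# a .sha256 beside it, and print the archive path. The archive holds the docroot
# under its own directory name and, if it could be produced, db-<stamp>.sql.
backup_site() {
  site=$(cd "$1" && pwd)
  mkdir -p "$2"; out=$(cd "$2" && pwd)
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$out/wp-backup-$stamp.tar.gz"
  dump="$out/db-$stamp.sql"
  cfg="$site/wp-config.php"
  if command -v mysqldump >/dev/null 2>&1 && [ -n "$(wp_config_get "$cfg" DB_NAME)" ]; then
    # --single-transaction: consistent InnoDB snapshot without locking the live site.
    if ! MYSQL_PWD="$(wp_config_get "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
         -h "$(wp_config_get "$cfg" DB_HOST)" -u "$(wp_config_get "$cfg" DB_USER)" \
         "$(wp_config_get "$cfg" DB_NAME)" > "$dump" 2>/dev/null; then
      echo "warning: database dump failed, archive will contain files only" >&2
      rm -f "$dump"
    fi
  else
    echo "warning: mysqldump not available or DB_NAME not found, archive will contain files only" >&2
  fi
  if [ -s "$dump" ]; then
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" -C "$out" "$(basename "$dump")"
    rm -f "$dump"
  else
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
  fi
  sha256_of "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE SITE_DIR: the checksum must match, the archive must
# extract, and the restored files must be identical to SITE_DIR. Returns 1 otherwise.
verify_backup() {
  archive=$1; site=$(cd "$2" && pwd)
  if [ "$(sha256_of "$archive")" != "$(cat "$archive.sha256")" ]; then
    echo "FAIL: checksum mismatch for $archive (corrupted or tampered)" >&2; return 1
  fi
  tmp=$(mktemp -d); status=0
  if ! tar -xzf "$archive" -C "$tmp" 2>/dev/null; then
    echo "FAIL: $archive does not extract" >&2; status=1
  elif ! diff -r "$tmp/$(basename "$site")" "$site" >/dev/null; then
    echo "FAIL: restored files differ from $site" >&2; status=1
  else
    echo "OK: $archive restores cleanly ($(ls "$tmp"/db-*.sql 2>/dev/null | wc -l | tr -d ' ') database dump(s) inside)"
  fi
  rm -rf "$tmp"
  return $status
}

# Usage: sh wp-backup.sh /var/www/example.com /var/backups/example.com
if [ $# -eq 2 ]; then
  archive=$(backup_site "$1" "$2")
  verify_backup "$archial" "$1" 2>/dev/null || verify_backup "$archive" "$1"
fi
```

Run it from cron before every update and ship the resulting archive offsite; because the archive includes wp-config.php and therefore the database password, wrap it with something like gpg --symmetric before it leaves the server. The verify step is the part most people skip: a checksum catches a truncated or corrupted upload, and the diff catches a backup that silently excludes a directory.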
You gotta keep’em updated
A good place to start is the Site Health screen: https://your-site-domain.com/wp-admin/site-health.php
…and check whether you are running the recommended version of PHP, along with the other recommendations on that page.
One of the beauties of WordPress is the off-the-shelf functionality you can add quickly via the almost 60 thousand plugins available in the WordPress directory.
From time to time, a plugin will turn out to be vulnerable, and once the flaw becomes public you will have to patch your website very quickly, since bots start scanning for it as soon as it is known.
Since plugins are developed outside of the WordPress Foundation, install plugins only from reputable developers, preferably from the official repository.
A theme gives your website its look: it controls the layout, typography, colors and other design elements. Theme updates may add aesthetic features, but they may also track changes in core or fix security issues, so a theme needs updating just like a plugin.
Theme and plugin choice – When you choose a third-party plugin or theme, you want to be sure the developer will promptly patch issues. Selecting plugins and themes is much like shopping online or choosing a restaurant: look for 4/5-star reviews, a large install count, and a recent “last updated” date that shows the project is still maintained.
Beware of themes that bundle copies (or forks) of plugins inside their own codebase. If one of those bundled plugins turns out to be vulnerable, you cannot update it from the plugin directory, and fixing and maintaining it becomes a nightmare.
Core and Minor version updates
If a WordPress release includes an important security fix, run that update. If a major release does not include a security fix, I would first make sure it works with your existing plugins and theme… which leads me to my next topic…
I updated my site and it has gone haywire!
You ran an update and the site went bad. Well, at least you have a backup and can restore the site to its previous state. But for a few moments the site was broken, which can be, err, embarrassing.
Don’t do your updates in production.
The proper way to avoid downtime and frustration is to run your plugin updates in a sandbox (staging) environment first and check that everything still works. If something goes wrong there, you will need to troubleshoot where it broke. But that’s a chapter in itself.
When an update goes well in your staging environment, then you can have more peace of mind about running your updates in production.
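As an added example of that staging workflow (not from the original post; it uses WP-CLI, the `wp` command-line tool, which the post itself does not mention), the script below records the installed plugin versions, refuses to proceed if core files fail `wp core verify-checksums`, updates everything, smoke-tests the front page, and, if the page no longer answers cleanly, prints the exact `wp plugin install --version … --force` commands that pin each plugin back to its previous version. It assumes `wp` is installed and run from the site root, `curl` is available, and the site URL is passed as the only argument.

```shell
#!/bin/sh
# Added example, not code from the original post: update plugins and themes with
# WP-CLI on a staging copy, smoke-test the site, and print per-plugin rollback
# commands if the site breaks. Assumes `wp` (WP-CLI) and curl are installed and
# that the script runs from the WordPress root. The site URL is an argument.
set -eu

# snapshot_plugins OUT: record name,version,status of every installed plugin.
snapshot_plugins() {
  wp plugin list --format=csv --fields=name,version,status > "$1"
}

# rollback_commands SNAPSHOT: pure text transform over the snapshot CSV. Prints
# one `wp plugin install` per plugin that pins it back to the recorded version,
# re-activating the ones that were active. Needs no `wp` to run.
rollback_commands() {
  tail -n +2 "$1" | while IFS=, read -r name version status; do
    extra=""
    if [ "$status" = "active" ]; then extra=" --activate"; fi
    printf 'wp plugin install %s --version=%s --force%s\n' "$name" "$version" "$extra"
  done
}

# smoke_test URL: the front page must answer HTTP 200 and must not carry a PHP
# fatal error or the WordPress "critical error" page.
smoke_test() {
  body=$(curl -sS --max-time 20 -w '\n%{http_code}' "$1") || return 1
  code=$(printf '%s\n' "$body" | tail -n 1)
  if [ "$code" != "200" ]; then echo "front page returned HTTP $code" >&2; return 1; fi
  if printf '%s\n' "$body" | grep -qi 'fatal error\|There has been a critical error'; then
    echo "front page shows an error message" >&2; return 1
  fi
}

# staged_update URL: the whole procedure. Run it in staging first; only repeat
# it in production once it has passed there and a fresh backup exists.
staged_update() {
  snap=$(mktemp)
  snapshot_plugins "$snap"
  # If core files have been modified, stop: do not update over a possibly
  # compromised install, investigate first.
  wp core verify-checksums
  wp plugin update --all
  wp theme update --all
  if smoke_test "$1"; then
    echo "updates applied, site still answers: repeat in production after a backup"
  else
    echo "site broken after update; roll back with:" >&2
    rollback_commands "$snap" >&2
    return 1
  fi
}

# Usage: sh staged-update.sh https://staging.example.com
if [ $# -eq 1 ]; then staged_update "$1"; fi
```

The rollback list is what turns “the site broke” into a two-minute fix instead of a full restore: each line reinstalls the exact previous release of one plugin from the WordPress.org directory, so you can put everything back and then update the plugins one at a time to find the culprit.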
How do I know about new vulnerabilities?
One way to be “in the know” is to join mailing lists that announce newly disclosed WordPress vulnerabilities and new malware variants. I highly recommend joining Wordfence’s WordPress Security Mailing List. That list has saved me some aggravation.
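Knowing about an advisory is only half the job; you still have to check whether the sites you look after run an affected version. The script below is an added example (not from the original post, not Wordfence code) that compares the plugin list a site reports, in the CSV format that `wp plugin list --format=csv --fields=name,version,status,update` prints, against a simple “slug fixed_in” advisory list, and flags every plugin running a version below the fixed release. The plugin slugs, versions and advisories in the sample data are constructed for this example and do not refer to real plugins or real vulnerabilities.

```shell
#!/bin/sh
# Added example, not from the original post or from Wordfence: flag installed
# plugins whose version is below the release that fixes a known advisory.
# Input: CSV as printed by `wp plugin list --format=csv --fields=name,version,status,update`
# and an advisory file with "slug fixed_in" lines. Sample data below is constructed;
# the plugin slugs and advisories are made up for the example.
set -eu

# version_lt A B: exit 0 when A < B, comparing dot-separated numeric parts.
# Missing parts count as 0; a suffix such as "3-beta1" compares as 3 (awk +0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# check_plugins PLUGINS_CSV ADVISORIES: print "slug installed fixed_in status update"
# for every plugin below its fixed version; return 1 if any were found.
# Inactive plugins are reported too: their files are still on disk and reachable.
check_plugins() {
  plugins=$1; advisories=$2
  out=$(tail -n +2 "$plugins" | while IFS=, read -r name version status update; do
    fixed=$(awk -v s="$name" '$1 == s { print $2; exit }' "$advisories")
    [ -n "$fixed" ] || continue
    if version_lt "$version" "$fixed"; then
      printf '%s %s %s %s %s\n' "$name" "$version" "$fixed" "$status" "$update"
    fi
  done)
  if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
  return 0
}

# make_sample DIR: constructed sample input (made-up slugs and advisories).
make_sample() {
  cat > "$1/plugins.csv" <<'EOF'
name,version,status,update
example-gallery,2.3.1,active,available
example-forms,5.0.4,active,none
example-cache,1.9,inactive,none
hello,1.7.2,inactive,none
EOF
  cat > "$1/advisories.txt" <<'EOF'
# slug fixed_in   (hypothetical advisories for this example)
example-gallery 2.4.0
example-forms 5.0.2
example-cache 2.0
EOF
}

# Usage: sh check-plugins.sh plugins.csv advisories.txt   (exit 1 = something to patch)
if [ $# -eq 2 ]; then check_plugins "$1" "$2"; fi
```

On the sample data the script reports example-gallery (2.3.1 is below 2.4.0) and example-cache (1.9 is below 2.0, and being inactive does not make it safe), while example-forms passes because 5.0.4 is already past the fixed release. Feed it the real advisory entries as they arrive on the mailing list and the real `wp plugin list` output from each site, and it becomes the morning check that tells you which sites need an update today.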
Comments – avoid spam comments
Having a comment section on your website is a good way to increase interaction with your users, but some people will use it for their own ends: for instance, to drop links to their sites (the backlink scheme mentioned above), and those links reflect badly on you.
It is your responsibility to remove such spam comments, because they make a poor impression on your visitors. Keep an eye on your comment section, or turn on comment moderation so that nothing appears before you approve it, to maintain a healthy website.
Consider Managed Hosting
If your server has a backdoor, following all of the above recommendations will not be enough, since an attacker can still reach the file system or the database directly.
Using managed hosting will help you take that piece “off your plate”, especially if you don’t have the system administration skillset or the time for it.
A managed hosting company will take care of all the server patching and DDoS mitigation for you, leveraging its know-how across its whole clientele.
Good managed hosting will provide you with daily backup snapshots as well as staging sandboxes where you can perform your mad experiments in private.
We highly recommend WP Engine as a hosting company.
Security plugins are helpful. I highly recommend Sucuri Security. The free version is chock full of features that will harden your installation, and the paid subscription includes additional firewall features.
I usually tell my clients that WordPress is not Microsoft Word, where you just type pages and that’s it. A WordPress website is, in many ways, like your house plant. You need to water it, prune it, give it some sun, etc.
Leaving it alone will just not cut it in the long run.
At Daneli Consulting, we’ll help you minimize the risk of attacks and preserve your reputation. If you do get hacked, please contact us and we’ll help you get out of trouble.