Is your site secure? Since the latest WordPress security vulnerability became known, a number of people have asked us whether WordPress is a safe platform to build a site on. In short, the answer is ‘Yes’. There are a few reasons why it seems WordPress sites are always being hacked, but the main one is that WordPress powers nearly 75 million sites on the internet, and not all of them employ proper security practices. I will cover how to lock down your site later in this article, but first a rundown of what the latest security scare was and what it means for WordPress site owners.
The well-known security firm Sucuri published an explanation of the vulnerability, quoted below:
Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress. The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers to use them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
Sucuri
To correct the issue, many theme and plugin developers had to update products that misused these functions. Some of the most downloaded plugins were affected, including Yoast SEO, JetPack, Gravity Forms and many more. Most plugins were fixed some weeks ago, so there is no need to panic if your site runs these particular plugins, as long as you have installed the updates.
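To make the misuse concrete, here is an added example (not code from the original post, Sucuri or any of the plugins named) written as a tiny WordPress plugin: the function and hook names prefixed qad_ are invented for the illustration, and it assumes it is loaded inside a normal WordPress install.

```php
<?php
/**
 * Plugin Name: Query Arg Escaping Demo (added example, not from the original post)
 *
 * add_query_arg() and remove_query_arg() fall back to $_SERVER['REQUEST_URI']
 * when no base URL is passed, so their return value contains whatever the
 * visitor put in the request URL. It is NOT escaped and must not be printed
 * into HTML as-is; that assumption is exactly the bug Sucuri described.
 */

// Vulnerable pattern: the returned URL is echoed straight into an attribute.
// A visitor-controlled request URL ends up inside href="...", so a crafted
// request can break out of the attribute (reflected XSS).
function qad_unsafe_pagination_link( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . $url . '">Page ' . (int) $page . '</a>';
}

// Corrected pattern: escape for the context the value is printed into.
// esc_url() for href/src attributes; esc_attr() for other attribute values.
function qad_safe_pagination_link( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . esc_url( $url ) . '">Page ' . (int) $page . '</a>';
}

// The same rule applies when stripping arguments with remove_query_arg().
function qad_safe_reset_link() {
    $url = remove_query_arg( array( 'paged', 'orderby' ) );
    return '<a href="' . esc_url( $url ) . '">Reset</a>';
}

// Render only the escaped variants in an admin notice so the output can be
// inspected in the page source. The unsafe function above is kept solely
// for comparison and is never called.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-info"><p>'
        . qad_safe_pagination_link( 2 ) . ' '
        . qad_safe_reset_link()
        . '</p></div>';
} );
```

Passing an explicit, trusted base URL as the last argument (for example one built with admin_url()) avoids the dependence on REQUEST_URI, but the result still needs esc_url() before it is printed.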
To make sure your site does not fall victim to this vulnerability, it is crucial that all themes, plugins and the WordPress core itself are up to date. Before applying these updates, take a full backup of your site in case something breaks. This point cannot be stressed enough.
Site security should always be on the minds of site owners. Many people think their site will never be attacked, but even a low-traffic site is hit daily by bots trying to force their way into the WordPress admin panel. This information is not meant to scare you, but simply to make you aware of the kinds of threats that are out there.
So how do we make sure your site is protected?
The good news is there are a few things you can do to make sure your site is as protected as possible. We say ‘as possible’ because a website can never be 100% safe. So let's break down what can be done.
Choose a good hosting provider
The saying ‘You get what you pay for’ couldn’t be more true when it comes to hosting. Did you know that 41% of successful WordPress hacks were due to hosting? That is a surprising number, so it pays to do your homework and research before deciding on a provider. I’m not saying you need to buy the most expensive hosting package out there, but be careful and don’t assume you are getting a great deal at $3 a month.
Install a security plugin
There are some great plugins (both free and paid) that add many useful security features to your site. Our personal favourite is iThemes Security, as it is powerful and lightweight while offering many features. There are two versions available, free and premium, and the free version will do most of what you need. The best feature of iThemes Security is the ability to scan your WordPress core, plugin and theme files for suspicious-looking code that shouldn’t be there. Other security plugins worth mentioning are Wordfence and All in One WP Security and Firewall.
Backup and restore plugins
In the past I have had people contact me about their recently hacked site asking me to restore it to its former glory. The truth is that without a backup this is nearly impossible to do without rebuilding it. Often when hackers get into a site they will take whatever information they can and then sometimes start deleting files and assets off the server. Once files are removed from the server they cannot be recovered unless there is a site backup. Most often your hosting provider will take a nightly backup of the server, but they usually keep only the most recent 7 days. This may sound all well and good, but what if the piece of malicious code responsible for the hack had been lying dormant in your site for a month? All of their backups would still contain the culprit, and you would have the same problems all over again.
A great way to avoid this scenario is to install a backup plugin and keep copies of your site on an external hard drive or your computer. As a rule of thumb I take a nightly backup of the site database and a weekly backup of all site files and assets. If you run an online store or a site that adds new content daily, I would recommend nightly backups of both files and database. Be sure to schedule these backups for a time when your site has low traffic, as the backup will put extra load on the server and may affect the viewing experience for your visitors.
I personally use UpdraftPlus Backup and Restoration because, as well as scheduling automated backups, it can push the backups to third-party storage services like Dropbox. There is no point keeping all your backups on the server if you cannot access the server after it has been hacked.
Updraft also has the ability to restore your site from previous site backups and the best part is it’s completely free with the option to upgrade for other premium features.
Secure your site files with .htaccess
A .htaccess file can be a powerful tool in your hosting environment. It provides a set of rules that tells your server how to handle directory indexing and which files may be accessed directly. These rules help stop attackers from directly reaching or tampering with files in your WordPress core, plugins and themes. This file can be a little technical, and without the right knowledge it can break your site altogether. I recommend getting a developer to check over your .htaccess file and make sure it is configured properly for your WordPress setup. SevenDev provides this as a service for $100 AUD.
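As an added illustration (not taken from the original post or from SevenDev's service), here is a .htaccess fragment for the WordPress site root that does the two things described above: it turns off directory indexing and blocks direct web access to files that a browser never needs to request, using the rewrite rules published in the WordPress Codex hardening guide.

```apache
# Added example: .htaccess hardening for a WordPress site root.
# Place these rules ABOVE the "# BEGIN WordPress" block and test on a
# staging copy first; a typo here returns a 500 error for every page.

# Stop Apache listing directory contents when no index file is present.
Options -Indexes

# Block direct web access to wp-config.php and to .htaccess files themselves.
# Apache 2.4 uses Require; the fallback keeps Apache 2.2 hosts working.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block direct requests to PHP files in wp-admin/includes and wp-includes.
# WordPress loads these itself; a browser never needs to call them directly.
# The TinyMCE rule is skipped for a reason: WordPress does fetch some of
# those assets directly, so only its langs/*.php files are blocked.
# Note: the first rule breaks WordPress Multisite; remove it on such sites.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

A companion .htaccess in wp-content/uploads that denies requests for *.php with the same FilesMatch/Require pattern stops uploaded files from ever being executed, which is where a compromised site is most often used to plant code.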
Well that’s it for now. If your site is using these few techniques you are giving your site the best possible chance against an attack. Remember, it’s not good enough to just prevent an attack - you also need to be able to recover from one. There are a ton of other security tips that can harden up your WordPress site but that will be covered in a future post.
If you want your site to have all these great features, but are unsure how to do it yourself, feel free to contact us and we can make sure you are protected. We offer great services at even better prices.