Pearls of wisdom
WordPress and security issues
The increase in episodes of website hacking is leading many to conclude that there’s a big problem with WordPress and security. However, the situation isn’t down to problems with WordPress itself, but rather to site owners’ lack of knowledge and also their expectations!
Promoted as a “cost-effective” solution that makes adding content and images a breeze, WordPress can seem the perfect website solution. In fact, there are many companies out there who’ll have you up and running with a WordPress website for a few hundred pounds.
Or, if you’re willing, or just hard up, you can do the job yourself, setting up your own absolutely free WordPress website (apart from the hosting costs).
Who’s to blame for security issues with WordPress?
We live in a culture where we like to find someone or something to blame when things go wrong and this is a common scenario in a situation where a WordPress website has been compromised.
First off, you could blame the web developer, especially if you’ve paid for a shiny, ‘up and running’ site where all you need to do is add and edit content. Or, you might blame the hosting company: surely it’s their job to keep sites secure on their servers? Realistically, hosting companies can’t be held responsible for problems that are actually caused by the owners of individual sites on their servers.
Faced with a security breach and a site being compromised, it’s an easy way out for the website developer to blame the hosting company. After all, the issues will most likely have occurred from within the hosting environment, rather than as a result of a direct action by the site owner or web developer.
In my opinion, website developers who set people up with WordPress websites without explaining the associated risks and the level of owner care required should really shoulder some of the blame when a site gets compromised. It’s not just a case of being told about possible issues (forewarned is forearmed, etc.); adequate training (a minimum of 5 or 6 hours), delivered along with the keys to every new high-performance WordPress website, is sadly lacking.
I’m now going to briefly cover 3 basic security aspects WordPress site owners should be aware of if they want to avoid their sites being compromised. The percentages illustrated below, with reference to Hosting, Themes and Plugins, are, in my opinion, representative of the importance I attach to site owner responsibility in minimising the possibility of security compromises.
Appropriate hosting for the website you are running is as important as knowing what fuel to put in your car. We all know what happens when the wrong fuel is put into a car’s tank, but there’s little awareness of the possible adverse impact of choosing the wrong website hosting option.
Cheap hosting is like a cheap airline trip: it’s a no-frills flight, all crammed in together. If you’re paying under £15/month for website hosting you’re likely to be on a shared server, with potentially many hundreds of other sites occupying hosting space directly next to, behind and in front of yours.
If there’s a problem on the Server, security-wise, it could affect more than just one site because they’re all on there together – does that make sense?
So, you may have done all you should be doing to keep your WordPress website secure, but your neighbours aren’t and the Server space is a communal environment.
A VPS (virtual private server) is really the basic requirement for hosting a WordPress.org website. It is still shared hosting, but this time everyone has their own room, with their own front door. The important thing you need to ask about is whether the VPS is a ‘Managed Server’ (actually managed by a ‘real’ person).
Too many website sales companies are now taking on a VPS, but minus the ‘managed’ option, which costs considerably more than running an unmanaged VPS. Many website/marketing companies who take on a VPS server then sell hosting space to their website owner clients.
You, as the potential website owner, need to ask the question “Who manages the server” and expect to receive details such as the identity of the person who manages the server and where they and the server are located.
In terms of ‘best practice’ and security, a web hosting Server needs to be located in a secure, dedicated Server building (simple as that).
Your chosen WordPress theme contains a set of rules that govern things associated with layout: it’s all about colours, fonts, spacing, etc. What’s amazing about using something like WordPress is the ability you have at your disposal to change the look of your site quickly and easily by choosing any one of thousands of different themes.
However, the important thing to remember is to make sure you choose ‘quality’ themes. This doesn’t mean you have to pay for a theme, in fact there are many really good quality ones that come for free, but only use these if they are listed in the theme selection option from within the WordPress Admin area. Do not (DO NOT) use free themes that you find online, as they may be the cause of future grief.
Secondly, if you’ve been provided with a theme, designed just for you, it’s likely to have been based on an already existing theme the developer has sourced from somewhere. Too often people are charged for ‘custom themes’ which are in fact more or less copies of some basic and often free theme the developer has sourced.
You get what you pay for, generally, so if you’ve got a ‘custom theme’ and your site only cost you a few hundred pounds then it’s probably unrealistic to expect you’ve got a theme that’s unique, developed from scratch, just for you!
The issue with themes is that they need to be ‘supported’ and regularly updated by the developer, in line with the ongoing security updates WordPress rolls out. If your theme isn’t being maintained then, over time, you’re essentially contributing to security vulnerabilities developing (rather like holes appearing in fabric as it gets too thin).
Custom themes based on free themes that are available from within the WordPress Admin area, such as Twenty Twelve, Twenty Thirteen etc., are absolutely fine, so long as they are set up properly as a ‘child theme’, so that any updates applied to the parent (the source of the theme) are passed on to the child without overwriting your customisations.
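To show what ‘set up properly as a child theme’ actually means, here is an added example (not code from this post, and not part of any WordPress theme) of a child of the bundled Twenty Twelve theme. The child theme directory name, theme name and style handles are assumptions for the example; the parent’s directory name, twentytwelve, is what WordPress matches against.

```php
<?php
// Constructed example: wp-content/themes/mysite-child/functions.php
// (directory name assumed). A child theme needs two files:
//
//   style.css  - its header must name the parent's directory:
//                  Theme Name: My Site Child
//                  Template:   twentytwelve
//   functions.php - this file; it is loaded IN ADDITION to the
//                  parent's functions.php, not instead of it.
//
// Because all customisations live in the child, the parent (Twenty
// Twelve) can keep receiving updates from WordPress without any edits
// being lost. Editing the parent's files directly would be undone by
// the next update, so it is the wrong place to customise.

add_action( 'wp_enqueue_scripts', 'mysite_child_enqueue_styles' );

function mysite_child_enqueue_styles() {
    // Load the parent's stylesheet first ...
    wp_enqueue_style(
        'twentytwelve-parent',
        get_template_directory_uri() . '/style.css',   // parent dir
        array(),
        wp_get_theme( 'twentytwelve' )->get( 'Version' )
    );
    // ... then the child's style.css, which overrides the parent's rules.
    wp_enqueue_style(
        'mysite-child',
        get_stylesheet_directory_uri() . '/style.css', // child dir
        array( 'twentytwelve-parent' ),
        wp_get_theme()->get( 'Version' )
    );
}

// Any template file (e.g. header.php) copied into the child directory
// takes precedence over the parent's copy of the same file, so layout
// changes also survive parent updates. Nothing else is required.
```

Once the child is activated in Appearance > Themes, the WordPress Admin area keeps offering updates for Twenty Twelve as normal, and applying them no longer risks wiping out the site’s customisations.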
I could write a lot about Plugins and security issues, which I may well do in a later post. Suffice to say, these are the cause of many a hacked site, due to lack of support by the Plugin developer, which results in the same outcome as for themes when they’re not updated.
Plugins that are supported need updating regularly, and site owners are notified of the need to do this from within the WordPress Admin area. However, it’s common that either the updates aren’t done because no-one’s checked into the site for a while, or people are afraid that if they ‘update’, something might go wrong (so best leave well alone).
There’s also much bad practice out there from companies supplying clients with WordPress websites. These companies sell WordPress sites all set up and ready to roll for a few hundred pounds, with a suite of Plugins they install. It all looks good, but they don’t realise, or don’t care, that some of the Plugins may not be compatible with the latest version of WordPress. True, the Plugin developer may soon update things, but then again…
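For the ‘no-one’s checked into the site for a while’ problem above, WordPress can be told to apply plugin and theme updates itself rather than waiting for someone to log in. The following is an added example (my illustration, not part of this post or of WordPress itself); the must-use plugin file path and the plugin slug it excludes are assumptions.

```php
<?php
// Constructed example: wp-content/mu-plugins/auto-updates.php (path
// assumed). Files in mu-plugins load on every request and cannot be
// switched off from the Admin area, so the policy survives a careless
// click on "Deactivate".
//
// Core updates are configured separately, in wp-config.php:
//   define( 'WP_AUTO_UPDATE_CORE', true );
// (the default applies minor/security releases only).

// Apply plugin and theme updates automatically, using the same update
// notices the Admin area shows, without anyone having to check in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );

// Exception list: plugins the owner wants to test on a copy of the site
// first because an update once broke something. Everything else still
// updates on its own. The slug below is a placeholder, not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_by_hand = array( 'example-plugin/example-plugin.php' );
    if ( in_array( $item->plugin, $update_by_hand, true ) ) {
        return false;   // leave this one for a manual update
    }
    return $update;     // otherwise keep the automatic decision
}, 20, 2 );
```

This only helps with plugins and themes whose developers still publish updates; an abandoned plugin never gets an update to apply, and the only fix for that is to replace it.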
Just as with other things we buy in life, you’re best advised to do some research before you purchase. Entering the world of websites requires a high degree of ‘buyer beware’.
Unfortunately, in the territory of websites the environment does tend to be rather murky, populated with many one-eyed people (“in the land of the blind, the one-eyed man is King”).
Getting help with WordPress
I hope you’ve found this brief overview of WordPress security helpful. I could go into much more detail, but you’d probably have glazed over!
I train business owners to use WordPress. I write and deliver courses for the eBusiness club on working with WordPress. I set up WordPress websites for clients and help them develop their site layout and content.
If I can help you get the best out of a WordPress website, please get in touch and we’ll have a chat to see how I might best be of assistance.
Other posts that may be of interest
Why isn't WordPress more secure?
Actually, as a package WordPress doesn’t have inherent security problems and is frankly pretty fabulous as a website platform.
Clean, lean coding makes the potential of having a WordPress website the equivalent of owning a finely tuned sports car with beautiful lines.
However, just as you really need to know what you’re doing when driving a performance car, if you want to avoid having a crash, you need to get informed about what’s important to know when running a website on the WordPress.org platform.
Know it or not?
Did you know that WordPress security guideline recommendations, published on their website, run to about 12 pages?
The majority of people with a WordPress website aren’t aware of the security issues associated with running any database driven website.
Many think that security aspects, in respect of their website, shouldn’t be their problem. Any ‘fault’ lies with the Developer, the Hosting Company or WordPress itself. I’m afraid this is wrong!
Why websites get hacked
Because they can be, but don’t take it personally!
Hacking is not generally about specific targeting, just mass targeting to find websites that are vulnerable, often through simple things such as Themes and Plugins not having been updated.
Attacks on hosting servers happen all the time; it’s like an ongoing battle against aliens.
Picture hundreds, if not thousands, of little meteors hitting the Server at all hours of the day and night – this is just the way it is these days, so it seems.
What WordPress is doing to help website security
Recently, WordPress has included a suggested Password, to encourage site owners to appreciate the complexity of password required to avoid site security breaches.
Some time ago WordPress introduced automatic updates of the WordPress version itself, which work well for many installations.