One service we automatically do for our clients whose sites we maintain is to make sure that everything is up-to-date. We check the WordPress sites we manage daily to make sure that there are no issues.

The reason this is important is that, much like you get spam calls to your phone, there are ‘spam’ calls to your site. These ‘calls’ come from various parts of the world. You may know the term ‘hacking’, which refers to any individual who works to gain unauthorized access via technology. While not all hackers are bad (white hat, black hat, and gray hat are all terms used to describe the different kinds of hacking), some purposefully try to cause harm to a site. That is why it is so important to maintain your site by keeping it updated and current.

We do our best to keep up-to-date on the various issues found and updates required. Whether a plugin is out-of-date and needs to be replaced, or a plugin requires an update due to a vulnerability found (generally by a hacker/security/IT person), we work hard to check daily to be sure our managed sites are in good shape.

If you maintain your own site, make sure you are keeping your plugins up-to-date! Both Wordfence and iThemes send out monthly reports and updates on vulnerabilities that are found, who found them and whether they have been fixed. Unfortunately, though, not all authors address the issues immediately once they are discovered.

The five most common security issues are:

  1. Brute Force Attacks
  2. File Inclusion Exploits
  3. SQL injections
  4. Cross-Site Scripting
  5. Malware

Brute Force Attacks are just like they sound. Imagine someone kicks at your door. They keep kicking until they find the weakness that breaks the door open. The cause can be something as simple as forgetting to lock the deadbolt, or the door being hollow core instead of solid. When it comes to WordPress websites, the door is your login page, where someone tries out usernames and passwords (guessing them) in order to get into the back end of your website. They will keep doing this until they finally gain access.

Some options are: install a security plugin (such as Wordfence, iThemes, Sucuri, etc.), which can limit the number of login attempts someone is allowed, time them out after too many failures, and/or blacklist that IP address. NEVER use “admin” as your username. Change the location of your wp-login page. Make sure you have a strong password. (Also, WordPress now has two-factor authentication, allowing you to take your security a step further.)
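To show what the “limit login attempts” feature of a security plugin is actually doing under the hood, here is a small WordPress must-use plugin written for this post as an added illustration (it is not code from Wordfence, iThemes or Sucuri, and not something the post itself included). It counts failed logins per visitor address in a transient and, once the count reaches a limit, refuses further attempts for a cooling-off period. The limit of five attempts and the fifteen-minute lockout are assumed values chosen for the example; the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (added illustration)
 *
 * Hypothetical minimal plugin: count failed logins per IP address in a
 * transient and refuse further attempts for a cooling-off period once the
 * limit is hit. Copy into wp-content/mu-plugins/ to load it.
 * The two limits below are assumptions for illustration only.
 */

const EXAMPLE_MAX_ATTEMPTS    = 5;       // failed logins allowed per window
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60; // how long the address stays locked out

/** Build a transient key for the visitor's address. */
function example_lockout_key() {
    // REMOTE_ADDR is what PHP sees. Behind a proxy or CDN you must configure
    // the real client IP first, or every visitor shares one counter.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'example_login_fail_' . md5($ip);
}

/** After each failed login, increment the counter for this address. */
function example_record_failed_login($username) {
    $key      = example_lockout_key();
    $attempts = (int) get_transient($key) + 1;
    // Each failure restarts the window, so hammering the form extends the lockout.
    set_transient($key, $attempts, EXAMPLE_LOCKOUT_SECONDS);

    if ($attempts >= EXAMPLE_MAX_ATTEMPTS) {
        // Leave a trace for the site owner; a full plugin would also notify or block upstream.
        error_log(sprintf('Login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts, $username));
    }
}
add_action('wp_login_failed', 'example_record_failed_login');

/** Refuse the attempt if the address is locked out, even if the password is right. */
function example_block_locked_out($user, $username, $password) {
    $attempts = (int) get_transient(example_lockout_key());
    if ($attempts >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a correct password during a lockout still gets the error, not a session.
add_filter('authenticate', 'example_block_locked_out', 30, 3);

/** On a successful login, clear the counter so an earlier typo does not linger. */
function example_clear_on_success($user_login, $user) {
    delete_transient(example_lockout_key());
}
add_action('wp_login', 'example_clear_on_success', 10, 2);
```

Real security plugins add what this sketch leaves out: blocking at the web-server or firewall level so the lockout does not even reach PHP, notifying the site owner, and handling sites that sit behind a proxy where the visitor address has to be read from a trusted header. The point here is simply that “limit login attempts” is a counter plus a cut-off, not magic.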

File Inclusion Exploits: WordPress is written in PHP, and PHP code is often attacked to gain access to important files, which can in turn let someone get at all your files. Think of a file cabinet or safe that holds important documents but isn’t locked. In order to ensure the safety of your documents, all you have to do is turn the key or spin the dial. The best prevention: having a security plugin installed that is up-to-date. There are several ways to make sure your important “core” files are locked up. The easiest method is to install a security plugin and let it do all the hard work for you. Some security plugins are easier to set up than others; just do your research and find one that has great ratings and is user-friendly.
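For readers who want to see what a file inclusion problem looks like in PHP rather than in the file-cabinet picture, here is an added example written for this post (it is not code from the post or from any plugin it mentions). A page-template loader that builds the path to include from a request parameter lets the request decide which file runs; the hardened version only accepts the parameter as a key into a fixed list of its own files. The `templates/` folder and the page names are assumptions for the example.

```php
<?php
// Added illustration of the "file inclusion" issue, with the weak pattern
// shown only for contrast next to the fixed one. Paths and names are assumed.

// --- Vulnerable pattern (do not deploy): the request value becomes part of the path. ---
function load_template_unsafe() {
    $page = $_GET['page'] ?? 'home';
    // Whatever string arrives in ?page= is spliced into the filename that PHP runs.
    include __DIR__ . '/templates/' . $page . '.php';
}

// --- Hardened pattern: the request value is only ever a key into an allowlist. ---
function load_template_safe(string $requested): bool {
    // The only files this loader will ever include, fixed in code.
    $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        // Unknown page: refuse rather than guess. Log it; repeated odd values
        // here are worth a look in the access log.
        http_response_code(404);
        error_log('Rejected template request: ' . substr($requested, 0, 80));
        return false;
    }

    // The path is built from our own table, never from the request string.
    include __DIR__ . '/templates/' . $allowed[$requested];
    return true;
}

load_template_safe((string) ($_GET['page'] ?? 'home'));
```

The same idea applies anywhere a plugin or theme turns a URL or form value into a filename: keep a list of the files you mean to serve and look the value up in it, instead of sanitizing the value and hoping nothing slips through. Keeping PHP and your plugins updated matters for the same reason; this class of bug is what many plugin security releases fix.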

SQL injections: Hello database! PHP is not just used by WordPress. There are other sites out there that use PHP, ASP, and other coding languages. The thing they have in common? Databases. Databases are the place you store your information. (The file cabinet or the safe.) SQL injections are like placing a mouse into the file cabinet and letting it have free run of the inside. It will chew on the papers, leave mouse droppings, and cause other malicious chaos – not only corrupting one piece of paper but many files. Let’s not think about what happens if it decides to have a litter, which then leaves that drawer and infects the other drawers and anything else it can get into. Finally, think about the “mice” (injections) leaving the file cabinet altogether and infesting other file cabinets!

Cross-Site Scripting (XSS): Sometimes, you may receive an email that says you need to reset or change your password, and it offers you a friendly link to help. So, you click on that link, which takes you to a form. The form asks you for all your pertinent information to make you “safer,” and the next thing you know, you are dealing with some form of identity theft or missing money. Sure, this may be extreme, but cross-site scripting is just that. It is a way that someone gets into a form and infects it to steal your information. It is not just on a site but can be sent in an email. Too many people fall victim to this.
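The SQL injection and cross-site scripting sections above both come down to the same habit in plugin code: never paste what a visitor typed straight into a database query or straight into the page. The example below was written for this post to show both at once (it is not code from the post or from WordPress itself). It is a tiny search feature for a made-up `example_notes` table: the weak version is kept only for contrast, and the fixed version uses `$wpdb->prepare()` so the search term cannot change the query, and `esc_html()` / `esc_attr()` so a stored title cannot run in the visitor’s browser. The table, column and function names are assumptions.

```php
<?php
/**
 * Added illustration (not from the post): keeping user input out of the SQL
 * query (SQL injection) and out of the page markup (cross-site scripting)
 * in a WordPress plugin. The table and column names are assumed.
 */

// --- Weak version (do not deploy): the term is pasted into SQL and into HTML. ---
function example_search_unsafe($term) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_notes';
    // A term containing a quote character changes the meaning of this query.
    $rows = $wpdb->get_results("SELECT title FROM {$table} WHERE title LIKE '%{$term}%'");
    foreach ($rows as $row) {
        // A stored title containing markup is sent to the browser as markup.
        echo '<li>' . $row->title . '</li>';
    }
}

// --- Fixed version: prepare() for the query, esc_html() for the output. ---
function example_search_safe($term) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_notes'; // our own value, not user input

    // esc_like() escapes the LIKE wildcards % and _ so they match literally;
    // prepare() then quotes the whole pattern as a single string parameter.
    $pattern = '%' . $wpdb->esc_like($term) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare("SELECT title FROM {$table} WHERE title LIKE %s", $pattern)
    );

    $html = '';
    foreach ($rows as $row) {
        // esc_html() turns <, >, &, " and ' into entities: the title is shown, not executed.
        $html .= '<li>' . esc_html($row->title) . '</li>';
    }
    return $html;
}

// Shortcode [example_search] renders the form and results. The submitted term is
// unslashed and trimmed on the way in, and escaped again on the way out.
function example_search_shortcode() {
    $term = isset($_GET['q']) ? sanitize_text_field(wp_unslash($_GET['q'])) : '';

    // esc_attr() is the right escaper inside an attribute value; esc_html() is for text nodes.
    $form = '<form method="get">'
          . '<input type="text" name="q" value="' . esc_attr($term) . '">'
          . '<button type="submit">Search</button></form>';

    $list = ($term === '') ? '' : '<ul>' . example_search_safe($term) . '</ul>';
    return $form . $list;
}
add_shortcode('example_search', 'example_search_shortcode');
```

Notice that the fix is not “filter out bad characters”: the query is built with a placeholder so the database driver handles quoting, and the output is escaped for the exact spot it lands in (attribute versus text). Plugins that skip either half are what the vulnerability reports from Wordfence and iThemes are mostly about.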

If you receive an email like this, don’t click on the link – go to the website address it gives you on your own. This way, if it is a “phishing” expedition, you won’t inadvertently give away your information. If it isn’t, then your site will let you know that you really need to do these things. The vast majority of the time, it is just someone trying to get your information. Statistically, 84% of the time. That is a huge percentage. Most financial institutions will never ask you in an email for your information. If you need to reset your password, they don’t need ALL of your information to do it. When in doubt, just call or go in to find out if they need the information.

Malware:  Ahhh malware. Malware is the octopus of attacks. It has many versions of itself and how it can attach to your life.

Sometimes it comes in through a backdoor (an unseen vulnerability in code, weak passwords, etc.); through “drive-by” downloads, where a virus is downloaded when you unwittingly click on a pop-up link (perhaps saying your computer needs to be scanned) or open a .zip or .exe file that was emailed to you; through pharma hacks and exploits in WordPress itself, which create issues that only search engines can see (and can get your site blacklisted!); and through malicious redirects, where you click on a link that is supposed to take you to one site but you end up somewhere else instead. Note: Make sure you have a virus scanner on your computer. Windows Defender comes automatically with Microsoft Windows. There are other programs out there as well. If you do download a file, you can right-click on it and run a scan. There are other programs, such as Malwarebytes, that can scan your computer for malware and work in conjunction with your virus programs. Always make sure your programs are up-to-date.

Unfortunately, there are a lot of things out there that can cause problems for your site. Fortunately, they are mostly preventable and/or fixable. Keeping your site up-to-date, adding a security plugin, and making sure your passwords are strong (and ones you can remember) are extremely important, yet they are all simple things to do. Back up your site regularly, in case you have issues and need a clean install or a fresh WordPress install and don’t want to lose all your information.
