Securing a website in this day and age (even a small one) is becoming increasingly difficult. And if you’re using WordPress, you might as well have a big old bullseye on your back. Between nefarious people and relentless bots, every minute of every day has become a battleground.
The truly stunning part of this is that you can pretty much do all of the right things and still end up with a hacked site. Go ahead and keep your plugins and theme updated. Run a security plugin or put up other barriers to entry. Do all of that and you may still find yourself in a compromised position.
Just recently, I found this hard fact out for myself. I helped a colleague with a site that faced numerous issues – despite our thought that we were doing things the “right way”. It inspired me to sit down and think about the experience. With that, here are some thoughts about what I’ve learned and some theories as to further steps we can take to better secure a WordPress website.
The Past Can Haunt You
WordPress core, plugins and themes all have their own security flaws. The core usually gets patched up quickly, while you hope and pray that plugins and themes get the same type of treatment. But as we’ve seen, plugging holes is not always enough.
If your site was built a few years ago, you may have been subject to vulnerabilities that you didn’t even know about. Maybe they were patched…or maybe not. Even if the issue has been fixed, your site may well have been exposed for a period of time until you installed a patch or removed an item altogether. What happened in the time between? You may not find out for quite a while.
For example, while sifting through that troubled site I mentioned earlier, malicious files were found in the /wp-includes/ directory. Each was a .php file that mimicked the name and modified date of another legitimate file in that directory. Now, it’s possible that the files were somehow backdated to make it look like they had been there all along. But taking it at face value, it would seem that we had a case of dormant malware. Much like a computer virus that delivers some payload on a specific date and time, this malicious code may have “received the call” to go into action.
The point is that just potentially having the wrong plugin installed at the wrong time can give you headaches well into the future. Staying updated is a great strategy, but it’s not foolproof. Just seeing the handful of plugins intentionally distributing malicious code recently shows that you’re in a catch-22.
An Ever-Changing Landscape
If asked, I think that many of us would say that we’re better at our job now than we were even a few years ago. We learn, evolve and apply that new knowledge to our work. As such, our choices when building a website evolve as well. The tools and techniques we use are rarely the same year after year.
WordPress and its ecosystem go through this same process – but at a much faster pace. Yesterday’s must-have plugin can turn to dust tomorrow. A single clunky update can send users away in droves.
So a site you built a few years ago and handed off to a client could well be running plugins you wouldn’t think of using today. As the old saying goes: “Out of sight, out of mind.”
It takes some measure of vigilance to ensure that you’re not only using the latest versions, but also replacing items that are no longer the best choice. Unfortunately, that type of constant attention isn’t always practical for many designers. We don’t always have the time and clients don’t always have the budget to devote to this. Not to mention the fact that replacing a plugin can be a pretty big undertaking in some cases. A theme can be even more difficult.
In reality, the whole thing is like a giant game of whack-a-mole. Sometimes it seems like your only defense is to stand at-the-ready with mallet in hand, ready to smack the next critter that pops up. There’s got to be a better way.
What More Can We Do?
So we regularly apply updates and put extra security measures in place. We use strong passwords and try to make unauthorized access of our site as difficult as possible. Yet, we still face constant attacks – some of which get through.
I admit that I’m not the foremost expert on security. But I do have some thoughts on further steps we can take to keep our sites clean of malware and the like. Maybe some are a bit harebrained, but my hope is to spark discussion as opposed to saving all of mankind.
A plugin audit is something we can do ourselves and actually charge clients for. The idea is to routinely (maybe 2-3 times per year) look at which plugins are installed and weed out the potentially problematic ones. Look for plugins that are considered abandoned (with no updates for at least two years) or removed from the WordPress Plugin Repository altogether. Then, make replacements when necessary.
Access to Better Information
Even better would be a large-scale service that keeps us informed as to which plugins are old/malicious/removed. Developers and site owners could greatly benefit from having this kind of resource at our fingertips. Just knowing what’s happening within the WordPress ecosystem can help us avoid further problems.
Make Wiser Decisions
We often make what we feel are the best decisions at that particular time. But we can do better. For instance, choosing a plugin is often about finding the quickest solution to a problem. But the quickest solution isn’t always the best one. Vetting plugins for their quality should be as important as vetting them for their functionality. We won’t always get it right, but looking at changelogs and support forums can be a big help in making decisions.
Understand the Game
When we launch a freshly-built site, that doesn’t mean that our work has ended. To keep things secure, we must continue to pay attention to what’s going on. Part of that may be using automated security plugins that email us when something’s wrong. But it’s also about manually taking a look around every once in a while. Review the WordPress dashboard and also look through the site’s file structure to search for anything suspicious.
I’d like to think that most web hosts make security a top priority. But that doesn’t mean there isn’t room for improvement. From my own experience, it seems like hosts are often reactive to issues after they’ve occurred. I believe we could benefit from hosts that are more proactive in their approach to security. For example, they could alert clients to the latest security threats and explain how to harden a site against them.
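Because look-alike files in /wp-includes/ can copy a legitimate file’s name pattern and modified date, a manual review is more reliable when it compares file contents against a known-good list instead of trusting names or timestamps. The sketch below is an added example, not code from the site discussed here: the function names, file contents and manifest are constructed for illustration, and a real manifest would come from a trusted copy of the same WordPress version.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """Hash file contents; the file's name and timestamps play no part."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def audit_core(root, manifest, core_dirs=("wp-includes", "wp-admin")):
    """Compare core dirs under root with manifest {relative path: MD5 hex}.
    Returns sorted lists: (unexpected, modified, missing)."""
    seen, unexpected, modified = set(), [], []
    for core_dir in core_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                seen.add(rel)
                if rel not in manifest:
                    unexpected.append(rel)   # file core never shipped
                elif md5_of(full) != manifest[rel]:
                    modified.append(rel)     # shipped file, changed contents
    missing = [p for p in manifest
               if p.split("/")[0] in core_dirs and p not in seen]
    return sorted(unexpected), sorted(modified), sorted(missing)

def demo():
    """Constructed install: one look-alike file and one altered core file."""
    good = {"wp-includes/class-wp-query.php": b"<?php // query\n",
            "wp-includes/version.php": b"<?php // version\n"}
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in good.items()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        for rel, content in good.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        # Constructed look-alike whose mtime copies a legitimate neighbour.
        real = os.path.join(root, "wp-includes/class-wp-query.php")
        fake = os.path.join(root, "wp-includes/class-wp-querys.php")
        with open(fake, "wb") as fh:
            fh.write(b"<?php // constructed stand-in\n")
        os.utime(fake, (os.stat(real).st_atime, os.stat(real).st_mtime))
        with open(os.path.join(root, "wp-includes/version.php"), "ab") as fh:
            fh.write(b"// constructed change\n")
        return audit_core(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The look-alike file is reported even though its modified date matches its neighbour, because the comparison never reads timestamps. On a live site, WP-CLI’s `wp core verify-checksums` command performs a comparable check against the checksums WordPress.org publishes.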
Lastly, it’s important to train clients on the do’s and don’ts of WordPress. If they access the back end of the site, they should know the potential risks of installing plugins or giving their account information to others. They have a big role to play in keeping their own site safe and sound.
Always a Target
WordPress is so widely used that it’s no wonder it has become a target for hackers. Unfortunately, this is something that comes along with all of that great success.
Because of that, we all need to level up when it comes to our security practices. Ideally, that means regular site checkups and, most importantly, access to critical information. Knowledge is the key to any challenge. Without it, we’ll be forever stuck playing that carnival game.