I’ve lost count of the number of times we’ve met new clients because their WordPress sites have gone down. In many respects it has opened the door to some wonderful relationships and opportunities, but does this mean that WordPress isn’t good?
No! WordPress is awesome and allows companies of all sizes to benefit from its powerful capabilities that are unmatched by any other CMS on the market.
So what’s the problem I hear you ask?
WordPress is a CMS, but its functionality can be extended through plugins and custom themes, which can be installed with the click of a button from within its admin user interface. This clever functionality allows companies to bootstrap different types of business models outside of the CMS spectrum without any technical knowledge whatsoever.
What risks derive from Themes or Plugins:
Plugins can carry risks and vulnerabilities, not because the marketplace allows malicious code to be released to millions of unsuspecting users; it’s usually down to coding practices and loopholes overlooked by theme/plugin developers, which can have a domino effect. Once a vulnerability is exposed, it’s quite a straightforward process to find thousands of other WordPress sites that are using the same plugin or theme; one popular technique hackers use is called “dorking”.
Risks associated with configuration:
Setting up a WordPress website is a piece of cake; it’s so easy that just about anyone can create one without hiring developers. The problem in this scenario is that, because setup is so easy, the person installing WordPress may have no experience with basic security such as file permissions or web server configuration, and as a result important, yet basic, security is overlooked.
It’s fair to say this isn’t an isolated WordPress problem: virtually every application has the potential to succumb to the risk of being hacked if it’s not correctly configured. WordPress powers more than 75 million websites, so it’s likely to get the brunt of the bad press when it comes to websites being hacked, whatever the cause.
2. Keep your plugins and WordPress up to date.
3. When you install WordPress on to your server, be sure to set the file and folder permissions correctly; details of how to do this can be found on the Official WordPress Website.
4. Directory listing is disabled in the web server configuration, and it’s important that it is switched off so that hackers can’t see the files or folders on your server.
TIP: To check if your web folders are exposed to the public, simply open a web browser and type: http://yourwebsite.com/wp-content/uploads – try replacing “uploads” with “plugins” too. If your web browser shows you a list of files, you should have someone look into it immediately.
5. Harden WordPress using .htaccess – if you’re wondering what this is, don’t worry: we’ve created a few .htaccess files that you can use to protect your WordPress site, click here to get them.
6. Installing an SSL certificate is pretty important these days, not just to protect your users and visitors to your website but because it contributes towards better search engine visibility as well.
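As an added illustration of items 4 and 5 (this is not one of the .htaccess files linked above, just an example written for this post), here is a minimal .htaccess for the WordPress document root that shows the weak directory-listing setting beside the hardened one and blocks direct requests for wp-config.php. It assumes Apache 2.4 syntax (`Require all denied`) and that the server’s `AllowOverride` permits `Options` and `FileInfo` in .htaccess; the backup-file patterns are an assumption of what editors typically leave behind.

```apache
# Example .htaccess for the WordPress document root (added example, assumes Apache 2.4).

# WEAK: directory listing on. Browsing /wp-content/uploads/ or /wp-content/plugins/
# then shows every file, revealing exactly which plugins and themes are installed.
# Options +Indexes

# HARDENED (item 4): turn directory listing off for this whole tree.
Options -Indexes

# Deny direct web access to wp-config.php, which holds the database credentials.
<Files "wp-config.php">
    Require all denied
</Files>

# Hide .htaccess/.htpasswd themselves and common editor backup copies
# (the .bak/.orig/.swp patterns are an assumption, extend them to suit your setup).
<FilesMatch "(^\.ht|\.(bak|orig|swp)$)">
    Require all denied
</FilesMatch>
```

After uploading the file, repeat the browser check from the TIP above: the /wp-content/uploads path should now return a 403 (or a blank page) instead of a file list.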