Today there are about 60 million WordPress websites. WordPress commands a 60% market share of all content management systems crushing their 5 competitors who combined have a market share of 16% (Joomla, Drupal, Shopify, Wix, and Squarespace).
As with Windows (with a 78% desktop OS market share), this popularity comes with a price. Those zombie computers across the interwebs are searching for vulnerabilities day and night. It isn’t even hackers anymore. Hacking these days is set on autopilot.
Table of Contents
What you need to know about WordPress security.
WordPress’s most popular feature is also a big liability.
Having such a big target on WordPress’s back is exacerbated by one glaring issue in its platform: the use of 3rd party plugins.
Plugins, in my opinion, are both the best and worst part of the platform only because of stability and security issues.
However, the security threats can be mitigated by having a well thought out strategy to monitor and update your plugins weekly.
As of September 2019, there are 55,133 WordPress plugins available in the market. According to this report published by Imperva, only 3% of these plugins were added in the year 2018. This means the vast majority of plugins are old and most have not been updated in years (or ever).
The older your WordPress website the more likely you have a security vulnerability.
In fact, 70% of all WordPress websites are vulnerable right now. A plugin becomes insecure when a vulnerability is found within code it is written in (PHP). New versions of PHP are being released every year and the plugins fall behind in their security.
This isn’t just an issue with WordPress. All code must be monitored and updated in order for it to be secure. It just so happens that WordPress is the #1 target so we must take extra care.
Every week we receive notices of vulnerabilities found in new plugins. For example, Forbes released an article in August 2019 titled Critical ‘Backdoor Attack’ Warning Issued For 60 Million WordPress Users
Another one just today (9/19/2019) exposed a vulnerability in a piece of software installed on tens of millions of WordPress installations.
That’s all and good, but how can I protect myself?
When it comes to WordPress security, you have to be proactive. Such measures include:
Backup your site regularly.
The worst possible thing that could happen to your website is a deletion without a backup.
I receive a call about once a month from a potential client whose website has gone completely down. Sadly, about 25% of them do not have a backup.
The first thing we do as a company when taking on a new client is reviewing their backup system. We must have a daily backup in case we need to restore the website.
Don’t get yourself into the scramble of having a hacked website with no backup.
There are three crucial aspects of your backups.
- Off-site backup: You should have your site’s backup stored in an external service such as Google Drive or Dropbox. Just in case your service provider does not ensure the recovery of your site, this off-site backup will come to your rescue!
- Regular schedule: A regular schedule for updating your site should be followed depending on the scale of your business. A small business’s website needs to be updated less often as compared to a large corporation’s site.
- Encrypted: If you store customer information we recommend a solution that encrypts your site’s data
Keep your website’s security high.
As a business owner, it should be your utmost priority to keep your website safe and secure. No matter which hosting company you opt for and how much security it guarantees you, the ultimate burden of the security of your site rests on your shoulders.
First and foremost, you should install a security plugin such as WordFence. It will help you in making your site safe and secure.
Second, if you are outsourcing your website development, make sure that you keep control of password management in your hands. If anyone other than you want to access your site, make sure that they have different login credentials that can be deactivated by you anytime you want to.
Third, make sure the user “admin” does not exist on your website.
These are just the basics but they will get you started.
Make sure that your website is well-maintained
Your WordPress site like ar car. If you want it to function well, you have to take care of it. This requires time every week and it is worth it. Protecting yourself by routine maintenance is always many times less expensive than a cleanup job.
As part of your website’s regular maintenance, you should take care of the following items:
- WordPress updates: Every now and then, WordPress itself releases an update to its software. Be sure to check for and apply these changes once a week.
- Plugin updates: Whatever plugins you are using, do not forget to check their updates every week. Make sure you enable all the available updates to keep your website secure.
- Check backups: Double check whether your backups are being stored to an external location or not. If they are not getting stored, this is a serious security breach. You should fix it as soon as possible.
- Run a security scan on your plugins once a week using a program such as WordFence.
Choose a reliable web hosting service for your website
When it comes to web hosting, numerous options are available and they come down to 2 types: shared and managed.
Shared hosting is absolutely the cheaper option, but you end up paying for it in the end with the degradation of performance, security, uptime. This is because thousands of websites can be located on a single server. If anything goes wrong with any of the sites on the server, your site could suffer too. This causes the websites to load at a snails pace and it is common to have mail deliverability issues from the website as they share the same IP address.
We believe so strongly in the benefits of managed hosting that we do not work with clients that are on shared hosting.
We feel that shared hosting is expecting someone to be a stellar runner when all you feed them is junk food.
I know that businesses are always looking out for ways to save money, but trust me, this is the last thing you should be saving out money on.
Can’t I just take care of my WordPress security myself?
You can, but we don’t recommend it.
A plumber is skilled in changing faulty pipes. A chef is proficient in cooking. An architect is adept at sketching building structures. Likewise, you are good at managing your business. Instead of focusing on your core business, if you will start looking after your website, you will need to become an expert at this or items will slip through the cracks.
You have a business to run and outsourcing items like this allows you to focus on working on your business and not “in it”.
However, if you do go with the DIY approach be sure to have a schedule for your plugin updates, security scans, 24/7 monitoring, and daily backups and follow the above recommendations.
If you are looking for a rock-solid host, we highly recommend Kinsta.
If you get stuck and are looking for a company to take care of your security and hosting (we also use Kinsta), then check out our Care Plans.