Company after company has been in the news lately reporting data breaches. But for every large corporate site compromised, there are thousands of smaller ones that don’t make newspaper headlines. Here’s how to manage cybersecurity risks in WordPress—without needing a degree in computer engineering.
Why You Need to be Concerned About Cybersecurity
If you have a small blog or company, you might think that you aren’t a target for computer hackers. “It’s easy for us to think that attackers want to go after specific sites—big news or government organizations, people that process lots of payment, etc.—and won’t care about our little site,” says David Hayes, editor of WPShout and author of WordPress Security with Confidence.
But Aaron Campbell, WordPress Security Team Lead, warns that you should never think that you won’t be hacked just because you are a small site or don’t take payments or collect personal data. “The vast majority of compromised sites were not specifically targeted by a hacker,” Campbell explains. “Instead, they’re compromised by bots—scripts written by hackers that crawl the web looking for any site with a vulnerability that it is capable of exploiting—which are completely indiscriminate.” This means that anyone with a website is a potential target.
Why are hackers so unconcerned about the value of the sites they are attacking? Hayes puts it simply: “A WordPress site added to a botnet makes it more powerful, whatever its size or Google ranking.” Each computer that is added to a hacker’s botnet makes it more effective at conducting denial of service attacks, or provides more power for another current favorite hacker activity—mining cryptocurrency.
Basic WordPress Security Techniques
All of this sounds scary — like a hack on your site is inevitable. But Campbell says there are solutions at hand. “The good news though is that bots are only as creative as they were programmed to be, and we can protect our sites if we work at it. Complacency definitely increases your risk.”
Can a blogger who knows more about crafts than computers go toe-to-toe with experienced computer hackers in the war to keep a blog secure—and win? Campbell assures me that it can be done—with diligent effort. “I definitely think that most people can do it themselves. You have to be willing to put in a little effort and possibly invest a little money, but doing that to prevent a compromise will save both time and money, compared to having to clean up after one.”
First, there are two critical (and simple) steps that any site owner can take that will protect against a significant portion of cybersecurity threats:
Keep WordPress Updated
Promptly installing updates to the WordPress core and plug-ins whenever they are released patches known security problems and prevents them from being exploited. The WordPress core security team has about 40 people working to keep the software secure and, as Campbell says, “If you don’t update, then you’re not benefiting from the work all those people are putting in.”
Strengthen Your Passwords
Weak passwords are like setting out the welcome mat for hackers. Explains Hayes, “One of the easiest attacks a botnet can execute is a login attempt.” Even if you’ve made an effort to have a secure password, you might be surprised to find that it isn’t as strong as you think. Campbell has a simple test for the security of a password: “If you can remember your password, it’s not a good one.” He recommends passwords be at least 20 truly random characters long, and suggests using a password manager like LastPass or 1Password to keep track of them.
Don’t Forget to Back Up Your Website!
Unfortunately, even the best cybersecurity measures are not foolproof. Backing up is like buying fire insurance for a website—it can help you rebuild when your security fails and a hacker burns your site to the ground.
If your webhost is running regular backups or you have a backup plug-in running, you may think that you are protected by that backup, but the official WordPress codex—the support documentation from the developers that create WordPress—suggests that sites have three different backups stored in three separate physical locations.
You don’t just need backups in different places. You also need backups saved at different times, so you can restore your site back to before the time it was hacked. “If I know I have copies of my site from the entire last week—a true ‘rolling backup’, which many backup services and plugins provide—and I know I was compromised on Wednesday and the attack deleted all my data, I’m still OK, because I have a backup,” Hayes explains.
Three different places and multiple days sounds like a lot of backups! Here’s an outline of three options that, when combined, will set it up without a lot of effort or expense.
Web Host Backup Service
Most reputable web hosts do back up their servers regularly. (Some offer backups as an additional service for a fee.) Ensure your host is backing up your site regularly, and check that the backup files it generates are not being saved on the same server as your site.
Manual Local Backup
Regularly run a database backup and download and store a copy of your site on your local computer. Most web hosts have tools installed that allow you to do this fairly easily, although the tools available vary from host to host. Be sure to include in your backup all of the necessary files for your site, such as the WordPress core, themes & plug-ins, images, and other files that you’ve uploaded.
Backup Plug-in Service
Several commercial plug-ins are available that offer the ability to automatically back up a WordPress installation. These plug-ins upload site changes at set intervals—daily, weekly, or even immediately—to the plug-in service’s cloud server for safekeeping. The most popular options, VaultPress and BackupBuddy, will cost you about the equivalent of a cup of coffee per month.
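To make the rolling, multi-location backup described above concrete, here is an added example script (not from the article or either expert) that archives the site tree and a database dump, keeps only the newest few archives, and mirrors the latest one to a second location. It assumes the site lives in a directory the caller names, that a database dump (for example from mysqldump) has been written outside the web root, and that a second directory stands in for off-server storage; the sample site it builds is constructed so the script runs offline.

```shell
# Rolling, off-server WordPress backup. Added example: the function names,
# paths and sample site are assumptions, not the article's own procedure.
# Each run archives the site tree (core, wp-config.php, themes, plug-ins,
# uploads) plus a database dump kept outside the web root, keeps only the
# newest N archives, and mirrors the new one to a second location.
set -eu

# Constructed stand-in for a site so the script runs offline: a tiny
# WordPress-shaped tree at $1/site and a fake database dump at $1/db.sql.
make_sample_site() {
    mkdir -p "$1/site/wp-content/themes/demo" "$1/site/wp-content/plugins/demo" \
             "$1/site/wp-content/uploads/2024"
    echo "<?php define('DB_NAME', 'wp');" > "$1/site/wp-config.php"
    echo "constructed image bytes" > "$1/site/wp-content/uploads/2024/photo.jpg"
    echo "-- constructed stand-in for a mysqldump of the site database" > "$1/db.sql"
}

# wp_backup <site_root> <db_dump> <backup_dir> [stamp]: archive the site and
# the dump as backup_dir/site-<stamp>.tar.gz and print the archive path.
# The stamp must sort lexically by time, which the default UTC stamp does.
wp_backup() {
    stamp=${4:-$(date -u +%Y%m%d-%H%M%S)}
    mkdir -p "$3"
    archive="$3/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")" \
                        -C "$(dirname "$2")" "$(basename "$2")"
    printf '%s\n' "$archive"
}

# Fail unless the archive holds the pieces a restore cannot do without.
verify_backup() {
    listing=$(tar -tzf "$1")
    for needed in wp-config.php wp-content/uploads/ db.sql; do
        printf '%s\n' "$listing" | grep -q "$needed" || return 1
    done
}

# prune_backups <backup_dir> <keep>: delete all but the newest <keep>
# archives (the rolling window) and print how many remain.
prune_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" |
        while read -r old; do rm -f "$old"; done
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# mirror_backup <archive> <offsite_dir>: copy the archive to a second
# location and confirm the copy is byte-identical to the original.
mirror_backup() {
    mkdir -p "$2"
    cp "$1" "$2/" && cmp -s "$1" "$2/$(basename "$1")"
}
```

Run it from cron once a day with the real site root and a fresh dump, pointing the mirror at a mounted remote volume or a sync client's folder rather than a directory on the same disk.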
Above all, Campbell says, “Think about security regularly. You don’t need to become paranoid, but always think ‘how can I make it harder for my site to be compromised’.” WordPress security is a journey, not a destination. And with a little work and the right tools, you can avoid an unwanted detour.