Wellness for WordPress.
Increasing attacks on the much-loved Internet CMS require that we take action.
Each of us likely has a WordPress site—or helps a client with one. Managing any open source web platform requires maintenance, and the rapid escalation of hacks and intrusions on this platform requires that we take measures to keep each site current and free from intrusion.
Eric Needle is the Founder of Longbow.net and was Marketing Director for Artemis IT, Brevard County’s most respected IT company, for over three years. He will share vital information on the latest security concerns and solutions for WordPress.
It is widely reported that there is an enormous increase in attacks that compromise this leading open source platform, from thousands of attempts to gain access via your login, to malicious code being injected, to losing customer data and confidence. The scale of these assaults demands better oversight and web management.
If you build sites for clients and do not have a contingency plan to deal with security and maintenance, then your agency is setting itself up for failure.
Longbow has given talks on shoring up your sites. In the past, we’ve shown live attacks on several sites, discussed the problems we all face and then offered several things that can be done to protect a WordPress website. If you’ve never thought about disaster recovery, “what do I do when my site’s been hijacked,” then this message is a wake-up call.
Eric Needle has been designing and building the World Wide Web since 1994—and developing sites with WordPress since 2004. Contact us if you need help securing and protecting your Internet properties.
Contact us for an initial consult.
Steps to Protect your WordPress
We’ve identified three basic areas to be concerned with, from the Admin side of the platform, to keep your sites functioning. They include tasks you perform for prevention, keeping WordPress and its plugins current, and robust backup and recovery. This assumes that your hosting platform is secure—something we should not take for granted.
The first critical step is hardening your site to create as little opportunity as possible for hacking or unwanted intrusion. There are several guides and plugins that help you accomplish this, and we’ve been running several to test their overall effectiveness.
I actually run several sites that serve as test beds, and with WordPress security on our minds, the role of many of these sites has shifted from SEO and marketing exercises to canaries in the coal mine.
For starters, here is a great primer and evolving source of information.
There are several plugins, all available from the Admin. Ones we like include BruteProtect, Sucuri, Wordfence, and iThemes Security. As new tools become available, we suggest you become familiar with this rapidly changing side of the web world.
The basic concept is to manage file permissions so we don’t leave the door open to attack. Several of the above-mentioned plugins include checklists that explain each procedure and its value.
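As an added example (not code from Longbow or from any of the plugins named above), here is a small POSIX shell script that audits a WordPress tree against a commonly recommended file-mode policy and then applies it. The policy values (755 for directories, 644 for files, 600 for wp-config.php), the function names and the constructed demo tree are assumptions of this example. Check the wp-config.php mode against how your host runs PHP: where PHP runs as a different user than the file owner, 600 will lock the site out of its own configuration, and the tighter fix there is ownership, which this script deliberately leaves alone.

```shell
#!/bin/sh
# Added example (not Longbow's code): audit and harden file modes in a
# WordPress tree. Assumed policy, following common WordPress hardening
# advice: directories 755, files 644, wp-config.php 600, nothing
# world-writable. Ownership is deliberately not changed here.

# List every path that deviates from the policy.
wp_perm_audit() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -type f -name wp-config.php ! -perm 600
    } | sort -u
}

# Number of deviations; 0 means the tree matches the policy.
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the policy. The wp-config.php step runs last so the generic
# file rule does not loosen it again.
wp_perm_harden() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Offline demo on a constructed tree: a world-writable uploads directory,
# a world-writable upload, and a wp-config.php readable by everyone.
# Prints "<violations before> <violations after>".
wp_perm_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    : > "$tmp/index.php"
    : > "$tmp/wp-config.php"
    : > "$tmp/wp-content/uploads/photo.jpg"
    chmod 755 "$tmp" "$tmp/wp-content"
    chmod 644 "$tmp/index.php"
    chmod 777 "$tmp/wp-content/uploads"          # anyone on the box can drop files here
    chmod 666 "$tmp/wp-content/uploads/photo.jpg" # anyone can overwrite the upload
    chmod 644 "$tmp/wp-config.php"                # database credentials readable by all
    before=$(wp_perm_violations "$tmp")
    wp_perm_harden "$tmp"
    after=$(wp_perm_violations "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}

# Usage: sh wp-perms.sh audit /var/www/html
#        sh wp-perms.sh harden /var/www/html
case "${1:-}" in
    audit)  wp_perm_audit "$2" ;;
    harden) wp_perm_harden "$2" && wp_perm_audit "$2" ;;
esac
```

Run the audit first and read the list before hardening: a directory that legitimately needs to be writable by the web server (uploads, some cache directories) shows up as a deviation, and the right answer there is usually group ownership rather than a looser mode.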
Step two is the continual updating of both the WordPress platform and all the plugins you are running. While this seems a simple task, the frequency of updates has been increasing dramatically. When the core team discovers a vulnerability, they rush to patch the issue and correct it.
These updates often have to be performed manually—and we always perform a database export (backup) before we click Update. This is not to be taken lightly: I’ve had updates break functionality, resulting in more work for our team.
We’ve been building sites with a new attitude toward plugins: if we can provide a feature without a plugin, we will. Minimize how many you run, as each is a weak link that could provide a way into your site.
Backup and Recovery
Having finally concluded that it is not possible to protect against every attack, the third item on our list asks, “how do we recover after an attack?” The answer, at the Admin level, is backup and restore. Setting up backups is critical. Hacks often go undetected for months, so it’s good practice to keep many restore points.
While our host can do this for us, it can often take hours, especially if we ask them to review the hack. Being able to restore from a previous backup ourselves lets us set things right quickly. But don’t forget to perform corrections afterwards.
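The database export before each update and the many restore points recommended here are the same operation, run on a schedule. As an added example (not Longbow's code), here is a POSIX shell script that takes a timestamped restore point (database dump plus a files archive, with checksums), prunes old points down to a retention limit, and verifies a point before you restore from it. The use of WP-CLI's `wp db export -` for the dump, the WP_DB_DUMP_CMD override, the directory layout, the function names and the constructed demo site are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Longbow's code): timestamped WordPress restore points
# with a retention limit and checksums, taken before every update and on a
# schedule. Assumes WP-CLI in production (overridable via WP_DB_DUMP_CMD)
# and sha256sum or shasum on the host.

# Dump the site's database to stdout. Production default uses WP-CLI;
# WP_DB_DUMP_CMD may name another command (a mysqldump wrapper, or the
# constructed stand-in used by the demo below). Left unquoted on purpose
# so the variable may carry arguments.
wp_db_dump() {
    if [ -n "${WP_DB_DUMP_CMD:-}" ]; then
        $WP_DB_DUMP_CMD "$1"
    else
        wp --path="$1" db export -
    fi
}

_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Create one restore point: db.sql, files.tar.gz and SHA256SUMS under
# $dest/<timestamp>/. Refuses to overwrite an existing point. Keep $dest
# outside the web root so the dumps are not served to the world.
wp_restore_point() {
    root="$1"; dest="$2"; stamp="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
    mkdir -p "$dest"
    point="$dest/$stamp"
    mkdir "$point" || return 1
    wp_db_dump "$root" > "$point/db.sql"
    tar -czf "$point/files.tar.gz" -C "$root" .
    (cd "$point" && _sha256 db.sql files.tar.gz > SHA256SUMS)
    echo "$point"
}

# Check a point's checksums before restoring from it; prints ok or tampered.
wp_verify_point() {
    if (cd "$1" && _sha256 -c SHA256SUMS >/dev/null 2>&1); then echo ok; else echo tampered; fi
}

# Count restore points under $dest.
wp_count_points() {
    n=0
    for d in "$1"/*/; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Delete the oldest points so at most $keep remain (glob order is
# ascending, so timestamp-named directories come oldest first).
wp_prune_points() {
    dest="$1"; keep="$2"
    extra=$(( $(wp_count_points "$dest") - keep ))
    for d in "$dest"/*/; do
        [ "$extra" -gt 0 ] || break
        rm -rf "$d"
        extra=$((extra - 1))
    done
}

# Constructed stand-in for the database dump so the demo runs offline.
fake_wp_db_dump() { printf -- '-- constructed dump for %s\n' "$1"; }

# Offline demo on a constructed site tree: take four points, keep three,
# verify the newest, then show that a modified dump is detected.
# Prints "<points left> <oldest remaining> <verify before> <verify after>".
wp_backup_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content"
    printf '<?php // constructed placeholder\n' > "$work/site/index.php"
    WP_DB_DUMP_CMD=fake_wp_db_dump
    for s in 20240101T000000Z 20240102T000000Z 20240103T000000Z 20240104T000000Z; do
        wp_restore_point "$work/site" "$work/backups" "$s" >/dev/null
    done
    wp_prune_points "$work/backups" 3
    left=$(wp_count_points "$work/backups")
    oldest=$(for d in "$work"/backups/*/; do basename "$d"; break; done)
    newest="$work/backups/20240104T000000Z"
    before=$(wp_verify_point "$newest")
    echo "-- injected line" >> "$newest/db.sql"
    after=$(wp_verify_point "$newest")
    rm -rf "$work"
    echo "$left $oldest $before $after"
}

# Usage: sh wp-restore-point.sh /var/www/html /var/backups/wp 30
if [ "$#" -eq 3 ]; then
    wp_restore_point "$1" "$2" && wp_prune_points "$2" "$3"
fi
```

Because an intrusion can sit undetected for months, the retention count should cover more than one month of daily points, and the checksum file should be copied off the host as well: a backup an attacker can rewrite is not a restore point.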
We have been freaking out over the past three years about these threats to our sites. Our response is to perform these three core actions for every site. Even as I write this we are building a new server system, with a host whose platform is more current than our present one. To deliver web services, we as developers and designers have to take on this added role, or else our clients will find others who will.
If anyone needs help, just contact us for more information. We provide white-labeled hosting to our partners and incredible TLC for our clients.
And if your Ad Fed club is looking for a speaker on this topic, Eric and team are available to speak. Our talk includes watching our test sites suffer brute force attacks in real time, something all too common.