What do I do now?
Increasing attacks on the much-loved CMS require that we take action. Each of us likely runs a WordPress site, or helps a client with one. Managing any open-source web platform requires maintenance, and the rapid escalation of hacks and intrusions on this platform requires that we keep our sites current and free from compromise.
There has been an enormous increase in attacks on WordPress, the leading open-source platform: thousands of attempts to guess your login, malicious code injected into your files, and the loss of customer data and confidence that follows. The scale of these assaults demands better oversight and web management.
If you build sites for clients and do not have a contingency plan for security and maintenance, your agency is setting itself up for failure.
Longbow helps you shore up your sites. In the past we have shown live attacks on several sites, discussed the problems we all face, and then offered several things that can be done to protect a WordPress website. If you have never thought about disaster recovery ("what do I do when my site has been hijacked?"), then consider this a wake-up call.
Eric Needle, Longbow's founder, has been designing and building for the World Wide Web since 1994, and developing sites with WordPress since 2004. Contact us if you need help securing and protecting your Internet properties.
Security, Maintenance, Backup and Recovery
Need Help? Contact us.
Protect your WordPress
We have identified three basic areas to be concerned with, from the Admin side of the platform, to keep your sites functioning: tasks you perform for prevention, keeping WordPress and its plugins current, and robust backup and recovery. This assumes that your hosting platform itself is secure, something we should not take for granted.
Prevention
The first critical step is hardening your site so that it leaves as little opportunity as possible for hacking or unwanted intrusion. Several guides and plugins help you accomplish this, and we have been running a number of them to test their overall effectiveness.
We run several sites that serve as test beds. With WordPress security on our minds, the role of many of these sites has shifted from SEO and marketing exercises to canaries in the coal mine.
For starters, here is a great primer, and evolving source of info.
codex.wordpress.org/Hardening_WordPress
There are several plugins, all installable from the Admin. Ones we like include Sucuri, Wordfence, and iThemes Security. As new tools become available, we suggest you keep up with this rapidly changing side of the web world.
The basic concept is to manage file permissions so that we do not leave the door open to attack: directories and files readable by the web server but writable only where the site genuinely needs it, and wp-config.php, which holds your database credentials, readable by nobody else. Several of the plugins mentioned above include checklists that explain each procedure and its value.
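As an added example (not Longbow's code, and not taken from the Codex page above), here is a POSIX shell script that audits a WordPress tree for world-writable entries and then applies the permission baseline the Codex recommends: directories 755, files 644, wp-config.php 640. It assumes the site root is owned by your deploy user and that the web server runs in that user's group; it builds a throwaway directory tree, so it runs offline without touching a real site.

```shell
#!/bin/sh
# Added example, not Longbow's or the Codex's code. Audits a WordPress tree for
# world-writable entries and applies the baseline: directories 755,
# files 644, wp-config.php 640 (owner plus the web server's group only).
set -eu

# Exit 0 if nothing under $1 is writable by "other", 1 otherwise (prints offenders).
wp_perm_audit() {
  offenders=$(find "$1" \( -type d -o -type f \) -perm -o+w)
  if [ -n "$offenders" ]; then
    printf 'world-writable:\n%s\n' "$offenders"
    return 1
  fi
  return 0
}

# Apply the baseline. Upload directories that must stay writable should be
# owned by the web server user rather than opened with o+w, so this
# deliberately changes modes only and leaves ownership alone.
wp_perm_harden() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  [ -f "$1/wp-config.php" ] && chmod 640 "$1/wp-config.php"
  return 0
}

# --- demo on a constructed throwaway tree (no real site is touched) ---
site=$(mktemp -d)
mkdir -p "$site/wp-content/uploads"
printf '<?php\n' > "$site/wp-config.php"
printf '<?php\n' > "$site/wp-content/uploads/index.php"
# Simulate the "chmod 777 until it works" state many hacked sites are found in.
chmod 777 "$site/wp-content/uploads" "$site/wp-config.php" "$site/wp-content/uploads/index.php"

if wp_perm_audit "$site"; then echo "unexpected: tree was already clean"; fi
wp_perm_harden "$site"
wp_perm_audit "$site" && echo "clean after hardening"
rm -rf "$site"
```

Run it against a copy of a site first: the 640 on wp-config.php assumes PHP runs as the file owner or a member of its group. If your host runs PHP as a separate user with no shared group, wp-config.php will need 644 instead, and the real protection then comes from keeping it outside the web root or from the host's per-site isolation.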
Keeping Current
Step two is the continual updating of both the WordPress platform and every plugin and theme you run. While this seems a simple task, the frequency of updates has been increasing dramatically. When the core team learns of a vulnerability, they rush to patch it, and the window between a patch being published and attackers scanning for unpatched sites is short.
These updates often have to be performed manually, and we always take a database export (backup) before we click Update. This is not to be taken lightly: we have had updates break functionality, resulting in more work for our team, and a backup taken seconds earlier is the fastest way back.
We have been building sites with a new focus on plugins. If we can provide a feature without a plugin, we will. Minimize how many you run, and remove the ones you have deactivated, since each one is a weak link that could provide a way into your site.
SSL Certificates
Experts recommend an SSL (TLS) certificate on your sites, especially if you use forms, offer downloads, sell anything, or basically run a WordPress site at all. What do you get for the effort? Encryption of everything that travels between your visitors and your server, so logins, form submissions and payment details cannot be read or altered in transit. You also get the lock icon in the address bar and better Google ranking. Make sure the admin and login pages are served over HTTPS as well, so your own credentials are never sent in the clear. A certificate protects traffic, not the site itself: it does nothing against a compromised plugin or a stolen password, which is why it sits alongside the other steps rather than replacing them.
Backup and Recovery
Last, but not least, we came to the conclusion that it is not possible to protect against every attack, so you need to ask the question "how do we recover after an attack?" The answer is to back up and restore your site. Setting up backups is critical. Hacks often go undetected for months, so it is good practice to create many restore points rather than overwrite a single copy, and to keep them somewhere other than the web server, since an attacker who controls the site can delete backups stored beside it. Being able to restore from a previous backup, and having actually tested that restore, allows us to quickly set things right.
We have been freaking out over the past several years about these threats to our sites. Our response is to perform these three core actions for every site. Even as I write this we are building a new server system on a more current hosting platform than the one we use today. To deliver web services, we as developers and designers have to take on this added role, or else our clients will find others who will.
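The backup-before-update habit from Keeping Current and the many-restore-points advice above, as one added shell example that is not Longbow's own tooling. It assumes a stock wp-config.php with define('DB_*', '...') lines, that mysqldump, mysql and tar are installed, and, for the wp_safe_update function only, that WP-CLI is installed as `wp`. The demo at the bottom works on a constructed wp-config.php and empty placeholder archives, so it runs offline without a database.

```shell
#!/bin/sh
# Added example, not Longbow's code: timestamped WordPress restore points,
# a prune policy, and a backup-then-update wrapper around WP-CLI.
set -eu

# Pull a single-quoted constant out of wp-config.php: wp_config_get wp-config.php DB_NAME
wp_config_get() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# Write a MySQL client credentials file (mode 600) so the password never shows in `ps`.
wp_mysql_cnf() {
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
    "$(wp_config_get "$1" DB_USER)" "$(wp_config_get "$1" DB_PASSWORD)" \
    "$(wp_config_get "$1" DB_HOST)" > "$2"
  chmod 600 "$2"
}

# One restore point: database dump + wp-config.php + wp-content in a single archive.
# Prints the archive path. $2 should be a directory outside the web root.
wp_backup() {
  root=$1; dest=$2
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  wp_mysql_cnf "$root/wp-config.php" "$work/my.cnf"
  mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction \
    "$(wp_config_get "$root/wp-config.php" DB_NAME)" > "$work/db.sql"
  tar -czf "$dest/wp-$stamp.tar.gz" -C "$work" db.sql -C "$root" wp-config.php wp-content
  rm -rf "$work"
  echo "$dest/wp-$stamp.tar.gz"
}

# Roll back to a restore point: the database and the files that match it, together.
# Destructive: replaces $2/wp-content and $2/wp-config.php.
wp_restore() {
  archive=$1; root=$2
  work=$(mktemp -d)
  tar -xzf "$archive" -C "$work"
  wp_mysql_cnf "$work/wp-config.php" "$work/my.cnf"
  mysql --defaults-extra-file="$work/my.cnf" \
    "$(wp_config_get "$work/wp-config.php" DB_NAME)" < "$work/db.sql"
  rm -rf "$root/wp-content"
  cp -R "$work/wp-content" "$work/wp-config.php" "$root/"
  rm -rf "$work"
}

# Keep the newest $2 archives in $1. Names embed a UTC timestamp, so lexical order is chronological.
wp_backup_prune() {
  ls -1 "$1" | grep '^wp-.*\.tar\.gz$' | sort -r | tail -n +$(($2 + 1)) |
    while read -r f; do rm -f "$1/$f"; done
}

# Take a restore point, then let WP-CLI update core, plugins and themes.
# If the update breaks the site: wp_restore "$archive" "$1".
wp_safe_update() {
  archive=$(wp_backup "$1" "$2")
  echo "restore point: $archive"
  wp --path="$1" core update
  wp --path="$1" plugin update --all
  wp --path="$1" theme update --all
}

# --- offline demo on a constructed wp-config.php; no database is touched ---
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );
EOF
echo "would dump $(wp_config_get "$demo/wp-config.php" DB_NAME) as $(wp_config_get "$demo/wp-config.php" DB_USER)"
mkdir "$demo/backups"
for day in 01 02 03 04 05; do : > "$demo/backups/wp-202401${day}T030000Z.tar.gz"; done
wp_backup_prune "$demo/backups" 3
ls "$demo/backups"   # the three newest placeholder restore points remain
rm -rf "$demo"
```

Run wp_backup from cron for the routine restore points and wp_safe_update by hand when you sit down to apply updates. The prune count is the trade-off the text describes: a hack found months later needs an archive from before it happened, so keep daily points for a few weeks and copy a weekly one off the server entirely.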
If anyone needs help, just contact us for more information. We provide white labeled hosting to our partners and incredible TLC for our clients.
And if your Ad Fed club is looking for a speaker on this topic, Eric and team are available. Our talk includes watching our test sites suffer brute-force login attacks in real time, something all too common.