Managing security for your business’ WordPress website: A guide for website owners and editors (Part 2)

Part 2 of this series looks a little more into a few other types of vulnerabilities and considerations for your website, and what you should be doing to help mitigate these risks. If you missed part 1, read it here.

Brute Force attacks

There’s not much to this type of attack, but it ties back to what was said earlier about passwords and the need for additional layers of security on your site. Another common mistake users make is to use a very simple, unsafe and easy to guess password such as “password123” (e.g. see Cash Crates’ data breach in 2018, where 86% of users were using passwords like this). Hackers then use scripts to blast your login forms with combinations of usernames and likely passwords (hence “brute force”), and can get in if a) they have a database of compromised email addresses, and/or b) you don’t have 2FA enabled.

What can you do?

Implement a password manager in your workflows, and enable 2FA. This alone drastically decreases the chance of a hacker actually getting into your site this way. A plugin like WordFence (even the free version) also monitors this type of activity and, by default, blocks IP addresses that are clearly attempting this kind of attack. The premium version offers more control and rules around this, so again we strongly recommend it for all WordPress site owners or managers. Note that these measures won’t necessarily stop the attempts themselves, but they will more than likely prevent them from succeeding, and may even deter attackers.
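As an added example (not code from the article, from Driven, or from WordFence) of the kind of monitoring a plugin like WordFence does for you: the script below reads web-server access log lines, counts failed logins to wp-login.php per IP address, and flags any address with too many failures inside a short window, which is the signal such a plugin uses to block an IP. The log lines, the threshold and the window are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_failed_login(method, path, status):
    # A wrong password makes WordPress re-render wp-login.php with HTTP 200; a successful
    # login answers with a 302 redirect into wp-admin, so 302 responses are not failures.
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200

def find_brute_force_sources(lines, threshold=5, window_minutes=5):
    """IPs with at least `threshold` failed logins inside any `window_minutes` span.
    Both limits are values chosen for this example, not a particular plugin's defaults."""
    window, failures = timedelta(minutes=window_minutes), defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ip, ts, method, path, status = parsed
        if is_failed_login(method, path, status):
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'

# Constructed sample traffic (not real logs): a script hitting the login form every five seconds, an editor who mistypes once and then logs in, and a slow source spread over hours.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10/Mar/2024:09:15:{s:02d} +0000", "POST", "/wp-login.php", 200) for s in range(0, 30, 5)]
    + [_line("198.51.100.4", "10/Mar/2024:09:15:10 +0000", "POST", "/wp-login.php", 200),
       _line("198.51.100.4", "10/Mar/2024:09:15:40 +0000", "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.9", f"10/Mar/2024:{9 + h:02d}:00:00 +0000", "POST", "/wp-login.php", 200) for h in range(5)]
)
```

Only the scripted source is flagged with the default limits; the editor's single typo and the slow source are not, which is why the window matters as much as the count.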

Backups, hosting, updates

You back up your important photos and documents for redundancy, and your website should be no different. While we do housekeeping at our end and take backups for internal reasons, frequent backups take time to set up properly: automation, maintenance, housekeeping and storage solutions all need to be arranged. We offer this to clients as an additional service in our monthly Service Agreements, but you should consider running backups yourself if you don’t get your agency to do this. Depending on where you’re hosted, this is sometimes partly managed by WordPress managed hosting providers such as WP Engine or FlyWheel, but you should make sure that the backups are set up at a frequency that makes sense for your business: if you make weekly changes to your site, then your backups should be taken more often than that, in case you have to roll back to the last working version. You should also make sure that both the database and the files (all your images, videos etc.) are backed up, as backup solutions often default to just the database because it’s the smallest part. Plugins like Updraft Plus allow tailored control over your backups, and are especially useful for sending them directly to popular cloud-based storage such as Google Drive, Dropbox etc.

Plugin and WordPress vulnerabilities

As part of our Service Agreements with our clients, we ensure that the WordPress core is up to date, along with any plugins your site uses. Out of date plugins pose a big risk to your website: vulnerabilities in them may not have been patched by recent updates, or the plugin may simply have been abandoned by its original developer and need to be replaced completely. WordPress itself also needs to be kept up to date so that you’re getting the most recent security and bug fixes. Unfortunately, this isn’t as simple as just clicking an update button and hoping everything works nicely afterwards. Your website is built by your agency or developer, WordPress by others, and every plugin by yet another company or developer, which creates a lot of potential for compatibility issues and broken functionality.

As mentioned above, there are also WordPress-specific hosting providers that take care of several of these housekeeping elements for you, such as backups and additional layers of security, and some even offer automated updates. But there’s no perfect, hands-off approach to this. Human intervention is a necessity, unless you’re willing to let their automated systems do it all for you and hope that everything still works and is compatible after updates. Even when discussing problems with these providers that offer automated options, Driven have been told that a human set of eyes needs to go over everything and check the site still functions as intended.

Disabled plugins, and other considerations

One of the other things we gained further insight into at the recent WordPress conference the Driven team attended was that disabling an unused plugin isn’t enough to stop hackers from exploiting any vulnerabilities it may have. We won’t go into detail as to how this occurs (it’s to do with SQL Injection, if you’re really interested), but as a rule: if a plugin is no longer needed, don’t just disable it; make sure it is removed from the backend of your site altogether.

Another attack that exists is essentially the same as the phishing emails you may be familiar with in day to day life. To keep it simple: if you ever get an email from someone asking you to log into your WordPress site to check a page or some content, don’t. It’s safer to go to the WordPress admin via your normal route and avoid clicking any links that get sent to you. They may appear legitimate, and the sender may even appear to be someone from your business or contacts, but as with other phishing scams, hackers will try to direct you to official-looking forms to capture your login details, and then use those to access your real website.

What you should be doing

There’s no silver bullet that fully covers your website, but rather a series of important measures you can take to minimise the chance of your business being impacted by some form of compromise. This article highlights various things to be aware of, and steps you can take to avoid or minimise these risks. Implementing them, both in your personal life and for your business and WordPress website, adds a lot of extra steps, but it is extremely important. We’ve seen far too many cases of clients or other businesses who have pushed these to the side and are then left in a very difficult position when the worst-case scenario happens. If you’re a client of Driven, you can engage our team through a monthly Service Agreement, where we make sure WordPress and your plugins are up to date and manually tested for compatibility and continued functionality, and backups are taken care of as well. With all these measures in place, we have much greater control over ongoing site safety, as well as redundancy measures and options in case something bad does in fact happen.

At the very least you should look at having a site audit and updates done as often as possible, which you can talk to the team about. Adding WordFence Premium and Updraft Plus is something we can help you do; this takes care of some of the monitoring and security for you, letting you know when plugins are out of date or when attacks are potentially occurring, and having backups available gives you a foundation to recover from if your site is compromised.