Using WordPress: many rewards, but a few risks
WordPress was born to serve bloggers and it has certainly served them honorably. But since the open-source software was launched in 2003, it has evolved into a fabulously functional platform that supports 40% of all websites worldwide. Simple enough for beginners, it also offers a wealth of features, from award-worthy graphic design to e-commerce tools. And new plugins are added, seemingly daily, by creative contributors.
The platform is not without its faults, of course. In the tech world, nothing is perfect. If your online home stands on a WordPress foundation—or frankly, any other platform—security should be one of your utmost concerns. Cybercriminals, whether they’re motivated by profit or pure meanness, are ingenious. And they’re everywhere. In 2021, the US Department of Homeland Security alone requested $2.6 billion for cybersecurity spending. Microsoft spends about $1 billion. At home, consumers are downloading password managers, installing VPNs, paying for identity theft protection, and taking cybersecurity more seriously than ever before. Then there are the millions of people who’ve already been victimized and are now paying lawyers and credit repair companies to undo the damage.
How well does WordPress protect you against cyberattacks? Let’s take a look at how the platform stacks up against similar products and how you can minimize risk if you decide to build your site using this powerful tool.
Reported WordPress vulnerabilities
We give WordPress a lot of credit for transparency. Platform leaders across the globe are quick to report on cyber safety issues. Whole organizations are devoted to studying WordPress vulnerabilities in detail, and legions of staunch developers and advocates work diligently to fix security problems as they’re discovered. Still, WordPress sites are hacked by the thousands every year. That makes a certain amount of sense, of course, considering the platform’s market penetration. But that doesn’t make the devastating losses businesses suffer sting any less.
In 2020, a coordinated attack that affected some 2000 WordPress sites made headlines. Discovered by Sucuri, a company that offers a range of monitoring and website security products, the assault drove WordPress users to scam sites, fake surveys and giveaways, and bogus Adobe Flash downloads. Phishing scams are a popular attack strategy: cybercriminals send very official-looking but fake emails that appear to be sent by WordPress.org.
The attackers in the 2020 case targeted certain WordPress plugins. With new plugins being added all the time—there are more than 55,000 of them—sealing security cracks is a complex matter for developers. So yes, the functional rewards of working with constantly-updated open-source software do come with risk.
WordPress users have the power
If the ever-evolving cunning of cybercriminals and the sheer complexity of WordPress software leads you to believe you’re fighting a losing battle, there’s plenty of reason to take heart. Analysts who track WordPress vulnerabilities have found that, as is the case with security breaches of all kinds, the lion’s share of WordPress hacks are preventable. They can actually be traced to some of the most common mistakes users make when using all kinds of digital devices, websites, and virtual services. The good news is that many are easy fixes. And once you apply them across all your online activity, you’ll significantly lower your overall cybersecurity risk.
WordPress security checklist
1. Our first recommendation is about as basic as it gets. You need to practice good password hygiene. What does that amount to? Picking a long, unique password that bears no resemblance to anything else that identifies you, including your birthday, maiden name, address, or any of the other numbers and words people use to make passwords more memorable. It also means never reusing a password across sites, and changing one promptly whenever you have reason to think it has been exposed, for example when a service you use announces a breach. (Forcing a change every 30 days, a common piece of older advice, tends to produce weaker, predictable passwords; current NIST guidance recommends against scheduled rotation for exactly that reason.) According to some estimates, roughly 80% of hacking-related breaches involve weak, reused, or stolen credentials. If keeping track of dozens of unique passwords sounds like a lot of work to you, you’re not alone. That’s why password managers were invented: to take all that drudgery off your hands.
You should also add two-factor authentication (2FA) as an extra measure of security. Microsoft has reported that accounts using multi-factor authentication are 99.9% less likely to be compromised by automated attacks. That’s pretty impressive and a good reason not to get grumpy about spending the less-than-a-minute it takes to enter a 2FA code. Note that WordPress core does not ship with 2FA; you add it through a plugin or through a login service your host provides.
2. For a host of reasons, you can’t just set and forget a website. And security is one of them. Some WordPress updates are installed automatically: by default, core installs minor and security releases on its own. Plugin and theme auto-updates, on the other hand, are opt-in (you enable them per plugin in the dashboard, or site-wide with a filter, since WordPress 5.5), and major core versions have to be installed manually unless you explicitly turn that on. So the update notifications you receive are not proof that everything is current. In its 2019 hacked-website report, Sucuri found that nearly 49% of the compromised WordPress sites it studied were not running the latest version of the core software.
You should also be aware that certain plugins, when not kept up to date, have wreaked more havoc than others. These include RevSlider (used to create animated, layered, and otherwise fancy slide shows), Gravity Forms (for simple-to-install contact forms), and TimThumb (resizing images made easy). Sucuri reports that, of the hacked sites it studied, these three plugins together were linked to 15% of breaches. It’s not that the plugins themselves are dangerous, per se. But neglecting to update them is. So if you’re using any of them on your site, be diligent about getting the latest versions, and delete plugins and themes you no longer use rather than merely deactivating them; deactivated code still sits on the server and can still be reached. And only download plugins from reputable sources, starting with the official WordPress.org plugin directory. Google around. Read the tech press and consumer reviews to make sure you’re connecting with developers who take your site’s security as seriously as you do.
3. The widest entryway cybercriminals waltz through to compromise WordPress installations isn’t the platform itself. It’s the hardware, software, and network you use to manage your site. If you’re the type of site owner who likes to fiddle with your site while sipping a latte at Starbucks, well…don’t. Bad actors like to lurk on unsecured networks looking for their next opportunity. But if you must, there are a few steps you can take to mitigate your risk. First, serve your site over HTTPS by installing a TLS certificate (still commonly sold as an “SSL certificate”; SSL is the obsolete predecessor of TLS, and the certificate is the same kind of X.509 certificate either way). TLS encrypts the traffic between a browser and your site, including your own login to the dashboard, so someone snooping on the coffee-shop Wi-Fi can’t lift your password or session cookie off the wire. You don’t just owe it to yourself. You owe it to your website visitors and, frankly, many won’t patronize a site that doesn’t show HTTPS at the front of its URL. Free certificates are included by many web hosting companies in their service packages. Installing a VPN on your devices adds a second encrypted tunnel, between you and the VPN provider, which shields the rest of your traffic on an untrusted network; it complements HTTPS on the site but does not replace it.
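To make steps 2 and 3 concrete, here is an added example (not code from the original article or from EasyWP) of a small WordPress must-use plugin plus three wp-config.php constants. It assumes WordPress 5.5 or later for the plugin and theme auto-update filters; the plugin slug in the hold-back list is a placeholder, not a real plugin. The DISALLOW_FILE_EDIT line goes slightly beyond the checklist: it removes the dashboard’s built-in code editor, so a stolen admin password (step 1) is harder to turn into arbitrary code on your server.

```php
<?php
/**
 * File 1 of 2: wp-content/mu-plugins/site-hardening.php
 *
 * Added example, not part of the original article. A "must-use" plugin loads
 * on every request and cannot be deactivated from the dashboard, so the
 * update policy below cannot be switched off by accident.
 */

// Step 2: turn on automatic updates for every plugin and theme. Since
// WordPress 5.5 these filters exist, but the default is opt-in per plugin.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// If one plugin is known to break on unattended updates, hold back that one
// by slug instead of disabling auto-updates everywhere. The filter receives
// the current decision and the update item; $item->slug is the plugin slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array( 'my-custom-checkout' ); // hypothetical placeholder slug
    if ( isset( $item->slug ) && in_array( $item->slug, $hold_back, true ) ) {
        return false; // leave this one for a manual, tested update
    }
    return $update; // keep the decision made by the filter above (true)
}, 10, 2 );

// WordPress emails the site admin after each automatic update; keep that on
// so a failed or unexpected update does not go unnoticed.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );

/*
 * File 2 of 2: additions to wp-config.php
 *
 * These constants belong in wp-config.php, above the line that reads
 * "That's all, stop editing! Happy publishing." Shown here for reference.
 *
 * // Step 2: also install major core releases automatically, not just the
 * // minor/security releases WordPress already applies on its own.
 * define( 'WP_AUTO_UPDATE_CORE', true );
 *
 * // Step 3: force the login page and the whole admin area onto HTTPS, so a
 * // dashboard session from a coffee shop never goes over plain HTTP. Requires
 * // a working TLS certificate on the site first.
 * define( 'FORCE_SSL_ADMIN', true );
 *
 * // Beyond the checklist: remove the built-in plugin/theme file editor, so a
 * // compromised admin account cannot drop PHP onto the server from the UI.
 * define( 'DISALLOW_FILE_EDIT', true );
 */
```

After dropping the file in place, confirm the policy took effect: Dashboard → Plugins should show “Auto-updates enabled” on every plugin except the held-back slug, and Dashboard → Updates should list core as set to receive all releases. Test FORCE_SSL_ADMIN by visiting the login page over http:// and checking that you are redirected to https://.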
Get a security boost through Managed WordPress
Whether you’re a blogger-in-the-basement sharing your passion for pets or a small business owner who doesn’t have the budget to hire a cybersecurity officer, keeping your site safe—on top of keeping it fresh and functioning properly—can seem like too tall a task. But fortunately, you have options. Partnering with a managed WordPress service provider like EasyWP can take the burden of maintaining security off your back. EasyWP sweetens the pot with phenomenal uptime statistics, a lightning-fast way to get your site up and running, free SSL certificates, 24/7 customer support, and more, all at a price virtually anyone can afford. You can even try it for free. No credit card is required, so there’s no risk. If only we could say the same thing about the internet.
Susan Doktor is a journalist, business strategist, and principal at Branddoktor. She writes about a wide range of topics, including technology, finance, and marketing. Follow her on Twitter @branddoktor.