Top WordPress Website Security Tips

How to Prevent Hackers from Entering Via Biggest Risk: Your Plugins


Although most website owners and managers who have had the unfortunate experience of being hacked don’t actually know HOW their site was compromised–of those who do, over 50% know it was from a plugin.

Does that mean that you should not use plugins on your website? Of course not; they are part of the beauty of WordPress websites. Plugins add specific functions to our websites without the website owner having to know a whole bunch of code.

Plugins play a big part in making WordPress as popular as it is today. As of this writing there are 43,719 plugins available for download in the official WordPress plugin directory. That is an incredible selection of plug and play software. But you obviously need to be careful with them, as plugin vulnerabilities represented 55.9% of the known entry points reported by respondents.

How do you take advantage of plugins while simultaneously being smart about your WordPress website security?

Keep Plugins Current

We know it can seem like a hassle when you have to update your plugins all the time. But that hassle is so minor compared to the hassle of getting hacked–cleaning up your website, lost time, lost revenue, lost clients, lost business potential. It is definitely worth it.

So when you get a notice that your plugin has an update available, it is a good idea to update. (We do recommend making regular backups of your website as well. Your plugin update may not work with your existing theme, for example. So you want to have a recent backup before you update plugins.)

Get Rid of Abandoned Plugins

If you have a plugin that has not been updated in at least 6 months you should seriously consider a different plugin. This is generally a sign that the developer is no longer supporting the plugin, otherwise known as having abandoned it. That means no one is looking out for your WordPress website security at all. A perfect way for a hacker to get in.

Less is More

Use as few plugins as you can to get the job done. If you have deactivated the plugin, take it off your site. If you don’t need it, don’t upload it–or get rid of it.
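The three rules above (update what has an update, drop what is deactivated, replace what upstream has stopped maintaining) can be turned into a routine audit. The script below is an added example written for this post; it is not code from the original article or from Wordfence. It assumes an inventory shaped like the JSON that the WP-CLI command `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`, `update_version`) and upstream `last_updated` values in the format returned by the WordPress.org plugin information API; both inputs here are constructed sample data, and the script makes no network calls.

```python
"""Audit a WordPress plugin inventory against three rules:
updates pending, deactivated-but-installed, and upstream abandoned.

Added example, not from the original post or from Wordfence.
Assumptions (labelled): the inventory JSON mimics `wp plugin list --format=json`;
UPSTREAM_LAST_UPDATED mimics the `last_updated` field of the WordPress.org
plugin info API. All plugin names, versions and dates below are constructed.
"""
import json
from datetime import date, datetime

# Constructed sample in the shape of `wp plugin list --format=json` output.
WP_PLUGIN_LIST_JSON = """[
  {"name": "example-forms",   "status": "active",   "update": "available", "version": "1.4.0", "update_version": "1.4.2"},
  {"name": "example-gallery", "status": "inactive", "update": "none",      "version": "2.1.0", "update_version": ""},
  {"name": "example-slider",  "status": "active",   "update": "none",      "version": "0.9.3", "update_version": ""},
  {"name": "example-cache",   "status": "active",   "update": "none",      "version": "3.2.1", "update_version": ""}
]"""

# Constructed stand-in for the API's `last_updated` field ("YYYY-MM-DD h:mmam/pm GMT").
# example-cache is deliberately absent: it is not in the official directory.
UPSTREAM_LAST_UPDATED = {
    "example-forms":   "2016-01-20 7:08pm GMT",
    "example-gallery": "2015-11-02 10:30am GMT",
    "example-slider":  "2014-09-14 3:27pm GMT",
}

ABANDONED_AFTER_DAYS = 183  # roughly the six months the post uses as its threshold


def parse_last_updated(value: str) -> date:
    """Keep only the YYYY-MM-DD part; the API value also carries a time and 'GMT'."""
    return datetime.strptime(value.split()[0], "%Y-%m-%d").date()


def audit(installed_json: str, upstream: dict, today_iso: str) -> list:
    """Return (plugin, action, reason) tuples for everything that needs attention."""
    today = date.fromisoformat(today_iso)
    findings = []
    for plugin in json.loads(installed_json):
        name = plugin["name"]
        # Rule: less is more. A deactivated plugin is still code on the server.
        if plugin["status"] == "inactive":
            findings.append((name, "REMOVE", "deactivated plugin is still installed"))
        # Rule: keep plugins current.
        if plugin["update"] == "available":
            findings.append((name, "UPDATE", f"{plugin['version']} -> {plugin['update_version']}"))
        # Rule: get rid of abandoned plugins. No upstream record at all also deserves a look.
        last_updated = upstream.get(name)
        if last_updated is None:
            findings.append((name, "REVIEW", "not found in the official directory; verify its source"))
            continue
        age_days = (today - parse_last_updated(last_updated)).days
        if age_days > ABANDONED_AFTER_DAYS:
            findings.append((name, "ABANDONED?", f"upstream last updated {age_days} days ago"))
    return findings


if __name__ == "__main__":
    # Constructed "today" close to the post's own timeframe, so the sample dates make sense.
    for name, action, reason in audit(WP_PLUGIN_LIST_JSON, UPSTREAM_LAST_UPDATED, "2016-03-01"):
        print(f"{action:<11} {name:<16} {reason}")
```

On a real site you would replace the embedded JSON with the output of `wp plugin list --format=json` and fetch each slug's `last_updated` from the plugin information API before running `audit`; the thresholds and the "not in the directory" check are where you tune the policy to your own risk tolerance.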

Use Reliable Plugins

Many plugins are available from the official WordPress site, but not all are. Don’t let a hacker trick you into loading an open doorway for them to get into your store.

How do you know if a site is reputable or not? Here are the suggestions from Wordfence, the WordPress website security software that we use and recommend.

  • Eye Test – Is the site itself professionally designed, and does it use clear language to describe the product? Or does it look like it was thrown together quickly by a single individual?

  • Company Information – Does the site belong to a company with the company name in the footer?

  • TOS and Privacy Policy – Do they have terms of service and a privacy policy?

  • Contact Info – Do they provide a physical contact address on the contact page or in their terms of service?

  • Domain Search – Google the domain name in quotes, e.g. “example.com”. Do you find any reports of malicious activity? Add the word ‘theme’ or ‘plugin’ next to the quoted domain name in your search and see what that reveals.

  • Name Search – Do a Google search for the name of the plugin and see if any malicious activity is reported. Add the phrase “malware” or “spyware” to the search which may reveal forums discussing a malicious version of the theme being distributed.

  • Vulnerability Search – Do a search for the theme or plugin name or the vendor name and include the word “vulnerability”. This will help you find out if any vulnerabilities have been reported for the product you’re interested in or for the vendor. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible vendor who is actively maintaining their product when problems arise.

Plugins are certainly not the only source of hacking. In order to protect your website and maintain a level of internet security here are some additional pointers:

Select your usernames and passwords with care. Make them unique: don’t reuse the same one across all your sites, and make them hard for someone to guess.

Use some sort of website security. We use Wordfence, and we appreciate the training and education they provide, along with the common breaches they point out to look out for. It is available in a free version and a paid version. The paid version doesn’t cost much and we find that it saves us enough time that it is worth it–but start with the free account if you want to try it out.

There are other options out there as well, so whether you use Wordfence or another product–protect your internet asset one way or another. We don’t get paid for recommending them, it is just who we use.


Thanks to our friends at WordFence for the original article, which can be read on their blog here. The graphic is from the same article.

Not All Website Traffic is Good

In the world of internet advertising, marketers often look at website traffic as an indication that their work is successful.


It may seem like the more traffic that is coming to your website the better, right?

Not necessarily.

Think about it like you would your brick and mortar store. You certainly want more “boots in the door” as one client puts it. But you want more than that as a business owner. You want people who will actually buy your products or pay for your services.

That doesn’t mean that every person who comes in the door has to buy something on the spot or you will kick them to the curb! Depending on your business you may actually have plenty of activity that does not, in that moment at least, seem to generate income.

Potential customers may browse through your shop and not buy now. For some, they look around and learn that your store does not fit their needs or style. Others like it, but don’t see anything right at this moment–but they probably will come back.

You may be a service business and provide free consultations. Perhaps you have a business where you offer free samples. These are types of advertising where you spend your time and/or money/goods in the hopes that you will get some customers. You know that you will not convert all of these trials into clients or customers, but if you are doing it right you will get more than enough to make this a great way of getting new business.

Now apply this logic to your website traffic. You may offer products for sale directly on your website, you may provide information that potential customers “consume” online as a way to get to know you (“a sample”), or your website may allow them to book an appointment, reach you by phone, etc.

These are all great forms of traffic. Some may convert to paying customers. Some will not. Just like the storefront example, there will be potential customers who decide that you are not a good fit for their current needs. That is OK. You don’t want or need every single human being on the face of the planet to be your customer. You want the RIGHT customers.

So when is website traffic NOT good traffic?

Let’s look at the storefront example again. Do you want to have a bunch of people who have absolutely no intention of buying your products or services loitering about, making it hard for your ideal customer to get through the door? Nope, you don’t. Do you want people coming in who are going to steal from you? Of course not.

You may not have a problem with too many people loitering around your site in cyber-space, but you can have problems with people trying to “break in” to your site. These hackers may try to get in through the front door, or they may use sophisticated code to try to come into your site through the backdoor.

Just as you might have security cameras to monitor and safeguard your physical doors, you will want to safeguard your cyber-doors as well.

Hackers will try to break into sites for many reasons. Sometimes it will be to try to get sensitive data. But just because you don’t collect information or accept payment on your website don’t think that you are uninteresting to cyber-thieves.

Be sure that your webmaster is keeping your website protected. The last thing you want to have happen is to look at your website and discover that it has been hacked. Best case scenario it is merely inconvenient–an inconvenience that takes time and money to fix. Something you just don’t need when you are trying to run a business.