I have been doing this for a while. In fact, I remember creating my first WordPress site for a client and glancing at the list of plugins in the dashboard and thinking “Akismet? Jetpack? Who needs that stuff?” And then a few years later I was pitching the idea of a WordPress site to a new client and he was skittish about using it and said he had heard it got hacked a lot. I told him not to worry, hackers would never bother his site if he kept it up to date and besides, I had never seen one of my clients’ sites get hacked.
And then, there was a couple of weeks this past summer where it felt like every time I tried to head to the beach I would have one foot out the door and get that phone call: “Help! My site won’t load/keeps showing links to porn sites/ triggered a Google malware alert! What do I do? Can you fix it??”
I would take a deep breath, put the beach bag back in the closet and then start doing the forensics to see what had happened.
Why Your Site Gets Hacked
You may think that your custom dog hair knitting blog is its own little island out in the world, but it’s still possible for hackers to find it and exploit it for their own nefarious purposes. Sometimes hackers use automated scripts or bots to crawl the web looking for sites that have plugins with known security holes. Once they have located your site, they use that hole to inject malicious code.
For example, one of the sites I was asked to clean up this summer was a site built with Joomla. The previous developer had left a setting unchanged that allowed users to register themselves. Someone had located this vulnerability and created several authors that posted bogus content. The site’s owner never checked the site’s dashboard and didn’t know that her site was hosting dozens of articles with links to black-market pharmaceutical companies and other crap. Not good.
To add insult to injury, Google will notice if your site contains links to known malware sites and flag your website for malicious content. And, if that isn’t bad enough, some hosting companies will shut your site down completely if they detect perceived malicious files on your hosting account.
If you want to read more about the “why” of things, Sucuri.net’s blog has a great article on some of the various reasons sites get hacked. And if you really want to end up hiding in a bunker wearing a tin foil hat, check out Spam Nation by Brian Krebs.
So, Now That I’m Freaking Out, How Do I Keep My Site Safe from Hackers?
There are quite a few things one can do to keep a web site secure. I tend to think of it as the “castle approach”.
1: Build It on a Hill
When people wanted to build a castle, the first thing they did was find some high ground. This would be your hosting company. Choose a company that offers things like domain registration protection, automated backups and Sitelock. Over the years I have seen a lot of clients learn the YGWYPF lesson. You Get What You Pay For. For example, I pay around $30 per month for my web hosting, but I am paying for some extra security practices that would cost a lot more if I purchased them all separately.
2: Invest in Your Outer Defenses
People built castles with multiple methods of defense. Attackers who made it across the moat then had to deal with ramparts and curtain walls. Even if you feel like your hosting company is doing a pretty good job, it can still be worth the extra money to have a plugin as well as a third party service monitoring your site for brute force attacks and malware injections.
3: Maintain What’s Yours
Maintaining defenses is the key to keeping your castle safe. Good castellans made sure castle walls were secure and troops were well fed and equipped. In WordPress security terms this means making sure that everything on your site is kept up to date. News of a vulnerable plugin or WP core file travels fast and hackers love to scan the web looking for older versions of WordPress and other CMS systems to exploit.
This Sounds Like a Lot of Work, Do You Handle Site Maintenance?
Why yes! As a matter of fact I do!
Think of me as your personal WordPress castellan, ditcher and watchman. I can help you find the best set-up for your site so that your site stays fully backed up and secure. As a WordPress developer, I have subscriptions to security services such as Akismet and WP Manager and can offer a monthly maintenance fee that is less expensive than purchasing these services for a single site. Trust me, paying a monthly fee to protect your site’s defenses is a LOT less expensive than paying to repair your site after a hacker has gotten in!