Looking after a WordPress website is about more than just finding somewhere to host it. Like a car, a website needs to be maintained and cared for if you want it to keep running. But what does that involve, exactly?
Outdated software is the number one reason WordPress sites get hacked, but if you don’t know much about WordPress, how can you tell if you’re up to date?
There’s no need to track down your developer and ask, or go and look through code. All you have to do is visit the Sucuri website, type in your web address and you can find out straight away.
The tool doesn’t just test WordPress websites, it checks whatever you have, as other systems like Joomla! can also be vulnerable, especially if out of date.
We have written several times before about how out of date WordPress software and plug ins can make your site vulnerable to all kinds of hacking nastiness, including pharma hacks, malware or complete loss of your website.
Google blacklists (on average) 10,000 websites per day, many of which will be hacked WordPress sites. If your software is out of date and your site hasn’t been attacked, you’re not safe, you’re lucky.
90 per cent of hacks are opportunistic and automated. Hackers run automatic programmes that try known weaknesses on thousands of sites at a time and if they get in, there goes your website.
If you’re not up to date, it’s not a question of whether, but when.
Test your WordPress site now
Follow this link to the Sucuri website and test your own site by putting the domain name into the box. The link opens in a new tab and you can return to this page afterwards.
If you get the all clear, then great.
If your site is vulnerable
If your site is marked as vulnerable through out of date WordPress, then do yourself a favour and come and talk to us. We can put it right for the price of an hour or two’s work.
We can also check over your site’s security and other common ways in, such as insecure usernames and passwords, the second most common reason for hacks.
WordPress is not the problem
WordPress is popular – it’s now 20 per cent of websites – and that’s what makes it a target for hackers who know some people will always leave their websites to go out of date, often because they don’t know any better.
As it happens the WordPress development team works hard to ensure the software is as secure as it can be, which is one reason why it is updated relatively often.
It could be argued they are getting better and better at it.
Last week the latest version of WordPress – 3.7 – came out and includes the ability to do security updates automatically, which is a big step forward. But there are still lots of sites that are running old and vulnerable versions, just sitting there waiting to be hacked.
Don’t let that happen to your website. Check your site now!
As I write this, hosting companies all over the World are fighting off a huge attack on WordPress websites that has been going on for at least 24 hours.
Our sites were hit for about 20 minutes yesterday afternoon, but thankfully our hosting company has a solution so all our customer websites have been safe today.
How are the attacks happening?
Basically, the attacks are being conducted by an army of computers infected by a virus, known as a botnet.
They are simultaneously hitting thousands of WordPress login pages and trying to guess the password to get into the sites.
It also is cycling through various obvious usernames but most of all trying the default ‘admin’ username.[caption id="attachment_1176" align="alignright" width="375"] Is Hacker Barbie responsible for the attacks?[/caption]
This is called a brute force login attack, and an estimated 90,000 IP addresses are involved.
What they will do if and when they actually get in to websites is not known, but we’d expect the usual nasty surprises you get with a hacked WordPress site.
But a by product is this attack is slowing down websites all over the world, whether or not they use WordPress, as most websites are on shared hosting, and as the most popular content management system in the world, most websites are bound to be sharing a server with WordPress sites.
The repeated attacks basically cause everything to slow down.
If you are one of our customers and you want to get into the back end of your site you may see a password prompt screen you have not seen before.
This is an extra layer of security placed by our hosting company.
The box says: “A username and password are being requested by http://www.your-site.co.uk. The site says: “Automatic Protection” It now gives the username and password you need.
For current status visit our system status page. Once you have entered these details you can log in as you normally would.
If you have access to the admin area of your site make sure you have a secure password.
Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters
Example weak password:
Improved strong password:
In the meantime we are watching the situation closely and will implement any suggested security improvements across our customer websites as part of our normal service.
Is Wordpress not secure?
WordPress is fine but this attack tries to exploit the weakest link in any security system: The human factor.
If your site has secure username and password then it will not fall victim to this attack. We never use the default ‘admin’ account in WordPress, and delete it where we come across it in WordPress installs done by anyone else.
The rest is down to our hosting company who have added the extra layer of security to prevent unauthorised access to the login pages in the first place and making sure all our sites stay live.
WordPress is popular, and therefore it is a target for attacks like this. That’s why it is vitally important that you keep your Wordpress version and any plugins up to date.
The problem is not confined to WordPress as there are literally millions of Joomla websites on out of date versions that are just waiting to be hacked, too.
Silicon Republic: Major brute force attack against WordPress Under Way (Note: The Limit Login plugin suggested will not prevent these attacks because they come from multiple IP addresses).
Matt Mullenweg (WordPress co-founder): Passwords and brute force
Recently we’ve been asked to look at a few sites built in WordPress, and have been surprised to find the software is years – yes, years – out of date.
Allowing your WordPress website to drift like this is a bad move that can leave your site open to hackers who could bring it down or worse.
Your site could be taken off search results, your reputation could be damaged but most of all it will take a lot of time to clean up the mess.
Wordpress is the most popular website platform in most of the world with good reason.
It’s free for a start, but also it can be extended with the help of plug ins, which allow custom functions like photo galleries or forums – just about anything you want.[caption id="attachment_526" align="alignright" width="300"] WordPress gives you plenty of warnings about updates to itself and its plug ins[/caption]
Another reason for its success is that WordPress is constantly moving forward, with a new version featuring improvements released every three to four months – the latest (3.5) was just last week – and sub versions to fix bugs and security issues in between.
Every major update also means the plug ins have to change, too.
That popularity means lots of people who like to hack websites devote a lot of time to finding holes in WordPress. Hackers share information and once they find a hole they will tell lots of other hackers.
When this has happened in the past the WordPress community has been quick to close the security hole by rolling out a new update that fixes the problem.
Asking for trouble
But if you don’t apply the update your site is basically sitting there waiting to be hacked. And the hackers will be looking for you.
Now we are not trying to scare you, or put you off using Wordpress, but if you or your web designer ignore this aspect of using WordPress then you are asking for trouble.
Wordpress itself does its best to warn users of new versions, but it’s amazing how many people ignore the warnings.
Even Google started warning website owners if they were running out of date Wordpress versions, and there were plenty of examples of people being caught out who should have known better.
For example the Reuters blog, which was hacked earlier this year and found to be running a version of WordPress that was two years out of date.
The result: Your website can be home to nasty software, advertising dodgy online drugs, hosting one of those fake banking/phishing sites or just taken over by someone else. In most cases you may not even know anything is wrong.
This can get your website blacklisted and removed from search results and the damage to your reputation can be immense.[caption id="attachment_527" align="alignright" width="197"] That’s a lot of out of date plug ins[/caption]
Sometimes the fault here lies with web companies themselves who sell a website to a customer but don’t explain that the software it runs on must be kept up to date.
One company we know of even told a customer to ignore the prompts to update the plug ins and Wordpress version – and warned them that if they updated and things went wrong they would be on their own.
In this case it seems the web company involved simply didn’t understand how to keep WordPress up to date – or the importance of doing so.
A Stitch in Time Saves Nine
Some customers are put off by the idea their website will need to be maintained that there will be a small cost associated with this but skipping this is a false economy.
After all doing the necessary back-ups and keeping everything up to date is a finite task that shouldn’t take long if done regularly.
Fixing a hacked website can be a long and involved process that could cost a lot – in time and money – to put right.
Or to put it another way, keeping Wordpress and your plug-ins up to date is the equivalent of taking your vitamins, but putting a hack attack right is open heart surgery.
Ask your web company
So if you already have a WordPress site find out what your web company is doing about back-ups and software updates. If you look after your own site then don’t ignore the warnings.
And if you’re thinking about having a WordPress site built for you, ask your web company what they are going to do about updating it and its plug-ins. If they don’t have an answer, then you might be better going somewhere else.
Otherwise there could be a lot of time and expense waiting for you down the road.
How to Keep WordPress Secure by Matt Mullenweg, co-founding developer of WordPress