There is a misconception that your sites won’t get hacked. Why would someone want to hack your site?
The answer is no one – no one is going to sit down and make a concerted effort to hack your website – unless you are Sony, Adidas, Apple, a bank or a similar big target.
So how do sites get hacked?
What is actually happening is that automated bots are crawling the web looking for vulnerable websites, using a list of known WordPress vulnerabilities. They will also be looking for known vulnerabilities in any plugin or theme you are using.
Did you know that if you search Google for ‘How to hack a WordPress site’ there are nearly 5 million results? Did you also know that when WordPress releases a new version they list all the bugs and vulnerabilities they fixed?
Talk about making it easy!
If your site is not patched with the latest versions of WordPress, plugins, and theme then it is only a matter of time until your site is hacked.
Luckily it is easy to secure a WordPress site:
- Keep WordPress up to date
- Keep plugins up to date
- Keep your theme up to date
- Only use reputable plugins
- Only use reputable themes
- Delete unused plugins and themes
- Use a security plugin
- Backup your site regularly
Following rules 1 to 7 above will help keep your site safe by ensuring that any vulnerability is patched. Following rules 4 and 5 means that the developers will be (or rather should be) actively fixing their product.
Following rule 8 will ensure that should the worst happen you can restore your site. Just make sure the backup is not stored on the same server.
Only half the story
Security of your WordPress site, however, is only half of the story. The other half is the security on the server hosting your site and the control panel you use to manage it.
Did you know that nearly half of all hacks are down to poor security on the server that is hosting your site and nothing to do with WordPress?
Detecting and fixing issues with the server hosting your site is not as easy as securing WordPress itself. There are plugins such as WP Info that will show you what version of operating system you are running on and what version of MySQL your site is using. What you can’t detect is whether the latest patches and fixes are installed, nor can you tell how secure the server is.
What can you check?
You can see how security minded your current provider is by testing the following:
- Can you set a weak password to access your control panel
- Can you set a weak password on SFTP accounts, and are you forced to use SFTP (a secure version of FTP) rather than plain FTP
- Can you use the latest version of PHP (Version 7.2 when this was posted)
- Can you restrict external access to MySQL
- Can you implement SSL easily
- Is the control panel secured using SSL
If you can set weak passwords then I would consider moving host: chances are that there are accounts on the platform that are very vulnerable to attack. Can you select PHP version 7?
It is not an exhaustive test, neither is it conclusive evidence of an issue. It just shows that whoever is configuring the services is not worrying about security, and whether PHP 7 is installed as part of the update and patching processes.
Why does this matter?
Let’s say your site is on the same server as a site with a weak password set on an FTP account and it gets hacked. Some automated bot successfully accesses a site via FTP and uploads some malicious script to the site. This site now starts spewing out emails and becomes another site within a network of sites attacking other sites looking for vulnerabilities.
There are a few things that could start affecting you and your site too:
IP Black listing
Eventually the IP will be blacklisted and emails will start being blocked as spam – oh dear, you use the same IP, it’s a shared mail platform and now your email has also been blacklisted.
The compromised site may well start to use more and more resources on the server you share with it. This means that there are fewer resources for your website, your site gets slower, and visitor numbers and engagement will go down.
Your site gets hacked
The security on the server could be compromised, the hacker could (I am not saying they will) gain control of the server and infect every site hosted on the server including yours.
It could be even worse: we have seen sites that get defaced and some that have even been deleted completely.
So if you can set a weak password on any account then I would seriously look for an alternative host.
If you’re an agency or a designer, imagine you have 10, 20, 30 or more client websites hosted on this platform. The consequences are not worth thinking about.
How we protect our servers and your site
We patch our servers every week, with a scheduled reboot taking place early Sunday morning if required. Our servers are protected using the following methods:
- Enforce 2FA to SSH
- Enforce 2FA to access admin control panel
- No remote root user access
- Enforced strong passwords on everything
- No access via FTP, only SFTP
- Fail2Ban implemented on server level
- Mod_sec implemented on server level
- Firewall implemented on server level and only the ports we need are opened
- We keep all WordPress sites up to date
- We back up every 24 hours, a full image backup
- We monitor resource usage 24/7
- We only allow local access to MySQL
- All our IP addresses are blacklist monitored
- We have DDoS protection on our network
- Weekly full scans across the entire server
- We use 3rd party email scanning for both inbound and outbound email.
- iThemes Security Pro installed and configured on every site
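Three of the items above (no remote root access, 2FA on SSH, MySQL local-only) are plain configuration settings, so they can be checked rather than taken on trust. The audit below is an added example, not the hosting company's own tooling: it parses constructed sshd_config and my.cnf fragments and reports the weak settings beside the hardened ones (the hardened SSH fragment assumes a PAM one-time-password module is installed to back keyboard-interactive).

```python
import re

# Constructed sshd_config fragments (not from the page): a weak server, and one matching the list above.
WEAK_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD = """Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
# Constructed my.cnf fragments: MySQL listening on all interfaces vs. loopback only.
WEAK_MYCNF = "[mysqld]\nbind-address = 0.0.0.0\n"
HARDENED_MYCNF = "[mysqld]\nbind-address = 127.0.0.1\n"


def parse_kv(text, sep, first_wins):
    """Parse 'Key value' / 'key = value' lines, skipping comments and [sections].
    sshd honours the first value given for a keyword, my.cnf the last."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        parts = re.split(sep, line, maxsplit=1)
        if len(parts) == 2 and not (first_wins and parts[0].lower() in out):
            out[parts[0].lower()] = parts[1].strip()
    return out


def audit_sshd(text):
    """Findings for an sshd_config; an empty list means root is locked out, keys are required and 2FA is enforced."""
    cfg = parse_kv(text, r"\s+", first_wins=True)
    findings = []
    # OpenSSH's default (prohibit-password) still lets root in with a key, so anything but "no" is flagged.
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("remote root login permitted")
    if cfg.get("passwordauthentication", "yes") == "yes":  # OpenSSH default is yes
        findings.append("password logins allowed; require keys")
    methods = cfg.get("authenticationmethods", "").split(",")
    if "publickey" not in methods or "keyboard-interactive" not in methods:
        findings.append("2FA not enforced: AuthenticationMethods needs publickey,keyboard-interactive")
    return findings


def audit_mysql(text):
    """Flag a MySQL server that listens on anything other than loopback."""
    cfg = parse_kv(text, r"\s*=\s*", first_wins=False)
    bind = cfg.get("bind-address", "*")  # MySQL 8 defaults to '*', i.e. every interface
    if bind not in ("127.0.0.1", "::1", "localhost"):
        return [f"MySQL reachable remotely (bind-address={bind})"]
    return []
```

Run it against the real files (`/etc/ssh/sshd_config`, `/etc/mysql/my.cnf` on most distributions) to see which of the list above your own server actually meets.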
We are not saying that we are 100% secure – no one can be. A 100% hack proof system does not exist if it is connected to the internet. We do all we can to lower the attack surface – the number of ways that the server or a site can be hacked – and implement as much security as we can, while not affecting access and performance. This is a tricky business, and performance, access and security have to be carefully balanced.
Too much security can limit access, make the service unusable for developers and designers, and affect accessibility. Too much security can also have an adverse effect on performance: every security process we implement needs some resources to run.
We use Plesk Onyx on our servers, installed, configured and secured using their best practice guidelines.
Moving hosts is painful!
This is true – but if it is carefully planned, carefully carried out and managed then it can be relatively painless. We have migrated hundreds of sites and have a proven process.
To ensure the security of your site, choose a good host that has security built in. Remember passwords should be strong or very strong, and there should be no option for weak passwords. If this is an option, someone will set a weak password. FTP is inherently insecure and should not be an option; only SFTP should be permitted. Ensure you keep your WordPress core, plugins and themes up to date and only use reputable sources. Always keep a backup.
Use a VPS when commercially viable, they are more secure because they give you more control to implement the security you want to install.