Security For WordPress

WordPress Website – Can You Tell If It Is Secure?

As I do research for my web design business, I find a fair number of local businesses developing their own CMS websites, all of them made with the WordPress framework. This is fine, because WordPress is the easiest to use and learn for most people, but it poses a serious concern, or at least one that local business owners should be concerned about.

Most people do not follow the web design and security information pool like I do. The majority of people have, at best, a rudimentary understanding of web design, website security and content management systems (CMS) such as WordPress. This does not speak ill of local business owners; it only explains that they have other priorities for their business than embarking on the long learning curve for web design and web design security.

Rightly so, but many local business owners do need to be aware that website security is not optional; it’s required if you want to maintain and secure your investment called a website.

This is where a web designer comes in.

WordPress Highest Targeted CMS On The Internet

WordPress is among the most attacked CMSs on the Internet. It does not matter how unimportant or small your site is. It does not matter that your site offers zero reason for being hacked; your WordPress site will get attacked.

If you want to get an idea of how frequent these attacks are, especially the number per day, let alone per hour, see this web page – WordPress Brute Force Attacks.

These statistics are disturbing.

With the WordPress work I do for clients, I found that all of their WordPress sites are targeted with brute force attacks, and quite a few IP addresses get blocked.

CMS Sites Need Security – A Fundamental Requirement

This says that any WordPress site requires proper security and if it does not have that security, it will eventually get hacked. So what happens when a WordPress site gets hacked and what do the hackers do with it?

Hackers will generally:

  • Deface the website / Force it Offline.
  • Send Spam through the website.
  • Kill SEO for your site.
  • Redirect visitors to their Phishing sites.
  • Host Malicious Content (Insert large number of malicious web pages – sometimes numbered in the hundreds).
  • Cause malicious 404 redirects.
  • Cause your site to become a Phishing site.
  • Distribute Malware.
  • Ransom the website (using Bitcoin as payment).
  • and more.

(Reference: “What Hackers Do With Compromised WordPress Sites”).

The trouble and loss of business that can occur is tremendous, especially to any SEO work done for your website.

Loss of SEO

Any hacked website will lose its SEO standing in Google or any search engine; that is a guarantee. Google is the leader in Internet search engines. Other search engines such as Bing and Yahoo have their own systems, but they use Google as a template. Google is the front runner, so when your SEO listing in Google search results is lost, be assured it is lost or will soon be lost in other search engines such as Bing, Yahoo, etc.

This loss can be expensive to local businesses. What you paid for SEO work is lost. In turn, the work needed to regain this search rank listing will cost money (sometimes a great deal, depending on who you hire), and clientele is also lost to your business. With statistics that 86% of British Columbians browse the Internet, imagine the loss of potential business because of a hacker.

Is this search engine listing a permanent loss? – No, it’s recoverable, but it takes time and manual labour to do so. It cannot be automated.

What’s more, if your WordPress site gets hacked and compromised with malicious code, Google can blacklist your site, and that is not simple to recover from. It’s a manual recovery through Google. If you have a “Do It Yourself (DIY)” website, is that DIY service going to help you overcome a Google blacklisting? – Don’t know, you’d better ask them.

Recovery requires the identification and then elimination of the causes first. Then the website’s SEO has to be rebuilt, and this can range from changing or adding content to addressing site speed with Google and much more. These things are not automated. Have you inquired about the cost of hiring someone recommended by DIY services (Amazon, Wix, etc.)? Remember that you will be paying in USD, not CDN.

What is best is to contact a local web design service in your area. Get this local company to restore your SEO listing with Google. This way you can have personal service. Payment then is in Canadian currency, instead of another currency where you pay the exchange rate (which in some cases can almost double your cost).

Why choose a local service instead of getting one from the Internet in some other province, state or country? Reason – to avoid the pitfalls of being just another numbered client.

SEO web services that are Internet based and do not operate as a local business are primarily focused on getting business via the Internet. To them, it is a numbers game. They want to get a lot of clients, and that means large numbers. I get SPAM in my business email every day from Internet based SEO businesses that span the globe.

Hiring an Internet based company to do SEO work means much of their service uses automation, not personal service. They will use software and Internet based tools to do any (if any) SEO work on your site, and when they are dealing with large numbers of people, they won’t spend a lot of time on any one site. If you expect more, it will cost you much more.

What is recommended? – Contact a local web design company for personal service to recover your SEO listings and don’t become a number.

Do it Yourself Websites & Security

Does the “Do it yourself (DIY)” service offer website security and at what cost?

There are many DIY services on the Internet and many website hosting services offer DIY services combined with hosting. Many website hosts use “Sitelock” as their security service for WordPress sites. Unfortunately, I found that Sitelock does not have the needed reputation for my satisfaction. I found too many complaints that they keep pushing you to pay more for their services or claim your site needs cleaning, for a fee, when it does not need it. A lot of people cannot afford their most expensive package, and most use their basic or one up from basic security. Once a site gets hacked, you’ll find the basic package was not as good as initially thought (as they claimed) and Sitelock will be asking for more money to recover the site (not good).

Take a read of this article on DIY services from an experienced website marketing business.

A person does need to understand the makeup of WordPress and know how to detect problems in order to scrutinize services like Sitelock. They are a web based service and again play the numbers game. But be careful: I came across local web design companies that claim to provide professional work, but when I inspect their services and work, it is far from professional. One reason is the serious lack of credentials; they don’t have the training.

What Do Website Hosts Provide As Far As Website Security?

The majority of DIY and web host services provide only basic security to the website, if they provide any at all. This does not properly secure your WordPress site and does not always provide a means to recover it. They are not going to provide top notch security services for bottom end prices. If you purchase their bottom end services, they depend on you calling them to recover your site, and then comes their call to open your pocketbook to give more. That was one of the major complaints with Sitelock.

A website host has their own security for their physical servers, and they have security for the framework of their server file & folder structure that provides you the support to use various website applications such as PHP. Despite their own security, a website can still be hacked, because their security does not protect your site; it only protects their servers, even though your site is on their servers.

Sound contradictory?

To protect their servers means they isolate your site out. This ensures that if your site is hacked, the hacker does not gain access to their framework. Their own protection prevents a hacker from using your site to gain access to the rest of their file and folder structure that runs the servers. I know this because I had a client come to me telling me their site was hacked despite their web host security. In short, any website intrusion is isolated to a small part of the server that can be deleted if needed and saves the rest of the customer base that uses the same server.

Yet website hosts do offer security services. A lot use Sitelock, and others, such as Amazon, have their own security systems. Despite all of that, sites still get hacked, even at Amazon (read: My AWS account got hacked … $50,000 bill).

In that linked example, the Amazon client was lucky he did not have to pay the huge bill, but will that be the same luck for you if your Amazon site gets hacked?

The majority of people who choose a DIY method do not understand or know what is required to secure a website based on a WordPress framework. In fact, they don’t normally think about it until after they lose their site to hackers.

Website security is paramount, and as we see, even with DIY services you cannot just ignore this important aspect of website maintenance. It’s ultimately your responsibility to ensure your site is secure, not theirs. Site security cannot be overstated or ignored. It does not matter how big a DIY service is; they are prone to breaches, in fact much more so, because of one unfailing characteristic – human error – and the fact that entities like Amazon are a huge target for hackers. It’s a prestige thing for hackers.

Do you actually research these DIY services?

Please take a look at this recent article about Amazon – “Your Amazon Account Isn’t as Secure as You Think It Is”.

Security breaches can happen, but the best security measure is for you to ensure it’s done. Most of all, realize that this is not a one time effort; it is a continual effort of monitoring and adjustments. This is because technology changes rapidly and so do methods of hacking websites. To ensure you’re protected against this constant threat, persistent diligence for your security must be maintained and exercised.

This is where “personal service” has always been the best, and Internet based services such as Amazon cannot match the personal service of a local web design service. Amazon and the like deal with huge numbers of clients; there is no such thing as a personal service. A local web design security service is not dealing with a huge number of clients at once and is in a much better position to provide a personalized service. You can check with other local web design companies about their website security services. Form Web Design has such a personalized service.

Get Your Site Secure

If you have not considered it or only treated it lightly, it’s time to get serious about website security. Whether or not you contact Form Web Design, your site security should be paramount, especially if you use a CMS website such as WordPress. If you care about loss of business through the website, you need to care about security for your website. If you care about your Google search engine listings, you need to care about security. If you care about not completely losing the website to hackers, you need to care about security.

It may be too late to recover a website completely lost to hackers after the fact; in a case of a complete breach, the website owner can lose his/her domain name also.

Here is an example of a domain name theft (Note: Chris Coyier is one of the well known HTML5, CSS and Script gurus on the Internet)

If you still prefer to do the work yourself, I do offer a Website Security Inspection which will get you the information you need to do the work yourself. Contact Form Web Design for more details.