From time to time we like to share good articles that we find and think might be relevant to our clients. Kaustav Acharya, one of our website developers at Taylor Digital, has a new favorite read he’s been circulating to the staff, courtesy of iThemes. It’s a kind of cautionary tale about WordPress and website security issues. We thought we’d share it because it hits on points about cybersecurity we talk about with clients and best practices we use regularly.
Did you know that 25% of all websites are powered by WordPress? With such a high market share, any security breaches are likely to affect a lot of people. But most website security issues are preventable when best practices are followed. Here’s a breakdown of factors that can make your site vulnerable:
- Weak Passwords. Some of you will have heard this refrain before. But as a web development company, we have to warn you that if you’re using the same password in multiple places, you’re vulnerable to hackers. If you don’t have a mix of characters, numbers and symbols, your site could be at risk.
- Not Updating WordPress, Plugins and Themes. WordPress has a team of 25 people working on website security patches, squashing vulnerabilities as soon as they come to light. They routinely issue updates, some big and some small, and always do a great job of getting the information out there. Staying on top of these updates is part of best practices and should be considered routine. Running outdated versions of WordPress and its plugins leaves your site open to potential backdoors and potential SQL injection.
It gets tricky, though. While it’s great practice to keep sites updated for both WP Core and all the plugins, depending on how the website is put together and how the plugins are utilized, there may be times when a plugin update should wait until a fully supported version comes out. We’ve seen this across a few websites we’ve worked on. Every plugin update lists the issues it addresses in its release notes, which can be viewed on the plugin author’s website or directly on WordPress.com’s Plugin Page. Updating the wrong combination of plugins and core could result in custom websites suddenly not displaying content. While this can cause an immediate panic attack, it can be avoided with proper care and a thorough understanding of how the website is built. We highly recommend testing all plugin updates on a staging environment.
- Not Using Trustworthy Plugins and Themes. We work with our clients to make sure they aren’t loading unnecessary plugins on their site. With the way WordPress is built, it loads all references to plugins into the header. There are ways to speed this up, but it’s best practice to load the fewest plugins needed to do what you need to do. Too often companies rely on third-party plugins to do very generic things. Minimizing the dependency on third-party plugins allows the site to load faster, be more secure and have fewer issues around updates.
- Be Alert for Shared or Poor Quality Hosting. What does this mean? It’s possible that a lesser quality host isn’t vigilant enough with security measures, leaving your site vulnerable. We make sure this isn’t the case for our clients by partnering with known secure web hosts with daily backup and restore points.
If you have any questions about WordPress, plugins and updates, feel free to contact us. We have different maintenance plans available to help keep your site running smoothly. We also offer a free assessment so you have a clear idea about how efficiently and safely your site is operating.