Salty Key specializes in building custom WordPress websites for its clients. WordPress is a powerful web content management system (CMS) that is used by over 25% of all existing websites. What started out as blogging software now powers some of the largest companies online, like Sony Music, Walt Disney Corp., The New Yorker, and countless more.

Unfortunately, there’s a false narrative that WordPress sites are more at risk than other platforms. First, let’s address some of the most common security concerns people have with WordPress websites.

  1. As open-source web software, WordPress sites are said to be more vulnerable to exploits than proprietary systems since hackers can see the core files. This is especially true for outdated versions of WordPress, where hackers can also see what security changes were made in the latest version. The same holds true for any outdated plugin or theme. According to WPScan, there are 4,233 known WordPress vulnerabilities — and over half of these (52%) come from plugins. Even the FBI has warned webmasters about potential attacks resulting from outdated plugins. Every site developed by Salty Key is built to the latest version of WordPress and of all plugins used on the site, and every site we develop is maintained for the following three months. Keeping WordPress files updated is your best defense against attacks, yet over 60% of all current WordPress installations are running outdated versions of WordPress as of February 2016.
  2. Another concern people have is the idea that WordPress sites are targeted by hackers more often than other sites. WordPress powers 39% of all existing websites that use a CMS; the next-highest is Drupal at just 9%. Hackers target WordPress because of its popularity, not because it’s more vulnerable to attack by design.

How else does Salty Key protect my website?

Salty Key protects its websites with WordPress security software that defends against a variety of attacks, including brute force attempts, cross-site scripting (XSS), and SQL injections. We’ll also receive advance warning of any possible server exploits (the majority of attacks on the web are via server vulnerabilities) and spam traffic visiting the site. We maintain an active blacklist of known spammer IPs and are quick to block any traffic that looks suspicious. (When bots are searching your site for vulnerabilities, they’ll repeatedly generate 404 errors and consume a ton of bandwidth — two telltale signs of malicious activity.)

Many issues that plague WordPress sites today are easily avoidable, but website owners sometimes underestimate how susceptible they are to attack. Some of the biggest misconceptions regarding web security:

WordPress, by default, does not limit failed login attempts. A user (or bot) can get an infinite number of guesses at your user/password to brute force your site unless you’re actively limiting login attempts and banning IPs. Strong passwords are a good start, especially since so many users still insist on using weak passwords, but spammers will eventually crack your password if given enough chances. All Salty Key sites have brute force protection that locks out users with too many failed logins. We even take brute force security one step further by hiding the login screen at a secret location (all WordPress sites have the same login URL by default) and blacklisting any known spammer IPs from accessing your site.
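As an added illustration of the two signals described above (a burst of 404s from one address, and repeated failed logins from one address), here is a small Python detector run over constructed web-server log lines. This is example code written for this page, not Salty Key’s tooling; the 5-events-in-60-seconds threshold and the assumption that a failed wp-login.php POST returns HTTP 200 while a successful one redirects with 302 are the example’s own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def burst(times, limit, window):
    """True if at least `limit` timestamps fall inside some span no longer than `window`."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= window for i in range(len(times) - limit + 1))

def suspicious_ips(lines, limit=5, window=timedelta(seconds=60)):
    """Map each IP that shows a 404 burst or a failed-login burst to the reason it was flagged."""
    not_found, failed_logins = defaultdict(list), defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if status == 404:
            not_found[ip].append(ts)
        # Assumption: a failed wp-login.php POST re-renders the form (200); success redirects (302).
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200:
            failed_logins[ip].append(ts)
    flagged = {}
    for ip, times in not_found.items():
        if burst(times, limit, window):
            flagged[ip] = "404 burst: probable vulnerability scan"
    for ip, times in failed_logins.items():
        if burst(times, limit, window):
            flagged[ip] = "failed-login burst: probable brute force, lock out"
    return flagged
# Constructed sample traffic using documentation IP ranges; not real log data.
_EVENTS = ([("203.0.113.7", s, "GET", f"/missing-{s}", 404) for s in range(5)]          # scanner
           + [("198.51.100.9", 10 + s, "POST", "/wp-login.php", 200) for s in range(5)]  # brute force
           + [("192.0.2.5", 30, "GET", "/old-page", 404),                                  # ordinary visitor
              ("192.0.2.5", 31, "POST", "/wp-login.php", 302)])
SAMPLE_LOG = [f'{ip} - - [10/Feb/2016:10:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
              for ip, sec, m, p, st in _EVENTS]
```

Running `suspicious_ips(SAMPLE_LOG)` flags the scanner and the brute-force address but not the ordinary visitor, who produced a single 404 and a successful login.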

Your site’s web host can be the best (or worst) part of your website security. As stated, the biggest vulnerability webmasters face is vulnerable servers. When a hacker compromises a website, they get control of that one site (or a network of sites if it’s a multisite). When a hacker compromises a server, they control every site on that server — sometimes hundreds or even thousands of sites. For this reason, hackers target servers as much as (or more than) they do individual websites.

So what should you look for? A good web host runs a server-level firewall to filter and block malicious traffic before WordPress even loads. A good host also offers malware scans/removal and securely stored backups (database and website files). Beyond that, some hosts will provide preventative measures when WordPress is installed, such as changing the database table prefix (i.e. NOT the default “wp_”).

What’s the sign of a bad host? You don’t want a host that runs an outdated version of PHP or MySQL. You don’t want a host that jams as many sites as it can on a single server (for both security and speed reasons). You don’t want a host that can’t patch its servers quickly in the event of an attack. You don’t want a host that won’t help you restore a backup or whitelist your IP (if it gets blacklisted), or doesn’t have failover hosting in the event of a server outage or attack.

Most attacks are automated; hackers are more interested in sites that are easy to exploit (e.g. running outdated software) than in the site’s popularity. When hackers target a site, they usually want three things: to use a clean IP (i.e. one that’s not blacklisted) to propagate spam links and email, to execute outbound attacks against other servers, and to gain user information (e.g. stored passwords, customer data). If you’re someone who uses the same password for your website and something more critical, like your online banking account, then losing your password can be devastating.

Automated attacks allow spammers to target thousands of sites simultaneously. If customers can find your site, so can hackers.

The nature of malware is that it’s hard to detect. When most people think of malware and viruses, they picture pages with the nuclear warning symbol and loads of malicious code sitting in plain view. They may not consider discreet file changes that give spammers database access, or a rogue plugin that hides the scripts it executes on your site behind base64 encoding. Salty Key runs routine scans for malware and can detect any changes made to the site, like added or removed code. We prepare for all possible scenarios and crises, and take every precaution to avoid disasters in the first place.

While having backups is imperative for any site owner, sometimes problems linger even after you’ve cleaned your site of malware (or simply restored a backup). Major search engines like Google regularly scan sites for malware and will de-index your domain from their results if malware is detected. Getting your site whitelisted by Google again is an arduous — and costly — process. Fortunately, Google will send emails and notifications regarding any suspicious activity, but you need a company that’ll address these concerns before they result in penalties.

We’d also like to mention that Salty Key provides a complete backup solution (including database and disk files) for all sites, in addition to any host-generated backups.

Should I worry about using WordPress for my website?

Absolutely not. With proper security measures, WordPress is as secure as anything on the web. Any site, no matter what CMS you use, is subject to security concerns. Drupal experienced a zero-day exploit in 2014 (dubbed “Drupalgeddon”) that affected all versions of Drupal 7. Joomla! also experienced a zero-day exploit just a few months ago, and discovered another vulnerability that affected all versions of Joomla! released over the last eight years.

This page isn’t meant to scare you, but it is meant to highlight the importance of web security. WordPress is the perfect solution for business websites because of its ease of use, deep library of plugins and extensions, and ability to be updated without the need for HTML-editing software. WordPress issues frequent updates to the core software, ensuring maximum compatibility with all major browsers and quickly addressing any security exploits.

And, yes, there are sometimes security concerns. Our job is to make sure you don’t have to worry about them.