This guest post is by Anders Vinther of The WordPress Security Checklist.
WordPress Security is about as sexy as cleaning your house. And as a serious blogger, you already know that securing your site properly is not a trivial task.
That makes it a fantastic topic for myth fabrication.
In this post, I’ve compiled the top ten WordPress security myths for your easy consumption, followed by a light sprinkle of facts to debunk the myths.
Here are the myths:
- WordPress is not secure.
- Nobody wants to hack my blog.
- My WordPress site is 100% secure.
- I only use themes and plugins from wordpress.org so they are secure.
- Updating WordPress whenever I log in is cool.
- Once my WordPress site is set up my job is finished.
- I’ll just install xyz plugin and that’ll take care of security for me.
- If I disable a plugin or theme, there is no risk.
- If my site is compromised I will quickly find out.
- My password is good enough.
Myth 1. WordPress is not secure
When people experience security problems with their WordPress sites, they tend to blame WordPress. However, the WordPress core is very secure. And when a security hole is found, the development team is very quick to respond.
The most frequent causes for compromised WordPress sites are in fact:
- outdated software
- insecure themes and plugins
- bad passwords
- stolen FTP credentials
- hosting problems.
For more on this topic, see WordPress Security Vulnerabilities.
Myth 2. Nobody wants to hack my blog
Most hacking attempts are automated. There are rarely personal or political motives behind WordPress hacking—more often the motives involve financial gain.
Maybe you’re thinking, “But I don’t have anything for sale on my site. I don’t have credit card information or any other sensitive information. What could they possibly steal from my site?”
What you do have is resources.
Possible ways to exploit your site are:
- the insertion of spam links in your content to boost SEO for other sites
- malware infections of your visitors' computers, e.g. to steal their financial information
- redirecting your traffic to other sites.
For more details, see Are Small Sites Targeted For Hacking?
Myth 3. My WordPress site is 100% secure
No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.
That is why you need a backup and recovery plan. If disaster strikes, you need to have a good backup available, and a plan for how to restore your site.
For more, see:
- WordPress Backup – The Plugin and The Plan
- How To Restore A WordPress Site
- The WordPress Rescue Plan
Myth 4. I only use themes and plugins from wordpress.org so they are secure
The WordPress Team reviews themes and plugins before they are included in the wordpress.org repository. However, they do not have the resources to review updates.
Themes and plugins are developed by programmers from all over the world. Their experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs. Just pick a random plugin, look at the change log and you will see that bugs are routinely discovered and fixed. Even the best plugins developed by the most renowned people could contain undiscovered security risks.
Is it safer to get your themes and plugins from wordpress.org? Absolutely.
Is it guaranteed that there are no security problems with themes and plugins from wordpress.org? Absolutely not.
For more information, see:
- WordPress Plugin Management
- WordPress Theme Reviews
- Why You Should Never Search For Free WordPress Themes
Myth 5. Updating WordPress whenever I log in is cool
You need to keep WordPress core, plugins, and themes updated at all times. Whenever a security update is released the whole world can see what the problem was. This obviously exposes any site that has not been updated. Unless you log in to your WordPress admin dashboard every day, you’ll need a plugin that will notify you when updates are available.
More information can be found in the article, Update Notifications.
Myth 6. Once my WordPress site is set up, my job is finished
Having a WordPress site is an ongoing commitment—it’s like having a dog. As a bare minimum your WordPress blog needs to be maintained when new updates come out. This is crucial even if you do not write new posts or otherwise update the content.
If you simply leave your WordPress site behind like an abandoned holiday pet, chances are that you will be helping the bad guys carry out their malicious schemes to control the world. So if you will not or cannot keep your WordPress site updated, it’s better if you take it down!
Myth 7. I’ll just install xyz plugin and that’ll take care of security for me
You do need security plugins. And you need the right mix of security plugins. However, keeping your WordPress site secure goes well beyond what you install on your site.
Other factors you need to consider include:
- securing the computer you use to connect to your hosting account (anti-virus, malware and firewalls)
- creating and managing strong passwords
- using Secure FTP to access your hosting account
- protecting sensitive WordPress files from access from the internet
- off-site WordPress monitoring.
Myth 8. If I disable a plugin or theme, there is no risk
All files that exist in your WordPress folder are accessible from the internet unless you specifically protect them. This means even disabled themes and plugins can be exploited if they are vulnerable.
The best practice is to remove anything you do not use. Or, at a minimum, make sure you keep de-activated themes and plugins updated.
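One way to find the leftovers is to compare what is on disk with what WordPress considers active. The sketch below is an added example, not code from the original post: it assumes a single-site install, that you have copied the PHP-serialized value of the active_plugins option out of the options table, and it uses constructed plugin names and a temporary directory standing in for wp-content/plugins.

```python
import os
import re
import tempfile

def parse_active_plugins(serialized):
    """Return plugin paths from a PHP-serialized array of strings."""
    # Entries look like s:19:"akismet/akismet.php"; keep only well-formed ones.
    pairs = re.findall(r's:(\d+):"([^"]*)";', serialized)
    return [path for length, path in pairs if int(length) == len(path)]

def inactive_plugins(plugins_dir, serialized_active):
    """List plugin folders and single-file plugins that are installed but not active."""
    active = set(parse_active_plugins(serialized_active))
    active_dirs = {p.split("/")[0] for p in active if "/" in p}
    leftover = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            if entry not in active_dirs:
                leftover.append(entry)
        # index.php is the empty placeholder file WordPress ships in this folder.
        elif entry.endswith(".php") and entry != "index.php" and entry not in active:
            leftover.append(entry)
    return leftover

# Constructed sample of the active_plugins option value.
SAMPLE_ACTIVE = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";}'

def demo():
    """Build a constructed plugins folder and report what is still web-reachable but inactive."""
    with tempfile.TemporaryDirectory() as root:
        for folder in ("akismet", "old-gallery", "unused-slider"):
            os.mkdir(os.path.join(root, folder))
        for name in ("hello.php", "index.php", "legacy-widget.php"):
            open(os.path.join(root, name), "w").close()
        return inactive_plugins(root, SAMPLE_ACTIVE)

if __name__ == "__main__":
    for name in demo():
        print("installed but inactive, remove or keep updated:", name)
```

Everything it reports is still sitting in a web-accessible folder, so each entry should either be deleted or kept on your update list.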
Myth 9. If my site is compromised I will quickly find out
Professional hackers are not interested in you finding out that your site has been compromised. Therefore you might not find out what has happened until quite some time after a hack has occurred—if you find out at all.
Some types of hacks that are difficult to spot include:
- redirection of all traffic coming from a search engine (so if you enter the URL in your browser or use a bookmark, everything will look normal)
- the inclusion of hidden text in your posts and pages.
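Both hacks in this list can be checked for from outside the site. The following is an added example, not code from the original post: it requests a page once directly and once with a search-engine Referer and compares the results, then looks for off-site links inside elements hidden with inline CSS. The fetch function, URLs and sample HTML are constructed so the check runs offline; a real fetch must not follow redirects automatically.

```python
import re
from urllib.parse import urlparse

# Constructed Referer imitating a click from a search results page.
SEARCH_REFERER = "https://www.google.com/search?q=example"
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Elements hidden with inline CSS. Does not cover external stylesheets
# or nested elements of the same tag name.
HIDDEN = re.compile(
    r'<(\w+)[^>]*style="[^"]*(?:display:\s*none|visibility:\s*hidden|left:\s*-\d{3,}px)'
    r'[^"]*"[^>]*>(.*?)</\1>', re.I | re.S)
LINK = re.compile(r'<a\s[^>]*href="(https?://[^"]+)"', re.I)

def hidden_offsite_links(html, site_host):
    """Return links to other hosts found inside inline-hidden elements."""
    found = []
    for block in HIDDEN.finditer(html):
        for href in LINK.findall(block.group(2)):
            if urlparse(href).hostname != site_host:
                found.append(href)
    return found

def check_page(fetch, url):
    """fetch(url, headers) -> (status, location, body), without following redirects."""
    host = urlparse(url).hostname
    d_status, _, d_body = fetch(url, {})
    s_status, s_location, _ = fetch(url, {"Referer": SEARCH_REFERER})
    findings = []
    # Normal for direct visitors, but search visitors are sent to another host.
    if d_status == 200 and s_status in REDIRECT_CODES:
        if urlparse(s_location or "").hostname not in (None, host):
            findings.append(("referer-redirect", s_location))
    findings += [("hidden-link", h) for h in hidden_offsite_links(d_body, host)]
    return findings

# Constructed sample page and responses standing in for a compromised site.
SAMPLE_BODY = ('<p>Welcome to my blog.</p>'
               '<div style="position:absolute; left:-9999px">'
               '<a href="http://pills.example.net/">cheap</a></div>'
               '<p>Read <a href="https://blog.example.com/about">about me</a>.</p>')

def fake_fetch(url, headers):
    if "google." in headers.get("Referer", ""):
        return 302, "http://landing.example.org/", ""
    return 200, None, SAMPLE_BODY

def demo():
    return check_page(fake_fetch, "https://blog.example.com/")
```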
You need some kind of off-site monitoring of your WordPress site. For more details, see:
Myth 10. My password is good enough
Unless your WordPress admin password looks something like LR!!g&6uTFL%MD8cyo, you need to change your password management strategy. And make sure you do not reuse passwords on multiple websites.
Amazingly, password and 123456 are still the two most used passwords! To find out more about this issue—and how to solve it—see:
Don’t get caught out!
Getting WordPress security right is not trivial. That’s probably the reason why too many bloggers stick their heads in the sand when it comes to protecting their valuable assets.
While you do need to be pro-active and take action, WordPress Security is by no means an impossible task. The same way you would add an alarm to your car and get a guard dog for your house, you need to secure your website. Don’t get caught with sand in your ears, nose, and mouth when the hackers come knocking on your door. Act now!