Long story short: The biggest pitfall with WordPress is failing to prepare your site for the onslaught of automated attacks it will be subject to. You can set yourself up for success by configuring a good security plugin, sticking to an update schedule, and maintaining automatic offsite backups.
WordPress is the world’s most popular Content Management System by far – it runs about a quarter of the internet’s top websites! It’s also very easy to get up and running. Some web hosts even sell special hosting packages where WordPress is already installed and ready to go. This gets people straight to the fun part of WordPress – writing posts, setting up themes, and so on.
Sadly, this streamlined setup and immense popularity have turned out to be a double-edged sword. Just like the Windows operating system, the WordPress platform’s ubiquity online makes it a huge target for unsavory hackers. Make no mistake – running a WordPress website means you will constantly be enduring waves of low-effort automated hack attempts.
I believe this is mainly due to two factors:
First of all, there are many more wannabe hackers out there than there are actual hackers. Wannabe hackers are the people who download penetration testing tools like WPScan and gloat about their amazing skills when the software finds a way into a site for them. Actual hackers are the rare experts who know how to analyze a site’s structure and exploit vulnerabilities themselves. They aren’t spending their days trying to break into random WordPress sites, because it isn’t worth it to them: they can get paid a lot of money to use their powers for good as a penetration tester or security consultant.
Secondly, there’s an unfortunately gigantic number of sites that are vulnerable to the wannabe hackers’ software. As long as there are weakly protected WordPress sites, they may as well stick to the easy pickings, especially since those sites are also much less likely to have backups or recovery systems in place!
The whole situation is sort of like if a lock on your house’s front door was something you needed to install yourself instead of coming standard… and a ton of people didn’t even realize that you needed a lock to begin with! Thanks to human nature, plenty of opportunists would be prowling around, checking front doors to see if they’re unlocked. If they found an unlocked door and opened it, they would declare themselves master thieves before grabbing what they could. On the other hand, having a locked door would be a sign that you’ve enacted defenses against this sort of thing, so trying to actually break in would be an assumed waste of time versus just using that time to check more doors.
In other words, if you make sure to lock your door, you don’t need to worry about would-be burglars that only check to see if your door is unlocked.
Getting back to the real world, there’s some good news about this sour situation – there are just three things to check off your list to avoid about 99% of the threats out there and be prepared in case the other 1% darkens your digital doorstep.
Step 1: Install & Configure a Good Security Plugin
A good, well-configured WordPress security plugin provides two main benefits. First and foremost, it will help you shore up your site’s defenses by doing things like temporarily banning people who try to log in to the admin account 50 times in a row. It will also give you an easy way to see just how much malicious traffic it’s blocking for you, which is generally an equal mix of fascinating and terrifying.
My go-to security plugin is iThemes Security Pro, formerly known as Better WP Security. As soon as you activate it, it gives you a prioritized to-do list of security options to review and activate, with a description of what each option does for you and your site. I found the configuration settings to be the most intuitive to use while still being one of the most powerful security plugins out there.
The free version of iThemes Security is sufficient to block the low-effort automated attacks, but I do think the pro version has some great extra features that could be worth the purchase for you, like the ability to allow or require two-factor authentication for admin accounts.
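To make the “ban anyone who fails to log in too many times in a row” behaviour concrete, here is an added example in Python (not code from the post or from iThemes Security) of the sliding-window lockout logic such a plugin enforces. The log format and the IP addresses are constructed for the example; the defaults of five failures in five minutes and a fifteen-minute ban are assumptions, and the function takes them as parameters. It also shows the limit of the technique: the last client in the sample spaces its attempts five minutes apart and stays under the threshold, which is why a security plugin on its own is only one of the three steps.

```python
"""Sliding-window login-failure lockout, as a WordPress security plugin would enforce it."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of login events (this line format is an assumption for the
# example, not any real plugin's log): timestamp, client IP, outcome, username tried.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 login_failed admin
2024-05-01T10:00:01Z 203.0.113.5 login_failed admin
2024-05-01T10:00:02Z 203.0.113.5 login_failed administrator
2024-05-01T10:00:03Z 203.0.113.5 login_failed admin
2024-05-01T10:00:04Z 203.0.113.5 login_failed wpadmin
2024-05-01T10:00:05Z 203.0.113.5 login_failed admin
2024-05-01T10:00:30Z 198.51.100.7 login_failed editor
2024-05-01T10:00:45Z 198.51.100.7 login_ok editor
2024-05-01T10:20:00Z 192.0.2.9 login_failed admin
2024-05-01T10:25:00Z 192.0.2.9 login_failed admin
2024-05-01T10:30:00Z 192.0.2.9 login_failed admin
2024-05-01T10:35:00Z 192.0.2.9 login_failed admin
2024-05-01T10:40:00Z 192.0.2.9 login_failed admin
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, outcome, user)."""
    ts, ip, outcome, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, outcome, user


def find_lockouts(log_text, max_failures=5, window_seconds=300, lockout_seconds=900):
    """Return {ip: lockout_start} for every IP that reached max_failures failed
    logins inside any window_seconds span.

    A successful login clears that IP's counter, and events arriving while a
    lockout is active are dropped (the plugin would simply refuse them).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    lockouts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, ip, outcome, _user = parse_line(raw)
        if ip in lockouts and when < lockouts[ip] + timedelta(seconds=lockout_seconds):
            continue  # still banned: the request never reaches the login form
        if outcome == "login_ok":
            recent[ip].clear()
            continue
        window = recent[ip]
        window.append(when)
        # Drop failures that have aged out of the window.
        while window and (when - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures:
            lockouts[ip] = when
            window.clear()
    return lockouts


if __name__ == "__main__":
    for ip, since in find_lockouts(SAMPLE_LOG).items():
        print(f"locked out {ip} starting {since.isoformat()}")
```

With the defaults only 203.0.113.5 is banned (at its fifth failure, 10:00:04). Widening the window to 20 minutes and lowering the threshold to three also catches the slow client at 10:30, which is the trade-off every lockout setting makes: a tighter window bans fewer legitimate users who fumble a password, a wider one catches more patient attackers.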
Step 2: Stick to an Update Maintenance Schedule
I understand that scheduling updates is a big, ugly chore for a lot of people because of how hard it is to predict how long updating will take. I also understand that an incredible number of WordPress hacks ultimately succeed because the wannabe hacker’s software found a piece of vulnerable, out-of-date software on the site and exploited it. These sorts of exploits can be truly nasty, passing right by a well-configured security plugin’s defenses through some shoddy code that has long since been fixed upstream.
To understand the importance of this step, you need to know a bit about how vulnerabilities are reported in open-source software. Essentially, someone will spot something in the underlying code and point out to the software development team how it could be dangerous in just the right situation. Once it has been fixed with an update, the vulnerability will usually be publicly announced along with an explanation of exactly how it was vulnerable. They’ll end the announcement with something like “…so update right away!” and those who do will be protected against the vulnerability.
Everyone else will be involuntarily entered into a race against the exploit developers. Will the exploit devs use the description of the vulnerability and package it into some Exploit-o-Matic before you update? As soon as they do, the wannabe hacker horde will start downloading that tool and using it against anyone who has yet to update.
So yes, despite how frustrating it can be to stay on top of updates, every time you press “update now” you’re likely saving yourself hours of post-hack frustration down the line without even realizing it. If that’s not enough incentive for you, there are always people that professionally take care of this sort of thing available if you’d rather skip the hassle!
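The race described above is easier to win if you can see, at a glance, which components are behind the version that carried a fix and for how long. The Python below is an added example, not code from the post: it compares a constructed component inventory against constructed “fixed in version X, published on date D” records (the plugin slugs, versions and dates are placeholders, not real advisories) and reports the exposure in days. The one non-obvious detail it gets right is version ordering: compared as strings, “2.10.0” sorts before “2.9.5”, which would wrongly flag an up-to-date plugin and miss an outdated one.

```python
"""Report which installed WordPress components still predate a published fix."""
import re
from datetime import date

# Constructed inventory shaped like a plugin/core version list. Names and
# versions are placeholders for this example, not real software.
INSTALLED = {
    "wordpress-core": "6.4.1",
    "example-gallery": "1.9.3",
    "example-forms": "2.10.0",
    "example-seo": "4.2",
}

# Constructed fix records. In practice these come from the vendor changelog or
# a vulnerability feed; every value here is a placeholder.
FIXES = [
    {"component": "example-gallery", "fixed_in": "1.10.0", "published": date(2024, 3, 4)},
    {"component": "example-forms", "fixed_in": "2.9.5", "published": date(2024, 1, 15)},
    {"component": "example-seo", "fixed_in": "4.2.1", "published": date(2024, 4, 20)},
]

TODAY = date(2024, 5, 1)  # constructed reference date so the report is reproducible


def version_key(version):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_exposed(installed, fixed_in):
    """True when the installed version predates the version carrying the fix.
    Missing trailing components count as zero, so '4.2' equals '4.2.0'."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def exposure_report(installed, fixes, today):
    """Return (component, installed, fixed_in, days_since_fix_published) for each
    fix the site does not yet have, longest exposure first."""
    report = []
    for fix in fixes:
        current = installed.get(fix["component"])
        if current is None:
            continue  # component not installed, nothing to update
        if is_exposed(current, fix["fixed_in"]):
            days = (today - fix["published"]).days
            report.append((fix["component"], current, fix["fixed_in"], days))
    return sorted(report, key=lambda row: -row[3])


if __name__ == "__main__":
    for component, current, fixed_in, days in exposure_report(INSTALLED, FIXES, TODAY):
        print(f"{component}: running {current}, fix shipped in {fixed_in}, {days} days ago")
```

On the constructed data the gallery plugin has been exposed for 58 days and the SEO plugin for 11, while the forms plugin on 2.10.0 is correctly reported as already patched. A script like this is what you would run on your update day to decide what goes first.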
Step 3: Have Automatic Offsite Backups
Automatic backups just happen as often as you’d like them to. They stay off of your routine to-do list – really, you just need to check up on them every now and then to make sure they’re still doing their thing correctly. If you’ve ever had to make regular, manual backups of something important before, this is probably music to your ears.
Offsite backups are utterly impervious to whatever nefarious forces your site may be subjected to, because they’re nowhere near them. They’re just hanging out in another time zone waiting for you to need them. When you do need them, they’ll be there in the blink of an eye – or however long the download takes – ready to restore things back to their former glory.
BackupBuddy is my go-to plugin for making sure this happens. There’s no free version available, but I think it’s worth every penny and then some. I should note here that I am not affiliated with iThemes at all, and that’s not even a referral link; they just make some of the best utility plugins for WordPress out there. This plugin alone takes care of automatic offsite backup scheduling, site migrations, live backups, and deploying changes between staging and production servers. In plain English, it gives you (or your developer) the tools to make sure your site’s data isn’t tied down to a single server. And it does it all with the most intuitive interface I’ve come across!
Setting up automatic offsite backups will give you a reliable safety net for all but the most disastrous scenarios. If you want to be absolutely prepared for anything and everything, here are some backup pro tips from a former sysadmin:
- Have multiple offsite backup locations, across both physical locations and services. This is pretty easy to accomplish in BackupBuddy: just set up a few external backup locations instead of one. Having a single offsite backup location is a single point of failure for your backup strategy!
- Go entirely offsite with your backups – delete the local backups on your server. The local copies make instant restores quicker, but they can also be exploited to hack your site, which is entirely counterproductive to their purpose.
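The three backup habits above (automate it, copy to more than one offsite location, then delete the local copy) fit in one short pipeline. The Python below is an added example, not BackupBuddy’s code or anything from the post: it archives a constructed mini site, copies the archive to two directories standing in for remote storage services, re-hashes every copy, deletes the server-side archive only once all copies verify, and finishes with the “check up on them every now and then” step by reporting any destination whose newest backup is older than a day. The directory layout, file names and the 24-hour freshness limit are assumptions.

```python
"""Archive a site, replicate it offsite, verify, prune the local copy, check freshness."""
import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_archive(site_dir, staging_dir, stamp):
    """Pack site_dir into a timestamped tar.gz plus a .sha256 manifest beside it."""
    staging_dir = Path(staging_dir)
    staging_dir.mkdir(parents=True, exist_ok=True)
    archive = staging_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    digest = sha256_of(archive)
    Path(str(archive) + ".sha256").write_text(digest + "\n")
    return archive, digest


def replicate(archive, expected_digest, destinations):
    """Copy the archive to every destination and re-hash each copy. A mismatch
    raises, so a corrupted transfer can never lead to the local copy being pruned."""
    verified = []
    for dest in destinations:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        copy = dest / archive.name
        shutil.copy2(archive, copy)
        if sha256_of(copy) != expected_digest:
            raise RuntimeError(f"checksum mismatch at {copy}")
        verified.append(copy)
    return verified


def prune_local(archive, verified, required_copies):
    """Delete the server-side archive only once enough offsite copies are verified."""
    if len(verified) < required_copies:
        return False
    archive.unlink()
    Path(str(archive) + ".sha256").unlink(missing_ok=True)
    return True


def newest_backup_age(dest, now):
    """Age of the newest archive in dest as a timedelta, or None if there is none."""
    archives = sorted(Path(dest).glob("site-*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return None
    newest = datetime.fromtimestamp(archives[-1].stat().st_mtime, tz=timezone.utc)
    return now - newest


def demo(max_age=timedelta(hours=24)):
    """Run one full cycle in a temp directory with a constructed mini site and two
    local directories standing in for independent remote storage services."""
    root = Path(tempfile.mkdtemp(prefix="wp-backup-demo-"))
    site = root / "wordpress"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed placeholder config\n")
    (site / "wp-content" / "uploads" / "hello.txt").write_text("constructed upload\n")
    (site / "db.sql").write_text("-- constructed database dump\n")

    archive, digest = make_archive(site, root / "staging", "20240501T020000Z")
    destinations = [root / "offsite-a", root / "offsite-b"]
    verified = replicate(archive, digest, destinations)
    pruned = prune_local(archive, verified, required_copies=len(destinations))

    now = datetime.now(timezone.utc)
    stale = [d.name for d in destinations
             if (age := newest_backup_age(d, now)) is None or age > max_age]
    return {
        "copies": len(verified),
        "local_removed": pruned and not archive.exists(),
        "all_match": all(sha256_of(c) == digest for c in verified),
        "stale_destinations": stale,
    }


if __name__ == "__main__":
    print(demo())
```

The order matters: hash before copying, verify every copy against that hash, and only then delete locally. Running the freshness check from a scheduled job (and alerting when it reports a stale destination) is what turns “automatic” backups into backups you can actually trust on the day you need them.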
With these three things in place, you will be protected against the constant waves of low-effort attacks that plague all publicly available WordPress websites. Even better, your solid backup strategy will make sure you can get back up and running no matter what the forces of chaos inflict upon your website!