We have been developing websites since before content management systems (CMS) existed; back then we had to build our own.
Then open source CMSs arrived, with Joomla (then called Mambo) and WordPress the two that rose to prominence. Over time they got better and more extendable, with a huge range of plugins, and eventually WordPress was flexible enough, and easy enough for our clients to use, that we gave in and recommended it as our first-choice CMS.
No software is immune from security issues, and open source CMSs are no exception. So if Joomla and Drupal have their own share of vulnerabilities, why does WordPress get the bad rap? It is a victim of its own popularity. WordPress is the most used CMS on the internet, and most attacks on it are not targeted: attackers scan the whole internet for recognisable WordPress installs and known-vulnerable plugin versions, so the platform with the largest install base is the one that turns up most often in those scans, and therefore most often on the lists of compromised sites.
So how do we protect the WordPress sites we develop (particularly our more recent ones)?
- No common admin URL. Every WordPress site exposes its login at the same addresses, i.e., www.domainname.com.au/wp-admin and www.domainname.com.au/wp-login.php, which is exactly what automated brute-force tools request first. We give each site a unique login URL built from a set of characters unique to the business, so no two are alike; think of it as a thumbprint for the website. Be clear about what this buys: it is obscurity, not access control. It keeps the login page out of the mass scans and cuts brute-force noise dramatically, but it does not stop an attacker who learns the path, and the XML-RPC endpoint (xmlrpc.php) accepts a username and password independently of the login page, so it has to be restricted as well or the hidden login URL protects very little.
- No common admin username. For a long time the default WordPress username was “admin”, so brute-force tools try it first. Each of our recent sites has a unique username and a strong password, so even if our login page is found, the attacker still has to guess both. One caveat: usernames are not really secret in WordPress. Author archive URLs (?author=1) and the REST API user listing (/wp-json/wp/v2/users) reveal them unless blocked, so the strong password (and two-factor authentication, where the client will accept it) is what actually holds; the unique username just removes the free guess.
- We disguise the standard WordPress URL structure in the page source. Every WordPress site has the same folder names (wp-content, wp-includes, wp-admin), so the HTML source, which anyone can read and scanning tools parse automatically, contains paths that give it away as WordPress and flag it as a potential target. Popular plugins are identifiable the same way, by their folder name under wp-content/plugins, and a scanner that recognises a plugin folder can look up that plugin’s known vulnerabilities directly. Our recent sites replace these common paths with unique names, so a scanner sweeping the internet is much less likely to recognise them as WordPress. (WordPress supports relocating and renaming the content directory through the WP_CONTENT_DIR and WP_CONTENT_URL settings in wp-config.php; wp-admin and wp-includes cannot be renamed without patching core, so those paths still answer.) Renaming folders removes the most obvious markers but not all of them: the generator meta tag, the /wp-json/ link in the page head, the xmlrpc.php pingback link and files such as readme.html identify WordPress just as clearly and need removing or blocking as well. Treat this as reducing exposure to opportunistic scans, not as making the site invisible.
- More technical stuff: we turn off directory listing on the web server (Options -Indexes on Apache, autoindex off on nginx), so requesting a folder that has no index file returns an error instead of a list of its contents. This stops someone browsing the site’s files and plugin folders looking for a way in. It does not stop requests for files whose names are already known, which is why files such as wp-config.php and readme.html need to be denied explicitly as well.
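The web-server side of the three measures above (restricting the login page, denying the files and endpoints that fingerprint a site, and switching off directory listing), as an added example that is not the agency's build script. It assumes Apache 2.4 with AllowOverride enabled for the document root; the document root, the allowed office network 203.0.113.0/24 and the sample page are assumptions. The second function lists the markers a WordPress scanner looks for in a page, run over a constructed page as WordPress emits it by default, to show which markers survive a folder rename.

```shell
#!/bin/sh
# Added example, not the agency's own build scripts. Part 1 writes the Apache
# .htaccess rules behind the measures above (assumes Apache 2.4 with
# AllowOverride enabled for the document root). Part 2 lists the markers a
# WordPress scanner looks for in a page, run over a constructed sample page.
set -eu

# write_htaccess DOCROOT ADMIN_NET
# ADMIN_NET is the IP range allowed to reach the login page (assumption:
# the office network, e.g. 203.0.113.0/24).
write_htaccess() {
  docroot=$1
  admin_net=$2
  cat > "$docroot/.htaccess" <<EOF
# Directory listing off. This only hides files whose names an attacker does
# not already know; known files are denied below by name.
Options -Indexes

# The login page answers only from the allowed network. A renamed login URL
# hides the page from scans; this rule actually denies it.
<Files "wp-login.php">
    Require ip $admin_net
</Files>

# xmlrpc.php also accepts a username and password (and system.multicall packs
# many guesses into one request), so hiding wp-admin alone leaves brute force
# wide open here.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Files that reveal the WordPress version or configuration.
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>
EOF
}

# fingerprint_markers < page.html
# Prints each WordPress marker found in the page, one per line. The list is a
# few of the signals scanners use; it is not exhaustive.
fingerprint_markers() {
  page=$(cat)
  for marker in '/wp-content/' '/wp-includes/' 'content="WordPress' \
                '/wp-json/' 'xmlrpc.php' 'wp-emoji'; do
    if printf '%s\n' "$page" | grep -qF -- "$marker"; then
      printf '%s\n' "$marker"
    fi
  done
}

# A constructed page head as WordPress emits it by default (not a real site).
# Renaming wp-content removes two of these markers; the generator tag, the
# REST link and the pingback link stay until they are removed separately.
sample_page() {
  cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.4" />
<link rel="https://api.w.org/" href="https://example.com/wp-json/" />
<link rel="pingback" href="https://example.com/xmlrpc.php" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/site/style.css" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body></body></html>
EOF
}

# Usage: ./wp-harden.sh /var/www/example.com 203.0.113.0/24
if [ "$#" -eq 2 ]; then
  write_htaccess "$1" "$2"
  echo "wrote $1/.htaccess"
  echo "markers still present in the sample page:"
  sample_page | fingerprint_markers
fi
```

Run against a saved copy of a real page (curl the home page to a file and pipe it into fingerprint_markers) after the folder rename to see what a scanner can still match; on the constructed page five of the six markers are present.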
- Ongoing scanning. We install a security plugin that watches the website files and alerts us when anything changes unexpectedly (a file integrity check against the known-good copy), monitors login attempts and blocks IP addresses that keep failing. Two caveats apply. A plugin runs inside the site it is guarding, so an attacker who gains code execution can disable or blind it, which is why the web server’s own access logs are the record to trust. And blocking by IP slows down a single attacker but not a botnet that rotates addresses, so login rate limiting works alongside the strong credentials above, not instead of them.
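As an added example (not the scanning plugin the agency installs), the same login monitoring done from the web server's access log, which an attacker who compromises the site cannot silence the way they can a plugin. The signal it relies on is real WordPress behaviour: a failed POST to wp-login.php is answered with 200 (the form re-rendered with an error), a successful one with a 302 redirect into wp-admin, so counting 200 responses to POSTs on the login path counts failures. The log lines are constructed, and the login path, threshold and iptables blocking are assumptions.

```shell
#!/bin/sh
# Added example, not the agency's plugin. Finds brute-force sources in the
# web server's access log. A failed wp-login.php POST gets a 200 (the form
# again, with an error); a successful one gets a 302 to wp-admin, so 200s to
# the login path are failures. Any POST to xmlrpc.php is counted too, since
# that endpoint takes credentials and legitimate use of it is rare.
set -eu

# login_abusers LOGIN_PATH THRESHOLD < access.log
# Prints IPs with at least THRESHOLD failed logins, most failures first.
# LOGIN_PATH is whatever the site's (possibly renamed) login URL is.
login_abusers() {
  awk -v path="$1" -v limit="$2" '
    $6 == "\"POST" && $7 == path && $9 == 200 { fails[$1]++ }
    $6 == "\"POST" && $7 == "/xmlrpc.php"    { fails[$1]++ }
    END {
      for (ip in fails)
        if (fails[ip] >= limit) print fails[ip], ip
    }' | sort -rn | awk '{ print $2 }'
}

# block_commands < ip-list
# Turns the list into firewall commands. They are printed, not executed, so
# an operator reviews them first (assumption: iptables on the host).
block_commands() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Constructed log lines in combined log format (not real traffic).
# 198.51.100.23: six failed logins; 198.51.100.50: four XML-RPC posts;
# 203.0.113.9: one successful login (302); 192.0.2.77: just viewing the form.
sample_access_log() {
  cat <<'EOF'
198.51.100.23 - - [10/Mar/2024:02:14:07 +1100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:14:08 +1100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:02:14:09 +1100] "GET /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:14:09 +1100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.50 - - [10/Mar/2024:02:14:10 +1100] "POST /xmlrpc.php HTTP/1.1" 200 821 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:02:14:10 +1100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:02:15:31 +1100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.50 - - [10/Mar/2024:02:15:40 +1100] "POST /xmlrpc.php HTTP/1.1" 200 821 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:02:15:41 +1100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.50 - - [10/Mar/2024:02:15:42 +1100] "POST /xmlrpc.php HTTP/1.1" 200 821 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:02:15:43 +1100] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.50 - - [10/Mar/2024:02:15:44 +1100] "POST /xmlrpc.php HTTP/1.1" 200 821 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2024:02:16:02 +1100] "GET /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
EOF
}

# Usage: ./wp-login-abuse.sh /var/log/apache2/access.log [/login-path] [threshold]
if [ "$#" -ge 1 ]; then
  login_abusers "${2:-/wp-login.php}" "${3:-10}" < "$1" | block_commands
fi
```

Run it from cron against the rotated log and feed the output to the firewall (or to fail2ban, which does the same counting continuously). The threshold matters: a user who mistypes a password a few times should not end up blocked, and a botnet that spreads guesses across hundreds of addresses will stay under any per-IP threshold, which is the case the strong password has to cover.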
- Plugin & core WP updates. The main prevention our site owners have at their disposal is keeping the WordPress core and plugins on the latest release. Like all software, the developers add features and fix security issues in ongoing releases, and being open source, WordPress makes these fixes available to everyone as soon as they ship (the fix also publicly describes what was vulnerable, which is when attackers start scanning for sites still on the old version, so the gap between release and update is the dangerous period). We have over 200 WordPress websites and updates arrive monthly, so it isn’t economically practical for us to keep every site current unasked. Clients who see the benefit have us do it for them, and done regularly an hour a month is usually enough to apply the updates and confirm nothing conflicts and everything continues to work. Some of our sites have customisations applied to plugin code; those plugins can’t be updated through the normal one-click process, and we have to re-apply our customisations after each update. Keeping changes out of plugin files, in a child theme or a small site-specific plugin that uses the plugin’s hooks, avoids this problem and is worth doing on new builds, because a plugin that is awkward to update tends to stay unpatched.
- Regular backups. Automated backup plugins can be set up in a site, but we find them a waste of time because in most cases they keep the backup on the same server, and a serious compromise that wipes (or encrypts) the site files takes the backup with it. Clients on our security & maintenance support service get a multi-level backup monthly: we back up the site files and database to our internal server, which is in turn backed up to our secure cloud storage. Our web server also keeps two weeks of daily backups, so if an issue is found, it is fair to say we have your back(up). A backup is only as good as the restore, so the other half of the routine is test-restoring a copy now and then rather than assuming the archives are sound.
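The update and backup items above are really one monthly procedure (back up off the server, then update, then check what changed), so here is that routine as one added example, not the agency's own maintenance scripts. It assumes WP-CLI, mysqldump via WP-CLI, rsync and SSH access to a separate backup host; the document root, backup directory, backup host and retention period are assumptions. The checksum verification at the end is what tells you which files differ from the official release, which is exactly the list of customised plugin files that have to be re-applied after an update (or of files that should not be there at all).

```shell
#!/bin/sh
# Added example, not the agency's maintenance scripts. Monthly routine: back
# up off the web server before touching anything, prune old local copies,
# update core/plugins/themes with WP-CLI, then verify files against the
# official checksums. Assumes WP-CLI and rsync on the host and SSH access to
# a separate backup host; all paths, hosts and names are assumptions.
set -eu

# backup_site DOCROOT BACKUP_DIR BACKUP_HOST
# Dumps the database and archives the files, checks both, copies both off.
backup_site() {
  docroot=$1; backup_dir=$2; backup_host=$3
  stamp=$(date +%Y%m%d-%H%M)
  mkdir -p "$backup_dir"
  # WP-CLI reads the DB credentials from wp-config.php, so no password ends
  # up on the command line or in the process list.
  wp --path="$docroot" db export - | gzip > "$backup_dir/db-$stamp.sql.gz"
  tar -czf "$backup_dir/files-$stamp.tar.gz" \
      -C "$(dirname "$docroot")" "$(basename "$docroot")"
  # An archive that will not decompress is not a backup.
  gzip -t "$backup_dir/db-$stamp.sql.gz"
  gzip -t "$backup_dir/files-$stamp.tar.gz"
  # Off-server copy. The backup host should accept uploads from the web
  # server and nothing more, so a compromise of the site cannot delete it.
  rsync -a "$backup_dir/db-$stamp.sql.gz" "$backup_dir/files-$stamp.tar.gz" \
        "$backup_host:backups/"
}

# prune_backups BACKUP_DIR KEEP_DAYS
# Deletes local archives older than KEEP_DAYS and prints how many remain.
prune_backups() {
  find "$1" -type f -name '*.gz' -mtime +"$2" -exec rm -f {} +
  find "$1" -type f -name '*.gz' | wc -l | tr -d ' '
}

# update_site DOCROOT
# Runs only after backup_site has succeeded (set -e stops the script if the
# backup fails), then reports every file that differs from the release.
update_site() {
  docroot=$1
  wp --path="$docroot" core update
  wp --path="$docroot" core update-db
  wp --path="$docroot" plugin update --all
  wp --path="$docroot" theme update --all
  # Each warning here is a customisation to re-apply or an intruder's file.
  wp --path="$docroot" core verify-checksums
  wp --path="$docroot" plugin verify-checksums --all
}

# Usage: ./wp-maintain.sh /var/www/example.com /var/backups/example.com backup@backup.example.net
if [ "$#" -eq 3 ]; then
  backup_site "$1" "$2" "$3"
  update_site "$1"
  echo "local backups kept: $(prune_backups "$2" 14)"
fi
```

Run it on a staging copy first where the site carries customised plugin code, since plugin update --all overwrites those files; the verify-checksums output afterwards is the list of what to port across. The 14-day local retention mirrors the two weeks of daily copies mentioned above, while the off-server copies are what survive a wiped server.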
- But we can do more: SSL. A digital certificate lets the browser and the server talk over HTTPS (TLS), which encrypts the data in transit so it cannot be read or altered on the way, including the login password, which is otherwise sent in the clear. It does nothing against an attacker going after the server itself, so it complements the measures above rather than replacing any of them. We haven’t often recommended it for non-ecommerce sites, but that is changing for two reasons: one, the price has come down, with free certificates now available from Let's Encrypt, making them accessible and affordable; and two, HTTPS has SEO benefits, since search engines favour it. This will be a recommendation we make for all our new site builds going forward.
There are other measures not included in the above, and we are constantly looking for what more we can do at build time so we don’t have to spend time and money fixing things later. To find out how secure your site is, or to have your site protected, please get in touch and we can take a look.