Blog Post

18 May 2015

Is WordPress Safe?

If you have built or are thinking about building a WordPress website, in light of the recent increase in website hackings, you have to ask yourself this question: Is it safe to build my website using WordPress?

Yes … but.

So the answer is yes … but there are some new recommendations for owning a WordPress website.

Let’s review first

In the last six months or so, the following popular WordPress plugins have had serious vulnerabilities that were exploited on live sites.

  • Slider Revolution
  • Gravity Forms
  • Mail Poet
  • WordPress SEO by Yoast

Slider Revolution is installed on millions of websites. The top-rated security company Sucuri estimated that 100,000 websites were hacked, and 11,000 were blacklisted by Google because the hack was so severe.

Gravity Forms is also installed on hundreds of thousands of websites, and recently a vulnerability was found that let anyone upload a file to a website, essentially with no security checks. The hacker could then run malicious code from the compromised website.

Mail Poet plugin users experienced a particularly nasty hack, similar to the Gravity Forms one, allowing an attacker to upload malicious code to the website and basically take over the site. Reportedly over ten thousand websites were compromised as a result of not updating this plugin.

Finally, WordPress SEO by Yoast, the #1 SEO plugin for WordPress and installed on millions of websites, was found to potentially allow an attacker to change the website’s database.

So what can you do about it?

1. Update

So like I said, WordPress is secure, but you have to keep your WordPress website regularly updated. If you let WordPress and your plugins get out of date, you risk being hacked.

The WordPress core files are updated periodically, and plugin updates can sometimes arrive on a daily basis, depending on which and how many plugins are installed on your site.

2. Backup

You should be actively backing up your website. I recommend backing up at least weekly for up to five weeks, and then also maintaining a monthly backup for up to a year.

So true story … We had a client call us because their website was “blank” (one of the indicators of a hacked site … kind of like the Windows “blue screen of death”, except it is a “white page”). After checking out the site, we determined that it was indeed hacked, and that it had been hacked for more than three months!

Many hosting companies or services may back up your site for a month, but I’ve not seen many that keep more than a month of backups. In this case, this client could have benefited from having a backup of their site from more than three months ago.
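The retention scheme described above (weekly copies kept for five weeks, monthly copies kept for a year) is simple enough to script. The following is an added example, not code from the original post: it archives a site directory with a dated name and then prunes the oldest archives of each kind beyond the allowed count. The paths, the archive naming and the demo site tree are assumptions; point SITE_DIR and BACKUP_DIR at your own locations and run the weekly and monthly steps from cron. (This backs up files only; the database needs its own dump on the same schedule.)

```shell
#!/bin/sh
# Added example, not from the original post. Keeps the five most recent
# weekly archives and the twelve most recent monthly ones. SITE_DIR and
# BACKUP_DIR below are placeholder defaults (assumptions).

SITE_DIR="${SITE_DIR:-/tmp/wp-backup-demo/site}"
BACKUP_DIR="${BACKUP_DIR:-/tmp/wp-backup-demo/backups}"
KEEP_WEEKLY=5
KEEP_MONTHLY=12

# Create a dated archive of the site directory.
# $1 = "weekly" or "monthly", $2 = YYYY-MM-DD stamp (defaults to today).
make_backup() {
    kind="$1"
    stamp="${2:-$(date +%Y-%m-%d)}"
    mkdir -p "$BACKUP_DIR"
    tar -czf "$BACKUP_DIR/$kind-$stamp.tar.gz" \
        -C "$(dirname "$SITE_DIR")" "$(basename "$SITE_DIR")"
}

# Number of archives of one kind currently on disk.
count_backups() {
    ls "$BACKUP_DIR"/"$1"-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Delete the oldest archives of one kind beyond the allowed count.
# Names sort chronologically because the stamp is YYYY-MM-DD.
prune() {
    kind="$1"
    keep="$2"
    count=$(count_backups "$kind")
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls "$BACKUP_DIR"/"$kind"-*.tar.gz | sort | head -n "$excess" |
        while read -r f; do
            rm -f "$f"
        done
    fi
}

# Constructed demo: a fake site tree, seven weekly runs and two monthly
# runs, so the weekly set rolls over. Prints the number of weekly archives
# left on disk (5).
demo() {
    SITE_DIR=/tmp/wp-backup-demo/site
    BACKUP_DIR=/tmp/wp-backup-demo/backups
    rm -rf /tmp/wp-backup-demo
    mkdir -p "$SITE_DIR/wp-content/uploads"
    echo "<?php // constructed placeholder, not a real wp-config" > "$SITE_DIR/wp-config.php"
    for d in 2015-03-30 2015-04-06 2015-04-13 2015-04-20 2015-04-27 2015-05-04 2015-05-11; do
        make_backup weekly "$d"
        prune weekly "$KEEP_WEEKLY"
    done
    make_backup monthly 2015-04-01
    make_backup monthly 2015-05-01
    prune monthly "$KEEP_MONTHLY"
    count_backups weekly
}

# Run the demo with: sh backup.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

In real use, two cron entries call `make_backup weekly` then `prune weekly 5` once a week and `make_backup monthly` then `prune monthly 12` once a month, and the archives are copied off the web server, since a backup that sits next to the site is lost with it.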

My friends are telling me to not build my site using WordPress

The reasons for building a website using WordPress outweigh the reasons not to, in my opinion. WordPress is the #1 Content Management System in the world. I read an April 2015 statistic that more than 23% of all websites run WordPress. The reason WordPress has the largest market share of website “engines” is that it is actively developed and updated, it’s easy to use, and it’s easy to customize. What we find is that we can greatly reduce the number of hours needed to create a website for our clients, almost by half, by building the site in WordPress. That saves our clients a lot of money. So WordPress just makes sense.

So to the people who advise others not to build their site in WordPress, I ask: What operating system is on your laptop/PC? Windows? If so, are you updating your Windows operating system when updates are pushed out? Are you running an anti-virus and anti-spyware program? Your website needs updating just like your laptop or PC does.

What happens to a hacked website?

These are the three most common motivations I see behind a hacked website.

1. Redirect

Sometimes a hacker will insert code into the website that causes traffic to be “redirected” to another site. Very recently we saw this happen. When you Googled this company’s website and clicked the link, instead of sending you to the website, it redirected everyone to a website selling Oakley sunglasses!

2. Deliver malware

One very common thing that hackers do to a website is insert code into the site that delivers “malware” to the browser of the person viewing the website. Malware is responsible for unwanted pop-ups, your browser running slowly, and many other annoying problems.

3. Relay spam

This is the most heinous hacked-website problem. Some website hacks allow the hacker to upload files to the website. These files are often used to relay spam. What that means is that the hacker can now send out millions and millions of spam emails AS YOU!
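Both the plugin flaws reviewed earlier (Gravity Forms and Mail Poet) and the spam-relay scenario above come down to the same thing: a script file ending up in a place that should only hold media. A practical defender's check is to look for PHP files under the uploads directory and to stop the web server from executing anything there. The following is an added example, not code from the original post or from any of the plugins named; the uploads path, the demo tree and the planted file name are assumptions, and the .htaccess rule uses Apache 2.4 syntax.

```shell
#!/bin/sh
# Added example, not from the original post. Flags PHP-like files below a
# WordPress uploads directory and drops an .htaccess that stops Apache from
# executing scripts there. Paths are assumptions.

# Print every PHP-like file found below the given uploads directory.
find_php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.php[3-7]' \
        -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | sort
}

# Count them, so a cron job can alert when the number is not zero.
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Write an .htaccess (Apache 2.4, mod_authz_core) that refuses direct
# requests to script files inside the uploads tree. An existing .htaccess
# is left untouched so a site's own rules are not clobbered.
harden_uploads_dir() {
    if [ ! -f "$1/.htaccess" ]; then
        cat > "$1/.htaccess" <<'EOF'
# Uploads hold media only: refuse to serve anything PHP would execute.
<FilesMatch "\.(php[3-7]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    fi
}

# Constructed demo tree: two image files and one planted file with a .php
# name. All three are empty files created for the demo; no real code.
# Prints the number of PHP-like files found (1).
demo() {
    up=/tmp/wp-uploads-demo/wp-content/uploads
    rm -rf /tmp/wp-uploads-demo
    mkdir -p "$up/2015/05"
    : > "$up/2015/05/logo.png"
    : > "$up/2015/05/team.jpg"
    : > "$up/2015/05/thumb.php"
    harden_uploads_dir "$up"
    count_php_in_uploads "$up"
}

# Run the demo with: sh uploads-check.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

A hit from `find_php_in_uploads` is not proof of compromise on its own, but legitimate WordPress media never needs a .php extension, so each one deserves a look and a comparison against a known-good backup. The .htaccess only takes effect when Apache's AllowOverride permits it for that directory; nginx needs an equivalent location rule in the server config instead.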

Summary

In my opinion, WordPress is still the best system for building a website. Because of the large market share of websites running WordPress, it has become attractive for hackers to target WordPress websites. However, if you update WordPress, update the plugins, and maintain weekly and monthly backups of your site, you can be fairly confident that your site will not be hacked. Like most things in life, a website needs to be maintained.

If you want to check if your WordPress website is safe, feel free to call us at 727.386.8611 to do a website evaluation. We can check the status of your updates and backups.