Updated Oct 5, 2015!!!
This article – which originally appeared in 2013 – has been updated with current insights on WordPress' safety!
Yes, WordPress is still safe, but:
The two best things you can always do to protect your site are:
- Be Proactive – Make sure EVERYTHING on your site is secure, backed up and UPDATED – continuously!!!
- Be Creative – Create super strong, crazy long login access: meaning your username and password!
If you were reading the news back in April 2015, you probably read there is an ongoing ‘orchestrated attack by ISIL‘ on WordPress sites.
Back in April and May of 2015, WordPress put out three releases (4.2, 4.2.1, and 4.2.2) of their software to defeat the attacks by ISIL and fix other known vulnerabilities.
There was a cross-site scripting (XSS) vulnerability (meaning themes and plugins that were talking to WordPress were also left vulnerable and ALL needed to be updated!).
As of this update to this post, 10/5/15, WordPress is now up to version 4.3.1 (if you are not up to date, make sure you back up your site – including your theme – and update immediately). Don't just update WordPress, but also update all your themes and plugins and remove anything you aren't using.
At the time, I had received a lot of emails from clients asking about this issue, what it means and what they can do. I've posted on social media, and I've come back and updated this post, when possible.
Back in 2013, several people pointed me to this Forbes piece outlining “the most important things you can do to keep your WordPress website or blog safe”.
We will go over what you need to do (use strong login info and keep the site up to date), but first:
You are probably thinking this means WordPress is insecure, right?
Well, actually, NO!
This is the biggest misconception. The CURRENT WordPress software seems to be stable – meaning there are No Known Vulnerabilities causing a security risk to the current version of WordPress (if you aren't on a current version, then you could be vulnerable and at risk – so you should upgrade now – after you have done a fresh backup!).
If there were a known issue, WordPress would work to fix it and get a new security release out as soon as possible (like they always have).
Since there were issues earlier this year, if you are on an older version, or using older plugins or themes (or just have them installed but inactive) you are still making your site vulnerable!!!
So update immediately, but also consider having your site professionally scanned, because sometimes sites are hacked and the site owner does NOT even know it! Angela Bowman of AskWPGirl offers a site security scan review you can request on her site: http://askwpgirl.com/wordpress-online-consulting/ or you can use a service like Sucuri – who specializes in Website Security.
Sucuri.net has a monitoring system to also keep your site secure. And, if you do get malware, they can remove it for you – it costs $299.99 a year (think of it like an insurance policy). https://uniquethink.com/go/security
And I have some suggestions below of Hosting Options that not only monitor your site, but also clean it, if it gets hacked (see below under Get Better WordPress Hosting).
What EASY things can you do to stay secure?
1. Change your UserName and your Password – make them super secure! Angela Bowman of AskWPGirl has written out instructions on how to change your username.
2. Scan your site, to make sure it is clean and free of known malware
I tend to use this free tool: https://sitecheck.sucuri.net/ – but we did notice it wasn't picking up every hack out there, back in April & May of 2015. Of course, it was hard to keep up with everything at that time.
3. Set up a Backup and Upgrade process
There are several ways to back up – I recommend both of these:
VaultPress is a great solution by the for-profit end of WordPress. There are different pricing options: https://vaultpress.com/
BackupBuddy: A premium plugin that allows you to back up your full site, not just your database. You can also use this tool to MIGRATE your site to another server: https://uniquethink.com/movewp
4. Get Rid of Plugins and Themes you aren't using – they could have a vulnerability you aren't aware of – so if you aren't using it, remove it!
5. If you don't have some reputable security plugins installed already, there are a few plugins I rely on:
UniqueThink recommends Simple Firewall by iControlWP – we used to use others, including WordFence. Right now, this one plugin is doing the job of many.
ANOTHER GREAT OPTION:
Get better WordPress hosting:
In reports and studies we have read, hosting can also make a big difference. Some hosts aren't keeping up with WordPress' recommendations for security. If your host isn't using the most current recommendations, your site is more vulnerable.
There are also newer breeds of WordPress-centric Hosting Solutions. I used to recommend regular hosting companies, but the WP-centric hosting providers have won me over! They only allow WordPress sites on their servers, they keep on top of what is happening in the WordPress world, they take quick action to resolve issues, they offer more frequent backups, and they also clean your site, if it does get hacked!
I talk about them more on my Tools and Resources page, but here are my current recommendations as of 10/5/15: https://uniquethink.com/bethanys-recommended-toolsservices/
Current #1 Suggestion is GetFlyWheel: http://share.getf.ly/e26w3g
- Free 30 days to set up your site!
- Managed speed and caching – it helps to have a fast site – which helps you get found better on Google and helps the person visiting the site
- Automatic backups and simple restores – makes sure your important content is backed up and easy to restore
- WordPress core updates – updating of WordPress is critical (but don’t forget you still need to update themes/plugins)
- Malware scanning and cleanup – they monitor the site and if something goes wrong, and your site gets hacked, they clean it for you
- More…
#2 is WPEngine: https://uniquethink.com/wpengine
WPEngine has a similar offering to GetFlyWheel. But since GetFlywheel has a Tiny plan that is for smaller sites, I mention it as my #1 option. Both are reputable, good options, but according to this study which checks stats each month, GetFlyWheel also has faster servers (which means people see your sites quicker).
The following info (updated from the original post from 2013) talks about Usernames & Password Security:
To address concerns about security, Matt Mullenweg – the founder of WordPress – put out a release in 2013 noticing the issues back then were related to people using bad usernames and passwords.
“Right now there’s a botnet going around all of the WordPresses it can find trying to login with the “admin” username and a bunch of common passwords…” Mullenweg wrote on his own WordPress blog.
WordPress has done many things over the years, to make your site more secure. This includes allowing you to choose your own username, instead of using the default of ADMIN (which the hackers are hoping you are using). So make sure you make good choices with your login credentials.
You are as secure (from this type of hack) as your user name and password.
Then, why this ‘orchestrated attack' specifically on WordPress?
This is still being investigated (but there is a larger scale threat to the Internet itself).
The hackers' end goal, once they get enough hacked sites, is to take down the whole Internet.
No really, the hackers are trying to take down the web. We just hope they don't get that far.
And since WordPress runs more than a Quarter of the Internet, yes, they are a big target.
WordPress is used by 58.6% of all the websites whose content management system we know. This is 24.6% of all websites.
– stats provided by http://w3techs.com/technologies/details/cm-wordpress/all/all
For now, let's talk about your site.
So many times I hear people say, why do the hackers care about me?
The answer: They don't.
They just are using the most vulnerable, the low hanging fruit, as a way to get to their bigger goal.
You might ask: Is my password really that bad?
Let me ask you this:
- Is it the same one you use everywhere? If so, it is bad.
- Is it the name of your favorite pet, your child or your significant other? If so, it is bad.
- Is it a word in the dictionary with 123 after it? If so, it is bad.
The Huffington Post talked about the worst passwords to use – in an article from 10/25/12:
The top three passwords of 2012 — “password,” “123456,” and “12345678”
New entries to 2013's top 25 include “jesus,” “ninja” and the highly imaginative “password1.”
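To make the password questions above concrete, here is an added example (my own illustration, not code from the original post or from any plugin it mentions) that turns those rules into a checker: it rejects entries from a common-password list, the "dictionary word plus 123" pattern, personal names you pass in, short passwords, and passwords with too little variety. The common-password list and the mini dictionary are constructed for the example; a real deployment would load a full breach-derived list.

```python
"""Added example (not from the original post): a checker for the password
rules described in the article. Word lists here are constructed samples."""
import math
import re

# Constructed sample: the entries the article names plus a few well-known ones.
# A real deployment would load a full leaked-password list instead.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "jesus", "ninja", "password1",
    "admin", "letmein", "qwerty",
}

# Constructed mini-dictionary standing in for a real word list.
DICTIONARY_WORDS = {
    "password", "welcome", "dragon", "monkey", "sunshine", "football", "buddy",
}

MIN_LENGTH = 16  # assumed policy value; the article just says "crazy long"


def looks_like_word_plus_digits(pw):
    """True for the pattern the article calls out: a dictionary word
    followed by a short run of digits, e.g. 'dragon123'."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{1,4})", pw)
    return bool(m) and m.group(1).lower() in DICTIONARY_WORDS


def estimate_entropy_bits(pw):
    """Rough upper bound on entropy: assume each character is drawn uniformly
    from the union of the character classes actually present."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, personal_terms=()):
    """Return the list of reasons a password is weak; empty means it passed.

    personal_terms: pet, child or partner names the article says must not
    appear anywhere in the password.
    """
    reasons = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("appears on a common-password list")
    if looks_like_word_plus_digits(pw):
        reasons.append("dictionary word followed by digits")
    for term in personal_terms:
        if term and term.lower() in low:
            reasons.append(f"contains personal term '{term}'")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(pw) < 60:
        reasons.append("too little variety for its length (estimated < 60 bits)")
    return reasons


if __name__ == "__main__":
    for candidate in ["password1", "dragon123", "Fluffy2015!",
                      "Correct-Horse-Battery-Staple-42!"]:
        verdict = check_password(candidate, personal_terms=["Fluffy"])
        print(candidate, "->", verdict or "OK")
```

The entropy figure is deliberately an upper bound: a password that fails the list or pattern checks is weak no matter how many bits the length formula suggests, which is why those checks come first.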
Anyone who knows me, knows I have been trying to get you to use strong ‘crazy' passwords for years – and have not used the username of Admin since 2008.
Anyone who has worked with me in the more recent past, knows I am also creating super ‘annoying' but also very strong Usernames, as well as passwords.
I also strongly encourage (not request) you to create a different unique and crazy password for everything: your email address, your hosting company, your FTP site…(and especially your bank account and anywhere else where money is involved – like Amazon, or wherever you've stored credit card info online).
To understand more and to learn how to create a crazy strong password, you can read my blog post entitled: Cyber Pickpockets Want Your Passwords – or revisit UniqueThink's terms agreement (which also discusses password and security issues).
I know, now you are saying: BUT, I can't remember all those long passwords!
And I am here to say, you don't have to remember them all. There is software to do that for you! To help you retain all those crazy upper case, lower case, symbols and numbers in your usernames and passwords, I recommend a password management tool. My favorite tool for remembering my passwords is 1Password.
So will a new password really keep your site safe?
Please keep in mind: usernames and passwords aren't the only way hackers enter your site. However, this bot hack appears to be about trying to get in by trying ‘every key on the ring’.
These guys use automated scripts (bots) to go through the most common words, hoping you used one for your username and password – this is what they call brute force.
Let's break it down.
Keep your software up to date and your login unique and strong.
Matt Mullenweg says “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.”
So, what did we discover?
- WordPress (the most current version of the software) is currently secure (the best option is to update it as soon as a new version is released) – BUT remember some themes and plugins may not be – so always update everything to the current version (and always have a backup before you update!)
- The UserName Admin is NOT secure!
- A weak password makes you vulnerable
Yes, WordPress sites, just like any other kind of site, always have a risk of getting hacked – just like your office, home, car, even gym locker, is at risk of getting broken into. But as we discussed above, there are some simple steps that make you that much more secure. Take action on them now!
If you use a plugin called the Social Media Widget Plugin or have a theme with TimThumb, please also read this post called: WordPress ‘Addons’ With Known Problems
If you have additional questions, get in touch and we'll figure out the best solution for your unique situation.
Thanks so much. This is very helpful. Good public service.
Ha, thanks Dana. I’ve always wanted to service the public well! I should have done one of those mock NBC The More You Know segments. But really, glad the info was helpful! Appreciate hearing from you, as always!
A password manager can help you create strong passwords and keep them stored for quick access. I like 1Password as it allows syncing with Dropbox. Also be sure to keep your computer updated regularly. Check out the Browse Happy project from WordPress to find out the latest versions of popular web browsers.
Thanks Lorenzo. Glad you like 1Password, as well. And I agree, definitely upgrade everything, when necessary!
More great info, thanks!