Keeping a website safe from malicious acts is increasingly important, especially when using an open-source content management system such as WordPress. Here’s what you need to know about website security, and how you can minimize the chances your website will be compromised.
What is website security?
Small businesses – even those with e-commerce on their sites – don’t generally have to worry about the kind of website security breaches we hear about on the news, where large amounts of personal information such as credit card numbers have been stolen. When we’re talking about website security at this level, we’re usually more concerned with website vandals – in other words, hackers that make a website non-functional.
What happens when a website gets “hacked”?
There are a few different types of hacking situations, including:
People targeting a specific website. This type of attack is fairly unusual, and tends to be most common for websites that are in some way political – not small business sites. The vast majority of website hacks are not targeted at a specific website.
People using a program or bot to hack multiple sites. This is a more typical situation, in which the hacker’s goal is to affect as many sites as possible by exploiting a specific vulnerability in the content management system (CMS).
People targeting a server. Sometimes people hack a host server, that is, where your website (along with many others) resides on the web. There’s not much you can do at a site level to prevent this, except pick a reputable hosting company. In many cases, you get what you pay for when you choose a hosting company.
Why do hackers hack?
It depends on the hacker. Some of the most common motivations are:
For street cred. (“yOU hAvE b33n PWNd!”) This form of hacking is akin to the kind of vandalism perpetrated by a 14-year-old with a spray paint can, and is the least malicious – it’s more annoying than anything, and generally is the easiest type of hacking to undo.
To place spammy links to bad places on the web. The goal here is to drive traffic to a shady e-commerce site – those “buy your meds in Canada!” links, for example. This is more malicious, and takes a bit more time to clean up.
To hijack your site and turn it into a porn/gambling/spammy site. Any form of hacking is unpleasant, but this type of hacking is especially shocking. It can be sneaky, because the hacker could “cloak” your site — meaning, they could create a situation where your site appears normal to you, while everyone else sees the spammy site.
The most concerning reason hackers hack, though, is to steal personal/credit card information.
Most, but not all, small websites process credit cards through a third party, such as PayPal and Authorize.net, or even places like Shopify or Big Cartel that host the entire site – this makes things safer, and means that credit card information is much more secure. Here is more information on the security of e-commerce in small business websites:
Plugins can be insecure. In any content management system, a plugin is a bit of code that adds specific features or functionalities to your website. E-commerce plugins like Woo Commerce for WordPress are an okay solution for adding this functionality to a site, but you have to be vigilant about being up-to-date for both the CMS and the plugin, which is time-consuming. Even if you do, some e-commerce plugins still might be insecure. E-commerce through a plugin is not a good idea for businesses with large amounts of products and customers.
Other times, the customer has to leave the site to check out, which is safer. This is true with sites that use PayPal for payment, for example. That said, you still need to keep your merchant account (PayPal account) information safe.
It is ideal to use a dedicated e-commerce solution. Prime Design Solutions doesn’t use WordPress (or any other CMS solution) for e-commerce sites – instead, we use Big Cartel, 3dCart or Shopify. Companies like these are experts at e-commerce, and handle the code-end security for you. Other advantages include that there’s no need to worry about keeping your CMS up-to-date, as that happens automatically. These sites also feature better credit card processing integration in that customers don’t have to leave your site to check out, and better customer product management.
What makes WordPress particularly vulnerable
WordPress is very secure, but also very popular, which means hackers can affect more sites by focusing on it as opposed to other content management systems – in the same way that there are more PC viruses than Mac viruses, simply because there are more PCs than Macs. Here are some issues specific to WordPress:
All kinds of plugins can introduce vulnerabilities. WordPress is open-source, which means anyone can write a plugin! There are a lot of great plugins out there that add a wide variety of features to a site, but you don’t always know the developer or what they put in their code. The problem is that some plugins are not always kept up-to-date, and not always well-written. Hackers sometimes use poorly-written, insecure plugins as an avenue to hack WordPress sites.
Template sites are sometimes more vulnerable than custom sites. You don’t always know what you’re getting into with a purchased template, and templates can vary widely in quality. Further, templates often come with extra bells and whistles, which can be good, but most of the time these go unused — like plugins, they can be avenues for hackers to get into the site. By contrast, custom sites have exactly the features you need, without any extra stuff that could cause problems. (Much more about template vs. custom sites here.)
Good designers and developers will be in contact throughout the design and development process. Regardless of whether you use a template or custom design, good developers should be in touch throughout the design and development process, and will communicate on any issues related to security. (Read more about choosing a web designer.)
What you can do to protect yourself
Keep an eye on your site. Don’t be paranoid, but do be aware. It’s important to view it on devices other than your work computer, in case a hacker “cloaked” your site so that it appears normal at work.
Create secure passwords and manage them with a password manager. It’s a lot easier for a hacker to find the login page to your website than, say, break into your work computer. This is not the place to use an easy-to-guess password. Using Password Safe or a similar utility will allow you to choose and remember highly secure passwords. (For much more on this, see our article on the topic).
Assign users with only the privileges/user level they need to complete their tasks. If you have a site that has multiple authors, they should be designated “Authors” or “Editors” and not “Administrators.” This makes it much easier to remove someone’s access to the content management system in the event of a personnel change, for example.
Don’t go “plugin crazy.” Again, plugins can introduce vulnerabilities. If you’re working on your website, don’t download every plugin that sounds cool – this is especially true for WordPress, but also applies to other content management systems.
What your website developer can do to protect you
There are a number of steps your developer can take to reduce the chances your site will be compromised. They include:
Harden WordPress. This means to add an extra layer of security to the installation of WordPress.
Change default variables to something random. For example, the login username defaults to “admin” – it’s more secure to change this to something that’s not easily guessed, such as “admin_d294gid”.
Block access to sensitive files. This is something any competent designer will do to help ensure that important information about your site, such as which version of WordPress it uses, isn’t obvious.
Use only well-tested, safe plugins. Again, plugins can represent an avenue for a hacker to gain access to an otherwise secure site. Your developer should choose plugins wisely.
Keep WordPress up-to-date. WordPress is constantly evolving and updates a few times a year – often to improve security. Your developer should make sure your website is running the most recent version of the open-source code.
Schedule regular file AND database backups. This enables you to get back up and running quickly in the event that your site is hacked, despite all your precautions.
What to do if your website is compromised
Call your developer or hosting company immediately. Do not try to fix things on your own. Your developer or hosting company will probably:
Put a blank landing page up. This removes the hacked site so no one can see it, preserving your reputation while giving the developer time to assess the problem.
Change all site passwords. Developers will also remove any potentially suspect users.
Put additional passwords in place. For example, developers can password protect the WordPress admin area, so essentially two passwords are required to access the site.