I love WordPress! It's a fantastic way to build a website without knowing how to write code. It truly makes web development easier.
But, what a lot of WordPress website owners don't realize is how easy it is for someone to break into their website.
WordPress is Open Source software, which is a great thing. This means that it's free to use by anyone. You don't have to pay to use it. And if you want to change the code, you can, without any legal ramifications. You can do ANYTHING you want to do with WordPress. This makes it a GREAT way to build a website.
It also makes it a security nightmare.
WordPress is very extensible! Anyone with coding knowledge can make a plugin or theme which will give your website new functionality and style. You can find thousands of plugins and themes available, many for free, on the web.
This creates even more potential security holes in your website.
Since the code to WordPress and these free themes and plugins are available to the world, then anyone in the world can look at the code, and if they know what they are doing, they can find poorly written code, security holes, or ways to break into your site.
The more themes and plugins you have on your site, the more potential security risks are available to hackers.
To make matters worse, as soon as someone finds a security hole and fixes it, they post those changes for the world to see. If you aren't immediately updating your WordPress site with the code to fix this security hole, then not only do you have a hole that someone can break into, but the security hole has been announced to the World.
All a hacker has to do is wait for a security hole to be announced (not a long wait at all) and then go find a WordPress install that hasn't updated their site with the new fix. This is why it's CRUCIAL to keep your WordPress site updated regularly.
What will they do once they get in? I've seen them do everything from erase everything on the site, to steal data, to hijack the site and redirect the visitors to another site entirely. I've seen them display their own ads on unsuspecting sites (usually not ads for things you'd like to endorse), send email from the site's email account, or cripple the site entirely.
When this happens, it's hard to install another recent backup because you aren't quite sure when the break-in occurred or how they got in. So, sometimes you have to either rebuild the site or install a fairly old backup that you KNOW was clean which could mean you lose quite a bit of your recent data.
Depending on what has to be done to get your site back up and running, this can be an expensive problem. If your site is your business, this downtime could lose you money as well.
You can't make a website hacker-proof entirely, but you can manage the risk. There are lots of things you can do to reduce the risk of an attack. WordPress.org has an excellent article about what you should do to keep your site safe here.
They mention a lot of things in that article, but the two most important are:
- Good Hosting with daily backups - In my experience, you can have any two of these three with hosting, but not all three: 1) Quality 2) Cheap and 3) Support
- Keep your site updated daily - This means core, plugin and theme updates every time an update is available. You can find what needs to be updated in the admin bar at the top of your site when logged in as administrator or on the Updates page in the admin area of your WordPress site.
There are many other things your can do to reduce risk that are mentioned in that article. I recommend doing them all!
If you would like more help keeping your site secure or if you've been hacked or attacked, let me know here. I can help!