Last month’s hack of TicketFly’s website made national news, and for good reason. The company resorted to taking their online business completely offline, and not just for a matter of minutes or even hours: the damage took their developers days to fix.
What’s worse for TicketFly than the loss of revenue during the outage is the wounded reputation of their company. Thousands of existing customers have lost trust, and I’m sure many prospective customers will now feel their data is safer with a competitor.
Billboard reported that the vulnerability likely came through their WordPress-powered website, which is how this particular story got my attention. Often something as simple as an outdated WordPress “core” (or an outdated third-party WordPress plugin) is enough to give spambots or hackers an easy way in.
Should you be concerned with the security of your WordPress website?
I’ve seen some WordPress sites go several years without being updated, many of them with a dozen or two active third-party plugins, which have also gone without updates. Would I recommend this? Never. Do some websites get away with it? Absolutely. It could be a bulletproof server, or just sheer luck. Regardless, TicketFly’s woes are a good reminder to take the security of your website seriously.
It’s also important to remember that hackers are not always strategically targeting the big guys for financial gain. Quite the contrary. In the WordPress world, hackers are often creating scripts designed to scan tens of thousands of WordPress sites looking for vulnerabilities… and scripts don’t discriminate, so just because you’re the local bakery down the street with two employees doesn’t mean you’re not at risk like the ecommerce giants of the world.
WordPress is here to stay (now powering 30% of the entire web) but as I like to say “with WordPress comes great responsibility”.
My web biz first introduced a security plan in 2014 and it’s a great fit if you don’t have a full-time developer or an IT team that’s well versed in WordPress. Shameless plug aside, you can always lessen the chances of a hack by following some common sense procedures:
• Keep your WordPress core, theme(s), and plugin(s) up to date. If it’s a security update, make sure to do it immediately; otherwise I recommend updating at least once a month. Always make sure to back up first, and check for compatibility issues after the updates (I personally do this on a test server so that I’m not disrupting traffic in case of an issue).
• Do not use any theme(s) or plugin(s) that do not have at least a 4 out of 5 star rating in the WordPress repository, with a minimum of 10K downloads. This is not an exact science, but generally there is safety in numbers, and you do not want your website to be the guinea pig for a less-than-reputable plugin or theme author. Also, if the theme or plugin hasn’t been updated in the last six months, I make the assumption that the author has abandoned development, which is a big red flag for me.
• Only host your website with a reputable hosting company. I recommend WPEngine (and yes, that is an affiliate link): they’re one of the more expensive hosts, but you get what you pay for. I also recommend enabling 2-factor authentication on your hosting account login.
• Use strong passwords, change them often, and do not create more user accounts within your organization than absolutely necessary (and, for the love of god, when an employee no longer works for you, remove their WordPress access!)
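The plugin-vetting rule above (at least 4 of 5 stars, at least 10K downloads, updated within the last six months) is easy to apply by hand to one plugin, but a site with a dozen or two plugins is better checked with a script. The following is an added example, not code from the original post. The record fields are modelled on what the public WordPress.org plugin info API returns (a 0–100 `rating` percentage, a `downloaded` count and a `last_updated` string), which is an assumption about that API’s shape; the records here are constructed sample data so the script runs offline, and the plugin slugs are made up.

```python
"""Vet WordPress plugins against a reputation rule: rating, downloads, staleness.

Added example (not from the original post). Thresholds: >= 4/5 stars,
>= 10K downloads, updated within roughly six months.
"""
from dataclasses import dataclass
from datetime import date

MIN_RATING_PCT = 80        # 4 of 5 stars, as the 0-100 percentage the API uses (assumed)
MIN_DOWNLOADS = 10_000
MAX_STALE_DAYS = 183       # roughly six months


@dataclass
class PluginInfo:
    slug: str
    rating: int            # 0-100 percentage
    downloaded: int
    last_updated: date


def vet_plugin(info: PluginInfo, today: date) -> list:
    """Return the reasons a plugin fails the rule; an empty list means it passes."""
    reasons = []
    if info.rating < MIN_RATING_PCT:
        reasons.append(f"rating {info.rating}% is below {MIN_RATING_PCT}% (4/5 stars)")
    if info.downloaded < MIN_DOWNLOADS:
        reasons.append(f"only {info.downloaded} downloads, fewer than {MIN_DOWNLOADS}")
    age_days = (today - info.last_updated).days
    if age_days > MAX_STALE_DAYS:
        reasons.append(f"last updated {age_days} days ago, likely abandoned")
    return reasons


def parse_api_record(record: dict) -> PluginInfo:
    """Convert a dict shaped like a plugin-info JSON record into PluginInfo.

    Assumption: `last_updated` looks like '2018-05-20 9:10am GMT'; only the
    leading YYYY-MM-DD is used, the time of day is ignored.
    """
    ymd = record["last_updated"].split(" ")[0]
    return PluginInfo(
        slug=record["slug"],
        rating=int(record["rating"]),
        downloaded=int(record["downloaded"]),
        last_updated=date.fromisoformat(ymd),
    )


# Constructed sample records: fictional slugs, not real plugins or real API output.
SAMPLE_RECORDS = [
    {"slug": "example-forms",   "rating": 92, "downloaded": 250_000, "last_updated": "2018-05-20 9:10am GMT"},
    {"slug": "example-gallery", "rating": 70, "downloaded": 50_000,  "last_updated": "2018-04-02 1:00pm GMT"},
    {"slug": "example-widget",  "rating": 96, "downloaded": 800,     "last_updated": "2017-09-15 4:45pm GMT"},
]

# Fixed "today" so the staleness check is reproducible.
DEMO_TODAY = date(2018, 7, 1)


def vet_all(records, today: date) -> dict:
    """Map each slug to its list of failure reasons."""
    return {r["slug"]: vet_plugin(parse_api_record(r), today) for r in records}


def demo_results() -> dict:
    """Run the vetting over the constructed sample records."""
    return vet_all(SAMPLE_RECORDS, DEMO_TODAY)


if __name__ == "__main__":
    for slug, reasons in demo_results().items():
        print(f"{slug}: {'OK' if not reasons else '; '.join(reasons)}")
```

Run it as-is to see one plugin pass and two fail for different reasons; to vet a real site, replace `SAMPLE_RECORDS` with records pulled from the plugin repository and `DEMO_TODAY` with `date.today()`. The staleness window is a day count rather than a calendar-month calculation, which is plenty for a red-flag heuristic.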
These are not preventative security measures, but I also recommend:
• Uptime monitoring – Uptime Robot is my favorite tool for this.
• Running daily backups – both through your host / server, as well as to a secondary location such as your hard drive or in a cloud account like Dropbox.
The bottom line: WordPress is popular, and with popularity comes security risks. There are lots of simple things you can do to minimize these risks, including keeping the WordPress core up to date, as well as your themes and plugins (and only using reputable ones!). The use of reputable WordPress-specific hosting is also a big step in the right direction.