Cr(h)acked: The Concrete Security of WordPress

When we poured concrete in our barn, the contractor said there are two kinds: Concrete that has cracked, and concrete that will crack. Apparently if we just change the word cracked to hacked, the same can be said for WordPress websites.

Knowing this, why was I surprised when back in January my site was invaded by some beastly no-life? Someone who could’ve easily applied such skills to things more productive. Upset? You bet!

(It’s okay…take a deep breath…things have since worked themselves out…)

According to Sucuri Remediation Group, of the 34,371 infected websites it analyzed in 2017, 83% were built on WordPress. Of course, there are statistical considerations: WordPress is now powering 30% of the internet and the number of sites on its platform increases every year. Even though I sometimes contemplate moving mine somewhere else, I’m always drawn back to the ease and convenience of WordPress.

So, if I’m not setting up shop elsewhere, then I personally must take responsibility for my site’s well-being. The Sucuri team agrees. Its research showed hackings were more the fault of the webmaster than the WordPress framework.

With that in mind, here are a few of the practices I’ve taken on with vigor.

Moved my website to HTTPS

As of this month (July 2018), Google Chrome has begun flagging all HTTP sites as insecure. To avoid this, I moved my website to HTTPS by installing an SSL Certificate (Secure Sockets Layer). This acts as an encrypted layer of security between the web server and browser.

I purchased the SSL Certificate from my host provider and installed it from the AutoInstallSSL in my cPanel (your host provider can help you with this). I then went into my WordPress settings and changed my website address from HTTP to HTTPS. I also installed the WordPress plugin Really Simple SSL, which automatically made the necessary configuration changes to all my site’s pages.

Overall, the process was fairly straightforward.

Installed a WordPress security plugin

There are plenty of effective WordPress plugins that provide security from known threats. I chose Wordfence and use it to regularly scan my files for infection. It sends me an email whenever I log into my website administration and would also email if anyone else did, like say a hacker. It also notifies me when plugins need to be updated.

Speaking of plugins: I’m keeping them current!

Sucuri’s research shows the most common way hackers get into WordPress sites is through out-of-date components: plugins, themes and installations. I’m embarrassed to say I was guilty as charged. Call it a classic case of the shoemaker’s children having no shoes—while I was busy keeping my clients’ websites current, I let my own fall behind.

Now I obsessively update my plugins. I’m demanding the same of developers as well—if a plugin or theme hasn’t been refreshed by its creator in the past 12 months, I won’t take the chance of using it. And if I’m not using it, I delete it. As for my own creations, I previously had test folders that sometimes sat empty and unused. Not anymore. Basically, I’ve decluttered my files as thoroughly as Marie Kondo does her closets.
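The update, 12-month and delete-if-unused rules above can be written out as a small audit script. This is an added example, not code from the original post: the plugin names and dates are constructed, and `last_updated` is an assumed field you would fill in yourself from each plugin's directory listing.

```python
from datetime import date

STALE_AFTER_DAYS = 365  # the post's "past 12 months" rule

# Constructed sample inventory. name/status/update mirror the columns of
# `wp plugin list --format=json`; last_updated (upstream release date) is an
# assumed extra field, filled in by hand from each plugin's directory page.
SAMPLE_INVENTORY = [
    {"name": "example-security", "status": "active", "update": "none", "last_updated": "2018-06-20"},
    {"name": "example-gallery", "status": "active", "update": "available", "last_updated": "2018-05-02"},
    {"name": "example-slider", "status": "active", "update": "none", "last_updated": "2016-11-14"},
    {"name": "example-forms", "status": "inactive", "update": "available", "last_updated": "2018-01-09"},
    {"name": "example-custom", "status": "active", "update": "none", "last_updated": None},
]


def audit(inventory, today):
    """Return {plugin name: action} following the rules in the post."""
    actions = {}
    for item in inventory:
        released = item.get("last_updated")
        if item["status"] != "active":
            # Not in use: remove it rather than keep patching it.
            action = "delete (not in use)"
        elif released is None:
            # No upstream date (custom or delisted plugin): freshness unknown.
            action = "review manually (no release date)"
        elif (today - date.fromisoformat(released)).days > STALE_AFTER_DAYS:
            # Fails the 12-month rule even if no update is pending.
            action = "replace (abandoned upstream)"
        elif item["update"] == "available":
            action = "update now"
        else:
            action = "ok"
        actions[item["name"]] = action
    return actions


if __name__ == "__main__":
    for name, action in audit(SAMPLE_INVENTORY, date(2018, 7, 15)).items():
        print(f"{name:18} {action}")
```

Note that a plugin can show no pending update and still fail the 12-month rule, which is why the staleness check runs before the update check.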

Privacy Policy: Protection of a different nature

A privacy policy details what personal information you collect from your viewers, how you use it, and how you keep it private (here’s Adunate’s privacy policy).

Does your site need a privacy policy? It depends. Google “privacy policy requirements in U.S.” and you get a myriad of answers. Basically, to play it safe, if you’re a business and you collect data from your viewers, you should have a privacy policy. If you’re collecting money, don’t even think of going without one.

Don’t know where to start in writing your own privacy policy? There are plenty of templates online to help. Here’s one from the Better Business Bureau.

And now…drumroll, please…may I present Adunate’s New Website!

As I said, in the end things worked out well for my website. After weeks of back and forth with my host provider and continued cleansing of my files, I finally just scratched the whole thing and rebuilt it. This proved to be a good thing—I was long past giving my site its biennial overhaul and it was ready for a new look. It now comes with an https in its address and a cute little padlock.

I was also able to catch up on the latest and greatest of WordPress, including StudioPress, producers of WP themes I’ve purchased and customized. This, of course, enables me to better serve my clients.

Best of all, each time I redo my site I get a greater sense of the real Adunate—and that’s who you get when you hire me as your contractor. I’d love to help show the real you in your website.

Let’s talk!
