Don’t Get Hacked! WordPress Security Issues You Must Know About

Good morning internet fans, it is Thursday, February 12th, 2015. It is Internet Marketing Thursday, and as usual, I have the beautiful and talented Virginie Dorn with Business Website Centers on the other side, good morning, Virginie.

Virginie Dorn: Good morning, Ryan; you’re beautiful and talented as well, I wanted to say.

RP: Well, thank you, thank you, it’s the blue eyes.

VD: Yes.

VD: Good morning.

RP: Today, we’re going to talk about internet security, and it’s basically… It’s something we’ve talked about; it’s been a few months now, but I cannot tell you the number of sites I have either personally had to deal with, or I’ve heard other people dealing with, and we’re talking multiple people, that have been hacked in the last month. It’s like there is a crazy virus going around, and I don’t think it’s just the RevSlider, I want to say three… Gosh, it’s been over a month I’m assuming, RevSlider is a plugin that had a vulnerability in it, and people that didn’t update that plugin were attacked. But the problem was, it actually went through the server, so if you’re on HostGator or GoDaddy, it actually kind of multiplied throughout the servers and caused a lot of issues. So, today we’re looking at you as a security expert; you are the ultimate coder. And what are some ways, and specifically about WordPress that people can protect their sites? Some simple things, some free items, and some items that cost money and those type of things?

VD: Sure, it would be my pleasure. So, first, we’ll start with the easy things: always make sure you’re using the most up-to-date version of WordPress. Now saying that, if you have a very outdated version, you may want to do a full backup of your website before updating it, because some people have not updated for maybe three, four, five versions. You should always be up to the newest version. That’s why we release new versions; usually it’s to address security issues, nothing more. So that, and also for plugins, each of your plugins on your website should be updated to its newest version. So, go to your updates; it should let you know how many updates you have to do. Just click “update”, it only takes seconds, maybe a couple of minutes, and that will add extremely… A big level of security to your website.

RP: Okay, let me go back real quickly, ’cause you mentioned if your WordPress is… Maybe it’s been six months, a year, since you can even recall updating your WordPress program, you recommend doing a full backup, why is that?

VD: Well, sometimes things might break on your website, maybe the forms will stop working, or some other major items, so you might have to revert back and get a programmer involved, but if you don’t have a backup, you can’t revert back. So again, WordPress version should be updated every time you get a notification. And by the way, in your WordPress admin center, there should be a place where you can be notified, there’s a check mark, I forget where it is, where you can say, “Notify me.” There’s also now an automatic update version, though it’s kind of scary, maybe on really big websites, you might not want to choose that option, but if you have a very simple, easy to use WordPress site, that’s totally acceptable.

RP: Yeah, I know for me I use HostGator as my primary hosting platform, and any new WordPress site that gets loaded, the default is automatic updates. And part of it is to… They are trying to protect themselves, because I had a client’s site that was hacked. I wasn’t… I built it out, but I wasn’t managing it. And it was interesting because on a desktop it looked fine; there were no issues, however on mobile devices it was being forwarded to other websites. And it wasn’t related to RevSlider; it was related to another plugin, but because of all the damage that the RevSlider caused, they were totally overwhelmed, and so we had to go to a backup in order to fix it. So, having those backups is very important. And there are simple plugins like Backup Dat… Or BackupBuddy, that can do backups. And then we were talking offline before the show, that if you have cPanel, you can actually back up all your websites on cPanel, which is really great.

VD: Yeah, and you can set it automatically. So, some clients will do it daily, some others weekly or monthly, so it’s done even when you’re sleeping. Once in a while though, you want to take those backups and put them on your local hard drive on your local computer, because again if there is a server infection, or someone goes to your server and deletes everything, they’ll delete the backup as well. So, you want them on the server, but you also want them somewhere on your little computer in your office.

RP: Right. And the great thing about backups is, once it’s set up and it’s automated, you don’t have to worry about it anymore. I get backups emailed directly to me, so I always have backups on my computer, plus on the server.

VD: That’s perfect. So again, remind everybody, update your WordPress, but also update your plugins. The truth of the matter is, the plugins are the place where viruses go. They are just so easy, especially the free plugins, anything free, sometimes I’m a little worried, so make sure they’re updated. And if you have a bunch of plugins you are not using, delete them. They’re very easy to reinstall; you’re taking a chance by having them there, especially the free ones. So again, update versions of WordPress and plugins as well. Then we can continue down the list, some very easy things people can do is make sure username and passwords are very strong. Don’t use admin even for the username, and I know it’s the default for WordPress, but find a way to change that. Depending on the theme, I think you can either do a plugin or you can have your webmaster do it, but just something elaborate or special…

RP: I was going to say, the workaround that I do is when I… Admin’s default. You go in. I just create a new user, create a custom one, and then I delete the admin, and the big issue that people are wondering, “Well, geez! Why do I need to delete the admin; it’s already there. It’s set up. Yay!” Go and check and see if that’s what you’re using, and the problem is all the hackers know because WordPress is probably the largest platform in the world, I’m guessing, has to be, for developing websites. All the guys that are hacking, creating viruses, are looking for… You always go to the top; you’re always trying to knock down the big dog and any vulnerabilities that are there. Well, if they already know what your username is because the default username is admin, you’re making their life that much easier, and that’s why it’s really important to change from admin to something else, and again, you can just go in, create a new username, set it up when you first create the page or even now, just go in, create a new username. That way you still have admin rights to your website, and then delete the admin username.

VD: Yes, and if you had a security breach in the past on your WordPress website, on that login page, when you go into your admin center, you have username and password, you should add a CAPTCHA as well, so that’s again another level of security it can add, because infiltration can be happening through that login page.

RP: Right, and the reason for a CAPTCHA is why? Because typically, it’s not somebody on a keyboard just randomly looking at websites.

VD: Yes, absolutely, it’s a script, and a script, if it’s a visual CAPTCHA, won’t understand it, won’t be able to read it and make sense of it, so it won’t be able to penetrate that way.

RP: Right. So if it’s just a computer program that’s just going out and looking and trying to attack your website, that’s where you need that visual interface, and including a CAPTCHA is a great, great idea. In fact, that’s another level… After our conversations, I went to SSL. I’ve already added SiteLock, and it’s like, “Alright, I need that CAPTCHA now.” So these are all really important pieces that should be building on themselves, and the reality is security risk, security breach, on the internet is becoming more prevalent, so we need to be proactive. For most business people, that business website is your credibility; it’s your identity; it’s your marketing; it’s your branding. It’s a lot of things because everybody is going to be looking at your website, whether they’re a customer or prospect, they’re always going to go there, and if your website’s been hacked, it’s not going to look good, and especially, if you lose all your files, and you have to rebuild a new website, and your website’s down for a month, I mean just think about the consequences of what could happen, and just spending a little time now can make a huge difference later on.

VD: Yes, and you know, I believe there is cyber insurance nowadays. I’m not sure; it depends on the insurance company.

VD: It does cover a vast variety of things, but if you’re a big company, you should have cyber insurance, by the way.

RP: Yeah, I didn’t even know that existed. Alright, so after CAPTCHAs, what are some other items? How can we kinda ramp up the security? I kind of fell into one, which was SiteLock.

VD: Okay. Well, there are a few things, but before that just make sure you don’t get one of those free themes that you get somewhere obscure. Any kind of like a trusted source, that’s where you want to buy your theme; otherwise, they come with a virus, and sometimes we call it a dormant virus. It stays there until someone, who knows where, activates it, and all those websites get hacked, so it could be through your theme. So now taking it a step further is when… Typically when you have your website developed, there are different accesses that are created to your server. We call it FTP access, maybe database access, and there’s several of them. When the website is done, you want to make sure, and maybe it’s a little bit hard for a website owner to know how to do that, but to remove all those extra FTP accesses and just delete them. They’re no longer needed; they create more security risk, and same thing for the databases, you should be left with just one for each, and again, it’s a little difficult. It’s a little higher, more technical, but if you have a good webmaster, you should remind them, “Hey, can you make sure I only have one FTP and one database access left?” And they can help you.

VD: I mean, other things we talked about, SiteLock, I’m a big fan. It scans your website, will tell you what security breach you have on your WordPress website. I’ve worked on little things like even Akismet for spam control. I mean if you’re getting tens of thousands of spam comments, there is something very… Like somehow there is a breach in your… Your site is being targeted, so having a good spam control is going to help you block off those unwanted notices.

RP: Alright. And Akismet, technically it’s free, but most people, if you’re running a business, at least throw five bucks their way when you set up the Akismet account because it’s going to help; it’s going to save you a tremendous amount of time by keeping spam off of your site, so there’s a lot of value to it.

VD: Yes, I didn’t even know it was free. I always paid $5 per website.

[laughter] But…

RP: I think they have a personal use, and if you go personal use, then it’s free, but technically, businesses are supposed to pay at least a couple of bucks so.

VD: Yeah, please do. They do a lot of good. So, and truly the beautiful thing about WordPress is the plugins, and the easy way to add them and make them work on your website. There are lots of plugins that address security concerns on a website. And if you’re going to add them, I would look for one that actually asks for money. A reputable company even says, “Oh no, it’s $19 a year, and you can have our plugin. Again, we’ll send you updates of better versions addressing new concerns.” If you get one of the freebies, they’re not going to be as likely to help you in the future. It might be good for a couple of weeks. So search it, go to your plugin section in your WordPress, look for security, firewall. There are tons of them out there that are all very good quality, and again, finally, it might… Just buy one, don’t get a freebie. It’s way too important to the security of your website. Okay.

RP: Yep. Sorry. The other thing I wanted to talk about was SSL, because it says security right in it, and that was something… Gosh, when we talked about security a while back, we talked about getting the SSL certificate on your website so that when somebody types it in, it says HTTPS, the S meaning it’s secure. Now, is that going to protect the website itself, the database, is that going to protect it from hacking or anything like that?

VD: Not completely. It will protect your forms and your login page so anytime there is an information transfer between your website and the database like logging in or updating the file or sending you a contact form, it will encrypt that information. So it is an important level of security, but not enough to cover all of the other pages wherever breach can happen. So it’s…

RP: Yeah, exactly.

VD: Something most have, but not enough.

RP: Right, yeah, and I think the key thing that we were talking about when we originally talked about it is that Google… It’s one of those criteria that Google looks at from an SEO point of view, not a huge criterion. From Google’s point of view, however, it is one of the things that they’re looking at. So adding SSL to your website is very good, especially if you’re transferring a lot of information back and forth, like you mentioned forms. When somebody fills out a form on your website, that information has to be sent from yours… From the client, whoever that user is, to your website, and by securing that information, it’s locking it. Typically, it’s always used, or should always be used, whenever you’re doing credit card transfers and those type of things.

VD: It should always be used. When you’re doing credit card transfer, it is, yes. I wonder if it’s even a law. It could be a law or some regulation, but you should have an SSL if…

RP: Yeah, I would hope so by now. It is 10 o’clock, so we’re going to have to cut this off here. I think we’ve provided a lot of valuable information. Number one, number one, number one, like you said, is make sure that your WordPress is up-to-date. If it’s not up-to-date, and you’re a little concerned about updating it and possibly breaking the site; you don’t know how to do backups, Virginie Dorn is an expert at this now because of all the issues that she’s had to deal with. I’m becoming an expert because of all the issues I’ve had to deal with. If you already have a webmaster, ask them.

RP: A lot of companies are also starting to provide updating services. So it’s a service that I’ve offered. I’m sure, Virginie, you offer it also, where for a small fee every month, we will actually go in, update the sites, make sure all the plugins are up-to-date, make sure that WordPress is up-to-date, do all the backups. It’s a nominal fee per month, and if it’s something you don’t want to deal with, it’s something you should talk to your webmaster about. It’s very, very… Very, very important, and it’s becoming more important as numerous websites… I mean numerous websites have been hacked in the last month.

VD: Yes. I think it’s over 100,000. It’s like a huge number, it’s…

RP: That was, yeah, and that was just the RevSlider. I mean RevSlider infected over 100,000. You’ve got all this other stuff that’s going on; it’s just crazy. So anyhow, we got to go. As always, I appreciate your time, Virginie, and we’ll be talking next week.

VD: That sounds lovely. Take care.

RP: Thank you. Bye.


About the Author:

Ryan Perry is the founder and CEO of Simple Biz Support, Inc. Ryan started video blogging in 2009 as an alternative to written blogs to create visibility and credibility online. During the workweek, he enjoys helping small business owners harness the power of video to grow their companies. On the weekends, he enjoys hiking and searching out waterfalls throughout the state of California.
