According to market-leading security firm Sucuri (yes, the same people we use to help secure our clients’ sites), the first quarter of 2016 has continued the trend of previous years, with WordPress websites coming under sustained attack.
As WordPress is the most popular content management system, it’s not surprising that it is being singled out in this way. However, it is worth noting that Sucuri reports that three of the most widely used plug-ins are responsible for opening the doors in around one-quarter of all successfully hacked WordPress websites.
The three plug-ins are RevSlider, Gravity Forms and TimThumb. Of these, RevSlider is suspected of being the way that hackers managed to uncover the financial papers of the world’s fourth biggest offshore law firm, Mossack Fonseca – the so-called ‘Panama Papers’.
Now, there’s no need to panic if you know you have these plug-ins running on your site. So long as they’ve been regularly updated, any security gaps will have been closed.
The problem arises, however, if your theme designer embedded earlier versions of these plug-ins directly into the theme code. If so, you are relying on the theme designer to update the software every few months to close the security vulnerabilities. Many will, but some won’t. Because of the way the code has been embedded, there’s no easy way for you to update it yourself either: a plug-in copied into a theme folder is not seen by the WordPress dashboard’s update mechanism. Fortunately, this theme design practice has largely died out, but if you have an older theme, it could be worth checking when it was last updated and, if that hasn’t been for a while, maybe considering a new look for your website!
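One way to carry out that check, as an added example that is not from the original post or from any of the plug-ins’ authors: walk a site’s wp-content folder, report every copy of RevSlider, Gravity Forms or TimThumb, and flag copies that live outside wp-content/plugins (typically inside a theme) as ones the dashboard cannot update. The main file names and version markers are assumptions about how those plug-ins are laid out.

```python
"""Added example (not from the original post): report every copy of
RevSlider, Gravity Forms or TimThumb under wp-content and whether it is an
updatable plugin or a copy frozen inside a theme. File names and version
markers are assumptions about how those plugins are laid out."""
import os
import re
import sys

# Standard plugin header line, e.g. " * Version: 5.0.9"
HEADER_VERSION = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
# TimThumb keeps its version in a PHP constant, e.g. define('VERSION', '2.8.14');
TIMTHUMB_VERSION = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

# Assumed main file of each plugin and the pattern that yields its version.
KNOWN_PLUGINS = {
    "RevSlider": ("revslider.php", HEADER_VERSION),
    "Gravity Forms": ("gravityforms.php", HEADER_VERSION),
    "TimThumb": ("timthumb.php", TIMTHUMB_VERSION),
}


def version_of(path, pattern):
    """Version string taken from the head of the file, or 'unknown'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = pattern.search(fh.read(65536))
    return match.group(1) if match else "unknown"


def scan_wp_content(wp_content):
    """One dict per plugin copy found anywhere under wp-content."""
    findings = []
    for dirpath, _subdirs, files in os.walk(wp_content):
        for plugin, (main_file, pattern) in KNOWN_PLUGINS.items():
            if main_file not in files:
                continue
            path = os.path.join(dirpath, main_file)
            rel = os.path.relpath(path, wp_content)
            # A copy under wp-content/plugins updates from the dashboard; a copy
            # anywhere else (typically inside a theme) stays at the shipped version.
            bundled = rel.split(os.sep)[0] != "plugins"
            findings.append({"plugin": plugin, "path": rel, "bundled": bundled,
                             "version": version_of(path, pattern)})
    return findings


if __name__ == "__main__":
    for f in scan_wp_content(sys.argv[1] if len(sys.argv) > 1 else "wp-content"):
        status = "BUNDLED in theme, no dashboard update" if f["bundled"] else "managed plugin"
        print(f'{f["plugin"]:14}{f["version"]:9}{status:40}{f["path"]}')
```

Run it as `python scan.py /path/to/wp-content`; any line marked BUNDLED is a copy you will have to update by hand or remove, and its version can be compared against the plug-in author’s current release.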
When you create a new WordPress website it’s all too easy to get excited and start creating pages, posts, adding videos and all the other things you want to do to get your site up and running.
But before you start, there are a few simple things you can do to improve the security of your WordPress website.
- Choose a name other than ‘admin’ as your username. Hackers will often trawl websites looking for an easy way in. If you continue to use the default username, that will be one less thing they have to ‘guess’.
- Make sure your password isn’t something that lots of people use or that you use yourself on other sites. You’d be surprised how many passwords chosen in 2015/16 included the phrase “StarWars”! Use a password generator from someone like Norton Security to create random strings of letters, numbers and special characters (such as ?>/ etc.).
- When you’re deciding on a funky new Theme for your WordPress website, make sure you’re downloading it from a reputable source such as WordPress’s own Theme Directory, Themeforest or a well-respected developer.
- Plugins are great for increasing the range of things your website can do. But again, make sure you know where you’re downloading them from.
- Check your computer’s firewall. Often these come bundled with your computer’s operating system but, if not, you can purchase one from security software firms such as McAfee, Norton or Kaspersky Lab.
Once you’ve done all that, head off and enjoy your new website. You’ll need to keep things up to date with the latest security patches for WordPress, Themes and Plugins, of course, but the important thing is to have fun creating your new masterpiece!
Mobile websites are becoming increasingly important as more and more people turn to mobile devices for their internet search. Google is continuing to favour websites that are responsive – changing to be easily visible on mobile devices as well as desktops.
Yoast’s WordPress SEO plug-in is one of the most popular, having been installed over 1 million times into websites around the world. So when a security vulnerability was discovered, it was time to take action.
Software updates for plug-ins, themes and the core WordPress platform itself are issued not only to provide new and exciting functions, but also to protect your website from attack.
Underlining the seriousness of the issue, WordPress.com has disconnected anyone who hasn’t updated their Jetpack plug-in, according to eweek.com.