is a hugely popular content management system that started out as a blogging platform and has evolved into much more. Millions of websites are built on WordPress today with more being built every day.
As a result, WordPress security has become a large and very important issue.
WordPress is a Hacker’s Delight
Because of its popularity, WordPress now has a huge bulls eye on its figurative back and those with nothing more positive to do with their time are actively looking for ways to exploit security flaws.
Being in charge of WordPress security these days is like being the defensive coordinator for a football team. Not only do you have to correct the defects you know about, you have to try to anticipate what the opposing team (the so-called “Black Hats”) is going to attack next. In short, you must react to threats as quickly as possible while trying to prevent new ones.
Apparently, the IT folks at Thomson Reuters lost sight of that fact, as reported in a recent story in the CIO Journal. The company was still running version 3.1.1 of WordPress which is woefully out of date. The current version is 3.4.1 released a few weeks ago.
In the many months between the release of 3.1.1 and the current version, the WordPress development team found and fixed many security flaws. More importantly, the Black Hats have known about these flaws longer than that.
In my opinion, there is no excuse for running that old a version of WordPress on a public-facing site, especially one with as high a profile as Thomson Reuters. It’s one thing to be a version behind, but three?? More if you count the minor patch releases. The only surprise here is that it took the Black Hats that long to hack the site.
Have You Updated?
Okay, before we bash the Thomson Reuters people further, let’s have a show of hands. How many of you WordPress users are still seeing when you log in to your dashboard the yellow banner that says “WordPress 3.4.1 is available. Please update now”? I guarantee the number is higher than it should be.
Go do that update now while you’re thinking about it. I’ll wait…Done? Great!
I understand the reluctance to update the minute an update comes out. I have been burned enough times by flawed updates that I approach them with appropriate caution. Updates to WordPress are tested on non-production sites before being applied to live sites so that any obvious problems are spotted right away.
As a matter of policy, I do not update to major releases until the first patch appears. For example, when 3.4 came out, I held off updating until 3.4.1 appeared a couple of weeks later. Inevitably, the first patch contains bug fixes and security fixes that are shaken out in the field after the major release.
This is not in any way meant to disparage WordPress software or its developers. WordPress is a fairly complex software framework that not only has to perform its core functions, but must also provide a platform for countless themes and plugins coded to various degrees of quality.
Any software of that complexity is going to have bugs and security flaws. It’s a fact of life and just something we deal with because it’s not possible to get it perfect.
So, the aforementioned football game between the White Hats (us) and the Black Hats (them) goes on ad infinitum. It only makes sense to have the best protection possible in place as soon as practical. You wouldn’t play football with a leather helmet these days, would you?
What can you do to protect your site?
Obviously, step one is to keep WordPress and any plugins and themes updated to a very recent, if not the latest version. The next important step is to maintain current backups of your site.
Backing up WordPress requires not only backing up the database, but the plugins, themes and media files, as well. There are plenty of plugins available to automate the process so that you can set it up and have it run periodically.
For my clients’ sites, I run a daily database backup and a weekly site backup (including the database) and store those backups offline in Amazon S3 or another similar service.
For all the talk about backups, there is too little attention paid to the other side of the equation: restoring from the backups. Backing up is great, but unless you have tested the backups periodically to be sure they will restore properly, you’re leaving yourself open to the possibility that the restore will not work when it’s needed.
The last thing you want is to discover your backup is flawed right after your server has crashed!
Backing Up Your Site
For my clients, and my own sites, I use BackupBuddy from iThemes. There are a number of free WordPress plugins for backup. However, I have yet to find one that works as well as BackupBuddy for the two most important functions necessary: backup AND restore.
In addition, BackupBuddy has the ability to migrate sites from one domain to another which makes it ideal for restoring backups to test sites to verify the backups. This avoids having to restore to your live site to test the backup, which is a Catch-22 if you think about it.
To review, keep your WordPress site up to date and keep it backed up. These two steps will keep you as close to 100% security as it’s possible to get.
John Sawyer is The Small Business Website Guy, an IT professional with over 30 years’ experience in software and web development. John specializes in developing and maintaining websites built on the WordPress platform. His mission is to provide technical services to businesses and individuals who would rather run their business than mess with their website.