As a web guy, I see a lot of good and bad when it comes to website and online presence. Today, I want to share some good so that you can avoid the bad.
If you’re using WordPress, there are some things you need to be aware of.
Using WordPress to build your website has been proven to be the most economical option. That is why it has been estimated that WordPress powers 39.6% of the websites on the internet. There are approximately 64 million websites built using WordPress, with over 400 million people PER MONTH visiting those sites.
In addition, there are over 50,000 WordPress plugins to enhance those websites—not to mention the 1000’s of themes that are available to make your site look good, as well. Furthermore, it is said nearly 1,000 WordPress sites are added DAILY.
You may ask, why is all that important? It’s to bring to light the sheer number of things that could affect your WordPress-built website.
Much of WordPress source code is open source, as are the plugins and themes. Open source simply means the code that makes all of this work is open to anybody and everybody.
Why Does That Even Matter to You?
To the average website owner, that means nothing really, but let me explain where I’m going with this.
While it’s a good thing the source is available, it also means that people that prefer to do things illegally (AKA hackers) also have access to that code and are constantly looking for security holes in the source code to allow them to access your website.
Yeah, I know you’re thinking, “My site has nothing of value a hacker would want, so I don’t need to worry about this.” Nothing could be further from the truth. That can actually make you a prime target.
Hackers will sometimes target smaller sites because those sites are less likely to be kept up to date, and their owners may not even understand what is needed to keep the site secure.
It’s not about the content on the site really; they just want access to your website storage space and resources. They will use these resources to build what is called a phishing site hidden on your website.
Many of these are created and run without the website owner even knowing, and hackers are betting that you won’t notice.
If you’re unfamiliar with the term phishing, I’ll clarify just a bit. As I mentioned earlier, these people will gain access to your website and install a page or pages. These pages are designed to look exactly like the site they are trying to mimic, generally credit card companies, banks, or other financial institutions. For example, they may add a folder to your site called Mastercard. This page would look exactly like a page that Mastercard uses. Same colors, logos etc. In this case, the page has a reset password form with the fields first name, last name, old password and new password.
They then start sending emails from your server to a list of emails that they’ve acquired which has a message something like, “We’re sorry to inform you but your account has been compromised, and you will need to reset your password” with a link to your page. The link itself is usually hidden behind a button or text link.
The recipient of the email panics and clicks the link, then fills out the data on the page. What they didn’t realize was that the hacker was “fishing” for their account details to log in to their credit card site. Now the hacker can modify the account, order a replacement card, and go shopping.
This is Bad News for You
This can cause you a lot of trouble. I’ve never seen a site owner being charged with doing this kind of activity intentionally, but it will cost you in the long run. The card companies watch out for this kind of scam and will track them down if possible. Your Web host can and will suspend your website until you clean up and secure your website. It’s also possible that your website will be flagged or blacklisted by companies that monitor domains for email delivery, causing your own email not to be delivered.
In addition, your website could get flagged by Google, Firefox, and other services and will show a warning page instead of your actual website. The warning page alerts the visitor that your site has potentially harmful information and could be trying to steal data from them. So not only will you lose money from lost sales and lost reputation, but you will have to pay someone to clean up your site.
Sadly, these hackers don’t make it easy to get rid of their pages. Many times, they’re well-hidden and they infect other pages to keep you off the scent of the real problems.
What Can I Do to Protect Myself?
It helps to be aware of what is possible and not take it lightly. The biggest thing you can do as a website owner is to make sure your website backend is up to date. In some cases now, you can enable auto updates. I recommend checking at least once a month to be sure updates have been run.
Next there are free plugins you can add to your website that will assist you in keeping this kind of thing from happening. They can also scan your website to see if you’re already infected.
I recommend a couple of plugins that you can find as simply as going to “Add Plugin” in the back end of your WordPress site. Once there you can search for “WordFence” and “All In One WP Security”. Some people will use one or the other but I prefer to use them both together just for the added features combined.
Wordfence has a great firewall system that will help prevent harmful attacks from would-be hackers. It will bring awareness to how often your site really gets probed by different services and of course hackers. You can see in the stats what is happening. It also has great scanning tools to alert you if you have infected files as well as plugins and themes that are no longer supported. If you remember, I mentioned earlier that plugins and themes no longer kept up to date on the developer’s side are generally one of the security holes hackers will find.
All In One WP Security also has a scan feature, but it scans for files that have been changed recently. Running updates can trigger this flag, so you should be aware of that. In addition, it has some really good features to lock down your site to make it even safer. The setup is pretty intuitive to walk through; just follow its instructions on the changes you should make.
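A rough self-check for the planted-folder phishing pages and the changed-file scan described above, as an added example (not part of the original article, and not how either plugin works internally). It assumes you can run Python against a copy of your site's files; the function names, the 7-day window and the sample files are made up for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}  # folders WordPress creates
PAGE_EXTS = {".php", ".html", ".htm"}
# A password input is the hallmark of the fake "reset password" form described above.
PASSWORD_FIELD = re.compile(rb"<input[^>]+type\s*=\s*[\"']?password", re.I)


def scan_site(docroot, recent_days=7, allowed_dirs=(), now=None):
    """Return (unexpected_forms, recently_changed) as sorted relative paths."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    expected = CORE_DIRS | set(allowed_dirs)
    unexpected_forms, recently_changed = [], []
    for path in Path(docroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PAGE_EXTS:
            continue
        rel = path.relative_to(docroot)
        # Like a changed-file scan, this also lists files a fresh update touched.
        if path.stat().st_mtime >= cutoff:
            recently_changed.append(rel.as_posix())
        # Root files such as wp-login.php legitimately contain a password field.
        in_unknown_dir = len(rel.parts) > 1 and rel.parts[0] not in expected
        if in_unknown_dir and PASSWORD_FIELD.search(path.read_bytes()):
            unexpected_forms.append(rel.as_posix())
    return sorted(unexpected_forms), sorted(recently_changed)


def demo():
    """Scan a constructed sample site: stock files plus one planted folder."""
    form = b'<form><input name="old" type="password"></form>'
    sample = {"wp-login.php": form, "wp-admin/index.php": b"<?php",
              "mastercard/reset.html": form}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in sample.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
            if not rel.startswith("mastercard/"):
                old = time.time() - 90 * 86400  # constructed: stock files are 90 days old
                os.utime(path, (old, old))
        return scan_site(tmp)


if __name__ == "__main__":
    print(demo())
```

Pass any folders you created yourself (a shop or members area, for example) in `allowed_dirs` so they are not reported, and expect the recently-changed list to fill up right after you run updates.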
All Silver Level and up members of Marketing University have access to a recent training I delivered on this very topic. I talk about these settings and other items you should be aware of for your website.
If you’ve read this far and are just overwhelmed with all of the above and don’t know where to begin, or maybe just would rather have someone else take care of it either on a one time basis or on a monthly maintenance program, I actually offer a service called WP Just Fix It (wpjustfixit.com) where our team handles clean up, monitoring, or even configuring the above plugins as well as other website services.
It’s important to remain informed on what can potentially happen if you don’t maintain your website. It’s just like any other moving piece; it needs to be managed and inspected from time to time to keep everything running smoothly.