Now that we have a good understanding of some of the most common WordPress mistakes, let’s focus on the security aspect. Today’s post deals with one of the most neglected aspects of maintaining a WordPress website – security. Specifically, we will be talking about how some misguided actions by users (that’s us) lead to disaster.
Instead of telling you “this is wrong – don’t do this”, I’ve tried to highlight the dangers and consequences of each action. Whether it’s not updating your WordPress site or downloading pirated themes, these are the common security mistakes you must avoid.
11. Ignoring WordPress Updates
It is of critical importance that you update your WordPress website(s) as soon as updates become available. Here’s why:
- Every day, new bugs, vulnerabilities and performance improvements are discovered and reported by a global community of developers. These reports are reviewed and incorporated into a future release of WordPress.
- If a vulnerability is severe enough, an immediate update is released.
- With every major WordPress release, exciting new features like the awesome image editor (which by the way, lets you crop and resize images on the go) are also introduced. For instance, take a look at the awesome features introduced in WordPress 3.9 and 4.0.
What happens if I don’t update WordPress?
- Ignoring WordPress updates means leaving known, identified security loopholes unpatched. This does nothing but make the hacker’s job easy. What happens thereafter? Find out under the next heading!
- You miss out on a load of new features and performance improvements.
Consequences of a Hacked Website:
Let’s take a look at a few consequences of a hacked WordPress website:
- Your email list (one of the most crucial assets of any website) is stolen and bombarded with spam. To make matters worse, this email list can also be sold to other “black market” buyers.
- Your site can also be infected with malware. This in turn will infect anyone who visits your site. The worst part is when you don’t know that your site has been hacked – this causes the maximum damage as it gives you an illusion of safety.
- The effect of a hacked site is most disastrous when you run a membership site. People who pay to view your site’s content get their PCs/devices infected and their privacy violated.
- Once Google identifies your site as a malware-infected domain, your search engine rank falls through the floor. Recovery from a blacklisted domain is an incredibly painful and expensive process.
- Sometimes people may even need to stop their business and go for a whole new brand!
- In short, once hacked, your site’s reputation and all future prospects are irrecoverably destroyed.
The obvious remedy is updating your WordPress site proactively. Thanks to the Automatic Background Updates feature (introduced in WordPress 3.7), people don’t have to worry about updating their site – WordPress takes care of it in the background.
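One caveat worth knowing: out of the box, the background updater installs only minor (security and maintenance) core releases, and it leaves plugins and themes alone unless a filter tells it otherwise. The must-use plugin below is an added example, not code from the original post or from WordPress’s own documentation; it opts a site into background updates for core, plugins and themes, with an exception list for anything you patch by hand. The file name and the plugin slug in that list are assumptions.

```php
<?php
/**
 * Plugin Name: Site auto-updates
 * Description: Added example (not from the original post): opt this site into
 * WordPress's automatic background updates for core, plugins and themes.
 *
 * Assumption: saved as wp-content/mu-plugins/auto-updates.php, so it loads on
 * every request with no activation step.
 */

// Core releases. The default ('minor') installs only security and maintenance
// releases in the background; true also installs major releases. wp-config.php
// is the documented home for this constant, so define it here only if wp-config
// has not already done so.
if (!defined('WP_AUTO_UPDATE_CORE')) {
    define('WP_AUTO_UPDATE_CORE', true);
}

// Plugins and themes are not updated in the background unless these filters
// return true. Keep an exception list for anything you patch by hand
// (assumption: the slug below is a placeholder for a plugin of your own).
function site_auto_update_plugin($update, $item) {
    $manual = ['my-custom-plugin/my-custom-plugin.php'];
    if (isset($item->plugin) && in_array($item->plugin, $manual, true)) {
        return false;
    }
    return true;
}
add_filter('auto_update_plugin', 'site_auto_update_plugin', 10, 2);
add_filter('auto_update_theme', '__return_true');

// Translation files are updated by default; say so explicitly in case a host
// or another plugin has turned it off.
add_filter('auto_update_translation', '__return_true');
```

Background updates run from WP-Cron, so a site whose cron is disabled (or that gets no traffic to trigger it) will not update itself; check the Updates screen or the update e-mails now and then. Auto-updating plugins also means an update you never tested can land on a live site, which is why a staging copy of the site matters more once this is switched on.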
If you’re on a managed WordPress hosting service like WPEngine, you’re already experiencing one of the finest WordPress services in the industry. Not only does WPEngine automatically update your WordPress core, the updates are also fine-tuned to their servers’ specifications and security measures, so you get every last bit of the performance and security boost.
If, by an unfortunate turn of events, your site does get hacked, I would recommend hiring professional WordPress security developers such as White WP Security or Sucuri to clean it up. Oh, and did I mention WPEngine also gives you a free hack clean-up?
12. Pirated Themes and Plugins
Let’s face it – for every new theme or plugin released on Themeforest (or any other major WordPress marketplace, for that matter), a pirated or “nulled” version of the product is available on many sites for free.
Why do you think somebody would buy a $75 theme and give it to you for free?
Some of you might be aware that these pirated themes/plugins aren’t hosted on Themeforest. They’re hosted on file-sharing services or “cyberlockers”. I’ve put together a little introduction to such “cyberlockers” if you’re interested.
The 411 on Cyberlockers:
- Cyberlockers are services that host your files for free.
- Their main sources of revenue are ads and premium accounts.
- The ads are displayed on the file’s download page.
- Premium accounts give the downloader advantages such as faster/uncapped download speed and zero “waiting time” before the download.
- Some cyberlockers also pay “uploaders” a minuscule amount, $2-5 USD, for every 1000 downloads a file receives.
- The bad part: certain cyberlockers display malicious ads which carry a host of malware. Their “download” buttons are intentionally misleading, to trick you into clicking the malicious advertisement.
- They also include many pop-ups and pop-unders which wreak havoc on your system if proper antivirus isn’t installed.
These are just a few of the dangers of downloading from a cyberlocker. Of course this doesn’t mean that everyone uses cyberlockers for illegal purposes. MediaFire is an excellent example of a good file-sharing service and is used by millions for legitimate purposes.
Getting back to Nulled WordPress Themes…
If you were to calculate the revenue generated from these dishonest means, you’d find that the business isn’t profitable. The risks involved are far greater than the ROI. So one must ask – what’s the catch?
Rest assured, there is one. And it’s a nasty one too! The ultimate reason behind uploading nulled themes and plugins is to inject malicious code into your website. This creates what hackers and exploiters call “backdoors” into your server. Once a hacker gains entry to your website, you know the endless possibilities.
Moral Police, Standby…
This is the very reason why you should never install nulled/pirated themes and plugins. Developers put in several hundred hours of work, developing, maintaining and updating their product. I don’t mean to preach, but the next time you download a product for free, just put yourself in their shoes and see how you’d feel.
13. Free Themes from Shady Sources
Just like “nulled themes”, there are a few “free” WordPress themes that appear to be harmless. I’m not referring to the thousands of themes in the official WordPress theme repository. All the themes submitted to the repository undergo strict selection criteria, which, rest assured, include scrutiny for harmful code.
I’m referring to the ones you find on never-heard-of-before websites offering you “free beautiful WordPress themes”. There have been incidents where these “free themes” were loaded with malware. As a rule of thumb, download free themes only from:
- WordPress Repository
- Reputable sources such as WPExplorer or WooThemes
- Popular theme stores that offer certain free themes
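The “backdoors” planted in nulled products (section 12) and the malware found in “free themes” from unknown sites (this section) usually announce themselves in the source as obfuscation: code run through eval() on a decoded string, functions called through variables, includes pulled from a remote URL, or long base64 blobs. The read-only scanner below is an added example, not code from the original post or from any product it names; it greps a theme or plugin folder for those patterns and reports what it finds without modifying anything. The folder path and the sample snippet are constructed for illustration, and a hit is a reason to open the file and look, not proof that it is malicious.

```php
<?php
// Added example, not code from the original post or from any product it names:
// a read-only scanner for the obfuscation patterns typically planted in nulled
// themes and in "free" themes from unknown sites. It reports and never modifies
// files. Assumptions: the directory path and the sample source below are
// constructed for illustration.

const SUSPICIOUS_PATTERNS = [
    'eval on decoded data'         => '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    'function called via variable' => '/\$[a-z_]\w*\s*\(\s*\$[a-z_]\w*\s*\)\s*;/i',
    'include from remote URL'      => '/\b(include|require)(_once)?\s*\(?\s*[\'"]https?:\/\//i',
    'user account created in code' => '/\bwp_(create|insert)_user\s*\(/i',
    'long base64 blob'             => '/[A-Za-z0-9+\/]{200,}={0,2}/',
];

// Return the labels of every pattern found in one file's source.
function scan_source(string $source): array {
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
        if (preg_match($regex, $source) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Walk a theme or plugin folder and map each flagged .php file to its hits.
function scan_directory(string $dir): array {
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $path => $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $hits = scan_source((string) file_get_contents($path));
            if ($hits !== []) {
                $findings[$path] = $hits;
            }
        }
    }
    return $findings;
}

// Constructed sample: an ordinary functions.php line followed by a planted
// eval-on-base64 line (the payload decodes to the harmless phpinfo();).
$sample = "<?php\nfunction theme_setup() { add_theme_support('title-tag'); }\n"
        . "eval(base64_decode('cGhwaW5mbygpOw=='));\n";
print_r(scan_source($sample));

// Real use: point it at an installed theme or plugin folder (path is an assumption).
// print_r(scan_directory('/var/www/html/wp-content/themes/some-theme'));
```

Legitimate code occasionally trips one of these patterns (a membership plugin really does call wp_insert_user(), and some libraries embed base64 images), so treat the output as a reading list. The cheaper check comes first, though: compare the files against a fresh copy bought from the original developer, and anything the download has added that the original lacks is the place to start.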
14. Not Disabling Directory Browsing
This is not so much a security loophole as a precautionary measure. Directory browsing refers to the web server listing the contents of a folder in your web root when a visitor requests that folder and it contains no index file. You should disable directory browsing for a number of security reasons. Please check out this tutorial, where I’ve discussed these issues and outlined how to disable directory browsing in WordPress, along with a few other tips!
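On Apache the server-level switch is Options -Indexes in the site’s .htaccess (autoindex off; on nginx). When you cannot change the server configuration, the same effect comes from the convention WordPress itself follows: an empty index.php in every folder, so the server serves that file instead of listing the folder. The script below is an added example, not code from the original post or from the tutorial it links to; it walks an install, reports every folder that has no index file, and can write the placeholder files after you have reviewed the report. The web root path is an assumption.

```php
<?php
// Added example, not from the original post or the tutorial it links to: find
// every folder in a WordPress install that has no index file and (optionally)
// drop in the empty index.php WordPress itself ships in wp-content folders, so a
// server with directory listing enabled serves that file instead of the listing.
// Assumption: $root is the WordPress web root; adjust before running.

function missing_index_files(string $root): array {
    $dirs = [$root];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $path => $info) {
        if ($info->isDir()) {
            $dirs[] = $path;
        }
    }

    $missing = [];
    foreach ($dirs as $dir) {
        // Any index file already stops the listing; leave those folders alone.
        if (file_exists("$dir/index.php") || file_exists("$dir/index.html")) {
            continue;
        }
        $missing[] = "$dir/index.php";
    }
    return $missing;
}

function create_index_files(array $paths): int {
    $created = 0;
    foreach ($paths as $file) {
        // Same placeholder WordPress uses: a PHP file that outputs nothing.
        if (file_put_contents($file, "<?php\n// Silence is golden.\n") !== false) {
            $created++;
        }
    }
    return $created;
}

$root = '/var/www/html'; // assumption: your WordPress root
$missing = missing_index_files($root);
foreach ($missing as $file) {
    echo "missing: $file\n";
}
// Uncomment to write the placeholder files after reviewing the report above:
// echo create_index_files($missing), " index.php files created\n";
```

The folders this usually turns up are the year/month sub-folders under wp-content/uploads, which WordPress creates as you upload media and which are exactly what an open listing exposes. The placeholder trick depends on the server’s DirectoryIndex including index.php, which is true of any host that can run WordPress at all; the .htaccess or nginx setting is still the cleaner fix where you have access to it.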
15. Not Installing a Security Plugin
Finally, we have the highlight of this post – a security plugin. I’ve already talked a lot about security, the consequences of getting your site hacked, etc. Today, I’d like to point out a few key points.
- There are plenty of known and unknown vulnerabilities when it comes to WordPress.
- A lot of them depend on your hosting environment and the way you installed WordPress.
- Addressing each of these vulnerabilities is a tedious task to say the least.
- Moreover, a lot of WordPress users don’t have the technical background required to understand and implement the security measures.
This is why we recommend a security plugin. Let’s take iThemes Security for example. The plugin addresses all the aforementioned issues and keeps your site secure.
You can pay a premium for added security measures, which are usually necessary for membership sites. Once you start generating revenue from your online business, it is a good practice to:
- Shift to a managed WordPress hosting environment
- Subscribe to a premium security plugin such as iThemes Security Pro
Here’s something you’ve heard time and again –
Prevention is better than cure.
I think this is a fitting quote to conclude today’s topic. Securing your WordPress website should be done proactively. With so many issues to rectify, and new ones popping up every now and then – one must have a strong technical background to make sense of it all.
But WordPress is for everyone. It shouldn’t be difficult. Ask yourself –
Do I spend most of my time on content curation and promotion? Or do I worry too much about the site’s technical aspects?
If your answer is the second one, you know it’s time for a change. I would recommend shifting to a managed or a “semi-managed” WordPress host like WPEngine or SiteGround. The beauty of SiteGround lies in the fact that they have managed WordPress hosting packages starting from $10/mo. Plus, there’s an introductory 60% discount for annual plans as well. As for WPEngine, you already know the benefits.
Next week, we’ll explore a few more of these WordPress beginner mistakes! So stay tuned my friends!