Security of WordPress websites is an important matter these days. With 32% of websites built on it, WordPress has become a large target for attackers. If an attacker is able to find a vulnerability in WordPress, he can attack a large number of sites without the additional work of finding new vulnerabilities on each website. Because of this, it is critical that you keep your WordPress site up to date to help defend against the latest attacks.
The most critical component to keep updated is WordPress itself. Themes and plugins vary from site to site, and you should update them as well. Plugins especially are commonly targeted. Keeping all of your site’s files up to date ensures it has the latest security patches.
Consequences of Lax Security
Almost all attacks are performed by computers, not humans. As soon as your website is online, computers will begin probing your defenses. If you are the unfortunate victim of an attack, here are some common outcomes:
- Your website pages may be injected with ads.
- Your user data may be compromised.
- Your server may be used to send spam.
- Your server may be used to launch additional attacks.
If your website is compromised, your web host will not be happy (I’ve been there!). If they detect anything malicious coming from your account, they will suspend it on the spot. If you have a previous history of good behavior, you may get away with a slap on the wrist – clean up the mess, update everything, and they’ll reactivate your account. However, you may be on the hook for additional charges, and your hosting company may refuse to do any more business with you. By launching attacks from their server, you’ve tarnished their reputation, which can lead to them being distrusted by big companies like Google. Oops.
An additional step toward increasing your site’s defenses is to use a plugin dedicated to the job. Wordfence is great for what it does, but it does charge a high fee to do so. Defender plugins such as Wordfence can detect and block repeated attempts to log in, block entire ranges of IP addresses, and automatically scan your installation’s files for malware on a regular basis. You can often configure alerts to notify you when anything important (read: dangerous) happens with your site, so you can jump on top of the problem the moment it occurs.
Does My Provider Protect Me?
This is an all-around hard question to answer. Since this is a service which has value to customers, providers who offer automatic updates or other security features will advertise this fact on their product pages. Both WP Engine and GoDaddy’s WordPress hosting offer automatic WordPress core updates. WP Engine goes a step beyond by blocking many known attacks and other suspicious activity.
This is where most support stops. Plugin and theme updates are rarely offered as part of a hosting package. It’s a disappointment, but it makes financial sense. Plugin updates especially often come with changes that may cause your site to stop working as intended. WordPress plugins are often so interconnected and reliant on each other that if one plugin updates, another might have to update to continue working. It can also be a difficult task to decipher which plugins are causing problems after an update. As a final note, there are many plugins with subscriptions or other payment requirements. It’s impossible for your web host to buy all the licenses for your site and every other, and then keep them updated on top of that!
But all hope is not lost. There may be no automated way to keep on top of all of the updates, but that is where managed support comes into play. You can have a consulting company (like us!) worry about this for you. You can also purchase your licenses through them so that they will have access to the latest updates as they become available without you lifting a finger.