New website clients often ask me how secure WordPress is. I realize that the question of WordPress security has been addressed by many writers and web consultants. You can find numerous technical articles dealing with the subject — like this one offering tried and true WordPress security tips or my post on basic WordPress security.
The simple fact is that WordPress security remains a concern mostly due to its popularity and the vast number of neglected, outdated, unprotected WordPress websites. It’s hard to secure WordPress in a contaminated environment.
Real World Efforts to Secure WordPress
Regardless of your position on how secure WordPress is, here’s a sample of my own real-world experience.
Over the past couple of weeks, I’ve spent way too many hours dealing with some persistent malware on a WordPress website that shared server space with a few other non-WordPress websites (Joomla, HTML).
I have been keeping WordPress and all plugins updated for about 6 months. I had pretty tight security settings and kept a close eye on the website.
Nevertheless, one day I noticed that the site had been flagged by Google as potentially harmful. The dreaded Malware alert notice.
That means many visitors would turn around and look elsewhere.
That means my client starts losing money.
Was it a WordPress Security Vulnerability?
My first inclination was to move the site to a new, dedicated hosting environment. Why? After looking at a few things, I concluded that the WordPress site was being contaminated by one of the other (older and neglected) websites on the server. No matter how hard I worked to update and secure the WordPress site, as long as the other sites remained vulnerable to attacks, the site I manage would continue to be infected.
Think of it in human terms. It doesn’t matter how many vitamins you swallow, how well you eat and sleep, or how much you exercise, if you continue to share 24/7 living space with someone with a highly contagious illness, you’ll eventually get sick too.
Unfortunately, I could not prove that the vulnerability was due to another website on the same server. In fact, the other sites I was suspicious of were still live and had no malware warnings. Still, I figured that if I could move the WordPress site to a secluded hosting environment, I could clean it up and stop the malware from seeping in.
However, the client preferred to keep the site where it was. Which is fine. They engaged SiteLock’s services to clean up the site (I usually use Sucuri,* but I’ve heard that SiteLock is reliable too). SiteLock scanned and cleaned the WordPress site, I changed passwords, updated plugins, and re-secured the site. But the next day, the malware returned.
SiteLock then proceeded to scour the other non-WordPress sites on the server and found some old scripts that were acting as backdoors for hackers.
My suspicions were gradually confirmed by SiteLock’s engineers.
We removed some old sites from the server that the client did not want, and cleaned up the others.
This was not an easy process.
And I still need to keep an eye on things because I believe the server environment is not the best setup. The hosting company is fine. I have no beef with their services. But once you have a backdoor open, there’s going to be risk for a while.
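The reinfection pattern described above (cleaned one day, back the next) is easiest to catch with a file-integrity baseline taken across every site on the server, not only the WordPress one, so that a script reappearing in a neglected neighbour shows up the same morning. This is an added example, not the author's or SiteLock's tooling; the site directory names, watched file types and sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that commonly carry server-side code or configuration. A change
# here outside a planned update deserves a look. (Assumed list for this example.)
WATCHED = {".php", ".js", ".html", ".ini", ".htaccess"}


def snapshot(roots):
    """Hash every watched file under each site root. Returns {path: sha256}."""
    result = {}
    for root in roots:
        for path in Path(root).rglob("*"):
            # .htaccess has no suffix, so also match on the bare file name
            if path.is_file() and (path.suffix in WATCHED or path.name in WATCHED):
                result[str(path)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; returns (added, modified, removed) as sorted lists."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed scenario: a maintained WordPress site and a neglected legacy
    site share one server. A baseline is taken after the clean-up; the next day a
    new script appears in the legacy site and a WordPress file has been altered."""
    with tempfile.TemporaryDirectory() as server:
        wp, legacy = Path(server, "wordpress-site"), Path(server, "legacy-site")
        (wp / "wp-content").mkdir(parents=True)
        legacy.mkdir()
        (wp / "index.php").write_text("<?php // front controller (constructed)\n")
        (legacy / "index.html").write_text("<html>old brochure site</html>\n")

        baseline = snapshot([wp, legacy])  # taken right after the clean-up

        # "Next day": unexpected new file in the neglected site, modified WP file
        (legacy / "old-contact.php").write_text("<?php // unexpected (constructed)\n")
        (wp / "index.php").write_text("<?php // altered, no planned update\n")

        added, modified, removed = diff_snapshots(baseline, snapshot([wp, legacy]))
        rel = lambda paths: [Path(p).relative_to(server).as_posix() for p in paths]
        return {"added": rel(added), "modified": rel(modified), "removed": rel(removed)}
```

In practice the baseline would be written to disk (or off-server) right after a clean-up, and the comparison run from cron so that every unexplained addition or modification across all webroots is reported, not just the ones under the site you maintain.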
When you set up your WordPress website, be sure to start with security fundamentals. Be willing to pay now (and small amounts each month) rather than risk losing business when your site goes down.
Yes, I said when, not if.
It will happen. Is that because WordPress is inherently insecure? Not at all. In fact, it is not difficult to maintain a secure WordPress site. But it does take a conscious effort.
The cold hard facts are that there are new WordPress security issues arising almost daily. To even hope to stand a chance of fighting them, you have to start with the basics. A good hosting environment and consistent maintenance will go a long way to establishing a secure WordPress website, one that is healthy enough to resist the majority of threats and malware.
About Steady Sites
Steady Graphics Services provides a WordPress maintenance plan to ease concerns like:
- Is my website performing at its peak so visitors get the best experience possible?
- Do I have regular backups of my website in case something happens to my web server?
- What if my website gets hacked?
- How can I get up-to-date, professional training so I can use my website better?
- Who can I trust to do the updates that are beyond my technical or creative abilities?
Tired of trying to maintain your own website? A WordPress maintenance plan might be the solution for you.
* Denotes affiliate link. If you make a purchase through these links, I may receive a commission. You will not pay more by clicking these links; the partner company pays the commission for recommending them to you.