Introduction
The focus of this week’s article will be website security. Is my WordPress site secure? Why is WordPress security so important? Why would someone want to hack my site? What can I do about it? In this week’s article, I will address some of these concerns and some common misconceptions about hacking and website security.
Brief history of the web
In the early days of the Internet, creating and updating a website required a general knowledge of HTML (Hypertext Markup Language). This ever-changing descriptive framework and its lack of standardization were notoriously difficult to work with. Due to these complexities, developing and maintaining a website would often cost thousands of dollars. With the advent of server-side scripting languages such as PHP and structured database storage queried with SQL (Structured Query Language), this all changed. These technologies led to the development of Content Management Systems (CMS) such as WordPress. It was now possible for almost anyone with minimal technical experience to create a website. The journalistic design of WordPress led to people creating online journals known as weblogs, which eventually evolved into the word we are all aware of today: “blog.”
The rise of WordPress
By far the most popular CMS today is WordPress, as it accounts for more than 28% of all websites on the Internet, and this number is growing every day. The primary reason for the success of WordPress has been its focus on ease of use and the ability to extend features with plugins. This growing market share has led to some amazing plugins and themes. Not only is our website a WordPress site, but you might be surprised to find out that some pretty large companies also use WordPress for their websites, such as Walt Disney, Mercedes-Benz, Sony Music, The New Yorker, Bloomberg Professional, The Wall Street Journal, CNN, and even The Official Star Wars Blog.
Convenience has a hidden cost
There is no doubt WordPress has become the most flexible CMS available today. However, this convenience comes at the expense of security. In recent years, WordPress has made significant improvements in its security model, but poorly written plugins, outdated installs, inexperienced webmasters, and bad hosting still plague WordPress sites to this day. Today, with hundreds of thousands of bots sifting through the Internet, an old install of WordPress or a vulnerable plugin can be infected with malware in just a few minutes. WordPress has the potential to be a secure content management system if done right.
Hacker misconceptions
To most people, the word hacker conjures a vision of a nefarious individual intent on defacing their website, but this is rarely the case. In fact, this type of “hacktivism” accounts for less than 4% of hacked sites. In reality, most hackers have a lesser-known but equally damaging motive. Your typical website hacker will create an automated attack script or "bot" that leverages a specific vulnerability to install a backdoor on a website. They can then send this bot off to conquer the Internet while they sleep. In no time, the hacker will have access to thousands of systems all over the world. They can then use these sites to deliver malware to their visitors, which was the hacker's target all along. Google blacklists more than 70,000 websites per week for malware, which can be devastating to a site. Google's blacklist destroys all the SERP (Search Engine Results Pages) rankings you have spent years building. Another more recent and fast-growing type of malware attack is SEO spam, which can get you completely delisted from Google.
Defense in depth
The most important security concept for defending a website is what we call “defense in depth.” Put simply, we want to make sure every layer of service, all the way down to the filesystem, has both intrusion prevention and detection. If one layer is compromised, the restrictions at the remaining layers limit the attacker's access and minimize the damage they can do. Lastly, there needs to be sufficient logging and notification so that the system admin can take immediate action. As you might guess, this is far easier said than done, and many system admins and hosting providers don’t follow this practice at all. Even though 96% of all website attacks are automated, the hacktivist is by far the most dangerous. In fact, it is often impossible to "completely" protect any Internet-connected system from a sufficiently skilled, highly motivated hacker. However, by following best security practices, we can significantly minimize the damage a skilled attacker can do.
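The filesystem-layer detection and logging described above can be sketched as a baseline-and-rescan integrity check. This is an added example, not part of the original article or of WordPress itself; the function names are illustrative, and the rule that `wp-content/uploads` should contain no PHP is an assumed site policy.

```python
import hashlib
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("fs-integrity")


def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}


def compare(baseline, current):
    """Return (added, modified, removed) paths between two snapshots."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, modified, removed


def php_in_uploads(paths):
    """Heuristic (assumed policy): the media upload tree should hold no PHP."""
    return [p for p in paths
            if p.startswith("wp-content/uploads/") and p.lower().endswith(".php")]


def report(baseline, current):
    """Log every change; return the paths that need an immediate alert."""
    added, modified, removed = compare(baseline, current)
    for label, paths in (("added", added), ("modified", modified), ("removed", removed)):
        for p in paths:
            log.warning("%s: %s", label, p)
    alerts = php_in_uploads(added + modified)
    for p in alerts:
        log.critical("PHP file in upload directory: %s", p)
    return alerts


def demo():
    """Constructed sample tree: baseline it, change two files, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "wp-content/uploads").mkdir(parents=True)
        Path(tmp, "index.php").write_text("<?php // constructed placeholder\n")
        baseline = snapshot(tmp)
        Path(tmp, "index.php").write_text("<?php // constructed, edited\n")
        Path(tmp, "wp-content/uploads/x.php").write_text("<?php // constructed placeholder\n")
        return report(baseline, snapshot(tmp))
```

In practice the baseline would be stored outside the web root, and the logger would be wired to whatever notification channel the admin actually reads.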
Managed WordPress
The idea of Managed WordPress is not a new concept. WordPress sites have security, scalability, and performance pitfalls that can cripple a hosting provider that is not specifically designed to handle these types of problems. Managed WordPress is quickly becoming more popular as people realize their $5 a month hosting provider is not equipped to deal with the specific needs of their WordPress site. Recently, some of the enterprise features that would have cost thousands of dollars before have become more accessible to the average blogger. Our goal at Christian Host is to provide our customers with all the security and performance benefits of a top-tier Managed WordPress hosting provider at a price anyone can afford. Peace of mind now costs less than $20 a month.