Yesterday I received emails from two different people dealing with having their WordPress website hijacked or hacked. I can’t say for sure where the hackers found a hole in these websites, since I wasn’t responsible for building or maintaining them, but chances are it had something to do with a lack of maintenance in some form.
A few months ago I wrote this post on securing your WordPress site. In that post I listed the following six things to do in order to keep your site safe. (Check out the post here for details about each.)
1. Create a unique username
2. Create a tough password
3. Change the Database Tables Prefix
4. Check your file permissions
5. Be sure your theme isn’t opening security holes
6. Keep WordPress, your theme and plugins up to date.
Since the writing of that post I’d also add:
7. Be aware of the integrity of the plugins you add. Check their reviews, their support, and whether and when they are updated to stay compatible with WordPress updates. Yes, there are unscrupulous people out there who see WordPress plugins as a way to access your info, but there are also well-meaning plugin developers with sloppy code unwittingly opening security holes.
The first five items are generally items you or your designer should take care of when you’re first building your website. The last two are ongoing maintenance. That’s right, even though WordPress is much easier to maintain than a traditional HTML site, it still requires a bit of attention.
Many times the reason behind a WordPress, theme or plugin update is that a security flaw has been discovered. The updates effectively fix those flaws. If you’ve been ignoring those nagging reminders that there are updates available, you’re putting your site at risk!
If you never see those reminders and don’t have someone doing site maintenance for you, chances are you had someone else build your site and they ‘shut off’ those reminders. Some designers feel that allowing clients to see those reminders makes them look less professional. If they aren’t offering clients ongoing support to take care of updates for them, they risk looking ridiculous when a client site gets hacked and the client realizes that updates haven’t been done since WordPress 2.1 and their designer never mentioned a need for them. Contact your designer if you never see update reminders in your Dashboard and ask them to turn them back on.
What if you’re one of those people who built a more or less static website on WordPress? What if you can’t remember the last time you logged into your Dashboard? Unless you have someone doing maintenance for you, you could be making your website an easy target for hacking or hijacking.
Too often people notice the update reminders and mean to do the updates. Maybe they log in to do a blog post and don’t feel they have the time. Maybe they are concerned that the update will cause incompatibility issues or ‘break’ their site, so they put it off, thinking they’ll make sure first. Next thing you know, the site is several updates behind, and that means it’s possible there are security holes. When there are security holes, bad things can happen.
Don’t let bad things happen.
Make sure you keep WordPress, your themes and your plugins up to date. If you don’t have time or don’t feel you are ‘tech savvy’ enough, contact someone like me who offers WordPress maintenance services. Remember, ignoring updates is asking for trouble.