If you have not updated your WordPress website and all of its plugins in the past 30 days, then update them today. Let me repeat myself… update them today! If not, you are playing Russian Roulette with the success of your website. We have seen a sudden increase in websites being compromised and at risk of being turned off by their hosting provider.
Just to clarify, when a hosting provider finds a website on its server that is causing problems (sending spam, serving malware or other malicious activity), they typically request that you correct the issue or they will be forced to turn off the site. While this message is aimed at our clients, it applies to anyone using WordPress.
We have always stressed to our clients the importance of WordPress Maintenance in order to keep “bad” things from happening to their sites. As mentioned, hosting providers will be forced to turn your website off until the site is cleaned. Google will warn you, then possibly remove your website from its search results if it contains malicious scripts.
… Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month.
Over the past 10 years we have helped over 1000 clients set up a WordPress site. In that time, we have only seen 5 clients have their sites compromised. Of those 5, every one had “admin” as their username, used a very simple password and did not keep their site and plugins up to date. It was no surprise to us that they were compromised. Once we realized many clients were not taking the time to update their sites, we decided to start offering our WordPress Maintenance package and put together a tutorial and step-by-step guide for those that wanted to do it themselves. It really isn’t that hard and the basic steps don’t take very long, but you do need to be disciplined and update on a regular basis. We protect our clients by backing up their complete site every night, using secure passwords, and installing and configuring plugins to make their sites more secure than the default setup. Most of the plugins we use are premium (licensed) plugins that offer the best in support, performance and security.
Over this past weekend, two of our clients that have us update their sites regularly had their sites compromised. Among clients whose updates we don’t manage, we have seen nearly 100 sites compromised because WordPress or their plugins were not updated.
Additional Steps to Help Protect Yourself
In light of some recent vulnerabilities, we believe updating plugins and WordPress 4-6 times per year alone may not be enough. Don’t get me wrong…if updated properly, the vast majority of sites are secure. But please remember, nothing is 100% safe so it is important to take reasonable precautions.
As a longtime fan of Sucuri’s Anti-Virus / Malware Removal service (the leader in helping get infected sites back to a healthy state), we started using their Firewall service as an added layer of protection. The Firewall service blocks malicious requests before they even reach your website. So even if you have a plugin that is vulnerable, there is a good chance that Sucuri will protect you until you can get it updated. As of today, none of our clients that have been using the Firewall service have been infected.
In light of these recent events, we have decided to update our company policy and at a minimum, urge all clients to get Sucuri’s Firewall service. Their service is only $10/mo and will help protect your site from getting compromised as well as offering performance optimization (making it faster, by as much as 50% in some cases). In a time when Google values fast sites, this feature alone is worth the $10 in my opinion.
I could go on about how great I believe Sucuri’s service is…but I thought I would simply share their video with you here as I think they do a great job making this easy to understand.
Want to see if anyone has tried to log in to your site and guess your password? With many of our newer sites, log in to your WordPress Dashboard and go to Settings > Limit Login Attempts and look at the number of times someone has tried to log in to your site and been locked out. If you don’t have the plugin installed, contact us for assistance and we can do it for you.
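For those doing their own maintenance, the checks above (outdated core and plugins, the “admin” username, and the lockout count) can be scripted with WP-CLI. This is an added example, not code from the original post or from any plugin; it assumes WP-CLI (`wp`) is installed and is run from the site’s directory, and the `limit_login_lockouts_total` option name is an assumption about where the Limit Login Attempts plugin stores its total.

```shell
#!/bin/sh
# Added example: audit a WordPress install for the three risks the post
# names. Assumes WP-CLI is installed and the script runs in the site root.

# Count plugins with an update available. Takes the CSV produced by
#   wp plugin list --fields=name,version,update --format=csv
# as an argument so the logic can be checked on constructed input.
count_outdated_plugins() {
    # Skip the header row; WP-CLI sets the update column to "available"
    # when a newer plugin version exists, otherwise "none".
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { n++ } END { print n + 0 }'
}

# Succeed (exit 0) if the login list, one user_login per line, contains "admin".
has_admin_user() {
    printf '%s\n' "$1" | grep -qx 'admin'
}

audit_site() {
    plugins="$(wp plugin list --fields=name,version,update --format=csv)"
    logins="$(wp user list --field=user_login)"

    echo "WordPress core:"
    wp core check-update            # prints newer versions, or that core is current

    outdated="$(count_outdated_plugins "$plugins")"
    echo "Plugins with updates available: $outdated"
    [ "$outdated" -gt 0 ] && wp plugin list --update=available

    if has_admin_user "$logins"; then
        echo "WARNING: a user named 'admin' exists; rename it and use a strong password"
    fi

    # Assumed option name for the Limit Login Attempts lockout total.
    total="$(wp option get limit_login_lockouts_total 2>/dev/null || echo 'plugin not installed')"
    echo "Limit Login Attempts lockouts so far: $total"
}

# Run the audit only when explicitly requested, e.g. WP_AUDIT=1 sh audit.sh
if [ "${WP_AUDIT:-0}" = "1" ]; then
    audit_site
fi
```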
– Why Websites Get Hacked
– The Impacts of a Hacked Website
– Understanding WordPress Plugin Vulnerabilities
– Google Analytics Security Update
– Sucuri Case notes regarding Gravity Forms exploit
– WordPress SEO Security release