WordPress is a fabulously convenient and functional blogging platform, but it is very important to understand that it is not a set-and-forget system. Keeping the WordPress core and every other software component in your site (plugins, themes, translations) up to date is key to minimising your site’s exposure to being hacked.
WordPress is popular…
WordPress is used widely for building websites – Wikipedia says it is used by more than 18.9% of the top 10 million websites as of August 2013, and there is no doubt the number is growing – but WordPress is also an easy target for hackers, especially if it has not been updated.
Despite its apparent simplicity, WordPress has evolved into a sophisticated system. Add perhaps 10 plugins and a theme to the core WordPress software and your website becomes a complex software environment, with plenty of scope for hackers to find an exploitable flaw in any one of those components and then gain access to, or otherwise compromise, your site.
It’s open source…
Part of WordPress’ appeal is that it’s ‘free’ – it is ‘Open Source’ software put together by a committed team of enthusiasts – but that also means the internal workings are publicly available for everyone, hackers included, to review and explore. When an update is published, anyone can compare the new code with the old and see exactly which flaw was fixed, so a security fix doubles as a how-to for attacking sites still running the older version of WordPress, a plugin or a theme. Hackers load this information into their scanning software and go hunting for potential victims. Bear in mind that a stock WordPress install advertises its version number, in the “generator” meta tag of every page and in the readme.html file in the site root, so an unpatched site is easy to pick out of a scan.
Trusting your neighbours…
Often hackers use an exploit against one website to gain a foothold on the web server, then move from account to account inside that server.
Some web servers host hundreds of co-located websites, so there is a much greater chance that at least one of them is exposed to hackers, which in turn leaves your site exposed as well.
So it is not only your own site that has to be kept up to date: all of the websites in your ‘neighbourhood’ need to be kept up to date too, and your host needs to keep the accounts properly isolated from one another, for optimal hacker protection.
BTW You have no friends if you get hacked…
Succinct Ideas have developed a reputation for de-hacking WordPress, so I get quite a few calls from desperate website owners. My experience is that web hosts are unlikely to assist other than by blasting your site away and restoring from your backup. Backup?! You keep a library of recent off-line backups of your site. Right?! If you haven’t got a recent off-line backup then you’re in a real pickle.
Often website owners rely on their web developer, who may not have skills in this area, or they may not have a website maintenance provider at all.
If that’s you, you may be interested in our Website Concierge Service.
If you have a hacked WordPress site then by all means contact us.
Please note that how much we can assist depends on having access to a recent backup.
Updates aren’t always easy
Some tips for young players who might think WordPress updates are trivial:
- Sometimes an update will break your site.
Occasionally an update will not be compatible with other software in your site and will break the site.
Plugins usually provide compatibility information, but theme updates can be problematic, especially if the theme has been customised directly rather than through a child theme, because the update overwrites the theme’s files and those customisations with them.
I find the best approach is to review the update(s) and their support information; take a site backup (files and database); then run the update(s) and check the site for correct operation. If you have a staging copy of the site, run the updates there first.
90% of the time you’ll be fine. On the other occasions be prepared to restore the backup, refer to your website maintenance people and/or generally panic 😉
- When to do updates
WordPress automatically switches into maintenance mode while an update is running, by writing a .maintenance file to the site root. Visitors to your site will see a message that the site is briefly unavailable for scheduled maintenance and should check back in a minute.
As some people may not come back later, I’d suggest carefully planning WHEN you run the updates. Don’t run updates during the site’s peak activity hours – typically between 10am and 4pm.
If your update crashes (it happens) the .maintenance file is left behind and the site is effectively offline. WordPress stops honouring that file after about ten minutes, but a half-applied update usually leaves the site throwing errors instead, and it can stay that way for days until someone notices. If you are sure no update is still running, deleting the .maintenance file from the site root is the first thing to try; if the site is still broken, that is when the backup earns its keep.
- Updating Premium Plugins and Themes
There are lots of excellent premium plugins and themes available to make your site look fabulous or give it amazing functionality.
These may require manual update downloads, with a password or other proof of your entitlement to the premium licence, and so will not update through the normal WordPress update system.
Check with your web dev whether they have used a premium theme or plugin and clarify the update procedure with them.
Of course, ensure you have access to the premium licence key or serial number.
- Automatic Updates aren’t always automatic
WordPress 3.7 introduced automatic background updates for the WordPress core software. By default only minor releases (maintenance and security fixes, e.g. 3.7 to 3.7.1) are applied automatically, and plugin and theme updates are not included at all, so it’s important to continue to monitor your site’s update status.
Sometimes an automatic update won’t run properly, for example because the server ran out of disk space or because of file permission problems on the web server. WordPress will also skip background updates entirely if it cannot write to its own files as the web server user (if the Dashboard asks you for FTP details when you update, this is you), or if the install is checked out from version control.
The automatic updater sends an email to the site’s admin email address to let you know the update completed, or, if it didn’t, what happened.
If you aren’t receiving these emails, check with your web dev, and check which address is set under Settings | General.
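As an added example (written for this post, not WordPress’s own code and not from the original article), here is a must-use plugin that sets the update policy described above using the filters WordPress 3.7 introduced alongside background updates. The filter and constant names are WordPress’s own; the file name, the ‘fragile-gallery’ plugin slug and the updates@example.com mailbox are assumptions for illustration. Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be deactivated from the Dashboard. It also covers the ‘Who is receiving your WordPress Admin notices?’ point below, by routing the update emails to a monitored mailbox.

```php
<?php
/**
 * Plugin Name: Update policy (added example)
 * Description: Opt plugins and themes into WordPress 3.7 background updates and
 *              route the result emails to a monitored mailbox.
 *
 * File: wp-content/mu-plugins/update-policy.php (assumed location).
 */

// The weak setting: either of these disables every background update, core
// included. Some hosts and "security" snippets do this; if you find one in a
// site, you are back to updating everything by hand.
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );
//   add_filter( 'automatic_updater_disabled', '__return_true' );

// Core. The default applies minor (maintenance and security) releases only,
// the same as define( 'WP_AUTO_UPDATE_CORE', 'minor' ) in wp-config.php.
// Allowing major releases as well is equivalent to WP_AUTO_UPDATE_CORE = true.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins are never auto-updated unless you say so. $item is the update object
// WordPress built from its api.wordpress.org check; $item->plugin is the plugin
// file relative to wp-content/plugins/, e.g. 'akismet/akismet.php'.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	// Hypothetical: a plugin known to break on update stays manual, so it can
	// be tested against a backup first (see "Sometimes an update will break your site").
	$manual_only = array( 'fragile-gallery/fragile-gallery.php' );
	if ( in_array( $item->plugin, $manual_only, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

// Themes likewise. Only safe if customisations live in a child theme,
// because a theme update overwrites the theme's files.
add_filter( 'auto_update_theme', '__return_true' );

// Background updates email the Settings | General admin address by default.
// Send them to a mailbox someone actually reads (assumed address) and make
// failures stand out. $type is 'success', 'fail', 'manual' or 'critical'.
add_filter( 'auto_core_update_email', function ( $email, $type, $core_update, $result ) {
	$email['to'] = 'updates@example.com';
	if ( 'success' !== $type ) {
		$email['subject'] = '[ACTION NEEDED] ' . $email['subject'];
	}
	return $email;
}, 10, 4 );
```

None of this helps if the updater never runs: WordPress only attempts background updates when it can write its own files directly as the web server user and the install is not a version-control checkout, so after adding the policy confirm that the next minor core release actually produces a ‘Your site has updated’ email.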
WordPress Update Takeaways:
- Check if your WordPress site is up to date:
Log into your WordPress site’s Dashboard and check the Updates section under Dashboard | Updates.
The number of outstanding updates is shown in a red circle next to the menu item, and the updates themselves are listed on the Updates page.
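For sites you look after from the command line, or want a cron job to keep an eye on, here is an added example script, written for this post rather than taken from WordPress, that asks WordPress itself what is outstanding. Every function it calls is a standard WordPress function, the same ones the Dashboard | Updates screen uses. It assumes a single-site install and that the file is saved in the site root next to wp-load.php; the file name check-updates.php is an assumption.

```php
<?php
/**
 * check-updates.php: list pending core, plugin and theme updates from the CLI.
 * Added example for this post. Run from the site root:  php check-updates.php
 * Exit status is 0 when everything is current and 1 when updates are pending,
 * so a cron job or monitoring system can alert on it.
 */

// Bootstrap WordPress (loads wp-config.php, the database and active plugins).
// Assumes this script sits next to wp-load.php in a single-site install.
require __DIR__ . '/wp-load.php';

// The update helpers live in wp-admin and are not loaded outside the Dashboard.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
require_once ABSPATH . 'wp-admin/includes/update.php';

// Refresh WordPress's cached answers from api.wordpress.org. These respect the
// built-in rate limit, so a cached result may be up to 12 hours old.
wp_version_check();
wp_update_plugins();
wp_update_themes();

$pending = array();

// Core: response is 'latest' when current, 'upgrade' when a newer release exists.
// get_core_updates() returns false if no check has succeeded yet; cast to array.
foreach ( (array) get_core_updates() as $update ) {
	if ( 'upgrade' === $update->response ) {
		$pending[] = sprintf( 'core    %s -> %s', $GLOBALS['wp_version'], $update->current );
	}
}

// Plugins: keyed by plugin file, e.g. 'akismet/akismet.php'; update data is an object.
foreach ( get_plugin_updates() as $file => $plugin ) {
	$pending[] = sprintf( 'plugin  %s %s -> %s', $file, $plugin->Version, $plugin->update->new_version );
}

// Themes: keyed by stylesheet directory; update data is an array here.
foreach ( get_theme_updates() as $stylesheet => $theme ) {
	$pending[] = sprintf( 'theme   %s %s -> %s', $stylesheet, $theme->get( 'Version' ), $theme->update['new_version'] );
}

if ( empty( $pending ) ) {
	echo "OK: WordPress {$GLOBALS['wp_version']}, plugins and themes are up to date\n";
	exit( 0 );
}

echo 'WARNING: ' . count( $pending ) . " pending update(s)\n" . implode( "\n", $pending ) . "\n";
exit( 1 );
```

If the Dashboard shows updates that this script does not (or vice versa), check that the wp-load.php path is right and that the server can reach api.wordpress.org: a host that blocks outbound HTTP also blocks the Dashboard’s own update checks, and the site will look ‘up to date’ when it is not. Premium plugins and themes that update outside the WordPress system will not appear in either place.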
- Who is receiving your WordPress Admin notices?
There is a range of important (and some less important 😉) notices that WordPress emails to the admin email address, including the reports from automatic updates mentioned above.
Log into your Dashboard and go to Settings | General to check where these notices are currently being sent.
Ensure that the email address is checked regularly and that the recipient understands there may be important messages coming through.
- Find your web server neighbours:
Use a reverse IP lookup website to find the co-located websites on the same IP address as yours.
NB This is not a complete list: the web server likely has multiple IP addresses, and a reverse IP service only knows about domains whose DNS it has already indexed.
If there are some dubious-looking co-located sites, you might want to discuss this with your web host, perhaps even ask to be moved to a more secure server.
If they aren’t prepared to help you then contact us to see if we can help out with our Website Concierge Service