Security is a facet of web development often overlooked by small companies.
According to w3techs.com, WordPress powers 28.4% of all websites, which is a content management system (CMS) market share of 59.3%. WordPress is a CMS that focuses on the user, lets the site owner make edits after development, and provides an organized development process that lowers production costs. However, because it is so widely used, its security vulnerabilities are often overlooked. Many small companies don’t perceive themselves as being under threat of an attack, and don’t give security strong consideration when developing a site. I’ll explain why that’s a bad idea.
Common WordPress Vulnerabilities and Mistakes
Security in WordPress is only as good as the developer makes it. When you start a website from scratch, WordPress may ship with a few anti-spam plugins, but nothing to help you against some of the oldest, best-known vulnerabilities, including:
1). Brute Force
By default, WordPress includes no protection against repeated login attempts. This means that any attacker can write a script that guesses your username and password without repercussion. The script will try combination after combination, starting with the most common ones (so have a unique password!). However, plugins such as Login LockDown, iThemes Security, and Sucuri Security provide options to limit the number of login attempts from one IP. After a pre-set number of failed login attempts, these plugins automatically ban the attacker’s IP for an increasing length of time. The more failed attempts, the longer the attacker is locked out.
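The escalating lockout those plugins apply is easy to picture as code. The following is an added example, not code from the post or from any of the plugins named; it is an in-memory Python model (a real WordPress plugin would be PHP and would persist the counters between requests). The limits, the doubling rule, and the IP addresses are constructed for illustration.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions, not any plugin's defaults):
MAX_FAILURES = 5            # failures allowed before the first lockout
BASE_LOCKOUT_SECONDS = 60   # first lockout lasts one minute
MAX_LOCKOUT_SECONDS = 24 * 3600  # cap so the doubling never becomes permanent


class LoginThrottle:
    """Tracks failed logins per client IP and locks out repeat offenders.

    Each lockout lasts twice as long as the previous one for that IP,
    up to MAX_LOCKOUT_SECONDS. `clock` is injectable so the logic can be
    exercised without waiting in real time.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)   # ip -> consecutive failures since last lockout
        self.lockouts = defaultdict(int)   # ip -> how many lockouts already applied
        self.locked_until = {}             # ip -> unix time when the lockout ends

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        return until is not None and self.clock() < until

    def seconds_remaining(self, ip):
        if not self.is_locked(ip):
            return 0
        return int(self.locked_until[ip] - self.clock())

    def record_failure(self, ip):
        """Count one failed password check. Returns the lockout length applied, or 0."""
        self.failures[ip] += 1
        if self.failures[ip] < MAX_FAILURES:
            return 0
        n = self.lockouts[ip]
        duration = min(BASE_LOCKOUT_SECONDS * (2 ** n), MAX_LOCKOUT_SECONDS)
        self.lockouts[ip] = n + 1
        self.failures[ip] = 0
        self.locked_until[ip] = self.clock() + duration
        return duration

    def record_success(self, ip):
        """A genuine login clears the IP's history entirely."""
        self.failures.pop(ip, None)
        self.lockouts.pop(ip, None)
        self.locked_until.pop(ip, None)


def attempt_login(throttle, ip, password_ok):
    """Gate a login: refuse while locked (even with the right password),
    otherwise record the outcome. Returns 'locked', 'success', 'failed'
    or 'locked_out' (this failure triggered a new lockout)."""
    if throttle.is_locked(ip):
        return "locked"
    if password_ok:
        throttle.record_success(ip)
        return "success"
    return "locked_out" if throttle.record_failure(ip) else "failed"


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(MAX_FAILURES):
        print(attempt_login(t, "203.0.113.9", False))  # constructed attacker IP
    print("locked for", t.seconds_remaining("203.0.113.9"), "seconds")
```

Note that the gate runs before the password is checked, so a correct guess made during a lockout is still refused; that is what turns a guessing script from "free" into slow and noisy.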
2). Not having two-step Authentication
In the event that an attacker obtains your login information, whether through a fault in your database, brute force, or any other attack, two-step authentication requires the attacker to also gain access to your phone in addition to your password. Plugins such as Google Authenticator allow you to set up two-step verification on your account. Even if two-step is enabled only on your administrator account and not on every user’s account, it may serve as a great last-ditch effort when fending off an attacker who is trying to gain access to your entire site.
3). Out of date plugins
As we mentioned previously, WordPress is the most commonly used content management system on the web. This means that there are countless plugins available, and that the most commonly used plugins are often exploited. Although the creators of a plugin quickly patch the flaw, not all users immediately update. Because of this, a strong login defense may not be enough. If you install plugins that minimize the risk of your login being compromised, an attacker may instead look at your plugins by directory indexing and browsing. This feature is not disabled by default in WordPress, which means that anyone can view your file directory and find any out-of-date plugins you may have installed. I recommend wpbeginner.com’s article on disabling directory browsing, in addition to constantly keeping your plugins updated.
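Keeping plugins updated starts with knowing what is installed and at which version. As an added example (not code from the post or from WordPress itself), the Python below reads the header comment WordPress uses at the top of a plugin's main PHP file, pulls out `Plugin Name` and `Version`, and compares each against a list of latest releases. The two plugin files and the "latest versions" table are constructed inline; in practice the latest versions would come from the WordPress.org plugin API, and the version comparison here is a simple numeric-dotted scheme, an assumption that does not cover every vendor's versioning.

```python
import re

# Constructed sample plugin main files. WordPress reads these header lines
# from the comment block at the top of the plugin's main PHP file.
SAMPLE_PLUGIN_FILES = {
    "contact-form/contact-form.php": """<?php
/*
Plugin Name: Contact Form (sample)
Version: 1.4.2
*/""",
    "gallery/gallery.php": """<?php
/**
 * Plugin Name: Gallery (sample)
 * Version: 3.0.0
 */""",
}

# Constructed "latest released" versions (assumption: stand-in for a feed
# you would fetch from the WordPress.org plugin API).
LATEST_VERSIONS = {
    "Contact Form (sample)": "1.5.0",
    "Gallery (sample)": "3.0.0",
}

# A header line may be prefixed by comment decoration such as " * " or "/*".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} for the first occurrence of each."""
    fields = {}
    for key, value in HEADER_RE.findall(source):
        fields.setdefault(key, value)
    return fields


def version_tuple(version: str) -> tuple:
    """Split '1.4.2' into (1, 4, 2) so tuples compare numerically.
    Non-numeric parts (e.g. 'beta') count as 0: a simplifying assumption."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_outdated(plugin_files: dict, latest: dict) -> list:
    """List (name, installed, newest) for every plugin behind the latest release."""
    outdated = []
    for path, source in plugin_files.items():
        header = parse_plugin_header(source)
        name, installed = header.get("Plugin Name"), header.get("Version")
        if not name or not installed:
            continue  # not a recognisable plugin main file
        newest = latest.get(name)
        if newest and version_tuple(installed) < version_tuple(newest):
            outdated.append((name, installed, newest))
    return outdated


if __name__ == "__main__":
    for name, installed, newest in find_outdated(SAMPLE_PLUGIN_FILES, LATEST_VERSIONS):
        print(f"{name}: installed {installed}, latest {newest}")
```

Run against a real `wp-content/plugins` tree, the same parser gives the inventory an attacker would otherwise reconstruct from a directory listing, which is exactly why that listing should be turned off and the inventory kept current.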
4). Human Error
Like I said before, WordPress security is only as good as the developer makes it. Having a developer who actively keeps up with plugin and WordPress core updates is absolutely essential. No matter how self-regulating you make a WordPress site, there’s a strong chance that it is still vulnerable. Small mistakes such as keeping the default database table prefix, having a simple password, and not taking the time to install security plugins that prevent the most basic exploits, such as brute-forcing a login, are plain human error. Be sure to trust your developer, and if you’re the developer, make sure not to ignore security when building your site. It’s important.
Why target my company? What’s to gain?
We live in a day and age where just about anything digital can be sold off to the highest bidder, even for fractions of a penny. Attackers may target large numbers of small, unsuspecting companies that have practically no web security rather than one large, well-secured company that would be worth a lot more.
That being said, a little bit of security can go a long way. If a hacker plans on gathering data from hundreds of small sites, having even the smallest amount of defense against the most common vulnerabilities can go a long way; it’s likely your site will be passed over for one that is easier to exploit.
Securing trust with Clients
Another reason for security is the trust it instills in a client. A website is only as good as its security, so never sacrifice security for a better design. By pitching security options in addition to a great design, a potential buyer looking to invest in a website will have more confidence in your firm to deliver. WordPress focuses on the user as much as it focuses on the developer. It’s a great platform for clients, but it’s only as good as the developer makes it.
Develop and market as your heart desires, but keep in mind that there are users out there with malicious intent.
WordPress is a system of default convenience rather than default security, but with the right precautions, any site can put up a fight.