WordPress is the most popular website platform that is used (and is easy to use). Originally it was known for blogging, but in recent years, it has evolved to become a powerful CMS (Content Management System).
Research shows that they powered 35% of the internet, mainly due to its tremendous ease-of-use and the fact that it doesn´t require coding. Check our article around why we use WordPress to build our customised websites.
However, this popularity has also made it a popular target for hackers. That is why in this article we will aim to break it down for you so you get a clear understanding of the website security risks and how to address them.
- What are the security risks?
- SSL Certificates
- On-site security factors
- Off-site security factors
- Backup procedures and schedules
- Password protection
So without any further due, let’s get cracking!
What Are The Security Risks Online?
Hackers typically want to get access to sensitive information, to redirect people to chosen locations, to perform actions on behalf of users, to impersonate a user, get geolocation data, and even specific files.
That’s why we want to protect ourselves and our users as ultimately it’s not a good experience and Google takes this very seriously on their ranking factors.
So let’s unravel some of the main risks online:
# 1 Cross-site scripting
Then the hacker can access sensitive information in cookies and impersonate that user or perform actions on behalf of the user, or send the user to a destination they choose.
You definitely want to avoid this for your users.
#2 Session Hijacking
Each unique user is assigned a “session” when they login to a website. Session hijackers will jump into the session of another user, reading information as it passes between the user and the server.
#3 Parameter Manipulation
Websites often pass information from one web page to the next through URL parameters. For example, if you search on Google, your search terms will be passed to the results page through the URL. A hacker can take advantage of this fact to rewrite these parameters in harmful ways.
#4 Buffer Overflow
A buffer is a small amount of space allotted to store data. If a buffer is overloaded, the extra data will overwrite data in other areas. Hackers have exploited this knowledge to overfill a buffer, then overwrite other data with their own malicious code.
Denial of Service- Denial of Service attacks are simple but effective. They operate by overwhelming a site with requests for information, severely slowing the operation of a website or bringing it down entirely.
#5 SQL Injection
SQL injection works similarly to cross-site scripting; in this case, however, it is malicious SQL statements that are inserted into the site. These statements are intended to manipulate the database in some way- either accessing sensitive data, or deleting it entirely, causing major headaches for the owners.
On- Site Security Factors
HTTP vs HTTPS
HTTP (HyperText Transfer Protocol) is the protocol over which data is sent between your browser and the website that you are connected to.
The ¨S¨at the end of HTTPS stands for secure. It means all communications between your browser and the website are encrypted.
HTTPS is the standard now, you need to have https in all your websites and to do that you need to get an SSL Certificate.
What is an SSL Certificate?
SSL Certificates are small data files that digitally bind a cryptographic key to an organization´s details, so it ensures the identity of a remote computer.
When its installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser
SSL Certificates bind together:
- A domain name, server name or hostname.
- An organization identity (i.e. company name) and location. It gives a level of realness to the website
What Google Says About HTTPS?
Google encourages us to adopt HTTPS in order to protect user’s connection to our website.
Below is a snapshot of a ¨not secure¨http site vs a ¨secure¨https one:
Google basically want to see three levels of protection:
#1 Encryption- encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages, or steal their information.
#2 Data integrity- data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected
#3 Authentication- proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
How to get your site secured with https?
You need a security certificate installed. You can typically get free SSL Certificates that cover multiple domains.
On some hosting this means going to a third party certificate provider, purchasing the certificate and then getting it installed on your server.
Sometimes if you transfer your site from http to https some images or files are not updated, so your site will be flagged as potentially risky and show the red lock in the address bar. You can utilise a plugin (Really Simple SSL Plugin) to quickly fix this!
If you want to check your site is all over to https, or why your site isn’t showing a green padlock, put the URL into whynopadlock.com
Other On-Site Security Factors To Be Across
# Brute force attacks, malware injection, hacking
Usually, this is because you got an out of date WordPress installation, out of date plugins, and out of date themes. This is crucial so you should ensure to delete any stuff you are not utilising.
Our solution to this is to install Wordfence Security Plugin.
It Keeps plugins and themes up to date- or warns you if you have on-site security risks. Protects against blunt attacks, can add firewall and blocking.
- You should have automatic back-ups running (at least once a month). Make sure to have a decent history (3 months worth).
- You can also store a copy of the server – either download it manually or send to dropbox/google drive.
- We recommend UpdraftPlus as a plugin
Off-Site Security Factors
These typically mean things that are not within your control in your website.
Want to know the biggest off-site security factor in your website….?
- Having weak passwords
- Avoid clicking on links to log in to things
- Not opening suspicious emails or click on strange-looking URL´s especially on mobile phones
- Don´t download software that you didn’t search for- always research reviews first!
- Ensuring to update any software you have and deleting anything you are not using.
A good rule of thumb is to delete anything you are not using.
We recommend utilising Lastpass, which is a free tool, and its awesome. It keeps all your passwords in one place so you can store all that information.