“1. My readers have let me know that when they click on linkhere.com they get a message saying I have a virus. What can I do?”
“2. [I've sent them a notice that our monitoring partner has alerted us to a problem and we're dealing with it.] What’s wrong? Does this mean I have a virus?!?!”
“3. Google has blasted my site with the big red warning screen – I’m panicking!! What do I do?”
“4. How can this happen!?!?”
WordPress Security vs. The Bad Guys
Imagine a huge plate of spaghetti noodles piled high on a serving platter. For our illustration that will represent the internet.
“Malware” is simply anything that does harm to your particular noodle.
Malware is not looking for your noodle in particular. It is simply looking for any website, on any computer that might have left the door open a crack for it to get in and do damage. And you’re right – there are no doors in noodles. The analogy breaks down a bit here.
My point is that it isn’t personal – this is not a targeted attack destined to do you damage, although it can feel like it.
Is WordPress Secure?
In other words, is it WordPress’s fault that you have had this trouble?
Let me pose a hypothetical question: What are the chances of my reputation being ruined by a past indiscretion?
The answer is not much! And not because I’ve been angelic, but because no one cares!
What about the Prime Minister? (er… or President, I think you call him.) More people care about his reputation than they do about mine, or so I’ve been told.
To summarize, if you are popular, more people care, and somehow find it entertaining or challenging to dig up juicy bits. The same is true for WordPress – it is insanely popular. So there are those silly people who find it somehow entertaining to challenge its security.
On the flip side, because it is so huge, and because WordPress is ‘open source’, it’s backed by hundreds of developers and thousands of contributors all making it better and more secure by the day.
Literally – by the day. It’s mind-boggling.
So is it secure? I see it like a race. Just as fast as the evil minions can come up with malware, WordPress is fighting to become impenetrable. And yes, I’m betting on WordPress and a few best practices.
Don’t stop reading now!
Back Doors: escaping unscathed
Have you seen the movies with the teenage boy climbing out the top-floor window of his girlfriend’s bedroom? It’s dark. A twig snaps. Shortly after, Daddy comes out the front door with a shotgun. We root for the fellow to escape unharmed and true love to prevail. I always picture this scenario when talking about back doors. Except we’re not letting an unsung hero escape our bedroom window; we’re letting a virus out and leaving an opening for it to return later.
Back doors are the pieces of code that leave little holes for the malware to come back later. It’s essential you get these out of your website too.
Best Practices for WordPress Security
Items for your geeky brother/sister/husband/wife: Make sure your computer is secure (use anti-virus software, use 2 if possible). Make sure your network is secure (use a firewall).
Items for you: Passwords need to be changed and random for admin users, FTP users, and MySQL users.
Make sure all your passwords are randomly generated.
SB: You know that I have over 1,000 passwords that you’ve given me, right? When ‘they’ say that people use passwords like their names, children’s names, birthdays, and words like “adm1n” and “passw0rd” they are RIGHT!
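As an added illustration of the password advice above (example code, not from the original post or from Sucuri), here is a small Python audit that flags the kinds of passwords named here (short ones, dictionary words in leet spelling such as adm1n or passw0rd, personal names, birthdays) and generates replacements from the operating system's random source. The account names, word list and sample passwords are constructed for the example.

```python
import re
import secrets
import string

# Leet substitutions that turn "admin" into "adm1n" or "password" into "passw0rd";
# undoing them lets us compare a password against the plain dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample of words an attacker tries first (a real list is far longer).
COMMON_WORDS = {"admin", "password", "wordpress", "letmein", "welcome", "qwerty"}

SHORT = "shorter than 12 characters"
DICTIONARY = "dictionary or personal word (plain or leet spelling)"
DATE = "looks like a birthday or date"


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions so 'Passw0rd' becomes 'password'."""
    return pw.lower().translate(LEET)


def weak_reasons(pw: str, personal: frozenset[str] = frozenset()) -> list[str]:
    """Return why a password is weak; an empty list means it passed every check."""
    reasons = []
    if len(pw) < 12:
        reasons.append(SHORT)
    # Strip trailing digits first ("admin123"), then undo leet ("adm1n").
    stripped = normalize(pw.rstrip(string.digits))
    if stripped in COMMON_WORDS or stripped in {p.lower() for p in personal}:
        reasons.append(DICTIONARY)
    # Separated (1985-03-12, 12/03/85) or run-together (12031985) dates.
    if re.fullmatch(r"\d{2,4}[-/.]\d{2}[-/.]\d{2,4}|\d{6,8}", pw):
        reasons.append(DATE)
    return reasons


def generate_password(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG via secrets, never random.random()."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require a mix of classes and re-run our own checks before accepting it.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and not weak_reasons(pw)):
            return pw


def audit(accounts: dict[str, str], personal: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Check each account (admin, FTP, MySQL, ...) and return only the weak ones."""
    return {name: r for name, pw in accounts.items() if (r := weak_reasons(pw, personal))}
```

Run `audit` over the admin, FTP and MySQL credentials and replace every flagged entry with the output of `generate_password`.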
Items you might want help with: Make sure your WordPress, Plugins, and Themes are all updated and from reputable sources (use as few as possible). See our WordPress Upgrade Page for details.
78% of malware cases can be attributed to an outdated WordPress core or outdated plugins/modules! (source)
#1 Tip for WordPress Security
Get your website on these guys’ automatic scanners. They clean out and harden sites. Install the server-side monitoring and the WordPress plugin that comes in the dashboard after logging in. Proudly display the ‘secured by Sucuri’ badge in your footer to increase reader confidence.
I used to charge by the hour to manually clean out sites. This can be an arduous process and an unexpected $200 – $300 bill! Sucuri’s annual (yes, that’s annual) charge of $90 is a STEAL.