WordPress Website Security Issues

March 12, 2018 Michael Kennon

All of you reading this important post are most likely registered as Administrative Users on one or more WordPress websites hosted by Parnassus Creative or Kennon-Design.

As valued clients of our website services, the security and integrity of your website are very important to us.

WordPress-based websites are becoming more and more popular. As their number has grown, they have increasingly become targets for hackers and others with nefarious motives who want to gain access to your site.

We have made every reasonable effort to protect our clients’ websites from these attacks. The items listed below have been added to their sites where appropriate.

Blocking access to the site for visitors located in countries known as ‘safe harbors’ for hackers; for example, many sites are blocking all visitors located outside of the United States. This can be adjusted to allow visitors from countries (or certain IP addresses) you want to give access to your site. NOTE: one of the hacker attacks we’ve encountered this year originated from locations within the Russian Federation.
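The country block with per-address exceptions described above can be expressed as a small policy check. The following is an added example written for this post, not code from the original article or from the hosting setup it describes; the country lookup table is a constructed stand-in for a real GeoIP database, and the allowed countries and allow-list entries are illustrative assumptions. Unknown locations are treated as denied (fail closed), which is the safer default for a block list.

```python
"""Country block list with an explicit IP/CIDR allow list (added example)."""
import ipaddress

# Constructed stand-in for a GeoIP lookup (network -> ISO country code).
# These are documentation/test ranges, not real geolocation data.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",     # TEST-NET-1, constructed
    ipaddress.ip_network("198.51.100.0/24"): "RU",  # TEST-NET-2, constructed
    ipaddress.ip_network("203.0.113.0/24"): "CA",   # TEST-NET-3, constructed
}


def lookup_country(ip):
    """Return the two-letter country code for ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


class AccessPolicy:
    """Allow by explicit address first, then by country; deny everything else."""

    def __init__(self, allowed_countries, allow_list=()):
        self.allowed_countries = set(allowed_countries)
        # strict=False lets an operator write "203.0.113.7/32" or a host address.
        self.allow_list = [ipaddress.ip_network(n, strict=False) for n in allow_list]

    def decide(self, ip):
        """Return (decision, reason) for a visitor address."""
        addr = ipaddress.ip_address(ip)
        # 1. An explicit allow-list entry wins regardless of country.
        if any(addr in net for net in self.allow_list):
            return "allow", "allow-list"
        # 2. Otherwise the visitor's country must be on the allowed list.
        country = lookup_country(ip)
        if country in self.allowed_countries:
            return "allow", f"country {country}"
        # 3. Default deny, including addresses whose location is unknown.
        return "deny", f"country {country or 'unknown'}"


if __name__ == "__main__":
    # Illustrative policy: US-only, plus one Canadian address given access.
    policy = AccessPolicy(["US"], allow_list=["203.0.113.7/32"])
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.7", "203.0.113.8", "10.0.0.1"):
        print(ip, *policy.decide(ip))
```

In a real deployment the `lookup_country` stub would be replaced by a GeoIP database query, and the denied decisions should be logged so that repeated attempts from one network are visible to whoever monitors the site.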

Added malware protection to sites where attacks have taken place. This feature is not automatically added to all sites, as it costs $3 extra per month; you must specifically request this service. Though this might seem like closing the barn door after the horses got out, the monitoring process is normally quick enough to shut down a code-insertion hack by taking the site offline and notifying us so the site can be repaired. It is also a well-known fact that a site hacked once will be the target of another attempt.

Frequent whole-site backups with off-site archiving of the backup files. This step is an important part of fixing a hacked site: a known-good backup is in many cases the fastest way to restore a hacked or broken site.

Regular monitoring and installation of WordPress core and plugin updates. Missing updates are a frequent root cause of hackers’ ability to gain access to a site. As WordPress and plugin developers discover vulnerabilities in their software they roll out security fixes fairly quickly, which is why it is important to install the latest updates as they become available. Plugins that have not been updated by their developers in more than a year may be vulnerable to hackers.

Monitoring of new user registrations on sites where registration is allowed, and taking action where appropriate. In one instance a site hosted by us was getting a large number of new user registrations generated by bots. The IP addresses associated with the submitted email addresses were all located in the Russian Federation.
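The bot-registration pattern described above (many sign-ups in a short time from one network, often with the same email domain) is easy to spot once registrations are logged. The following is an added example, not code from the original post or from the hosting setup it describes; the log format and the sample log lines are constructed for illustration, and the window and threshold values are assumptions to tune per site. It groups registration events by /24 network and by email domain and flags any group that exceeds the threshold within a sliding time window.

```python
"""Detect bursts of new-user registrations from one network or email domain (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format assumed for this example:
#   <ISO-8601 UTC timestamp> register user=<login> email=<address> ip=<address>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) register user=(?P<user>\S+) email=(?P<email>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: one burst of six bot sign-ups within five minutes,
# two ordinary registrations hours apart, and one unrelated login line.
SAMPLE_LOG = [
    "2018-03-10T08:15:02Z register user=jane email=jane@example.org ip=192.0.2.44",
    "2018-03-10T14:02:11Z register user=qx81 email=qx81@bot-mail.example ip=198.51.100.12",
    "2018-03-10T14:02:35Z register user=kd93 email=kd93@bot-mail.example ip=198.51.100.12",
    "2018-03-10T14:03:10Z register user=tr07 email=tr07@bot-mail.example ip=198.51.100.40",
    "2018-03-10T14:04:48Z register user=vb55 email=vb55@bot-mail.example ip=198.51.100.77",
    "2018-03-10T14:05:02Z register user=pl22 email=pl22@bot-mail.example ip=198.51.100.9",
    "2018-03-10T14:06:30Z register user=mn61 email=mn61@bot-mail.example ip=198.51.100.101",
    "2018-03-10T14:31:00Z login user=jane ip=192.0.2.44",
    "2018-03-10T19:40:19Z register user=bob email=bob@example.org ip=192.0.2.90",
]


def parse_registrations(lines):
    """Turn raw log lines into registration events; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "email": m["email"],
            "ip": m["ip"],
        })
    return events


def _network_key(event):
    # Group IPv4 addresses by their /24 (assumption: registrations are IPv4).
    return str(ipaddress.ip_network(event["ip"] + "/24", strict=False))


def _domain_key(event):
    return event["email"].rsplit("@", 1)[-1].lower()


def max_in_window(times, window):
    """Largest number of timestamps falling inside any window-sized interval."""
    times = sorted(times)
    start, best = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {(kind, key): count} for groups with >= threshold sign-ups in one window."""
    alerts = {}
    for kind, key_fn in (("ip_block", _network_key), ("email_domain", _domain_key)):
        groups = defaultdict(list)
        for event in events:
            groups[key_fn(event)].append(event["ts"])
        for key, times in groups.items():
            count = max_in_window(times, window)
            if count >= threshold:
                alerts[(kind, key)] = count
    return alerts


if __name__ == "__main__":
    for (kind, key), count in find_bursts(parse_registrations(SAMPLE_LOG)).items():
        print(f"ALERT {kind}={key}: {count} registrations within 10 minutes")
```

A hit on either grouping is a reason to review the new accounts and, as the post describes, to block the offending network or temporarily close registration; the two ordinary sign-ups never come close to the threshold, so they generate no alert.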

We’ve also taken more steps to secure our clients’ websites. I’ll not go into specifics about these fixes here, but if you want to know what they are please ask me.

What more can you do?

We suggest the use of strong passwords for any user with access to your site’s Dashboard. You may also want to change your own passwords at least once a year, if not more often, and especially if you notice any suspicious activity on your site or your computer.

Never share your usernames and passwords unless the person you’re sharing them with has a legitimate need to know.

Clear your computer’s web browser cookies and history every so often. I know this can be a pain because after clearing them, every site you visit will behave as though it were your first visit. The super-paranoid just disable all cookies on their computers, forgoing the convenience of having sites recognize them when they visit.

Keep your computer’s antivirus protection updated and scan your system on a regular basis.

Be smart about your own web surfing and emails. There are many resources to help you learn what safe practices are so I’ll not go into this here.

In today’s World Wide Web there are people whose only purpose in life is to steal from others – they will find a way to steal from you! Recognize that there is no completely safe place to store sensitive data; you can only make it more difficult to reach for those you want to deny access. Be smart by keeping what’s yours as safe as you can make it.