The recent Panama Papers data breach seems to have more than a few political leaders trying to explain their offshore investments, or in some cases, forced to resign because of the exposure’s embarrassment. While I am not at all suggesting that you have anything to fear from such exposures, the manner in which the law firm Mossack Fonseca was hacked might have you sit up and take notice.
According to WordPress security vendor Wordfence, the attack was enabled via an outdated plug-in (Revolution Slider) that is very popular with WordPress-run websites. Our own website, plus those of some organisations (and more than a few schools) that we know of, use WordPress as the basis of their sites. And why not? A W3Techs report states that 57% of websites that use a content management system (CMS) are using WordPress, and that nearly 25% of all websites use WordPress. It’s popular, fairly easy to use (especially for updating portions of your website), and has a huge ecosystem of third-party plug-ins and themes that add all kinds of flexibility and panache to your site.
The problem is that adding all of these goodies to a WordPress site demands a level of diligence that some tend to neglect, simply because of the frequency of updates. So far this year (2016) there have been 7 WordPress releases, and there were nearly 24 releases in 2015! Each time there is a new WP release, before you install the new WordPress version you should check that the current release of each of your plug-ins is supported by the newest release of WordPress. If not, it is probably wise to wait for your plug-ins to catch up in compatibility before installing the latest WordPress version. I get confused just trying to put this into words!
Does it matter? It might, even if you do not keep confidential data within the depths of your website. It could be ransom-based malware, or a matter of inconvenience when the content of a WordPress site you run is replaced or encrypted. We rescued a site that was hacked and had its content rewritten to show support for a radical political group. In the Mossack Fonseca case, the attack exposed key usernames and passwords that allowed entry into their email system and other areas.
What can be done to secure your WordPress-based site? Here are a few pointers:
- Use a security plug-in to secure your site. We like Wordfence. There is a free version, but the premium paid version is not expensive. It will also tell you when there are updates ready – for your WordPress installation and for your plug-ins as well. This alone is worth the price.
- De-activate the plug-ins you are not using regularly. That plug-in that imported your users or graphics files was great at setup, but does it need to stay active?
- Frequently check your plug-ins for updates. Check compatibility with the latest version of WordPress before you patch them.
- Do not set your WordPress site to update automatically – this can break your site if your plug-ins are not compatible.
- Have a backup in place for your WordPress site. Many hosting vendors that host WordPress sites provide backups of WordPress databases at no charge. Popular plug-ins for WordPress backups that we have tested and like are Backup Buddy and Updraft Plus.
- Use your (tested) backups to test plug-in compatibility with new versions. Does a new release of WordPress break one plug-in? Roll it back using a recent backup.
- Change the default administrator name for your WordPress logon.
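As an added example, not code from the original post nor from Wordfence, Backup Buddy or Updraft Plus, the Python script below applies the plug-in checks in the list above in one pass over the JSON that WP-CLI prints for `wp plugin list`: it reports inactive plug-ins (candidates for deactivation), plug-ins with a pending update, and active plug-ins whose wordpress.org "Tested up to" value lags the core version you are about to install, or that are not hosted on wordpress.org at all (commercial plug-ins whose compatibility you must confirm with the vendor). The plug-in names, versions and "Tested up to" values embedded in it are constructed samples; the `wp plugin list` fields and the api.wordpress.org plugin-info endpoint are real, and the live `main()` assumes WP-CLI is installed on the site host.

```python
"""Audit WordPress plug-ins before a core update, using WP-CLI output.

Input is the JSON printed by
    wp plugin list --format=json --fields=name,status,version,update,update_version
plus the "tested" value from the wordpress.org plugin-info API. The data
below is a constructed sample so the audit logic runs offline.
"""
import json
import re
import subprocess
import sys
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample in the shape of `wp plugin list --format=json ...`;
# names and versions are illustrative, not taken from any real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wordfence", "status": "active", "version": "6.1.1",
     "update": "none", "update_version": ""},
    {"name": "updraftplus", "status": "active", "version": "1.11.28",
     "update": "available", "update_version": "1.12.1"},
    # Stands in for a commercially distributed plug-in such as Revolution
    # Slider, which is not listed on wordpress.org (constructed entry).
    {"name": "revslider", "status": "active", "version": "4.1.4",
     "update": "none", "update_version": ""},
    {"name": "wordpress-importer", "status": "inactive", "version": "0.6.1",
     "update": "none", "update_version": ""},
])

# Constructed "Tested up to" values standing in for the wordpress.org API.
SAMPLE_TESTED = {"wordfence": "4.5", "updraftplus": "4.5",
                 "wordpress-importer": "4.4"}


def minor(version: str) -> tuple:
    """'4.5.2' -> (4, 5). Plug-ins state 'Tested up to' at major.minor, so
    the core version is compared at that granularity as well."""
    parts = re.findall(r"\d+", version) + ["0", "0"]
    return tuple(int(p) for p in parts[:2])


def audit(plugin_list_json: str, target_core: str,
          tested_lookup: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Return findings keyed by the action each one calls for."""
    report: Dict[str, List[str]] = {
        "inactive": [], "update_available": [],
        "untested_on_target": [], "unknown_compat": [], "hold_core_update": [],
    }
    for plugin in json.loads(plugin_list_json):
        name = plugin["name"]
        is_active = plugin["status"].startswith("active")  # active / active-network
        if plugin["status"] == "inactive":
            report["inactive"].append(name)
        if plugin.get("update") == "available":
            report["update_available"].append(
                f"{name} {plugin['version']} -> {plugin.get('update_version') or '?'}")
        tested = tested_lookup(name)
        compat_unknown = tested is None
        compat_lagging = (not compat_unknown) and minor(tested) < minor(target_core)
        if compat_unknown:
            report["unknown_compat"].append(name)
        elif compat_lagging:
            report["untested_on_target"].append(f"{name} (tested up to {tested})")
        # Only an active plug-in with unconfirmed compatibility should delay
        # the core update; an inactive one cannot break the live site.
        if is_active and (compat_unknown or compat_lagging):
            report["hold_core_update"].append(name)
    return report


def fetch_tested_from_wordpress_org(slug: str) -> Optional[str]:
    """Live lookup (needs network): the plugin-info API returns a 'tested'
    field for plug-ins hosted on wordpress.org and nothing usable otherwise."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
    except (OSError, ValueError):
        return None
    return data.get("tested") if isinstance(data, dict) else None


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: audit.py <target-core-version>  (run on the site host with WP-CLI)")
        return 2
    listing = subprocess.run(
        ["wp", "plugin", "list", "--format=json",
         "--fields=name,status,version,update,update_version"],
        check=True, capture_output=True, text=True).stdout
    report = audit(listing, argv[1], fetch_tested_from_wordpress_org)
    for key, items in report.items():
        print(f"{key}: {', '.join(items) or '-'}")
    return 1 if report["hold_core_update"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the site host as `python audit.py 4.5.2` with the core version you intend to install; a non-zero exit means at least one active plug-in has not confirmed compatibility, which is the cue to wait, as the list above advises. On the sample data it flags the inactive importer for removal, the backup plug-in for an update, and the commercial slider as the reason to hold the core update. One caveat on the auto-update advice: by default WordPress applies minor releases on its own, and those are the security releases, so if you switch that off, a check like this one needs to run promptly after every release rather than eventually.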
There are a number of other great suggestions out there – do scour the WordPress site itself for its own recommendations for securing your site.