Over the last few years I have seen an increase in the number of sites being compromised or hacked. We have had a number of projects where a new client has come to us with a hacked site and we have been involved in repairing or replacing it, and even a few where sites we built ourselves have been compromised.
More often than not, it appears that the compromised website has been running outdated content management system (CMS) software (for example, an old version of Joomla or WordPress), or outdated plugins or themes that contain vulnerabilities. This trend has been observed worldwide and has even resulted in some pretty newsworthy incidents (like the Panama Papers leak).
Fortunately, given that most of our customer sites are now built on WordPress, updating the CMS or plugins is typically a pretty manageable task. The open source community around WordPress regularly finds and fixes security problems and releases software updates, which are made available almost immediately.
It’s easy to overlook the task of updating your website software, or to be tempted to continually put it off, as the process normally requires backups and testing, which means putting aside a chunk of time and allowing extra time in case something goes wrong. It’s easy to adopt an “if it’s not broken, don’t fix it” mentality in relation to a website, which can lead to problems down the line when the site is compromised.
To address this situation, we’ve developed a strategy that we now use and recommend for all websites that we work on. The first step is to install a security plugin that monitors your website and reduces its exposure to attack. We use and recommend the Wordfence Security plugin for this, after having tried a number of plugins. This is by no means the only option, but it’s one that we’ve tried and tested, and the free version is well featured enough to be useful. It provides good end-point security (meaning it runs on the site itself, the place where you actually want the protection to be).
The second important piece is to ensure that the site is backed up regularly. This means both the website database and the site files. It would be pretty frustrating to have a site defaced and not have a backup to roll back to. The WordPress Backup to Dropbox plugin is a good option and can be set up with a free Dropbox account for scheduled backups. Another option is to get the paid version of Wordfence (the security plugin we talked about above), which allows you to schedule backups and security scans.
Once you have a way to back up your site (and have ideally scheduled this to happen regularly), the final piece in the puzzle is to schedule a time for updates to be performed. We consider monthly a reasonable interval between updates. You can do this more often, but scheduling time to do it monthly is probably more realistic for most websites. There can be a bit of detail in the process of handling updates, but in general you want to ensure that updates are installed in order of importance: the WordPress core first, then plugins, then theme files. When upgrading themes, and plugins integrated with your theme, it’s important to test once the updates are installed and make sure that everything still works. This means testing things like contact forms, sliders, sidebars and any pages or areas of the site that use shortcodes.
Depending on the complexity of the site you may want to allow 20-30 minutes for major updates and 10-15 minutes for smaller updates. You’ll probably find that you get more familiar with the process over time and can reduce the time required for updates.
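The monthly routine above (backup first, then core, plugins and theme in that order, then verify and test) written as a WP-CLI script. This is an added example, not code from the original post; it assumes WP-CLI is installed as `wp`, that `SITE_ROOT` points at the WordPress install, and that backups go to `BACKUP_DIR`.

```shell
#!/bin/sh
# Monthly WordPress update routine built on WP-CLI, in the order the post
# recommends: backup first, then core, then plugins, then theme, then verify
# and hand over for manual testing. Assumes WP-CLI is installed as `wp`.
# WP is unquoted on purpose so it can carry options, e.g. WP="wp --allow-root",
# or be set to WP=echo to print the command sequence without running it.
set -eu

WP="${WP:-wp}"
SITE_ROOT="${SITE_ROOT:-.}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# Step 1: database dump plus a tarball of the files that cannot be re-downloaded
# (wp-content holds uploads, plugins and themes; wp-config.php holds credentials).
backup_site() {   # $1 = timestamp used in the backup file names
  mkdir -p "$BACKUP_DIR"
  $WP db export "$BACKUP_DIR/db-$1.sql" --path="$SITE_ROOT"
  tar -czf "$BACKUP_DIR/files-$1.tar.gz" -C "$SITE_ROOT" wp-content wp-config.php
}

# Step 2: updates in order of importance: core (and its database schema),
# then plugins, then themes. A failure at any step stops the run (set -e)
# so the backup from step 1 can be restored before anything else is touched.
apply_updates() {
  $WP core update --path="$SITE_ROOT"
  $WP core update-db --path="$SITE_ROOT"
  $WP plugin update --all --path="$SITE_ROOT"
  $WP theme update --all --path="$SITE_ROOT"
}

# Step 3: check that core files match the official checksums (a modified core
# file is a classic sign of a compromised site) and list anything still
# outdated, e.g. premium plugins that must be updated by hand.
verify_site() {
  $WP core verify-checksums --path="$SITE_ROOT"
  $WP plugin list --update=available --path="$SITE_ROOT"
  $WP theme list --update=available --path="$SITE_ROOT"
}

run_monthly_update() {
  stamp="$(date +%Y%m%d-%H%M%S)"
  backup_site "$stamp"
  apply_updates
  verify_site
  echo "Updated; backup $stamp is in $BACKUP_DIR. Now test forms, sliders, sidebars and shortcode pages."
}

# Set RUN_UPDATES=1 to execute; sourcing the file only defines the functions.
if [ "${RUN_UPDATES:-0}" = 1 ]; then run_monthly_update; fi
```

Run it from the site root with `RUN_UPDATES=1 SITE_ROOT=/var/www/example sh wp-monthly-update.sh` (path is a placeholder), and keep the printed checksum and outdated-plugin output with your monthly record.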
If you find that your time is better spent working on your business or other things that you enjoy doing more, we can handle WordPress backups and updates for you.
For details on the steps involved with cleaning up a compromised site, this article provides detailed information.