I’ve had a couple of new clients come to me lately because they were having big problems with their WordPress sites getting “hacked” continually, and they want it to stop. Obviously it’s bad for them, because their visitors keep jumping up and down about their computers being infected by my clients’ websites.
Out of all of this I’ve found a few things that I think deserve sharing.
Not All Plugins Are Created Equal
There are literally thousands of plugins on the WordPress site, all free and all able to be downloaded and installed into your blog quickly and easily. Does this mean that they are all of a high quality standard? Well, yes and no. All it really means is that they meet the WordPress coding standards and don’t have any obvious security issues. The key word here is “obvious”. With the number of plugins hosted there, it’s impossible for each one to be completely checked, and even if it were, there’s always a chance that a simple mistake gets missed.
This doesn’t mean that you should stop using plugins. It means that you should be careful and vigilant on your own behalf. Look at what the plugin does, how it works and how it’s been coded. I’ve found a few plugins on my clients’ sites so far that were poorly written, and one that was downright dangerous.
Update Your Website
This is probably one of the most common problems that I see. When I look into most of my clients’ administration areas, they haven’t updated anything for months, and in one case for two years.
There’s the old argument of “If it’s not broken, don’t fix it”, and that does hold true in a whole lot of cases. The problem with this ideology when it comes to software is that you should really assume the software is broken in the first place, and that the updates are there to fix it. WordPress core updates are mostly security and bug fixes. This means that by not updating you are leaving your site open to the known vulnerabilities in the version you are running. In case you didn’t know, by default WordPress embeds its name and version into every page of your site, so it’s easy for an attacker to get that information and use it against you.
The same thing goes for themes and plugins. The worst offenders I’ve seen for this are the “premium” themes that a lot of people buy. I think it’s a great thing to have these themes available, as they do look good and the functionality can really help a lot of people. The problem with these themes is that they almost always cannot be updated through the normal WordPress update process. Let’s face it – users don’t update even when it’s easy to do, so why would they update when it’s a lot harder?
Check Your Local System
I cannot stress this enough. Always keep your virus scanner and firewall updated. There are no exceptions to this rule.
Keep Up To Date With Current Issues
The biggest issue in the recent past has been the widely reported vulnerability in the TimThumb script. A huge number of themes and plugins use this script to do nice image resizing on the fly. While it works well, the script is inherently insecure, and this has been proven time and time again. If your plugins or themes use it, ditch them and get something else that doesn’t.
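Finding out whether you are affected is the first step, and the two things this post keeps coming back to (the core version your site advertises and the bundled copies of TimThumb hiding inside themes and plugins) can both be checked from the filesystem. The script below is an added example written for this post, not code from WordPress or from TimThumb; it assumes a standard install layout (wp-includes/version.php and wp-content/) and builds a constructed throwaway install in a temp directory to run against, so the paths and version strings in the fixture are made up.

```shell
#!/bin/sh
# Audit helper (added example, not part of WordPress):
#  - list every timthumb.php / thumb.php bundled under wp-content, with the
#    version it declares, so you know which themes/plugins to replace;
#  - read the core version from wp-includes/version.php, which is the same
#    value WordPress advertises in every page by default.

# Print "<path><TAB><timthumb version>" for each copy under $1/wp-content.
find_timthumb() {
  root="$1"
  find "$root/wp-content" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
  while read -r f; do
    # TimThumb declares its version as: define ('VERSION', '2.x.y');
    ver=$(grep -o "define *( *'VERSION' *, *'[^']*'" "$f" | sed "s/.*'\([^']*\)'$/\1/")
    printf '%s\t%s\n' "$f" "${ver:-unknown}"
  done
}

# Print the core version string from wp-includes/version.php ($wp_version).
wp_core_version() {
  grep -o "wp_version *= *'[^']*'" "$1/wp-includes/version.php" | sed "s/.*'\([^']*\)'/\1/"
}

# Build a constructed sample install (made-up versions) so the audit can be
# exercised offline; prints the directory it created.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/themes/sample-theme/lib" "$d/wp-content/plugins/clean-plugin"
  printf "<?php\n\$wp_version = '3.2.1';\n" > "$d/wp-includes/version.php"
  printf "<?php\ndefine ('VERSION', '1.32');\n" > "$d/wp-content/themes/sample-theme/lib/timthumb.php"
  printf "<?php\n// nothing of interest here\n" > "$d/wp-content/plugins/clean-plugin/clean-plugin.php"
  echo "$d"
}

# Demo run against the constructed install. On a real site, call
# find_timthumb and wp_core_version with the WordPress root instead.
demo_root=$(make_fixture)
echo "WordPress core version: $(wp_core_version "$demo_root")"
echo "TimThumb copies found:"
find_timthumb "$demo_root"
rm -rf "$demo_root"
```

Any path the script lists is a theme or plugin to replace rather than patch, and a core version that is behind the current release means the site is advertising exactly which known bugs it still has.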
This is just one example of many that are out there. Always keep an eye out for the next issue. Something new will come up. It always does.