My goal here is to cover some of the basics of website security, in particular, WordPress website security because that is the platform we use for our sites. WordPress websites need the following to be secure:
- Weekly site backups (real backups in the cloud)
- Weekly updates of WordPress, themes and plugins
- Solid, reliable hosting
- A plan for how to deal with malware
These are all things that most any organization can do internally, but these are all things that almost every organization neglects. When they are neglected, sites often get hacked. The scary thing is that sometimes a site will be hacked and it will not be noticeable to the organization for an extended period. Let me give a few examples of obvious hacks and subtle ones:
- The site is down
- The site is showing code at the top or bottom of the screen
- The site has been modified with a goofy message like “you have been hacked by…”
- The site has inappropriate / offensive imagery or language on it
Subtle hacks (which are scarier):
- Some of the links within the site start redirecting to medication websites that could be embarrassing.
- When you search for the organization on Google, it comes up, but the language about the organization is about selling a particular medical supplement (blue pill) rather than information about the organization.
- When you search for the organization on Google the link back into the website redirects the user to an online store selling basketball shoes.
- Someone gets access to your site and subtly posts weird blog posts all throughout your blog without you realizing it for months.
I have personally seen all of these hacks happen. The obvious ones get noticed right away and fixed. The subtle ones can go on for months until a user finally gets pushed to some weird site and then complains to the organization. I confess, I am writing this to scare you.
To maintain the integrity of your WordPress website you must do one of two things. Either commit to a weekly regiment of maintaining and updating your site and do it without fail. Or, pay someone to do it. If you don’t commit to one of those options, your site will be in danger.
As much as you might like kitten videos on YouTube, waking up to a homepage full of kitten videos because a hacker was bored last night is no fun.