The Cost of Keeping Your WordPress CMS Website Secure

WordPress Content Management System (CMS) websites come with ongoing update costs that are easily overlooked. If you are like most of our clients, you don’t often think about, or pay much attention to, the backend of your website. WebWise Design & Marketing clients who choose to have a Security, Maintenance and Updates Plan may safely ignore the updates their website needs, as we take care of those tasks for you. Our security and maintenance plan includes monitoring and applying all WordPress security updates and all plugin updates. It also includes repairing any damage an update may cause to the website.

For those who do not have a Security, Maintenance and Updates Plan, please continue reading.

It is important to remember that simply ignoring or not applying WordPress and plugin updates is not an option. Updates must be applied, either by you or by your web developer.

WordPress Plugins

I am sure many of you are thinking, “what the heck is a plugin and why do I need them?” According to the WordPress Codex, “Plugins are ways to extend and add to the functionality that already exists in WordPress. The core of WordPress is designed to be lean and lightweight, to maximize flexibility and minimize code bloat.” Plugins offer custom functions and features so that each website can be tailored to the website owner’s specific needs. Some examples of functions and features often added with plugins include calendars, photo sliders, forms, captcha for forms, anti-spam, navigation menus, security, and additional SEO features. Most interactive and dynamic aspects of a WordPress website are provided through the use of plugins. Some plugins (generally those with fewer features) are free to use. Sometimes it is essential to use “premium” plugins, which are sold as license subscriptions that include all code updates for a year. Note: the subscription covers only the updated code; it does not include applying those updates to your website.

Security and Maintenance Updates

If you have read this far, I imagine you have a fairly good idea about what drives the hidden costs of security and maintenance updates, so I will confirm it. WordPress and plugins need to be updated frequently. Not long ago we could say “periodically,” but unfortunately “frequently” describes how often security and maintenance updates are required in today’s world. With every new WordPress release (there have been six so far this year), any website built with WordPress needs to be updated. Of course, it doesn’t end with that single update. Often most, if not all, of the plugins used in building a website will release updates of their own, which must be applied to the website as well. Throughout the updating process, one has to check that the website is not negatively impacted by an update. In other words, the website must be reviewed and all of its functions tested to make sure the update didn’t break anything and that the website still displays and works properly. That checking is done across multiple devices, browsers, and operating systems.

I know some of you are asking, “What happens if I don’t do the security updates?” Well, many things can happen as a result of not having the latest version of WordPress and plugins installed on your website. Here is a short list of possible consequences.

  • Unauthorized access to your WordPress administrative area.
  • Unauthorized and hidden remote control of the computer of an authorized user (you).
  • Your website doesn’t display properly.
  • Your website doesn’t display at all.
  • Your website is hacked and displays offensive and/or harmful content.
  • Your website is hacked and infected with malware that, in turn, infects the computers of your website visitors.
  • Your web hosting company disables your website because of security risks in violation of their Terms of Use Policy.

What Can You Do?

  • Monitor WordPress and Plugin updates status.
  • Make the updates yourself.
  • Review your website to be sure nothing is broken.
  • Fix what is broken if you can, or contact your website developer.
  • Hire your website developer to do those update tasks for you.
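The update-status check in the first step above, as an added example that is not code from the original post, from WebWise, or from WordPress: a Python script that reads the installed version out of wp-includes/version.php and each plugin’s Version: header (both are the real file formats), compares them numerically against the latest versions that api.wordpress.org publishes, and lists what is behind. The file contents and API responses embedded here are constructed samples standing in for the real files and the live API, and the plugin slugs and version numbers are made up.

```python
import json
import re

# Constructed sample of wp-includes/version.php from an installed site. The line format
# ($wp_version = '...';) is what the real file contains; the version number is made up.
VERSION_PHP = "<?php\n$wp_version = '4.2.2';\n$wp_db_version = 31536;\n"

# Constructed plugin file headers. Every plugin's main PHP file carries a "Version:" header
# line like these; the plugins and versions are sample data.
PLUGIN_FILES = {
    "wordfence": "<?php\n/*\nPlugin Name: Wordfence Security\nVersion: 5.3.10\n*/\n",
    "akismet": "<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.1.10\n */\n",
}

# Constructed responses standing in for live calls to api.wordpress.org
# (core/version-check/1.7/ and plugins/info/1.0/<slug>.json); only the fields used here are shown.
CORE_API_RESPONSE = json.dumps({"offers": [{"response": "upgrade", "version": "4.2.10"}]})
PLUGIN_API_RESPONSES = {
    "wordfence": json.dumps({"slug": "wordfence", "version": "6.0.1"}),
    "akismet": json.dumps({"slug": "akismet", "version": "3.1.10"}),
}


def parse_version(text):
    """'4.2.10' -> (4, 2, 10): compare numerically, because as strings '4.2.10' < '4.2.2'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def installed_core_version(version_php):
    """Read $wp_version out of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not match:
        raise ValueError("no $wp_version assignment found in version.php")
    return match.group(1)


def installed_plugin_version(header):
    """Read the Version: header from a plugin's main file (with or without a leading ' * ')."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    if not match:
        raise ValueError("plugin header has no Version: line")
    return match.group(1)


def pending_updates(version_php, plugin_files, core_api_json, plugin_api_json):
    """Return {component: (installed, latest)} for every component behind the current release."""
    pending = {}
    core_installed = installed_core_version(version_php)
    offers = json.loads(core_api_json)["offers"]
    core_latest = max((offer["version"] for offer in offers), key=parse_version)
    if parse_version(core_latest) > parse_version(core_installed):
        pending["wordpress-core"] = (core_installed, core_latest)
    for slug, header in plugin_files.items():
        installed = installed_plugin_version(header)
        latest = json.loads(plugin_api_json[slug])["version"]
        if parse_version(latest) > parse_version(installed):
            pending[slug] = (installed, latest)
    return pending


if __name__ == "__main__":
    report = pending_updates(VERSION_PHP, PLUGIN_FILES, CORE_API_RESPONSE, PLUGIN_API_RESPONSES)
    for name, (installed, latest) in report.items():
        print(f"{name}: installed {installed}, latest {latest} -> update needed")
```

On a live site, WP-CLI performs the same check with wp core check-update and wp plugin list --update=available. The point the script makes is that versions must be compared as numbers: as strings, “4.2.10” sorts before “4.2.2”, and an outdated install would look current.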

Summary

Websites created using WordPress need frequent back-end updates and maintenance that cannot be ignored. Updating WordPress, themes, and plugins takes time and money. Some plugins used require annual license/subscription renewal fees. Ignoring updates puts your website at risk. 

Please see how WebWise helps mitigate the risk of your website getting hacked, and what you can do to make your website more resistant to hackers, by reading our Website Security For Content Management Systems blog post, as well as Secure Passwords Should Not Be Optional.

Of course, we are always happy to discuss how WebWise Design & Marketing can help you with anything in this post.

Call 1-800-281-9993 or 608-822-3750 Today!

Website Security For Content Management Systems

Online security breaches have been national headline news topics regularly throughout the last year. WebWise Design & Marketing has always taken security seriously. We have used and stressed the importance of strong passwords, and we endeavor to keep the versions of the applications we use updated as quickly as possible.

As most of you know, websites with Content Management Systems (CMS), by their nature, present a far greater security risk than static websites. Simply having a user login facility creates a security challenge. Hosting companies and other companies that provide security products and services tell nearly everyone who will listen that, “In our experience most account compromises are due to weak passwords and/or outdated software.”

Last week we took another step in securing the client websites we built on the WordPress framework. We have installed the Wordfence Security plugin on nearly all the WordPress installations we developed and manage. While there are other similar products, we use and recommend Wordfence Security (we have no affiliation). Here are some of the features of the free version.

  • Real-time Security Network
  • Enforce strong passwords
  • Check existing passwords
  • Scan for DNS changes
  • Get detailed IP info
  • Track IPs to their source
  • Block IPs & manage blocks
  • Intelligently block networks
  • Block fake Googlebots
  • Block brute-force attacks
  • Scan Core, Theme and Plugin Files
  • Repair Files
  • Scan for known malware
  • Scan for hundreds of backdoors
  • Scan content for bad URLs
  • Real-time traffic shows hackers
  • Real-time view of crawlers
  • Includes a complete firewall
  • Rate limit rogue crawlers
  • View top content leeches

You may have noticed one of the features is “Enforce strong passwords.” By default, we turn that setting on for our clients’ protection and recommend that everyone use it. Read our Secure Passwords Should Not Be Optional blog post.

While the free version of Wordfence Security does an excellent job across the board, we believe Wordfence Premium is a good investment in the security of anyone’s website. Take a look at it and decide for yourself. www.wordfence.com

Secure Passwords Should Not Be Optional

Password Security

A very large number of the security breaches we read about are the result of weak passwords. Nearly all of us are guilty of using insecure passwords. Some of the time it isn’t a big deal. If someone steals the password to your favorite newspaper account, it likely doesn’t matter as much to you as it does to the newspaper company. Of course, if you stored credit card information there, it could be a bigger problem for you than you think. The bottom line is that if you don’t want any of your accounts, and the information in them, accessed by someone else, you need to use a very secure password.

So, what constitutes a secure password? Let’s start with the basics. The longer the password, the harder it is to crack. Use a 12-character MINIMUM. We like to see 20 – 24 character passwords. Okay, so we agree you should use long passwords.

What else? Before you create that first really secure password, make sure you protect your computer and network with up-to-date antivirus software and a firewall. The most secure password in the world is not secure if it is in an unencrypted file (Word document, text file, spreadsheet, etc.) on a computer that has been compromised. If any of the accounts you access offer two-factor authentication, use it! Many experts recommend changing passwords periodically (some say frequently). I agree with Leo’s answer on Ask Leo to the question, “Is a periodic password change a good thing?”

Back to creating that long password.

  • Create passwords using a 12-character MINIMUM. Using 20 – 24 characters increases password strength exponentially, because every added character multiplies the number of possible passwords by the size of the character set.
  • Use at least one number, one uppercase letter, one lowercase letter and one special character (symbol).
  • Don’t use the names of your family members, friends or pets.
  • Don’t use dictionary words, including commonly used foreign words.
  • Don’t use common substitutions such as “$” for “s”, “@” for “a”, “1” for “l” and, well, you get the idea.
  • Don’t use zip codes, local street numbers, phone numbers, birthdates, ID card numbers, social security numbers, etc.
  • Don’t use the same password on multiple sites.

Password Generators

We recommend using a password generator and creating passwords at least 20 characters long. There are several good secure password generators online. Here are a few.

Norton Identity Safe Password Generator
Random Password Generator
Online Domain Tools Password Checker
Perfect Passwords — GRC’s Ultra High Security Password Generator
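The rules listed above and the generator recommendation, worked through in Python as an added example that is not code from the original post or from any of the generators listed: check_password reports which of the rules a password breaks, undoing the common $/@/1 substitutions before the dictionary check so that they cannot hide a word; generate_password draws every character from the operating system’s random source (the secrets module), which is what a trustworthy generator does; and entropy_bits and years_to_crack show why length matters more than anything else. The wordlist is a constructed stand-in for a real cracking dictionary, and the cracking rate of 1e11 guesses per second is an assumed figure for offline cracking of a fast hash.

```python
import math
import secrets
import string

# Character classes used for both generating and scoring passwords.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed stand-in for a real dictionary / cracking wordlist (assumption: a real
# checker would load a list of millions of leaked passwords and words here).
WORDLIST = {"password", "summer", "welcome", "letmein", "badger", "fluffy"}

# The common "leet" substitutions the post warns about; crackers undo these first.
LEET = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "!": "i", "5": "s", "4": "a"})


def check_password(password):
    """Return the list of rules from the post that the password breaks (empty means it passes)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER), ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in cls for c in password):
            problems.append(f"no {name} character")
    # Undo leet substitutions before the dictionary check, so that P@$$w0rd is still "password".
    normalized = password.translate(LEET).lower()
    for word in sorted(WORDLIST):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}' (substitutions do not hide it)")
    return problems


def generate_password(length=24):
    """Draw every character from the OS CSPRNG (secrets), retrying until all rules pass."""
    if length < 12:
        raise ValueError("minimum length is 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def entropy_bits(password):
    """Bits of entropy IF each character was chosen uniformly from the classes the password uses.

    That holds for a generated password; a human-chosen one has far less, so treat this as an upper bound."""
    pool = sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_crack(password, guesses_per_second=1e11):
    """Expected brute-force time at an assumed offline cracking rate (half the keyspace on average)."""
    seconds = 2 ** entropy_bits(password) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "P@$$w0rd2015!", generate_password(12), generate_password(24)):
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, ~{years_to_crack(pw):.2g} years, "
              f"problems={check_password(pw)}")
```

Running the block shows the difference the post describes: going from 12 to 24 generated characters roughly doubles the bit count, which squares the number of guesses an attacker has to make. Note the caveat in entropy_bits: the figure assumes every character was chosen uniformly at random, which is true of a generated password and false of one a person made up, so for passwords typed from memory it overstates the strength.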

For those of you who want to remember your passwords, it is possible to use really long passwords that are easy to remember. Here is an excellent blog post that includes methods for doing that.

Password Managers

How do you remember those long passwords? Well, that is a challenge. We recommend using a password manager application. Because LastPass, one of the most widely used password managers, was broken into last month (the hackers didn’t access user password vaults, which are protected by strong encryption), some believe using a password manager is not a good idea, but it remains a very viable option. This blog post answers the question, “Am I An Idiot for Still Using a Password Manager?”

There are two types of password managers: online services that store your passwords in encrypted databases in the cloud, and applications that you install, which store your encrypted password database in a file on your desktop computer, phone, or tablet. There are pros and cons to both types, and both can do the job for you. Here are some of the most popular password managers.

LastPass
Dashlane
1Password
KeePass

Here is how PC Magazine rates (June, 2015) paid and free password managers. Please remember that those ratings, as all ratings of software, are somewhat subjective and a matter of personal preference.

Start today with creating a new and different password for each of your email accounts. Most of us have easy-to-remember (and easier to crack) passwords for our email accounts that really should be changed.

Please remember, Secure Passwords Should Not Be Optional, and using a password manager certainly doesn’t make you an idiot.