WordPress Security: Paramount for Small and Medium Businesses
In a study held between the 12th and 15th of September 2013, it was found that, of the 40,000+ WordPress websites in Alexa’s top 1 Million, more than 70% were vulnerable to attacks.
That being said, a website being hacked can be costly for an enterprise and precautions must be taken to make WordPress as secure as possible.
How a Hacked WordPress Site Can Impact Business
As a business grows, the effects of a hacked website get increasingly worse.
A defaced personal blog likely will not attract too much attention, but a large enterprise can definitely expect some sort of loss.
According to an article from Telegraph, a cyber campaign in 2010 led to several million in damages after targeting PayPal, MasterCard, Visa, the Ministry of Sound, the British Recorded Music Industry (BPI), and the International Federation of the Phonographic Industry (IFPI).
PayPal estimated their damages at £3.5 million. BPI ended up having to pay out more than £4,000 for online security and other costs. The cost to IFPI was more than £20,000 due to their site being down for nine days. MasterCard and Visa’s losses were not disclosed.
In another article from Yahoo! Small Business Advisor, a small business was fined $100,000 by its credit card issuer for a security breach that led to nearly $3 million in bogus charges. This article goes on to say that threats to small businesses have risen sharply over the past year and that the average loss per attack is $188,000.
While these statistics may be alarming, Tony Perez of Sucuri, a top information security company, suggests that “being afraid is not the appropriate course of action and [reassures] that the various other competing applications fared far worst when it came to security.”
How to Protect Your WordPress Website
While there is no way to guarantee that a website will not be hacked, there are precautions that can be taken to secure WordPress.
Below are just a few of the best suggestions for minimizing the possibility of your WordPress site being hacked:
- Run the latest version of WordPress. According to WP White Security, almost every past version of WordPress has known vulnerabilities. Thus, one of the easiest and best ways to thwart a hacker is to update WordPress.
- Use only trustworthy plugins and themes. WordPress VIP has mandatory code reviews for all plugins and themes that run on its servers. While this process is quite stringent, it has helped WordPress run its servers with very few hiccups.
- Regularly back up your entire WordPress installation. While this is more of an after-the-fact tactic, it is one of the best ways to minimize the damage from a hacked website.
- Use secure passwords. While much has been written about this, the basics are to use a long, complex, unique password.
- Always use SFTP.
- Use a unique database prefix. Do not use the standard database prefix of wp_.
- Delete unused plugins and themes. The point here is to minimize vulnerabilities.
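Three items on this checklist (core version, database prefix, unused plugins) can be checked straight from the files on disk. The following Python script is an added example, not code from the original post; the latest version number and the set of active plugins are supplied by the caller, and the sample site, plugin names and version strings are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def version_tuple(text):
    # "3.6" -> (3, 6, 0); a suffix such as "-beta1" is ignored.
    parts = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    return tuple((parts + [0, 0, 0])[:3])

def read(path):
    return path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""

def audit_wordpress(root, latest_version, active_plugins):
    """Return findings for the tree at root. latest_version and active_plugins
    come from the caller (assumption: no network or database access here)."""
    root, findings = Path(root), []
    m = PREFIX_RE.search(read(root / "wp-config.php"))
    if m is None:
        findings.append("table prefix: not found in wp-config.php")
    elif m.group(1) == "wp_":
        findings.append("table prefix: still the default wp_")
    m = VERSION_RE.search(read(root / "wp-includes" / "version.php"))
    if m is None:
        findings.append("core version: not found in wp-includes/version.php")
    elif version_tuple(m.group(1)) < version_tuple(latest_version):
        findings.append(f"core version: {m.group(1)} is older than {latest_version}")
    plugins = root / "wp-content" / "plugins"
    # Only plugin directories are checked; single-file plugins are skipped.
    for entry in sorted(plugins.iterdir()) if plugins.is_dir() else []:
        if entry.is_dir() and entry.name not in active_plugins:
            findings.append(f"unused plugin: {entry.name}")
    return findings

def build_sample_site(root, prefix="wp_", version="3.5.1"):
    # Constructed sample tree for the demo, not a real installation.
    root = Path(root)
    for slug in ("contact-form", "old-gallery"):  # hypothetical plugin names
        (root / "wp-content" / "plugins" / slug).mkdir(parents=True)
    (root / "wp-includes").mkdir()
    (root / "wp-config.php").write_text(f"<?php\n$table_prefix  = '{prefix}';\n")
    (root / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for finding in audit_wordpress(tmp, "3.6.1", {"contact-form"}):
            print(finding)
```

An empty result means none of the three checks fired; it says nothing about the other checklist items, such as passwords, backups or SFTP.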
From this point, there are several plugins and services that can help with security. Here is a list of highly recommended, and vetted, plugins and services:
- Sucuri Security. When you purchase Sucuri’s monitoring and clean-up service, starting at $89.95 per year, you get a plugin to install on your site. The benefit of using Sucuri is that they will clean any malware on your WordPress site.
- Limit Login Attempts. This plugin does exactly what the title says, and is a good way to deter brute-force hacking.
- Stealth Login Page. This plugin deters hackers by changing the admin login page. Without a secret authorization code, anyone that hits the login page will be redirected to a customizable URL.
- Google Authenticator. This plugin allows you to enable Google’s two-factor authentication on your WordPress site.
- Simple Login Log. This plugin keeps a log of every login attempt including username, IP, browser agent, and time.
The Rise of Managed WordPress Hosting
The simple truth is that security is an ongoing effort and there are many variables to consider. Because of this, businesses looking for peace of mind for their WordPress-powered websites have turned to managed WordPress hosting in recent years.
While more expensive, managed WordPress hosts specifically tune their servers to securely host WordPress. This allows businesses to focus solely on adding features and content to their site.
For a more detailed write-up of managed WordPress hosts, see the comparison of WP Engine and WordPress VIP.