Security protection and updates are a key element of the services RED provides to clients on an ongoing basis. We specialize in WordPress websites, and an important part of having a WordPress website means keeping up with maintenance and security updates.
We offer monthly security packages that include regular website backups, security monitoring, upgrades, testing, and more. Threats are ever-evolving, and no website security system can realistically promise to protect you from every threat, so hack clean-up is also included in the unlikely event that someone does break through our multi-layer protection.
Why should you keep your WordPress website updated? See the stats.
Today, we want to look at some actual statistics from the websites we manage. We’ve been tracking security incidents on sites we manage for about 18 months, and already the statistics give clear indications about why it’s important to keep your website up to date.
As of July 2019, out of 160 active WordPress websites, we have noted 37 security incidents on 29 websites. 29 out of 160, or 18%, might sound high, but only 3 of those 29 were sites that had signed up for a regular security monitoring package. 3 out of 160 is 1.9% (strictly, the comparable figure would divide by the number of monitored sites rather than all 160, which we haven't broken out here). When we noticed incidents on websites we weren't actively monitoring with a security package, we alerted the clients at that point to request permission to clean up and update.
Of the 37 incidents noted:
- Only 7 of the incidents were on sites we were monitoring regularly.
- Of those 7, 4 were repeated attacks on the same website, so only 3 websites we regularly monitor were hacked. The repeated attacks on that one site were due to the hosting provider not granting us the ability to change the hosting account and FTP passwords: if the attacker held those credentials, they could put their files straight back after each clean-up. Since we moved that website to a new host, there have been no more hacks recorded on it. In a similar incident on the same host, we insisted that the hosting provider's tech support change the FTP password, which halted the incidents on that site for a time. Unfortunately, the host continues to have poor security, so the site has fallen prey to attacks again since then. The client will be changing hosts shortly.
How do hackers break into a website?
There are several common attack points:
- Brute Force Attack
We protect the websites we manage against brute force attacks, but if you use an insecure password, or one that has already appeared in a data breach, attackers can still get in sooner or later. Rate limiting slows down guessing; it cannot stop a correct guess taken from a leaked password list.
- SQL Injection
SQL is the language used to query your site's database. If a plugin or theme builds a query by pasting untrusted input (a URL parameter, a form field) straight into the SQL text, an attacker can change what the query does and read, alter or delete data directly in the database behind your website, for example to harvest password hashes or add an administrator account.
- Old WordPress and PHP versions
These older versions have publicly documented, exploitable vulnerabilities, and attackers scan for them automatically. Keeping WordPress, PHP and your plugins up to date has always been the best way to keep your site secure.
- Unsecure hosting practices
Hosts may not offer current PHP versions, and PHP branches that have reached end of life no longer receive security fixes. They may not give you the access you need to change passwords, or may not let you set appropriate file permissions and ownership. Looking for a host? Check out our hosting recommendations.
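As an added example (not code from RED or from any plugin named on this page), here is the shape of the SQL injection bug that keeps turning up in plugin code, beside the corrected version using WordPress's own `$wpdb->prepare()`. The function names are hypothetical, the code assumes a WordPress environment, and the payload in the comment assumes the default `wp_` table prefix.

```php
<?php
// Added example, not RED's code. Assumes WordPress ($wpdb, absint() available).

// VULNERABLE: the query is built by string concatenation with raw request input.
// A request like   ?post=0 UNION SELECT user_login, user_pass FROM wp_users
// turns a harmless post lookup into a dump of every account's password hash,
// because the visitor's text becomes part of the SQL itself.
function red_example_get_post_vulnerable() {
    global $wpdb;
    $id = $_GET['post']; // untrusted, used verbatim
    return $wpdb->get_row( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = $id" );
}

// FIXED: cast, then bind. absint() discards anything that is not a non-negative
// integer, and $wpdb->prepare() places the value into the SQL as data, so nothing
// the visitor sends can change the shape of the query.
function red_example_get_post_safe() {
    global $wpdb;
    $id = absint( $_GET['post'] ?? 0 );
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
}

// Strings need the same treatment: a %s placeholder, plus esc_like() when the
// value goes into a LIKE pattern so that '%' and '_' typed by the user are not
// treated as wildcards.
function red_example_search_titles( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_title LIKE %s LIMIT 20",
            $like
        )
    );
}
```

The fix is not "escape the input" but "never let input become SQL": integers are cast, strings are bound through placeholders, and the database driver never sees user text as part of the statement.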
Our statistics show outdated plugins as the most common entry point
- 18 incidents occurred due to known vulnerabilities in plugins.
These incidents could easily have been avoided by updating plugins on a regular basis. It’s clear that this is the top WordPress security tip.
- 8 incidents were due to unsecure passwords.
- 6 incidents were due to security issues on the part of the website hosting company.
After any incident, we review our security practices to see if we can improve them and tighten things up, and our strategy pays off. We see fewer and fewer incidents on sites we monitor actively.
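As an added example in WordPress's own language (not RED's monitoring tooling), a small must-use plugin that does the check a monitoring package automates: refresh the update data once a day and email the site admin when WordPress core or any plugin has an update waiting, or when the server's PHP is below the branch you consider acceptable. The hook and function names are hypothetical, it assumes a working WordPress install with WP-Cron and outbound mail, and the PHP minimum is a placeholder you should set from php.net/supported-versions.

```php
<?php
/**
 * Plugin Name: Pending Update Report (added example, not RED's tooling)
 * Description: Emails the site admin daily when core or plugin updates are waiting.
 * Install: copy into wp-content/mu-plugins/ so it cannot be switched off from the dashboard.
 */
defined( 'ABSPATH' ) || exit;

const RED_EXAMPLE_CRON_HOOK = 'red_example_pending_update_report'; // hypothetical hook name
const RED_EXAMPLE_MIN_PHP   = '7.2'; // placeholder: oldest PHP branch still receiving security fixes

// Schedule the daily check once; WP-Cron fires it on the next page load after the due time.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( RED_EXAMPLE_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', RED_EXAMPLE_CRON_HOOK );
    }
} );

/** Return human-readable lines for everything that is out of date, or an empty array. */
function red_example_pending_updates(): array {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    // Ask api.wordpress.org now rather than trusting a possibly stale cached transient.
    wp_version_check();
    wp_update_plugins();

    $pending = [];

    if ( version_compare( PHP_VERSION, RED_EXAMPLE_MIN_PHP, '<' ) ) {
        $pending[] = sprintf( 'PHP %s is below the %s minimum; ask the host to upgrade', PHP_VERSION, RED_EXAMPLE_MIN_PHP );
    }

    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates ) ) {
        foreach ( $core->updates as $offer ) {
            if ( 'upgrade' === $offer->response ) {
                $pending[] = sprintf( 'WordPress core: %s -> %s', $GLOBALS['wp_version'], $offer->current );
                break;
            }
        }
    }

    $installed = get_plugins(); // plugin file => header data, including 'Name' and 'Version'
    $plugins   = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $update ) {
            $name = $installed[ $file ]['Name'] ?? $file;
            $from = $installed[ $file ]['Version'] ?? '?';
            $pending[] = sprintf( 'Plugin %s: %s -> %s', $name, $from, $update->new_version );
        }
    }

    return $pending;
}

add_action( RED_EXAMPLE_CRON_HOOK, function () {
    $pending = red_example_pending_updates();
    if ( empty( $pending ) ) {
        return;
    }
    $body = 'Updates waiting on ' . home_url() . ":\n\n" . implode( "\n", $pending ) . "\n";
    wp_mail( get_option( 'admin_email' ), 'Pending WordPress updates', $body );
} );
```

This only reports; it deliberately does not auto-update, because an update that breaks a site at 3 a.m. with nobody watching is its own kind of outage. The report tells you what to test and apply on your next maintenance pass.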
Why do hackers break into websites?
Often hackers will try to install web shells: small scripts, usually PHP, that accept commands over HTTP and give them a way back into the site at any time to do anything they want. This is rarely a real person. It's usually a broad, automated effort to find any website with security holes a "bot" can exploit.
Here’s how our own stats compare to those of the users Wordfence surveyed. I’ve eliminated the ones we have not experienced from the chart:
Defaced Site / Took Offline
Among the sites clients have asked us to investigate, this has happened to only one that we know of. It is important to store your website backups off site. With a backup stored on a different server than the one where you host your website, you can restore your website if this happens to you.
Send Spam Email
This has happened to two of our clients. The hacker installs a script that sends spam from your domain. When the domain ends up blacklisted, the hacker simply moves on to another website. In the meantime, your website can end up blacklisted by mailing services or your host.
SEO Spam
In the hacks we've seen, this is by far the most common purpose behind a break-in: your pages are stuffed with spam links or replaced by spam content. This can cause your SEO results to tank once Google catches on that your content has been replaced with spam. Google will post warnings to users that your website may be malicious, further harming your click-through rates.
If you go to Google and enter "site:yourwebsite.com", you will see your top results. If you see pages you never wrote, you need to do some clean-up:
In the case we saw, the results were in multiple languages, when the original website is in English. Google places a "This site may be hacked" warning on the search results, to alert users to the risk of visiting your website.
Malicious Redirects
A malicious redirect can send a user to a spam website or to a website hosting malware.
Distribute Malware
Your website could be used to further spread infection to other websites or to visitors' computers. This could take the form of a pop-up encouraging the visitor to click on a link for one reason or another. For the unwary, this may appear to be a legitimate link. Rather than even clicking on "close", which may itself lead to the malware, close the browser window completely if you ever happen upon such a warning on a website.
Host Malicious Content
A client once caught his website showing undesirable pop-ups. This will affect your website’s reputation both with Google and other search engines and with your clients, and computer protection programs may warn your visitors against visiting your website.
Referral Spam
As with some of the other spam issues, this type of attack shows up as spam referral links in your Google Analytics dashboard, tempting you to click through to see what the website is. It often doesn't involve your server at all: bots can send fake visits straight to Google Analytics with a spam domain as the referrer, so the clean-up is usually a filter in Analytics rather than a file on the site. Read more about this type of hack here.
How does a hack affect your website?
If a hacker does break into your website, your site may be affected in a number of ways.
- You may lose website content, and have to restore from a previous backup.
- Your Google rankings may be affected.
- Google may note that your website is dangerous, warning people against visiting it.
- Your website’s reputation may be affected if the hacker sends out spam from your website. People may lose trust in your organization.
- Your site may be blacklisted by email services if the hacker sends out spam from your website.
- Your real emails to clients may go to the spam folder or be rejected.
- Your web host may shut down your website until you get it fixed.
As you can see, both your organization’s reputation and your SEO value are on the line.
It’s important to keep your website secure. If you’re interested in learning more about how RED can help keep your website secure on an ongoing basis, check out our security package offerings.
Questions? Comments? Let us know.