More and more, I hear people blaming WordPress and/or hosting companies for their websites being compromised. Some have valid points, and others have not taken the security measures necessary to protect themselves.
But…who's responsible for your website's security?
Ultimately, it's you! You own the domain name, you created it and you're responsible. If you don't take care of it, who will?
The developers of WordPress do take security very seriously. They're kind enough to provide us this great publishing platform for free, give us a place to report bugs and issue security releases when known issues arise. However, no platform is perfect or immune. And just because you're using WordPress, it doesn't mean that WordPress is responsible for your website.
If you're on a shared hosting server or not using an SSL certificate, your site carries extra security risk. Is it your hosting company's fault that you aren't on a dedicated server or chose to use rover123 as your password? Reliable hosting companies do their best to keep the security of their servers up to date. And you have choices that make you more secure.
Here are some questions to ask yourself…
- Do you think your site is immune or of no interest to a malicious hacker?
- Are you using a reliable hosting company like *Godaddy or *Hostgator?
- Do you use strong passwords? And different passwords for all the accounts you log into online?
- Have you set the correct file permissions (CHMOD) on the server?
- Are your WordPress installation and all your plugins up to date?
- Did you secure your wp-config.php file?
- Have you removed the obvious roadmap you're leaving for hackers?
- Are you doing backups of your site and your database?
My list of questions could go on and on and I probably sound like I'm barking at you. But I'm begging you to use common sense and protect yourself now.
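As an added example (not the post's own code), here is a POSIX shell audit for the CHMOD and wp-config.php questions in the checklist: it lists world-writable paths (the 777 setting some people apply to a whole site), checks that wp-config.php is not readable by other users, and applies 755/644 modes. The 600 mode for wp-config.php and the constructed sample tree are this example's assumptions; on a real install, run it as the file owner against the WordPress directory instead of the sample.

```shell
# Added example (not from the post): audit a WordPress tree for the permission
# mistakes the checklist asks about (CHMOD 777, readable wp-config.php), fix them.

# List every world-writable file or directory under $1 (the "777" mistake).
# Returns 0 when none are found, 1 when at least one is.
wp_find_world_writable() {
    found=$(find "$1" \( -type f -o -type d \) -perm -002)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# wp-config.php holds the database password; it must not be world-readable.
# Returns 0 if safe, 1 if readable by "other", 2 if the file is missing.
wp_check_config_perms() {
    cfg="$1/wp-config.php"
    if [ ! -f "$cfg" ]; then echo "missing $cfg"; return 2; fi
    if [ -n "$(find "$cfg" -perm -004)" ]; then echo "world-readable: $cfg"; return 1; fi
    return 0
}

# Hardening: directories 755, files 644, wp-config.php 600 (600 is this
# example's assumption; use 440/400 if the web server user owns the file).
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# Constructed sample install that reproduces the chmod -R 777 mistake.
wp_make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    printf '<?php define("DB_PASSWORD", "placeholder");\n' > "$dir/wp-config.php"
    : > "$dir/index.php"
    chmod -R 777 "$dir"
    echo "$dir"
}

# Demo on the sample tree: audit, fix, audit again.
demo=$(wp_make_sample)
wp_find_world_writable "$demo" || echo "-> world-writable paths found, fixing"
wp_fix_perms "$demo"
wp_find_world_writable "$demo" && echo "-> no world-writable paths remain"
wp_check_config_perms "$demo" && echo "-> wp-config.php is private"
rm -rf "$demo"
```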
What can you do to protect your WordPress site?
The first thing you MUST do is take your website's security seriously!
And the second thing you must do is develop good security habits.
You can start with a few simple things like…
- Use strong passwords! Make them at least 14 characters long. Use a combination of upper- and lowercase letters, numbers and special characters. Click here to create a strong password. Make it so hard that you don't remember it and have to look it up every time.
- Use different passwords for your FTP login, hosting account, database and WordPress admin account.
- Don't store your passwords on your computer. Save them on an external or flash drive, and make it so that you have to look them up EVERY time. (Here's a good example of a strong password: !Q7,@+L{(.n/'bn'~.) You're probably thinking, wow, that's extreme. But some people call me Sheriff Smola because I'm such a stickler for this.
- Change your passwords every couple of months everywhere you log in online. Yes, it's tedious, but you want to be safe, don't you?
- Keep your computer virus-free! That means running nightly virus scans and always updating the virus definitions.
- Don't use a non-secure wireless network ANYWHERE! Did you know that a guy stole people's credit cards from a major department store this way and made off with millions of dollars? I wrote about it here.
- Read the article on Hardening WordPress and take these steps now.
I could spend all day giving you tips and solutions on securing vulnerabilities on your WordPress site, server, database and logins, etc., but I'd like you to at least do the above right now to help protect yourself and your website.
Please don't make the mistake that so many others do, thinking that your website won't get attacked. On Wednesday, April 15, 2010, over 200 websites were maliciously hacked with a virus. Here's my article about the Godaddy Ninoplas Base64 Virus.
Why do bad hackers hack?
Simply, because they can! They do it to steal your information, for money, to add another notch to their belt, to impress their illegal hacker club, as a hobby or out of sheer curiosity. Criminal hackers are not prejudiced. They don't care how big or small your site is or how much traffic you get. You're not immune!
If you need help, I'm here for you. But please don't email me for help and then tell me your username is 'admin' and your password is 'password123'. For some security plugins I recommend, download my free ebook, "7 Plugins for WordPress Security."
Please share with me what you've done to protect your WordPress website and let me know if you have any questions. Just leave a comment below.
Securely yours,
Regina Smola
Follow on Twitter
*Denotes our affiliate link, see our Disclosure.
Regina Baker says
OMG! I love this post. You made me want to stop and change everything, even the LONG passwords because what you’re saying is so true. Thanks for reminding me of how important it is when it comes to my *own* business – it’s MY responsibility to make sure I do everything to secure it!
Regina says
Thanks Regina! The world needs more webmasters like you that take their WordPress security so seriously.
Miserere says
GoDaddy gets a bad rap almost everywhere, but I see you recommending them. Until this weekend I never had a hosting issue, and I have no idea how good/bad other hosting services are in comparison.
Your thoughts?
Asad Kay says
My website was hacked too. Same scenario. I’m upgrading my software at the moment. This shouldn’t have happened.
I don’t think it’s a password issue. If they got passwords they could have done a lot worse.
I think it has something to do with weak CHMOD settings. I didn’t really care for mine. I did have them on 777 for the whole website.
So I think that’s what must have caused them to gain access.