If you have a WordPress website (30% of the world’s 2 billion sites are built on WordPress, making it the most popular website content management system of all), then please read on.
Firstly, here’s a simplified summary of what WordPress is and how it works. If you’re not too technical, it’s important to read this so you have a basic understanding of what has changed, and how it might affect your website.
WordPress (WordPress.org) is a free and open-source content management system (CMS) used by more than 60 million websites, and is basically a factory that makes webpages.
- You need a domain name, which is your digital business address, and hosting (which is where the digital files are physically stored) to make it work. A WordPress site is built using code such as HTML, PHP, MySQL and CSS and some others – which all magically work together so that your site appears online. This can be likened to the foundations and framework of your house.
- The site is built using a “theme”, which controls the appearance of every part of the site. There are thousands of free and paid themes available. A theme can be likened to the finishes – the wall, floor and roofing materials, colour scheme and overall appearance.
- The clever things are powered by plugins. Plugins can do things like add sliding images, create forms to capture people’s details or incorporate search engine optimisation (SEO) information easily onto every page to help Google index your site. There are actually over 55,000 plugins on the market (free and paid), all developed by coders to extend the functionality of your site. You could think of these as the things which make your house work, like electrical wiring, plumbing, air-conditioning, security alarms, skylights, stoves, fridges, toilets, etc. Some are essential features, others make life easier and better.
In essence, it’s a fantastic platform for creating beautiful websites quickly, and adding countless features to provide website visitors with a great user experience.
And most importantly of all, it’s yours. As the website owner, you actually own it and can do whatever you like to it, and host it wherever you want.
This is not the case when you create a site using SAAS (Software as a Service) platforms like Squarespace or Wix. You are limited when it comes to design and functionality options, and if you stop paying the monthly fee, your site will disappear instantly, and you will need to start all over again.
Security issues you need to be aware of
Unfortunately, websites attract attention from low-lifes who have nothing better to do than wreak havoc.
There are two types of criminal groups who are out to do harm.
- The first are those looking to steal identities for personal gain. These criminals often operate stealthily, stealing personal information they can use to make false purchases elsewhere, or resell on the dark web.
- The second are hackers who are simply looking to cause disruption. They can cripple your site, causing prolonged downtime and potentially revenue loss, or redirect your site to their own porno or ecommerce sites selling Viagra or even stolen goods, or non-existent goods. Sometimes they wreak havoc just for the fun of it, or to prove to themselves they can disable a business or organisation. These people usually work in a hit and run mode.
As hackers invent new malicious tools to invade websites, their efforts are continuously monitored by the WordPress team and other security companies, who work quickly to close back door access. WordPress issues security and functional updates regularly, and will auto update your site to the latest version, without you even knowing.
It’s up to plugin developers to also ensure that they keep their plugins up to date with fixes that foil security breaches, and to stay compatible with the latest version of WordPress. Many of them do, but there are also many who don’t, which leaves your website vulnerable to hacking and installation of malicious code.
Hosting can also be an entry point for hackers.
Recent combative security strategies
In 2018 WordPress, search engines and most hosting services made a number of major changes in an effort to combat hacking and identity theft. The key changes are:
- WordPress updated to version 5.0.1 to address some security issues and bugs with their new editing system
- Google Chrome, Firefox, Safari and other browsers started showing warning messages on websites that have not yet had an SSL certificate added.
- PHP developers released version 7.2, which provides enhanced security and performance for WordPress sites and hosting.
- Many hosting services changed from FTP to SFTP for uploading files, and now provide daily backup services.
As a website owner, you need to ensure that you or your webmaster review these changes and implement what is required, so that your site continues to function correctly and stay safe. Not doing so could be catastrophic:
- You will certainly be at risk of being hacked through old plugins and themes
- You could lose valuable SEO “juice” and ongoing indexing by Google if you’ve not upgraded to an https:// site
- Your website functionality could break as the new PHP and WordPress versions don’t work with every plugin and theme, so these need to be replaced
- You could risk being rejected in the future by your website hosting service because your website is non-compliant.
WordPress update to Gutenberg
In addition to improved security measures, the latest WordPress update (5.0) in December 2018 is a major one from a functional point of view. The big change is the replacement of the text editor (where you add content to your pages) with a block editor they’ve named Gutenberg.
Whilst in theory this is a good move, in reality many existing themes and plugins don’t yet work with it.
Most websites automatically updated to WordPress 5.0 in December and this caused chaos. A lot of websites lost functionality, as the new editor was not compatible with the installed theme or some of the plugins, or both.
At Commonsense Marketing, we acted quickly to restore our clients’ sites to version 4.9.9 and disable further auto WordPress updates.
This has been of major concern worldwide, with most professional web management companies indicating they will wait for a few months for WordPress to iron out bugs and improve compatibilities with future version releases.
With the rapid growth in websites has come a proliferation of people starting up website hosting services. Some have grown so large, and so cumbersome to manage, that the quality of service has deteriorated. As with purchasing anything, cheap is not always the best route to go.
Many years ago we started out with a large, cheap hosting company, to keep our costs and our clients’ costs low. Unfortunately the company has had security issues, several incidents of downtime, and a very slow support service that is often delivered by someone who has limited technical expertise.
We’re now moving most of the sites we manage to a premium, WordPress specialty hosting provider, because reliable, fast and secure hosting is critical. Every minute a site is down costs the owner money.
A good quality hosting service should provide the following.
- Daily full site backups (not just the database) and storage of at least a month’s worth of backups, with an easy restoration if needed
- SSL certificates available for every website
- SFTP (secure file transfer protocol) to prevent interception of files during transfer
- Instant support from well trained, helpful technicians
- Instant notification if a plugin is causing security or performance issues
- An easy to use testing environment so you or your webmaster can test plugin updates before going live
- Speed – you need a service that will load your site fast in your main region
- Server maintenance – a host which adequately maintains their servers to ensure attacks are limited
Monitoring and maintenance
As with any piece of equipment with many moving parts, your website needs to be regularly monitored and maintained. It is definitely not a build and forget asset. It’s not up to your hosting service to maintain it; it’s up to you or your webmaster.
At Commonsense Marketing our hosting service includes a Website Care Plan for our clients which covers:
- keeping WordPress software up to date and testing compatibilities in a testing environment
- keeping all the plugin software up to date, and replacing those which are incompatible with the latest WordPress and PHP updates
- running backups daily to an offsite server
- running regular security checks to detect malicious software or brute-force hacking attempts
- running software that helps to speed up the website
- making changes when responsive issues are detected
- checking for broken links and any other issues which affect Google indexing
- checking and deleting spam comments
- ensuring the SSL Certificate remains valid
Your WordPress site is a very valuable asset, which needs to be functional 24/7. We make sure it is.
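One way to automate the "SSL Certificate remains valid" check from the list above, as an added example (not Commonsense Marketing's own tooling): it classifies each certificate by its validity dates so a renewal is flagged before browsers start showing warnings. The 21-day warning window and the sample hosts and dates are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 21  # assumed warning window, not a value from the article


def fetch_cert(host, port=443, timeout=10):
    """Return the certificate a live site presents (needs network access)."""
    ctx = ssl.create_default_context()  # validates the chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _parse(cert_time):
    # getpeercert() dates look like "Mar  1 00:00:00 2025 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def cert_status(cert, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left) for a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    days_left = (_parse(cert["notAfter"]) - now).days
    if now < _parse(cert["notBefore"]):
        return "not-yet-valid", days_left
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def sites_needing_action(certs_by_host, now=None):
    """List (host, status, days_left) for every certificate that is not 'ok'."""
    report = []
    for host, cert in sorted(certs_by_host.items()):
        status, days_left = cert_status(cert, now)
        if status != "ok":
            report.append((host, status, days_left))
    return report


# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERTS = {
    "shop.example": {"notBefore": "Dec  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2025 GMT"},
    "blog.example": {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan 10 00:00:00 2025 GMT"},
}
```

For a live site, pass the result of `fetch_cert("your-domain")` to `cert_status`; if the handshake itself fails with `ssl.SSLCertVerificationError`, that is already a finding to act on.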
What to do now if you’re not sure about your site
If you’re not sure whether your site is secure and complies with the latest security and WordPress updates, please get in touch. We can do a quick audit and let you know if there’s anything that needs doing, or if there are any potential vulnerabilities.