WordPress powers more than 20% of the web, or about 75 million sites, and is steadily becoming more pervasive. The massive WordPress community has helped secure the platform by quickly identifying and resolving bugs, glitches, and security flaws. But as WordPress has evolved, so have the abilities of attackers. WordPress security is changing rapidly—here’s what you can do to decrease your vulnerability.
Protecting Yourself Against Hackers
The sheer size of WordPress has made it a huge target for hackers. So it’s important that site owners practice safe security habits, like using strong passwords and installing only trusted plugins and themes. The largest, most established websites have always been better protected than small, personal sites because the stakes are greater for larger companies. Now the fundamentals of WordPress security are rapidly changing, and both personal and established sites are under attack.
Over the past few years, a new threat has been rising: botnets. Botnets are armies of zombie computers that have been infected with a virus or malware. They roam the web looking for the weakest sites to attack. Unfortunately, one of their most preferred targets is WordPress. Botnets prey on sites with bad passwords and broken themes; they also prey on security flaws in old WordPress versions. So, while WordPress is steadily evolving to protect itself from hackers, sites that lag behind in updates are likely to get eaten.
When a botnet breaks into a site, the site becomes a distribution point for whatever malware is powering the botnet. It will then start infecting its visitors and feeding the botnet. With every site it infects, the botnet grows stronger.
How to Stop Them
Security is always a community effort, but botnets reinforce our need to protect the weakest sites in our community. We not only have an obligation to our community; our own safety also depends on the protection of all WordPress users. We can’t just increase the maximum level of security available; we also have to raise our baseline defenses in an effort to provide better protection for everyone.
This is what prompted the automatic updates feature that was added to WordPress 3.7. Offering better security to maintained websites simply isn’t enough; we need to find ways to protect abandoned and infrequently updated sites as well. Automatic updates have been controversial because many people worry that an update might break their site, so they want to test it first. This is scary for the skeptics because automatic updates are the default for all WordPress sites. There is very little reason to fear automatic updates, because the update process is very careful and unlikely to break a site. But for those of you who are still skeptical, have no fear: this feature can easily be turned off.
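For readers who want control without giving up the protection described above, here is an added example (not part of the original post, and not Clef’s or WordPress’s own code) of a must-use plugin that tunes the 3.7 automatic updater: it keeps security and maintenance releases automatic, leaves major releases for a human to test first, and opts plugins and themes in. It assumes a WordPress 3.7 or later install; the file path and the notification address are placeholders.

```php
<?php
/*
 * wp-content/mu-plugins/update-policy.php (illustrative path)
 *
 * Update policy for a site that wants to keep feeding the updater
 * rather than the zombies. Everything here uses filters that the
 * 3.7 automatic updater already provides; the wp-config.php constant
 * WP_AUTO_UPDATE_CORE (true | false | 'minor', default 'minor') sets
 * the starting values that these filters then refine.
 */

// Minor releases are the security and maintenance fixes botnets
// exploit when they are missing. Keep them automatic no matter
// what WP_AUTO_UPDATE_CORE was set to.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Major releases are the ones most likely to break a theme or plugin,
// so they stay manual and can be tried on a staging copy first.
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Development (nightly) builds are never appropriate on a live site.
add_filter( 'allow_dev_auto_core_updates', '__return_false' );

// Plugins and themes are NOT auto-updated by default in 3.7. Stale,
// abandoned ones are exactly the "broken themes" the post describes,
// so opt them in; remove either line if a specific plugin needs a
// manual review process instead.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// The updater emails the site admin with the result of each core
// update. Route that mail to whoever actually reads the inbox so a
// failed update is noticed rather than silently leaving the site old.
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'ops@example.com'; // placeholder address
    return $email;
} );

// The fully-off switch the post mentions, for comparison. Either of
// these disables every automatic update (core, plugins, themes):
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );   // in wp-config.php
//   add_filter( 'automatic_updater_disabled', '__return_true' );
// Only do this if some other controlled process applies updates.
```

Must-use plugins load on every request without activation, so this policy applies as soon as the file is in place.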
Automatic updates help us stop feeding the zombies. Botnets are a serious threat to the WordPress community, no matter how good your security is. The bigger they get, the scarier they are, and 3.7 is a huge step forward in starving their armies.
Check out this WordPress Security Checklist to ensure your website’s safety!
What do you do to protect yourself from hackers?
Brennen Byrne is the CEO and cofounder of Clef, a security plugin for WordPress. He speaks about security across the country with a focus on making security approachable and interesting to non-technical audiences. @brennenbyrne on Twitter.