INTRODUCTION: The Dangers of the Internet®

There’s nothing like the launch of your beautiful new WordPress website. Each time you show it off, you get a rush. As the designer, I get my own version of that high as I release my creation into the world.

Unfortunately, the world can be a scary place. Not all the denizens of the web are there to learn something, shop in their underwear, or look at cat GIFs. Some of them mean you, your website, and your customers harm. They exploit weaknesses in code and poor security practices to steal information or simply brag about their feats. Your reputation and revenue are irrelevant to them. At their worst, their entire aim is to lose you money and trash your hard-earned SEO and reputation.


PROBLEM: Everybody Goes After #1

The race between those who seek to protect their sites and those who seek chinks in that armor is intense. WordPress, the most popular Content Management System in the world, runs over 25% of all the websites on the internet. As you can imagine, that means WordPress has a target on its back. If a hacker discovers a vulnerability in WP, s/he can use it on as many as one site in four. That’s a much more efficient use of their time than finding vulnerabilities in other sites one or two at a time.

That same popularity, however, means there’s a thriving developer community who uncover and patch those armor chinks as fast as they can. Security patches crop up for themes, plugins, and the WordPress core with regularity. If you want to avoid getting hacked, you must install those updates.


SOLUTION: Armor Up On the Regular

A website is not a set-it-and-forget-it tool for growing your business. The evolving nature of the web makes that impossible. While it’s natural that your focus shifts to other things after launch, the less you update its vital code elements, the better a target you make.

The very best thing you can do for your site is also fairly simple: keep your code up-to-date. That army of awesome developers releases updates because they found a problem and they worked hard to fix it. Because your WordPress instance is under your complete control, however, they can’t just push it to you. You or your authorized agent needs to install the fix. If you have a managed hosting package with WP core updates included, perhaps that’s one thing you don’t have to worry about. But other aspects of your site, like plugins and theme code, need to be maintained too, and updates are one of the most important ways to keep your armor in high shine.

Until recently, I mentioned but didn’t push my maintenance packages to clients. I work primarily with small businesses and nonprofits. I know they don’t have much money for extra expenses nor time/expertise to do code updates themselves. This double-bind is tough, and I’ve been hesitant to make it tougher by lecturing them about The Dangers of the Internet®.

This hesitancy, I now realize, does them a disservice. Yes, it costs money to buy a maintenance package. But what would it cost to recreate a site from scratch when it’s been infected to the point that it can’t be saved? Ben Franklin was right, “An ounce of prevention is worth a pound of cure.”

[Image: A hacker trumpets that they hacked a site with a custom page.]

EXAMPLE: A Worst Case Scenario (That Wasn’t Even That Bad)

Recently, a client with a website I set up last year was hacked. She had no maintenance package in place and had left her site alone for months. The site hadn’t been kept up-to-date, even though I touched base with her and mentioned it. That’s all one hacker needed. Her site didn’t have e-commerce so it wasn’t a rich target. All the hacker wanted was to gloat. And gloat s/he did, in a static HTML page that took over the domain and featured some truly remarkable design.

I’m only sorry you can’t see the animations looping text across the screen and fanning the flames of the skeleton. Just what upstanding professionals want when they send users to check them out online!

Because neither she nor I checked her site constantly, we’re not sure how long it looked like that. I suspect only a few days but can’t be sure. I was alerted by a potential client who had been browsing my portfolio and followed a link to her site.

I immediately got to work fixing it. Fortunately, it wasn’t a complex hack. I was able to restore the site within an hour. For being a worst case scenario, this wasn’t even that bad.

It can be complicated and time-consuming to restore a hacked site. It might require hiring a separate firm to handle the code clean-up or rehabilitate your domain with search engines and browsers. Hacks that involve malware or phishing software can be flagged by your browser. Your site will not just look hideous but dangerous. Check out the warning from Firefox:

[Image: Firefox Hacking Error Example]

If I were someone who’d just googled you, I’d run and never look back. Google’s process for removing the warning on a flagged domain takes between a few days and weeks to finalize. You can only start the clock after the code is clean, not when you notice the error, so any cleanup time just runs up costs even further.


MAINTENANCE: Make Yourself a Hard Target the Easy Way

Don’t leave your site – the hub of your online presence – to languish on its own. The hit to your reputation and revenue, and the potentially giant clean-up bill, is not worth the few minutes or dollars you save avoiding maintenance.

Step 1: Check your public site at least monthly.

Not just the homepage but all your major pages and perhaps a few blog posts, too. Click around and think like your users.

Step 2: Check your dashboard for updates you need to install at least quarterly.

Do something about pending updates as soon as possible. Either run a backup and update it yourself or outsource this effort to me or another developer. If you outsource it, you don’t have to worry about this step at all.

Step 3: Check your analytics.

If you have Google Analytics or a similar service on your site, take a look at the reports. See how users are browsing your site. If you don’t have this service, consider adding it. It is especially helpful if you have a blog since it improves your understanding of how different posts and themes resonate with users.

The 20 minutes you spend browsing your content and analytics could save you some trouble. Avoid phone calls about old or conflicting policies, alert yourself to bad links on the site, or identify content users are really responding to so you can capitalize and create more of it.
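Step 1 can be partly automated between manual visits. The following is an added example, not part of the original post: it compares a page against a known-good baseline and flags the kind of whole-page replacement described in the hack above. The sample HTML, phrases, and function names are constructed for illustration; in real use the HTML would be fetched from your own pages on a schedule.

```python
import re
from html.parser import HTMLParser

class TitleParser(HTMLParser):
    """Collects the text of the page's <title> element."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title = False, ""
    def handle_starttag(self, tag, attrs):
        self.in_title = self.in_title or tag == "title"
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def fingerprint(html):
    """Reduce a page to stable facts worth comparing between visits."""
    parser = TitleParser()
    parser.feed(html)
    # A live WordPress page references theme/plugin/core assets under these paths.
    wp_assets = len(re.findall(r"/wp-(?:content|includes)/", html))
    return {"title": parser.title.strip(), "wp_assets": wp_assets}

def check_page(url, html, baseline, required_phrases):
    """Return findings for one page; an empty list means it looks normal."""
    findings, now = [], fingerprint(html)
    if now["title"] != baseline["title"]:
        findings.append(f"{url}: title changed to {now['title']!r}")
    if baseline["wp_assets"] > 0 and now["wp_assets"] == 0:
        findings.append(f"{url}: no WordPress assets; page may be replaced by static HTML")
    for phrase in required_phrases:
        if phrase.lower() not in html.lower():
            findings.append(f"{url}: expected phrase missing: {phrase!r}")
    return findings

# Constructed sample pages (not taken from any real site).
GOOD_HTML = """<html><head><title>Example Bakery - Fresh Bread Daily</title>
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<script src="/wp-includes/js/jquery/jquery.min.js"></script></head>
<body><h1>Example Bakery</h1><p>Opening hours: 7am to 3pm</p></body></html>"""
DEFACED_HTML = """<html><head><title>Hacked</title></head>
<body><h1>This site was hacked</h1></body></html>"""
PHRASES = ["Example Bakery", "Opening hours"]

if __name__ == "__main__":
    baseline = fingerprint(GOOD_HTML)  # record once, while the site is known-good
    for name, html in [("good", GOOD_HTML), ("defaced", DEFACED_HTML)]:
        print(name, check_page("https://example.com/", html, baseline, PHRASES))
```

Record the baseline again after any intentional redesign or title change, otherwise the check will flag your own edits.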

Stay Safe Out There, Gang!

The world may not be entirely safe, but you can avoid being entirely vulnerable to its dangers. Godspeed, and let me know if I can help.