Is Your Website Secure? A WordPress Horror Story


Website security is probably not something you’ve thought much about, but website hacking is a major threat to your new business if you decide to go it alone with a custom build or self-hosted WordPress site. This is one of the biggest reasons we believe that using a website builder is a wise choice for first-timers – all the security is taken care of and you’ll never really have to think about it.

Here’s a true story about what can happen if your site gets hacked and what you can do to prevent it happening.

One of the companies who came to us had a particular horror story to tell. They wrote an ‘empowerment’ blog, writing on everything from how to make money online, through to psychology and any topic which the blogger felt could help people get themselves to a stronger position than where they were, be that materially, culturally, socially or even spiritually. They are just an all round good egg… so much so they decided to host a burning social debate being live-streamed by a group of social activists.

Her first mistake was to not get their permission to do so, although, being a group largely consisting of anarchists, it would have been difficult to get a decision in time! So, believing that at least the messages would get to more people, she went ahead and dropped the code into her site to show the debate.

Being Hacked is No Fun at All

Two weeks later, she came back and her site had been hacked. This was in spite of having taken some precautions with the likes of Akismet and one or two other plug-ins for WordPress, not having ‘Password’ as her password AND keeping anti-virus software up to date. The story got worse a few months later, when a so-called web host cleverly deleted six years’ worth of her work online in his efforts to sort out the issues. No backup…

One year on, she came across RealComparisons. She had set up a new blog, but her heart was not in it and she had hit a wall technically. She was being spammed ceaselessly, in spite of filters, and a big mental block was “What if I get hacked again?” She was busy running her business, but not being online was definitely holding her back.

One of the best things about using a Website Builder is that all of the backend security elements are taken care of.

- Mark Knowles,

11 Top Tips for Keeping your Website Secure

UPDATE: Keep your website platform or software updated. Whenever you see reminders to update, don’t procrastinate; your sticking your head in the sand is just what the hackers are on the lookout for.

PASSWORD STRENGTH: Vary your passwords online between different accounts. Don’t use simple passwords like your initials plus ‘1234’, or your dog’s name, or your baby’s. If you have multiple profiles online, hackers can simply put together the pieces of your identity! Would you drop information about yourself on pieces of paper around town? No. Of course you wouldn’t… This is the information highway. Keep yourself safe. If you need help remembering them all, check out ‘Last Pass’ that does the brainwork for you.

KNOW WHO YOU ARE LINKING TO: This is where our website owner above went wrong; she was too trusting of those she saw as her fellow activists! So-called ‘open redirects’ are a common source of hacking. Have you ever clicked a link and been very sorry after? Now think about what those kinds of links can do to your website if you put them there. Link to authoritative or credible sites only.

OPEN ACCESS, suPHP OR SIMILAR: O.K. a little jargon to learn here. Websites often use normal PHP – the code your site is written in. ‘Scripts’ (strings of code) run different software on your PHP site, like videos. With PHP your script is ‘open access’, making you more vulnerable to hacking. Every hacker obstacle helps! It is something worth checking with your website builder if they have other tools e.g. suPHP, FastCGI or mod_ruid2 and how easy these are to work with or if you can expect support on this.

HOST SERVER SECURITY: Some hosts have regular, active server monitoring. You have heard some of the stories of late of how even the big boys are coming under attack. Occasionally some of the successful hacks have happened due to inadequate monitoring of server activity. If you will be running E-Commerce on your site, you need to find out what you can about your host’s good house-keeping if you value your security highly.

VPS: This is another security issue worth checking out. VPS hosting is different to ‘shared hosting’, which is more vulnerable to attack. Separation from other sites makes for added protection. VPS also allows you to create custom firewalls and install other security measures that most hosts won’t allow on shared accounts. Of course, looking into a VPS means you will take a more active role in learning about your website’s security and perhaps pay extra, but measure the cost against the losses incurred when customers lose trust and no longer shop with you online due to bad experiences. Our advice is that VPS is something you should only ‘consider’ if you have the in-house expertise, as there can be a lot involved.

SSL: Think of this as ‘Signed, Sealed and Locked-Down’ (a little more accessible than the techy sounding ‘Secure Sockets Layer’). It is the standard security technology for sending private messages across the net and establishing an encrypted link between a web server and a browser. This should be a standard from your website builder as an added layer of protection for your website. This was another corner cut by our hacked friend. Put it on the list to ask your web builder about. Even if they blind you with science in answering, you might just learn something and at least you have another box ticked.

FTP: This stands for ‘file transfer protocol’. It is a way to upload to the internet and have your customers download securely. The best FTP programs are very user-friendly but work better when your anti-virus is up to date! For instance, if you are using a free FTP program (e.g. FileZilla), a nasty virus picked up because your systems are not regularly updated will look for the file that FileZilla uses to store login credentials so you don’t have to type them in each time. All the information any hacker needs to infect your website with a nasty is right there in a fairly easy to find data file on your computer.

There is another way for hackers to ‘sniff out’ your information. The safe-guards are to use FTPS, SFTP or SSH. We appreciate this is starting to get a little technical here, so here’s a link to a video about FTPS and SFTP for those of you who want to suss this out for yourselves. Alternatively, simply message the Website Builder to ask them how they secure file transfers and let us know how you get on. We’d love to hear about this as it is such a common thing for website owners to offer freebie giveaway downloads!
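To see where you stand on both FTP risks above (saved logins and unencrypted transfers), here is an added example, not part of the original article, that audits a FileZilla-style site list and reports which entries need attention without ever reading the password itself. The XML element names, the protocol codes and the meaning of `encoding="crypt"` are assumptions about the site manager file layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a FileZilla sitemanager.xml (not a real export).
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
    <Logontype>1</Logontype><User>blogadmin</User>
    <Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass><Name>Blog (FTP)</Name></Server>
  <Server><Host>sftp.example.com</Host><Port>22</Port><Protocol>1</Protocol>
    <Logontype>2</Logontype><User>blogadmin</User><Name>Blog (SFTP)</Name></Server>
  <Server><Host>files.example.com</Host><Port>21</Port><Protocol>4</Protocol>
    <Logontype>1</Logontype><User>shop</User>
    <Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass><Name>Downloads (FTPS)</Name></Server>
</Servers></FileZilla3>"""

# Assumed protocol codes: 1 = SFTP, 3 = implicit FTPS, 4 = explicit FTPS.
# Anything else (0 = FTP, 6 = plain FTP only) is treated as not requiring encryption.
ENCRYPTED = {"1", "3", "4"}
SAVED = "password stored on disk in recoverable form"
PLAIN = "protocol does not require an encrypted connection"

def audit_sites(xml_text):
    """Return [(site name, [issues])] for entries worth fixing; never reads the password."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        name = server.findtext("Name") or server.findtext("Host") or "?"
        issues = []
        pw = server.find("Pass")
        # Assumption: encoding="crypt" means the entry is protected by a master password.
        if pw is not None and (pw.text or "").strip() and pw.get("encoding") != "crypt":
            issues.append(SAVED)
        if (server.findtext("Protocol") or "0").strip() not in ENCRYPTED:
            issues.append(PLAIN)
        if issues:
            findings.append((name, issues))
    return findings

if __name__ == "__main__":
    for name, issues in audit_sites(SAMPLE):
        print(f"{name}: " + "; ".join(issues))
```

To check your own setup, pass the text of your own site manager file to `audit_sites` instead of `SAMPLE`; entries it lists are the ones to switch to SFTP or FTPS and to stop saving passwords for.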

REVISIT AND REVIEW: Read all of this again in another year from now and check to see if you have adopted all of the safety measures you can!

BE VIGILANT OR OUTSOURCE YOUR SECURITY: Keep an eye on comments being made on your site. Look out for bits of code that look suspicious; if you are clueless about code, weigh up the potential costs to your business of being hacked versus paying someone to look over your site every month or so.

ASK QUESTIONS AND LEARN: Whether you are a business owner, or an online hobbyist with a sign up facility, security of your data is crucial. With E-Commerce this is not an area to cut corners. Not only is your credibility at stake, but your bank account! Before signing up with any Website Builder, get in touch with them to ask how often they check their servers and update their operating systems and other software.

We would love to hear your horror stories and happy secure endings here on RealComparisons. Drop us a line to let us know which software you use and what you like about it in terms of security features.


Review by Mark Knowles Last Updated 6th May 2014
