WordPress : Tales Of The Unexpected


Referring back to an article we wrote at the beginning of January entitled Don't Try This At Home, we talked about the do-it-yourself (DIY) web design market. At MW Web Design, we're not keen on using pre-designed templates, generic themes and open source frameworks (the ones you can download for free, install in five minutes and build your own blog in less than a half a day with). Our website design focus has always been on originality — blending simplicity, uniqueness and effectiveness all together into one.

Needless to say, we're not huge fans of WordPress even though we realize that there's definitely a place for it in today's Internet age (one source states that "WordPress is used by more than 13% of one million of the largest websites on the Internet"). Being so economical, it's the preferred choice of the DIY market, becoming more and more popular as each month goes by. We've seen some absolutely beautiful works of art created by professionals who specialize in using WordPress. Unfortunately, however, if you're considering hiring a friend to create your web presence, you need to be a bit careful these days because it appears as though almost anyone with the slightest bit of WordPress knowledge or experience may consider themselves to be a web designer and a marketing consultant. "Just another WordPress site" — how frequently we see this phrase written across the top of many of the average personal and company blogs we visit on a daily basis.

As economical as it is, WordPress is still technically referred to as a self-hosted blogging tool. Over the years, it has evolved into a content management system and much more through the use of additional software designed to extend its core functionality. If what you're after in a website is the ability to perform updates by yourself (in other words, to post daily and weekly news at your own leisure), remember that the initial thrill of having a blog can wear off really fast. The chore of maintaining a blog can become overwhelming when business picks up and you're too busy to post. How many times have you landed on a blog only to see that the most recent post is six months old? This doesn't look good to a potential customer (ie: "hello, anybody home?"). If your company's Internet presence was built with a blogging tool, be prepared to keep it up to date if you want to get noticed. Not with those two-sentence "Hi, today's a wonderful day! Rejoice! See you again tomorrow!" kinds of posts but with helpful and interesting posts. You can try all the search engine optimization (SEO) you want but there's nothing better than posting regular and informative news and updates for your visitors in order to gain visibility on the Internet.

What really concerns us the most about the average, non-technical user going the WordPress route (often with the help of a friend who's "really good" with computers) is a different story than what we've talked about so far, though. This is a true story which inspired us to write this article in the first place — in the hope of helping others to not make the same mistake as the one which was made here. Below is a screenshot from a colleague's WordPress blog which went up on the Internet just a few weeks ago. From the moment the blog was uploaded to the web, it took less than seven days for the "damage" to be done:

The above screenshot was edited for anonymity, however, the altered links remain intact in order to demonstrate what happened to this particular blog

Our colleague didn't discover the damage — we did. Naturally, our colleague asked "how on earth could this possibly happen to a brand new blog?" Unfortunately, WordPress has become a target for hackers. An old version of WordPress was used by the blog builder who did the work for our friend. And this is almost always where the problem begins — it's why the above blog was "hit" in such a short period of time. Never use an old version of WordPress. Always use the latest version and be very careful with any additional plug-ins you choose to install (do your research first and check out the feedback before using them).

The last major security issue was found in WordPress 2.7 which was released in December of 2008 and although only minimal security issues exist in later versions (the very latest version at the time of writing is version 3.1), there are still many factors which can affect the security of your blog. As of today (March 31st, 2011), there are 263 WordPress-related Security Advisories listed on the Secunia website[1]. Secunia is a company with a serious reputation for identifying and tracking vulnerabilities in computer software.

Since hackers use a number of techniques for gaining unauthorized access to your WordPress blog, here are some guidelines, tips and advice which should help you to keep your blog secure:

1) Many people don't even realize that their blog has been hacked until someone else points it out to them. Go to your blog and monitor your pages every morning and every evening (do this even more frequently if you have the time). Keep a watchful eye on things and don't "advertise" the version of WordPress you're using!

2) If you're technically inclined, analyze your log files and when in doubt, always be sure to contact your web host for advice. If you're on a shared server (like millions of small businesses are), be sure to ask your web host about their security precautions — particularly for free and open source libraries (ie: PHP)[2].

3) Since malware can easily be introduced through a compromised desktop computer, be sure to routinely scan your hard drive using a good anti-virus software application to prevent the possibility of someone stealing your usernames and passwords.

4) Read our Internet Security article from November of 2010 for some tips on securing the client side of your network (we're referring to your home network here).

5) Use strong, complex passwords and change your passwords frequently. Don't use passwords like "admin", "test" or "password"!

6) Be sure that your secret keys are set up (and if necessary, change them).

7) Check your .htaccess file for hacks (again, here's where your web host can be of help if you don't know much about this file — redirect is the keyword).

8) Take a good, close look at your file permissions and database security and make whatever changes are necessary in order to "lock them down".

9) As previously noted, always upgrade your WordPress installation to the very latest version. And don't just stop there. Check for updates regularly — when a newer version is released, upgrade again.

10) Perform regular backups so that you can easily restore your blog in a worst-case scenario. If you don't do this, you'll have to start from scratch which isn't a whole lot of fun (think hard drive crash here — there isn't a great deal of difference between the two).

11) Install and run the WordPress Exploit Scanner which looks for any suspicious files on your blog.

12) If your blog was hacked, this FAQ can help.

There are many other things you need to be aware of when using WordPress. In concluding this article, we'll point you to a page entitled Hardening WordPress which we found to be very helpful. Whether you already use WordPress or if you're simply considering using it, take some time out and have a good look at it.

When it comes to adding a blog to your website, there are other options aside from the blogging tool we've focused upon in this article. If you're interested in adding news updates and blogging features to your website, feel free to call us to discuss these options. We like to keep things simple at MW Web Design — keeping things simple works to your advantage with fewer headaches, very little documentation to read and much less maintenance to be concerned with.

References And Footnotes

[1] Note that these Security Advisories do not all necessarily pertain to WordPress itself — many of them pertain to third-party plug-ins and themes which have been designed to extend WordPress.

[2] You may wish to check out the recommended web hosts at WordPress. You can also have a look at creating a free blog while you're there if you don't need a full web hosting solution.

Blog Articles


Sites Recently Completed Or Updated

Move your mouse over a link below for a web site design preview. Click on a link to visit a web site: