In this episode I talk to WordPress security expert Chris Varnom about how to make sure your website is secure. Invariably I see on a monthly (and sometimes weekly) basis reports of author websites being hacked, so I thought this was an important topic to cover on the show.
Tim Lewis: Hi Chris, welcome to the show.
Chris Varnom: Hi, Tim. How you doing?
Tim Lewis: Not too bad. We’re talking about website security today. Why should authors be worried about the security of their WordPress site?
Why is Security Important?
Chris Varnom: Not just authors. It’s anybody, to be fair. I’m guessing that most authors use their WordPress site to provide people with information about themselves, about their current books, their up-and-coming books, etc. Sometimes I think they use the site as a blog as well, to get traffic to the site also. The actual website, their website, it’s very important to them as a person, an individual, and as a business.
In some cases, authors do use their WordPress website as like a store to sell books and stuff like that. I know a lot of authors use Kindle, but some do have an on-site store. If anything were to happen to the website or the store, it could affect the traffic. Could also affect user confidence, because the website’s been hacked. How safe are the credit card details going to be? Those types of things. Also it can affect your Google rankings, as well.
If you get malware on your site, you’ve also got the problem as well, where if you get injected with possible re-directions in the code and stuff like that, your SEO rankings start to be wrong, and your links get sent to other places. Get diverted to porn sites and other dodgy sites. A lot of people obviously, wouldn’t want that to happen because it affects people’s confidence. It also affects your brand.
It’s very important for the security to be on a WordPress website and any website for that matter, to be kept as best it can be. You need to consider that your site is generally a major part of your revenue stream, normally. Every hour that site’s down is another hour where you’re not making money. Also, your readers will look elsewhere, possibly. It begs the question, how much is your website worth to you?
Tim Lewis: What would you say is the most common security issue you see with websites?
Common Security Issues
Chris Varnom: With websites in general, it’s normally the backups, but from a WordPress perspective, it’s generally where people don’t keep their websites up to date. The WordPress version’s not up to date, the plugins, the themes, etc.
Going back to the backup of your site, which is imperative these days, you’ve got the issue where some people do a backup which is great, but they leave the backup on the server. If anything happens to the server, then they lose the backup. Also they lose the site.
They’ve got nothing to go back to. As you can understand, that’s pretty bad practice. My recommendation is that you would have a backup performed regularly. Every day, and the backups are stored in a remote location. Something like Amazon S3, Google Drive, OneDrive, those types of places. Dropbox. The security of the plugins, the themes, the WordPress version and backups are the main issues that I see. So many people don’t do the updates, and they’ve got so much out of date software it’s untrue.
Tim Lewis: Is there any backup software you would recommend like plugins, or anything like that? Also, I suppose some people would ask, why is it important that people have backups?
Recommended Backup Solutions
Chris Varnom: There’s lots of backup solutions out there. Backup Buddy, UpdraftPlus is the one that we use. We use the premium version. All of our client sites are backed up with UpdraftPlus. The backups are actually stored in two remote locations. All the backups are encrypted. One of the backup locations is Amazon S3. The backup plugin of choice from our perspective is UpdraftPlus. UpdraftPlus is well maintained.
It’s got great reviews and has quite a large install base as well, I think. Over a million sites. You can get away with using the free version of UpdraftPlus. It has the provision, I think, to back up to quite a few remote locations. Although if you wanted to say, Amazon S3, then you would have to pay for the premium version because that is a premium option for some reason. Your second part of the question was, why would, what was the second part? Sorry.
Tim Lewis: The second part of the question was, why in your mind, are backups important? How does it make your life easier as somebody trying to recover the site that there are decent backups?
Chris Varnom: Generally speaking, it’s usually you can rebuild the site in a matter of minutes as opposed to having to start again from scratch. With UpdraftPlus for example, if you wanted to restore a site, you just go into UpdraftPlus and click the restore. That restores it back to a particular date. The issue that you’ve got is, if the website has been totally hacked and defaced, and you’ve got no access to those backups, you’ve got no access to UpdraftPlus, you have to build your site up again from scratch.
Install WordPress, install the Updraft plugin, then authenticate it back to wherever your external backup location is and then do your restore. Import the backups, and then do the restore. That can be seen, I suppose, as a technical thing. A lot of people don’t like to get their hands dirty in that respect, and it could be quite confusing. That’s why we offer, and there are other people out there that offer the type of service to help you, get you back up on your feet again very, very quickly.
Tim Lewis: What are the best ways that somebody can make their site more secure, in terms of making sure that they don’t have to end up restoring from a backup?
Keeping your site secure
Chris Varnom: As I previously mentioned, updating WordPress, the themes and plugins, that’s really paramount. As you can understand, any outdated software is possibly an entry point for hackers to gain access to your website. The idea of the updates is that they actually plug holes, which stops the hackers compromising your site. From WordPress version 3.7, WordPress automatically updates itself with minor versions when they’re released, but there is a caveat there. It doesn’t update the major versions.
If it goes from say, 3.7 to 4.0 then you would have to still log into your dashboard. Then click the upgrade, install version 4 of WordPress, unfortunately. Some web hosts do actually do the automatic updates for you with WordPress. I know that SiteGround do. They do them 24 hours after the version’s been released. You also have to look at updating the PHP, the Apache, and also the MySQL server. You need to get the latest versions of those, as well. That’s a bit more tricky.
This is generally done by the web host. There’s quite a few that don’t do it, so it’s worth checking with your host to make sure that you are up to date. If you’re not up to date, ask them to perform an update for you. If they refuse, then maybe it’s time to look elsewhere for your hosting. That obviously is down to budget constraints. The other thing that you should look at, when you’re looking at doing the updates to your themes and your plugins, is the themes and plugins that have sat there deactivated.
Deactivated plugins and themes don’t get updated. If you’re not using them, remove them. Simple as that. Just because they’re deactivated, the software is still installed. That means that people can still gain access to that software even though it’s not activated, because the software is still installed on the server. You should also look at removing old versions of WordPress.
You may find, when you’ve installed a new version of WordPress, that the actual tidy up and cleanup routine has not removed everything that it should have done. The only way to really see if there is anything still there from an update is to log in to your WordPress site using FTP, or go in through the cPanel file manager. You can actually see the folder structure there. In there, you should be able to see folders such as, for example, backup, documents, .old, old WordPress, something like that. If they are there, just delete them.
It’s quite safe to delete them. If you’re unsure about whether you can delete them or not, you can always go back to your host provider support. They should be able to help you understand whether the folders that you think you’ve got an issue with are ones that you can delete. If they are, they should delete them. What other things are there? You should delete your themes, your plugins, and extensions that are not maintained. What else have we got? I’m looking from a software perspective now.
Tim Lewis: Are there any particular kinds of plugins that people should be careful about installing? Is there an issue about having too many plugins making it more vulnerable, or anything like that?
Chris Varnom: Having too many plugins can potentially slow down the responsiveness of your website. That could be deemed not so good in Google’s eyes, because now they are putting some focus on page load speed and things like that, and responsiveness. Too many plugins, it depends. If you’ve got hundreds and hundreds of plugins, then that’s a serious issue. Generally, people have plugins for doing their normal tasks that are required for the website.
As long as everything’s up to date, they shouldn’t have an issue. With regard to other things that you should be looking at with your website to keep everything secure, you should also look at your admin accounts. Some people are using cPanel. Some people are using Plesk, which is a cPanel alternative. Logging into your WordPress, then going into your Users, then the All Users menu. Then clicking on Administrator at the top, you should be able to view all your administrative level accounts.
You should make sure, really, that you can recognise all those different admin accounts that are there. If you don’t recognise an account, then the chances are maybe it’s not an authorised admin account. You may have been hacked. It’s at times like that, when you don’t know, that you either have to contact people like us or your hosting support to try and understand if it is a proper user or it’s a bogus one. You should really delete any admin accounts that are no longer needed.
Then, don’t have an admin. An account called admin. You should rename that as something else. Use a really ambiguous name. Something that no one would guess. We recommend using different letters and numbers, as you would a password. That’s one thing that you should do. You should rename your admin account. Your other thing is, you can actually rename your WP login. There’s plugins available in the WordPress repository. Free plugins that will do that for you.
You also should be using strong passwords. Your strong passwords are the ones where you have upper case, lower case letters, ampersand, star. Those types of characters. Numbers. We used to recommend something around about the 20 characters minimum, for a password. I know that sounds ludicrous. I know that sounds, “Oh, I’ve got to remember another password. How am I going to do this? I can’t have different passwords for all my different accounts.” Yes, you can. There are tools available such as LastPass. There’s also KeePass, 1Password.
Password managers that allow you to generate random passwords and they store them for you. We use LastPass, because you can sync it between all your devices. We also use passwords of 40 characters in length plus. Just because brute-force attacks and dictionary attacks, all those types of things that people are trying to use to gain access to your site, you might think that, “Oh, I’m only an author. I only write a couple of books. I’m not bothered if someone hacks my site. Not bothered, sorry. My site would not be on a hacker’s radar.”
They don’t pick and choose. They just go for anything. They actually do use software to go and find sites that are vulnerable. It’s then reported back to them, and then they use another piece of software to go and start hacking the site. No one’s safe. Doesn’t make a difference who you are. You’ve only got to look at the NHS a few weeks ago with the Ransomware thing. It wasn’t a direct target to the NHS, but other countries and other companies were majorly affected by that. You’ve got to be very, very careful.
Alongside the password is also, we use something called two-factor authentication. Two-factor authentication is where you have a secondary device which you have normally on your person. Normally a mobile phone which runs an app that generates a unique key that’s requested by your site when you go to authenticate, log in to your site. We use the Google Authenticator application. There’s a plugin called Google Authenticator.
I think it’s currently at version 0.48 in the repository. It’s free. Install that. Activate it. Then you need to go and download the Google Authenticator app, which is available free of charge for both your Android or your Apple device. Then what happens is, when you actually go to authenticate your WordPress site in the future, you’ll be asked for the Google authentication code from the app. You would go into your mobile device, get the code and enter the six digit code.
That code is only live for probably 30 seconds. Then it changes. That code, it’s not like the six digit code is the same all the time. It does change, and it rotates. That’s an extra level of security that you can use on your website which would stop your brute-force and dictionary attacks. What other things we can use, that’s probably the easiest way of, without getting too technical. The next thing you can do is by creating rules in your .htaccess file. Now it starts getting really complicated.
It’s probably something that the normal run of the mill user wouldn’t want to get involved with, because if something goes wrong with your .htaccess file, you can be simply locked out of your website. You can never get back in, unless you FTP back into your server and then restore back or change the .htaccess file and remove what you’ve added. It can get quite technical. There’s loads of different things and clever things you can do with your .htaccess files. Very, very clever.
Tim Lewis: I’ve got a slight follow up question. For those maybe more advanced authors and people with virtual assistants and the like, how does authentication work with them? Can they set up multiple people to receive these log in messages? With …
Chris Varnom: The Two-factor authentication?
Tim Lewis: Two-factor, yes.
Chris Varnom: Sorry. Yes. The two-factor authentication is actually activated on a per-user basis. If you wanted to switch it off for your virtual assistant, you can do, but then obviously you leave yourself a little bit open to those accounts being attacked. My recommendation would be to educate the VA to install the two-factor authentication app, so the Google Authenticator, it’s very easy to do. It’s very easy to sync your mobile device with your website so it adds it into the app on the mobile device. You can have multiple Google Authenticator entries.
Say you’ve got one for your WordPress, you’ve got one for your LastPass, because I use two-factor authentication for LastPass. I use it for my KeyCDN, for my content delivery network. I’ve got all these in the actual Google Authenticator application on the mobile device. You scroll through, find the right one, and just punch in the code. It’s quite an easy system to implement. It’s one that is probably, it is one of the easiest things to do without getting too technical.
Tim Lewis: If somebody is looking to hire somebody to deal with their WordPress site for them, what should they be looking for in terms of somebody who’s going to take care of the security for them?
Chris Varnom: This is a very, very difficult question to answer because it’s all down to trust. At the end of the day, it’s all down to trust. You’re looking for a company or a person that specialises in the platform which you want the security to be set upon. Ideally, you’re looking for a company that is trustworthy. Unfortunately, there’s no code of conduct out there. It’s not regulated in any way, so anybody could offer security services. There are a lot of hackers out there that offer security services, believe it or not, because they have the requisite skills to obviously, they know how to break in to sites. Obviously they know how to stop it happening, as well.
Like I say, it’s down to trust. Trust is a huge thing when it comes to security, especially when you’re going to be handing the keys to the kingdom, to them. They will need administrative rights to be able to perform the necessary tasks to lock down your website. As with any business transaction, I’d recommend that you do your due diligence before diving in. Go onto Google, because Google’s your friend. Do a search for that person, that company. See if there’s any bad reviews. Those types of things.
I know that some people don’t have the time to do that, especially if you’ve been hacked you want to get your site back up and running as soon as possible. They don’t have time to go and do the due diligence. That’s hard to say, isn’t it? We’ve been involved in the IT security business since 1999. We weren’t working obviously, with WordPress at that time, but we were working with small to medium size enterprises providing firewall solutions, et cetera. We’re passionate about it. We got involved with WordPress, probably just over four years ago.
We offer specialist solutions to recover websites, also managed security solutions, as well. There are other companies out there. You’ve just got to be very, very careful. Why would you trust me? I don’t know. I’m a nice guy, hey. I don’t know. It’s very, very difficult. Usually you need to do your checks to make sure. Normally people are referred. People have got a good reputation, they’re normally referred by other people but it is difficult. I can’t stress that you need to do the background checks. Google generally, if someone’s done a bad review and you put in scammer or bad reviews for whatever company or person, then it’s going to come up, isn’t it? That’s what normally happens.
Tim Lewis: I’m not going to type in Chris Varnom bad review. If somebody is in the position where they think their site has been hacked, what should they do in the first instance?
What to do if your site is hacked
Chris Varnom: In the first instance has two words. Don’t panic because people, once they start panicking, everything goes to pot. Firstly, do not panic because you may not have been hacked. Your site just may be down. It may be inaccessible. Your web host may be doing some maintenance. The first thing is, don’t panic. The second is, you need to determine if you have been hacked. Generally if you have been hacked, when you visit your website on the main page it sometimes displays something along the lines of, “This site has been hacked by,” such-and-such a body.
Hackers, for whatever reason, are notorious for leaving their names on the first page of the website. They want to be recognised because they’ve done it. That’s obviously a dead giveaway. However, there are the times when someone’s gained access to your site through some dodgy software, software that’s not been updated, and they’ve left some files within your file system which allows them to gain access at a later date. At that point, you don’t really know. It’s very difficult for the layman on the street to determine which files are okay and which files aren’t.
It’s at that point where you will probably get a specialist company in to assist you, to help you. Before you probably do that, you may want to contact your hosting company. It may be easy for your hosting company to recover your website from a backup that’s been done prior. Some web hosting companies do backups and hold backups for 30 days. If you went back to a time when you know that your site was okay and then do the restore, then if it’s available and the main page is back to normal as you would expect, then you can log in to your WordPress dashboard and do all the necessary updates that you need to do.
Removing deactivated themes, deactivated plugins, and get yourself up to scratch from the software update perspective. The next thing that you could possibly do as well is then install a security plugin, if you don’t already have one. There’s many security plugins out there. One that I would probably recommend would be Wordfence. Wordfence is a very good security plugin. However, you need to be careful with Wordfence because when it’s running and when it’s doing scans, it can use a lot of CPU time.
When that happens you may get, especially if you blow out your CPU usage on a particular day, you may get your account locked out until the next day. You’ve just got to be very, very careful with things like that. The other thing, if you are unable to get your site restored by your hosting company, then you have to go back to installing WordPress again. Installing the, if you used UpdraftPlus you can also look into using UpdraftPlus or another backup plugin.
Installing that, then trying to restore your backup from whatever you’ve got. If it’s not been stored on the server and it’s on an external device/remote location, then restoring it from there. Seeing if everything comes back to life then. If it does, then you obviously need to log back in and perform all your updates, making sure that everything’s up to date, removing all the deactivated plugins and themes, et cetera, and doing what we explained previously to make sure that everything is as up to date as possible.
Tim Lewis: I think that wraps up the fundamentals of security, anyway. How can people find out about Chris Varnom and WP Saracen, your company?
Chris Varnom: WP Saracen has a website which is WPsaracen.com. On there is access to, there’s a bit of a bio of me, Chris Varnom. Tells you a little bit more about me. WP Saracen the site, tells you more about us, what we do. Also you can find out about all the different services that we provide to help you get out of the mire, if you ever become stuck. We also offer WordPress maintenance solutions, as well.
We provide a one-stop shop where we take care of everything for you. The security, your WordPress maintenance, everything so you don’t have to worry about the laborious task of updating this, updating that, are my backups being done? Those types of things. You can just focus on what you do best, and that’s writing your books.
Tim Lewis: It was great to have you on the show today, Chris.
Chris Varnom: Thanks. Been great.