It's a jungle out there: Don't leave your WordPress sites in the wild

It’s no wonder security remains such a tough challenge for marketers or developers building a website today—the security landscape is simply a difficult one to navigate. Threats continue to evolve, attacks are more widespread than ever, and cyber criminals are becoming increasingly sophisticated.  

According to a report from cybersecurity firm Imperva, 2018 saw a 23 percent increase in web application vulnerabilities, or attempted cyber-attacks against websites, from the year before. Over a two-year period, that number was up 162 percent. Security should be everyone’s concern as it’s not something that will take care of itself.  

In fact, security is the number one concern among people who elect not to use WordPress, even though it’s the most widely used Content Management System (CMS) in the world. Because WordPress is so popular—it accounts for more than 33 percent of the web and powers a third of the world’s top 100,000 websites—it’s, not surprisingly, also the most targeted CMS when it comes to web application vulnerabilities, including SQL injections, cross-site scripting, HTTP floods and a slew of other attacks.      

There is, of course, a difference between targeted attacks and successful ones. While there is a high number of attempts against WordPress sites in general, attackers tend to succeed when the administration or management of those sites is being neglected—something we refer to as “WordPress in the wild.” This is a scenario where the CMS has effectively been left to run on its own; updates haven’t been made to the latest version of WordPress, or third-party plugins, which sometimes contain vulnerabilities, have been installed. It’s often a combination of both.

Managed WordPress hosting

When WordPress is carefully managed and kept up-to-date, those associated security issues drop off dramatically. At WP Engine, for example, we manage our customers’ WordPress backend so they don’t have to worry about the latest updates. We also keep a running tab of plugins that are not allowed on our customers’ sites, which in many cases is due to vulnerabilities associated with this type of third-party software.

These efforts alone keep many of our customers safe from the vast majority of unsophisticated exploits that may be levelled against their WordPress sites. For protection against more sophisticated bad actors, WP Engine also offers customers integrations with enterprise-grade security solutions, such as our recently-launched Global Edge Security package, created together with leading Internet performance and security company Cloudflare specifically to secure our customers’ WordPress sites.   

Global Edge Security combines the intelligence and expertise accumulated from serving our 90,000 global customers with Cloudflare’s web application firewall (WAF), distributed denial of service (DDoS) protection, content delivery network (CDN) and its global edge network, which spans more than 70 countries. Together, these services help us deliver secure, scalable WordPress sites to our customers and give them peace of mind that they’re being protected against some of today’s most common cyber-attacks, as well as those directed against them by more sophisticated actors.

Today’s security landscape requires an active, vigilant approach if you are going to keep your website safe and secure. Going it alone is an increasingly complex, expensive and risky effort, which is why a growing number of marketers and developers are leaning on WordPress security experts like WP Engine to make sure their sites, and their security, are in good hands.

Fabio Torlini, Managing Director EMEA at WP Engine