33% of the web is powered by WordPress. There’s a lot of WordPress sites out there! And because of that, WordPress is a huge target for hackers, and security should be a priority for everyone, even if you’re not a developer.
In this episode, I chat with Jason Cohen, CTO of WP Engine, about WordPress security for beginners.
In my conversation with Jason you will learn:
- The best plugins for keeping your WordPress sites secure.
- How to know if your WordPress site is already hacked.
- What you can do if you think your WordPress site is hacked.
- Pros and cons of the various types of WordPress hosting that are out there. Everything from WordPress.com, to shared hosting, to managed WordPress hosting solutions.
- Jason’s thoughts on WordPress Jetpack, Automattic (the company behind WordPress)’s default WordPress security plugin.
If I have a WordPress site, should I be concerned about it being hacked, and if so, why?
Jason Cohen: Yes. A lot of times, people say “I won’t be hacked because my site’s not important. No one would want to target my site. No one would want to do anything. If they defaced the front page, no one cares really, so I’m not a target.” And that’s a common thought, and it’s also wrong.
When we see people bringing their WordPress sites to us, for example, we find that 12% of them are already hacked. And it’s not true that 12% of them are super high-value targets that a hacker would target on purpose … that’s not what’s going on.
Jason Cohen: So here’s what is going on: hackers want to do something nefarious, and it almost never has anything to do with your site. Because you’re right, they don’t care about your site unless you’re a very high profile type of site, which is a whole other situation.
What they want to do is something else that’s nefarious. Maybe they have fraud ad clicks, maybe they want to send spam emails, maybe attack some other site that is important to them, and so they wish to take over your server and use it to go attack another site. Maybe they want to hide their identity.
Jason Cohen: So what I mean by that last thing is a hacker who wants to go hit again some other actual target that’s not you, but they need to hide who they are. And one way to do that is to take over some random server on the internet, like one that’s hosting your WordPress site, and use that server to do it. So then when the investigation happens, they trace it back to this random server that’s doing nothing interesting, rather than tracing it back to the hacker.
That’s another sort of layer of indirection that makes it harder for investigators to find out who it is. So that’s just a list of three or four things in which it’s useful to the hacker to control your site or your server that has nothing to do with your website.
Jason Cohen: So what the hackers are actually doing is looking for things that they can take over so that they can do the thing that they actually want to do. You could say, “I don’t care, maybe I’ll be a pawn in someone else’s weird game, but whatever.” Or you could say, “Yeah, that’s not good, I want to be part of the solution.”
Ultimately, you can actually be held responsible for things, and you could say, “Well, I’ll defend myself,” and of course you will, you’ll probably be fine. It’ll probably be found that everything is fine, but it’s a lot … This is nothing that you want actually to deal with. This is part of why it’s nice to delegate all the security stuff to someone else so that you can really say, “Look, that’s not even my server, that’s some other company. That’s not mine.”
Jason Cohen: “Ask them.” Because we do this every day. Every day our security team is working on either something that got hacked, and people are using it, or there’s some active investigation that somehow we’re participating in. It’s constant. Now, that’s okay, because that’s our business, so we can handle that, and our customers don’t see that, which is excellent. That’s a value of doing that. But I think more to the point is why is security important and why are you still a target, which you are.
What can you do if your WordPress site has been hacked?
Jason Cohen: So then the question would be like, “Well, what do I do? The hosting company, fine, what else do I do?” There’s a lot of basic tips that you’ve undoubtedly heard before, to have a strong password and so forth, and they’re all right. That’s right, and it’s incredible how much people still don’t do the basic tips.
Chris: Yeah, what, let’s focus on that, what are some of the basic tips for a WordPress site that you want to keep more secure, or make it more secure?
Jason Cohen: One is to have a strong password on all the accounts, and you can enforce that. There are plugins which enforce that everyone has a strong password so that you, the person building this site, don’t have to wonder. Because of course you can’t see other people’s passwords, so how do you know? So what we have to do is enforce it at the time the password is created, since you can’t read passwords after the fact. Of course, if you could, that would also be insecure.
Chris: Is that something you can do, just natively, with WordPress? Or is that a plugin?
Jason Cohen: No. There’s a plugin that will do that.
Jason Cohen: Another thing you can do is use a plugin called Limit Logins. The idea is that if you login incorrectly five or ten times, I think it’s configurable, then you shut off that IP address, or disable logins to that account for a while, like four hours.
Chris: I see.
Jason Cohen: So what that does is … A normal human would almost never run into that, and if they do, it’s not a permanent ban anyway, it’s just an inconvenience. So an average human would never run into that issue, but someone who’s trying to break into an account by trying passwords would run into that, and therefore would not be able to try that many. And if you can only try five or ten per four hours, that’s just not enough for someone to guess the right password.
Jason Cohen: But there’s more. So, there’s actually something even better than strong passwords, which is two-factor authentication. Sometimes it’s abbreviated “2FA”. And this is the thing where you log in, and it says “Yeah, that’s fine, I accept your password, but also, you need to type this six-digit code.” Which you are either getting a text to your phone, or you’re using some app on your phone that’s been configured, and you can type the number that that app says.
So this is what almost everyone is doing. If you get something on Google, an account on Google, for example, they will bother forever to go do this. Most things on the internet, most modern things, I should say, on the internet, do this. And so it’s called two-factor authentication, with the idea being that a factor means something that identifies you as you. So your password is something that identifies you as you.
Jason Cohen: And so the more factors you have, the more secure is the website. Because if someone stole one of the factors, like your password, they still wouldn’t have the second factor, like your phone. And therefore the ability to receive your SMS messages, and thus receive this code that was generated on the spot.
Jason Cohen: So it’s more secure. In fact, if you have two-factor, the strength of the password is not that important. Because they can’t even try once, even if they have the password completely. However strong or weak it is, they still can’t get in because they don’t have access to your phone.
Jason Cohen: So two-factor is really the ultimate way … There are of course more things besides that, but the thing with security is there’s always something else you could do to make it more secure, but also it has negative consequences, usually in the form of being annoying or even locking people out.
In other words, the more defenses you have, the harder for the bad guys to get in, but also the more annoying and harder it is for the good guys to get in. Which, of course, is not a good thing. So you’re often trying to strike this balance between making it hard for the bad guys, and not making it so awful for the good guys.
Chris: So what I’m hearing is that two-factor authentication is very important. That’s maybe the most important. Also having really good passwords, and there are a few plugins that you mentioned, which I’ll put in the show notes on our website at OneMonth.com where people can follow up because I think that would probably be really helpful.
Jason Cohen: For two-factor, a great one is the Google Authenticator.
Jason Cohen: The reason is … it’s worked well for years, so it’s a good thing to rely on. It does the two-factor stuff, it also has backup codes which you need in case you lose your phone, you still need a way in, so it provides that.
And the other nice thing is, there’s the Google Authenticator app, which is available for all mobile devices, and it’s free. And you can use that, you can configure that once, of course, there are instructions on-screen how to do that. It does the thing that I mentioned where when it does challenge you to enter in a six-digit code, you’d pull up the app, and there’s the code.
Jason Cohen: That means there are no text messages, that means you don’t pay for any charges when you get text messages. Some people don’t like that or don’t want that. So it makes a system that is entirely free and is actually even more secure than text messages because of course, text messages can be hacked, too.
Again, that’s probably now a level of worry that’s not necessary for most people, but it is true, and there have been attacks where people have hacked the SMS messages. It does so happen that this is a free method and happens to be even more secure than using text messages, and this authenticator app can be used with any other two-factor system, not just Google or this, but any.
Jason Cohen: So it’s sort of this, “Hey if you get used to this two-factor thing, this can be your one app that has all the stuff.” So that’s actually pretty convenient, compared to … you know, relative to the amount of safety that you get, which is actually quite high. And all free.
Chris: That’s amazing. And we do, in my courses, I always talk about using two-factor but I have not mentioned it for WordPress. So I think that’s such a great addition. And I see that there’s a plugin, which I’ll include the link to, that you can just, I guess, it looks like you can just automatically add it to your WordPress arsenal and then you’re good to go.
Jason Cohen: Yeah.
WordPress.com vs. WordPress.org, what’s the difference?
Chris: Hey Jason, I want to zoom out a little bit because I’m imagining some people listening right now have a WordPress site, but it’s possible that they have it with WordPress.com. And for beginners, sometimes it’s confusing because WordPress.com is … more or less, I would describe it as this way that you can instantly just start a WordPress site.
It’s hosted by Automattic, the company who started WordPress, but there is this whole other world of WordPress, WordPress.org, where you actually kind of have ownership of the code, and for the most part, what we’re talking about right now, is all about that second world. You have ownership over the code, and you are in charge, in a way, and when you’re choosing hosting you’re in some ways delegating who is going to be responsible for the security aspect of your site.
If my site is hosted at WordPress.com can I trust that it is secure?
Jason Cohen: WordPress.com is great, and it is secure, and it’s fast. It’s good stuff. So I think if WordPress.com satisfies all the things you need from a host, that’s a great host. So full stop.
The reason to not use it is not that it’s not a great product, because it is a great product, the reason … And again a lot of people don’t need to leave it, just to be clear. The reasons people do leave it is that they run into something that they want to do, which that hosting platform doesn’t support. And then you either have to decide, “Well I guess I won’t do that,” or “I guess I’ll have to,” as you say, “move to the WordPress.org version,” in which case you own the code and can do whatever you want, including that thing you wanted to do.
Jason Cohen: So, in other words, WordPress.com does not let you change the code. It just enables you to configure whatever is already supported. So the instant you want to add a feature that’s not one of the … that requires even just installing a plugin, not even necessarily writing your own code but just installing a plugin that’s not there yet.
At that instant, you can’t do that. So it has these great attributes of being secure and fast, but that is because the code is fixed and you can configure it but not change the code or plugins.
Chris: It’s very limiting.
Jason Cohen: So it’s limiting. And again, some sites don’t mind having a limit, in which case awesome, right? So at that moment, you go “Oh, shoot, if I want to be able to make sites that behave differently from the sort of very generic, simple sites, then I’m going to have to get into this WordPress.org world.”
And again, there are a million options, and since I’m at a company that’s one of them I don’t want to just do a sales pitch for us, that’s obviously the case that I think we’re great. Hurray. But of course, there are different people that will host WordPress.org stuff for you.
Jason Cohen: So I think that … I think, you know, you could ask, “Is it easy, did they help you migrate the site off of WordPress.com,” because you have all this data, presumably, and maybe some themes, configurations, etc. to help you get it off of there so you can get started on your own. Do you feel that the tech support will be solicitous when you have questions?
Jason Cohen: Some of that is how much you pay, and some isn’t. So for example, you can be sure that if you pay just five dollars a month for a site, they can’t afford to have support people talking to you all the time about everything. Now on the other hand, if you pay a whole lot, maybe they do, or perhaps they just charge a lot, right? It doesn’t automatically follow that the service is great.
But it does follow that if you’re paying almost nothing like a business, they can’t afford to give you huge amounts of server resources to make it fast, they couldn’t afford to have people on the phone with you all the time about stuff. That just wouldn’t be a business, so they can’t be doing that. Whatever they’re doing, it’s not that, right? So it’s somewhat like in life anywhere, sometimes you get what you pay for, but certainly, you don’t get what you don’t pay for. That’s definitely true.
Jason Cohen: So that’s stuff to consider. And again, it may or may not matter. You may say, “Look, it’s a super simple site, I don’t need to call support all the time, I don’t care that much about some of these things, it doesn’t have to be the fastest site in the world, I just need to add this one plugin. So actually, I don’t need all that stuff,” and that’s fine, too.
Again, all these different companies … there are a few exceptions, but mainly they’re all reasonable choices. In other words, trade-offs, just like the security trade-offs. They’re trade-offs, and what do you need, what do you want, what can the client afford, what does the client care about, and that narrows down which types of companies may be right for that site. Including WordPress.com, where if there’s no customization needed, it’s okay.
How do you know if your website, if your WordPress website, has been hacked?
Jason Cohen: There are a few plugins that will scan for things, for example; if you search the WordPress plugin repository for something like “security scanner,” you’ll notice there’s a few that have a lot of downloads, which generally means that’s probably a good one. Or it’s probably one that does something useful.
So for example, some of these plugins will look once a day at all the standard system files, looking for any files that are not standard anymore. In other words, WordPress is about two hundred and fifty PHP files, and a certain version of WordPress, like version “5.3” or something like this, will have a specific set of 250 files of certain content in each one, right? The specific code in each one.
Jason Cohen: So if you know file 103 doesn’t have the right content, that might mean it’s hacked. That might mean there’s alien code in there. And that’s pretty easy to detect, and easy for these tools to fix. Of course, hackers don’t always hack that part of the code, but it’s a good place to start. Another place they often hack is wp-config, wp-config.php, that’s the file that’s in the root which controls the main configuration of WordPress like passwords to the database and stuff like that. That one’s often hacked too, so that’s a place always to keep an eye out.
It’ll look for scary, alien code everywhere, and it has to be a little more advanced to figure out what looks scary and foreign versus what’s normal, even in code that’s not part of the standard WordPress system. Like a plugin that you download from the internet, or even the code you wrote yourself. It scans that as well, so it has to be a little smarter to figure out what looks alien in there.
Jason Cohen: So there are systems like that which, as you can see, are more sophisticated. Of course, all that is work, so it gets back once again to this question of how much effort do you want to put into it? These tools, like the scanners, cost money. So at that point you might say, “Look, if I’m going to spend ‘X’ dollars a month on a server, ‘Y’ dollars a month on the security scanner, ‘Z’ dollars a month on a CDN or caching,” which we didn’t talk about, which is totally fine because security is a perfectly deep thing to mind.
But another one is how do we make things fast, as opposed to how do we make things secure. And there’s a whole other series of things, some of which cost money, so at some point, you might add up all the money and say, “Oh, I should use one of those managed WordPress hosts,” like us or like one of our competitors. Because look, now that thirty-forty dollars a month or whatever it is, you ask yourself “Well if they do all that other stuff for me, which I’d have to buy anyway, and also manage, maybe it’s not such a bad deal after all.”
Jason Cohen: “Because they do a lot of stuff. Maybe I should just let them freaking do it because they’re experts.” And you know, why can we make it for a lower price? Well because, for example, we use security, except we’re able to buy it in massive bulk, so it doesn’t cost the same per site to us as it would, of course, cost you. So, of course, we can bundle that in and make it less expensive in total.
Jason Cohen: Right. So, no kidding right, where we can have a whole security team. How can we do that? Oh because it’s amortized over our one-hundred thousand customers, so that’s why we can afford to do that, whereas you couldn’t have a security team or even one security person, you know if you only ran a few sites. It’s not cost effective. So again, that’s somewhat true of our competitors as well. So you start getting a feel for like, “Oh, okay, that’s a lot of stuff, those quote-unquote ‘managed WordPress’ hosts are doing, that sounds good.”
Jason Cohen: Although it can be fun to work it out yourself as well. It just depends on whether you find that to be fun.
Jason Cohen: For some people, it sounds like a nightmare. They’re like, “No, please take my clients’ money so that I don’t have to do this,” and other people say, they’re kind of DIY-ers or tinkerers, and they say, “That sounds really interesting, and I want to figure that stuff out. And I want to have a server with twenty clients on it and work out how to use all these tools.” And that’s cool! And that’s cool, too.
Chris: That’s awesome.
What is Jetpack? And would you recommend Jetpack?
Jason Cohen: Yeah, I mean one thing, one takeaway, is that there’s no such thing as, “I’ll install this plugin, and then I’m secure.” Right? So again it gets back to tolerance, etc. So you could, for example, decide “I’m going to invest in,”… you could decide, “My philosophy is, I’m going to have a few barriers in place, but ultimately bad guys are probably going to get in.”
So I’ll put up a couple of barriers, but what I really need is monitoring, because they’ll probably get in no matter what I do, and so at some point, and so I need monitoring. So you could decide, “I’m going to invest less in defense and more in monitoring.”
Jason Cohen: Or you could say, “Look, this is important to me, so of course, I’m not going to install one plugin and then not think about security anymore.” So, for example, Jetpack doesn’t do two-factor passwords, which is one of the easiest and most effective things you could do, and they don’t do it, for example.
Chris: That’s a great point.
Jason Cohen: So you can go, “Okay, I’m going to find some information on the web about, like, top ten ways that people get into sites, or even get into WordPress sites. And whatever is on that list, I’m going to defend myself against those ten things.”
Again, I can’t defend against the whole range of everything in the world, but I certainly would feel like I’m just not … I can’t be proud of my work if I don’t seek out the top five or ten things and stop those things, where at least if not stop then seriously mitigate those things. That’s just not caring about security, and I’m going to care.
Jason Cohen: So that would be a way to go. So you can take different philosophies on that. Jetpack is sort of a mixed bag. It’s true that there’s some security scanning, or sometimes they know about vulnerable plugin versions. There are other plugins like Wordfence that also do that, that generally have better databases for those things.
Another thing Jetpack does that’s good is you can turn on auto-updating of plugins. And that’s useful because often when it’s discovered that there’s a security vulnerability, the plugin will have an update pretty quickly, sometimes before it’s announced. And so if you have auto-updating of plugins on, which again is a Jetpack feature, not a WordPress core feature, then you’ll get that patch while you sleep so that your site was vulnerable for the minimum amount of time. So that’s awesome. So that’s a great thing that the Jetpack plugin will do. It really is substantial for security.
Jason Cohen: About once or twice a week, it’s this frequent, a plugin is discovered with a severe vulnerability where there’s thousands, if not millions of WordPress sites affected on the web generally. And generally hundreds, if not thousands, sometimes hundreds of thousands of websites are affected, depending on the scope of the plugin.
So once or twice a week we are pushing out new, some kind of patch on some sort of compromised plugin, to our farm. That doesn’t mean each customer has a vulnerable plugin once or twice a week. It means there is a plugin. So if you’re unlucky and you use that one, then you’ll want to have auto-updated it, or again be at a hosting company that’s doing that for you.
Jason Cohen: So again, Jetpack can help with that, which is great. So the other thing though is that Jetpack has had quite a few vulnerabilities itself. Many of its releases in the last two years are because of a security vulnerability.
So you could say, “Oh well Jetpack is making me less secure,” but I would point out the fact that Jetpack figures this out and patches it means that they are taking security seriously and that makes it a good thing. So you can see how this kind of goes back and forth.
Chris: It’s complicated.
Jason Cohen: It’s difficult, it’s just difficult to navigate this. So I think overall Jetpack probably makes you more secure, especially because of the auto plugin update, that’s probably worth its weight right there. So I think overall that is good. But you cannot say, “Oh, I installed Jetpack, so I’m good to go.” That would not be right either.
Chris: Got it.
Chris: All right, Jason, thank you so much for joining us on the show today. I really feel like I learned a ton about security and WordPress hosting. I really appreciate it.
Jason Cohen: Great, thanks for having me.
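The file-integrity check Jason describes above (comparing each core file against the expected content for that WordPress release, then looking separately at wp-config.php and plugin code that no manifest can vouch for), as an added example that is not part of the interview and is not WP Engine's, Jetpack's or any scanner plugin's code. Everything in it is constructed: the "known-good" files stand in for core PHP files, the manifest is built from them, and the install is a temporary directory seeded with one intact file, one modified file, one missing file, one file that is not part of the release, and a wp-config.php carrying an injected pattern. A real manifest would be generated from a pristine copy of the same WordPress version.

```python
"""
Added example: a minimal file-integrity audit of a WordPress install
against a known-good manifest of SHA-256 hashes, plus a simple pattern
scan of PHP files the manifest cannot cover (wp-config.php, plugins).
All inputs are constructed fixtures so the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the core PHP files of one release.
KNOWN_GOOD = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php\nrequire_once __DIR__ . '/wp-load.php';\n",
    "wp-load.php": "<?php\n// constructed stand-in for wp-load.php\n",
}

# Files a site is expected to have that are not part of the release manifest.
SITE_FILES = {"wp-config.php"}

# Two patterns that commonly mark injected code. A real scanner needs a far
# larger and more careful rule set; this is only to illustrate the idea.
SUSPICIOUS = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(|gzinflate\s*\(\s*base64_decode\s*\("
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each known-good relative path to the SHA-256 of its content."""
    return {name: hashlib.sha256(body.encode()).hexdigest() for name, body in files.items()}


def audit_install(root: Path, manifest: dict) -> dict:
    """Compare an install tree against the manifest.

    Returns sorted relative paths that are modified, missing, unexpected
    (PHP outside wp-content/ that the release does not ship), or match the
    SUSPICIOUS patterns. wp-content/ is skipped for 'unexpected' because
    plugins and themes are never in a core manifest, but it is still scanned.
    """
    report = {"modified": [], "missing": [], "unexpected": [], "suspicious": []}
    present = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        present.add(rel)
        is_php = rel.endswith(".php")
        if rel in manifest:
            if sha256_file(path) != manifest[rel]:
                report["modified"].append(rel)
        elif is_php and rel not in SITE_FILES and not rel.startswith("wp-content/"):
            report["unexpected"].append(rel)
        if is_php and SUSPICIOUS.search(path.read_text(errors="replace")):
            report["suspicious"].append(rel)
    report["missing"] = list(set(manifest) - present)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Seed a constructed install with one of each problem and audit it."""
    manifest = build_manifest(KNOWN_GOOD)
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    # intact core file
    (root / "index.php").write_text(KNOWN_GOOD["index.php"])
    # core file with extra code appended (constructed, inert)
    (root / "wp-blog-header.php").write_text(
        KNOWN_GOOD["wp-blog-header.php"] + "<?php /* constructed injected line */ ?>\n"
    )
    # wp-load.php is deliberately not written, so it shows up as missing
    # site config carrying a pattern the scanner flags (constructed, inert)
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'example');\neval(base64_decode('constructed'));\n"
    )
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "hello.php").write_text("<?php // harmless plugin stub\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "cache.php").write_text("<?php // not shipped in this release\n")
    return audit_install(root, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The manifest comparison catches the easy case Jason mentions (a core file whose content no longer matches the release), while the pattern scan is the "smarter" second layer he describes for files that legitimately differ from site to site; in practice the manifest should be fetched or generated out of band, since a manifest stored on the same server can be edited by whoever edited the files.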
I want to thank Jason for coming on the show. If you’d like to learn more about Jason and his company WP Engine, you can go to WPEngine.com. It’s a rather big company out of Austin, Texas, over 650 people, and they are there to help your company really have an excellent experience with WordPress hosting. So check that out and learn more.
If you’re new to WordPress and you want to kind of just catch up and understand, well, what’s the difference between WordPress.com and org and all these things – I have some free videos on our blog, as well as some blog posts and descriptions and all that, that I’ll link to down below.
If you just want more of a primer on, you know, how you can get a little smarter or more educated about understanding WordPress and the whole world of launching your website off WordPress, I’ll put that link down below. That’s also at our blog at OneMonth.com, where you’ll also find the transcript and all the notes and links from today’s chat. So that’s all at OneMonth.com.
Want more episodes of the Learn to Code Podcast?
And what else … subscribing and rating it and just all of that helps me know that you enjoyed this podcast and tells me to keep making more. So it’s helpful. If you do that, I would say, well, you’re pretty awesome. So yeah, you can reach out to me, I’m on Twitter, I’m @castig, and obviously, we’re at OneMonth.com. If you have any questions, let us know.