Ahh, WordPress. It’s a love hate relationship

Guest Post from our partner, EndLayer.


WordPress is all the fad for websites these days – and really for good reason. It’s free, first of all. It’s easy, there’s a ton of plugins to extend it, and there’s an insanely huge user base for it. We started on WordPress ourselves, even – several years ago. It’s a one-size-fits-most solution that can get you running quickly. Seems awesome, doesn’t it? It is, but it’s not. WordPress’s strengths are unfortunately also its weaknesses.

A person with little to no web experience can install and get WordPress up and running in no time at all. After a while, that person can install plugins to extend functionality, start custom designing some forms, and even sell online – all without leaving WordPress’s admin panel and touching a single line of code. That’s great – for a minute. Fast forward 3 months – that same website that was running awesome, looking great and smelling like a million bucks is now a recipe for disaster.

The problem is that WordPress is open source. It’s great to open up code to the community, but you’re also opening up code to the bad guys. WordPress exploits number in the thousands. It seems a new one pops up daily – one that steals all your customer’s information from your WooCommerce plugin for example. By not staying up to date (and even often that’s not even enough) with WordPress and it’s slew of plugins, your shiny new WordPress site can be a breeding ground for viruses, malware, spam, you name it. We’re not just picking on you, single dude that made a website, we’re picking on you too, Mr. Web Developer Extraordinaire.

We see hacked / exploited WordPress websites all the time. It’s a shame the platform that is so rich in features and usability suffers from being too popular amongst the bad crowds. Don’t give up hope, though!

Here are five  things you can do to keep your WordPress monster happy and healthy:

  1. Update, update, update! As soon as a new WordPress version is released, hackers are going to work to get something on it. By staying up to date, you keep your chances of getting hacked lower because the new versions typically patch the old vulnerabilities.
  2. Use the recommended permissions. Like any web application, it should be locked down as much as possible. This means setting the correct file and folder permissions. For example, wp-config.php should usually be set to 0644 to prevent a random user from seeing your database passwords. The same applies for the wp-content/ directory – set it as low as possible so that a random user can’t upload a malicious PHP file hidden as a JPG. Check out: https://codex.wordpress.org/Changing_File_Permissions for recommended permissions.
  3. Don’t create useless users. Any elevated user (even a writer or editor) can open up the potential for malicious activity – even if it’s not their doing. If their computer is hacked and they don’t know it, an attacker can be stealing your buddy’s username and password right from under him.
  4. Change passwords often and make sure to follow the strength guide. Weak passwords are a very common cause of hacks, and by changing them frequently you minimize the chance of a password leaking out.
  5. Lastly, use security plugins. Plugins like All in One WordPress Security work great and give your site a great level of defense – for free. There are plenty others out there – try them out and see what works best for you. One thing to mention is that we don’t recommend installing more than one at a time – as they can and will interact with each other and cause some problems.

All in all – we don’t hate WordPress. We love the way it helps millions of people get a great website online – after all, the more customers with websites to host the more business we have ourselves as a hosting company. The purpose of this article is to point out the common issues we see with WordPress – hoping that we begin to see less of them. A hacked website is a nightmare for both you and us – we hate to see it happen – and hope this article helps just that!


About EndLayer:

Founded in 2013, EndLayer.com specializes in high performance website hosting. Backed by world-class IT professionals with 40 years of combined industry experience, EndLayer offers some of the fastest shared performance hosting solutions in the world. EndLayer’s focus is not to try and undercut a competitor’s price to win your business. EndLayer is different. By utilizing their in-depth knowledge of websites, e-mail, and e-commerce requirements, EndLayer is able to customize and optimize the best hosting environment for your business. From small to large – local businesses to Fortune 500 – EndLayer has the experience to make IT happen.