WordPress hosting is complex. Every WordPress site depends on a stack of software and hardware created by companies and communities with standards and values that are difficult to understand from the outside. This gives rise to misunderstandings and myths, especially where security is concerned.
In this article, we look at some of the most pernicious WordPress hosting myths, with a particular focus on myths that lead to security mistakes.
Small Sites Don’t Get Hacked
The media often reports on significant security breaches where the attacker’s goal seems obvious. The victims store gigabytes of personal data that can be used for identity theft. Many store credit card numbers, which are stolen for obvious reasons. Some attackers are engaged in industrial espionage.
None of that applies to smaller websites with a handful of user accounts: not much useful personal data there. They rarely store credit card numbers, wisely opting to use a payment processor. So why would a criminal invest the effort to hack a small site?
First, it isn’t much of an effort. Most hacking is automated: bots trawl the web for vulnerable sites, compromising them with pre-programmed attacks. The attacker sets his bots loose and waits for the IP addresses to come rolling in.
Second, even a small site is valuable. It has an audience, who can be infected with malware. It can be dragooned into the attacker’s botnet and used to compromise other sites or to take part in DDoS attacks. It can be used for SEO spam. Every website represents a package of bandwidth, storage, and processing power — all of which are useful to criminals.
If It Works, Why Upgrade?
People who don’t spend their lives staring at code on a screen are quite satisfied when technology does what it’s supposed to. They may feel that updates, which bring changes, are an unwelcome disruption. WordPress isn’t hard to learn, but it’s hard enough that the thought of change worries some of its millions of users.
People who use WordPress every day become accustomed to it. They prefer to avoid change for the sake of change, and so they are often reluctant to update. After all, why alter what works?
The developer’s answer to this is two-fold. Software never stands still and has to change to keep up with changes in the world. And, more importantly, updates fix bugs that cause security vulnerabilities. A site that has not been updated for a few months is almost certainly vulnerable. In the previous section, we talked about botnets and automated hacking. It is unpatched content management systems that those bots seek. Eventually, they will find an unpatched site, and it will be hacked.
I’d Know If There Was A Problem
What does a hacked website look like? For the most part, it looks like a website that hasn’t been hacked — especially to its owner. As we have discussed, bad actors breach a website because they want its data, resources, visitors, or SEO potential. If the site owner finds out they have been hacked, the bad actor loses access to those resources. So, they’re sneaky. They try to hide.
If you’re looking closely, you might notice spikes in bandwidth or memory use. If you regularly scan for malware, you might find their malicious code. But if you use the site normally, you’re unlikely to see anything is amiss.
Take SEO spam as an example. When a site is compromised, links to sites the attacker wants to promote are injected into its content. Those links are visible to Google, and they might be visible to ordinary visitors, but they are hidden from people logged in to the site.
That’s why it’s a good idea to regularly scan your site with a tool like Sucuri or Wordfence. They spot malicious code and let you know about it. If you don’t scan, then you are most likely to find out about an attack when Google starts warning your audience that your site is unsafe.
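One way to check for the cloaked SEO spam described above, as an added example rather than code from the original post: fetch the same page as an anonymous visitor and as a logged-in user, then report off-site links that appear only in the anonymous view. It goes slightly beyond the text by also flagging links tucked inside hidden elements; SITE_HOST and both HTML snippets are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"  # hypothetical: host of the site being checked

class LinkCollector(HTMLParser):
    """Collect every href on a page, flagging those inside a visually hidden element."""
    def __init__(self):
        super().__init__()
        self.links, self._stack = [], []  # (href, hidden) pairs; open (tag, hidden) elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style or "hidden" in a
        self._stack.append((tag, hidden))
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], any(h for _, h in self._stack)))

    def handle_endtag(self, tag):
        while self._stack:  # pop to the matching open tag; unclosed void tags drop out on the way
            if self._stack.pop()[0] == tag:
                break

def outbound_links(html):
    """Map each off-site href to True if any occurrence of it is hidden from human visitors."""
    p = LinkCollector()
    p.feed(html)
    out = {}
    for href, hidden in p.links:
        host = urlparse(href).netloc.lower()
        if host and host != SITE_HOST and not host.endswith("." + SITE_HOST):
            out[href] = out.get(href, False) or hidden
    return out

def suspicious_links(anonymous_html, logged_in_html):
    """Off-site links served to anonymous visitors but not to logged-in users, plus hidden ones."""
    anon, auth = outbound_links(anonymous_html), outbound_links(logged_in_html)
    return {"cloaked": sorted(h for h in anon if h not in auth),
            "hidden": sorted(h for h, hid in anon.items() if hid)}

# Constructed sample: the same post as served to an anonymous visitor and to a logged-in user.
ANONYMOUS_VIEW = """<p>Welcome to <a href="https://example.com/about">our site</a>.</p>
<p>See our <a href="https://partner.example.org/guide">partner guide</a>.</p>
<div style="display: none"><a href="http://cheap-pills.invalid/buy">cheap pills</a></div>
<a href="http://casino-spam.invalid/">best casino</a>"""
LOGGED_IN_VIEW = """<p>Welcome to <a href="https://example.com/about">our site</a>.</p>
<p>See our <a href="https://partner.example.org/guide">partner guide</a>.</p>"""
```

A legitimate partner link that appears in both views is not reported; only links that differ between the two views, or that are hidden from people, are flagged for a closer look.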
SSL Keeps Your Site Secure
SSL certificates have two jobs. They enable encryption of data traveling over the network between a server and a browser. And they are used by browsers to verify that they are connected to the host they expect. That’s all SSL certificates do. They are an essential security and privacy tool, but they don’t protect data stored on the site’s server. Nor do they protect a site from attackers seeking to exploit vulnerabilities.
Every WordPress Plugin Is Free
This is a pernicious myth that causes people to download malware-infected plugins. Most WordPress plugins are open sourced under the GPL license. When the developer distributes the plugin, they also distribute the source code. They are required to do so by the license.
Often, open source software is free. It doesn’t cost any money to use. WordPress itself is open source and free. But some open source software is not free to use. Premium WordPress plugins are in this category: they are open source, but the developer expects users to pay a license fee to use the plugin.
When users pay the fee, they get the source code, as required. But open source doesn’t mean the developer has to give everyone the source code — just the people to whom the plugin is distributed, the people who have paid. This is commonly misunderstood. It is perfectly legal to take the code of a premium theme and give it away for free once you have paid for it, but this is discouraged in the WordPress community, for obvious reasons.
You might be wondering what this has to do with security. Bad actors know that people want to use premium plugins without paying for them. So, they take the plugin, add a sprinkling of malware, and give it away for free. These “nulled” or “pirate” plugins contain backdoors and other malicious code. When an unsuspecting WordPress user installs the nulled plugin, they give control of their site to an attacker. Installing pirate plugins on your site is a bad idea.
We’ve covered five common WordPress hosting myths in this post, and there are many more that we might have included. If you’d like to see a follow-up post that dives into more WordPress hosting myths, let us know in the comments.