
WordPress and Joomla are both very popular content management systems (CMS). They’re used by thousands of our clients and on millions of websites worldwide.

Since they are both so popular they are also very popular targets for hackers. If you can find an exploit that’s likely to work against millions of sites then it’s a lot more “useful” than one that will only work against a small number. That doesn’t mean that either bit of software is “less secure” than anything else, just that they are so popular that they are often targeted.

No system or piece of software that is connected to the internet will ever be 100% secure. If someone wants to gain access badly enough and has the resources, they will eventually find a way in. That’s a reality.

What’s also a reality is that most people’s websites and systems aren’t that “interesting” to hackers. The bulk of attacks on CMS sites are automated and opportunistic: scripts that scan for known, already-patched vulnerabilities in whichever version of the CMS, plugin or theme you happen to be running. So you really need to worry more about those “common” attacks than about a targeted vendetta.

To use a bad analogy, if you leave your front door unlocked then you’re just asking to be burgled. In the case of a CMS powered website (which is most sites these days), not keeping your site up to date is in many respects the online equivalent of leaving the door unlocked, or the car keys in the ignition.

What do you need to keep up to date?

  • the CMS itself, be that WordPress, Joomla or whatever you are using
  • any plugins you’re using
  • any themes you’re using

We’ve shared some tips on WordPress security in the past. James has suggested several plugins that can help you keep your site both up to date and secure.

Another thing to think about is “trimming the fat”.

With WordPress and other CMS it’s often tempting and a bit too easy to install new plugins and themes. While that’s not necessarily a bad thing, any plugin or theme is a potential attack vector, so if you aren’t going to use them then you should remove them. Simply disabling a plugin or theme is not enough: its files stay on disk under your web root, and a vulnerable file can often be reached directly by URL whether or not the CMS has the plugin switched on. You need to remove it completely.
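The update-and-trim routine above, as a small WP-CLI driver script. This is an added example and not code from the original post or from WordPress itself. It assumes the WP-CLI binary `wp` is on the PATH and that the script is run from the site’s web root; the JSON structures it parses are the ones `wp plugin list` and `wp theme list` emit with `--format=json`. The `KEEP_THEMES` allowlist and the sample plugin/theme data are constructed for illustration.

```python
"""Audit a WordPress install with WP-CLI: update what is stale, delete what is unused.

Added example, not part of the original post. Assumes `wp` (WP-CLI) is on PATH
and that we run from the site's web root. Sample data below is constructed.
"""
import json
import subprocess
import sys

# Themes never deleted even when inactive: one stock theme is the safety net
# WordPress falls back to if the active theme breaks. (Assumed local policy.)
KEEP_THEMES = {"twentytwentyfour"}

# Constructed sample of `wp plugin list --format=json` / `wp theme list --format=json`.
SAMPLE_PLUGINS = [
    {"name": "akismet", "status": "active", "update": "available", "version": "5.0"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "contact-form", "status": "inactive", "update": "available", "version": "2.1"},
    {"name": "seo-toolkit", "status": "active", "update": "none", "version": "3.3"},
]
SAMPLE_THEMES = [
    {"name": "mychild", "status": "active", "update": "none", "version": "1.0"},
    # WP-CLI reports the parent of the active child theme with status "parent".
    {"name": "myparent", "status": "parent", "update": "available", "version": "2.4"},
    {"name": "twentytwentyfour", "status": "inactive", "update": "none", "version": "1.1"},
    {"name": "oldtheme", "status": "inactive", "update": "none", "version": "0.9"},
]


def wp_json(*args):
    """Run a WP-CLI list command and return its --format=json output parsed."""
    out = subprocess.run(["wp", *args, "--format=json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def plan_actions(plugins, themes):
    """Turn WP-CLI list output into the ordered list of WP-CLI commands to run.

    Inactive plugins and themes are deleted rather than updated: disabled code
    is still on disk and still reachable over HTTP, so it is removed outright.
    Core is updated first, then active plugins/themes, then the deletions.
    """
    delete_plugins = [p["name"] for p in plugins if p["status"] == "inactive"]
    delete_themes = [t["name"] for t in themes
                     if t["status"] == "inactive" and t["name"] not in KEEP_THEMES]

    # `wp core update` is a no-op when core is already current.
    actions = [["wp", "core", "update"], ["wp", "core", "update-db"]]

    for p in plugins:
        if p["update"] == "available" and p["name"] not in delete_plugins:
            actions.append(["wp", "plugin", "update", p["name"]])
    for t in themes:
        # Covers status "active" and "parent"; deleting a parent theme breaks the site.
        if t["update"] == "available" and t["name"] not in delete_themes:
            actions.append(["wp", "theme", "update", t["name"]])

    actions += [["wp", "plugin", "delete", name] for name in delete_plugins]
    actions += [["wp", "theme", "delete", name] for name in delete_themes]
    return actions


def main(dry_run=True):
    """Print the plan for the live site; execute it only with --apply."""
    plugins = wp_json("plugin", "list")
    themes = wp_json("theme", "list")
    for argv in plan_actions(plugins, themes):
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    main(dry_run="--apply" not in sys.argv)
```

Run it without arguments first to see what it would change; `--apply` executes the plan. Take a backup before applying, since plugin and theme deletion is not reversible from the CMS.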

Our technical team wrote earlier this week about one of the current attacks targeting WordPress powered sites, but it’s not the only one. And it won’t be the last one.

  • Don’t use “admin” – when you install WordPress you need to create an admin user. That user does not have to be called “admin”, and automated login attacks almost always try that username first, so picking a different one costs you nothing and takes away half of the guess.
  • Use a complex password. Not sure how to create one? There are lots of password generators available online. Personally I like using LastPass to generate and store logins securely.
  • Keep up to date (yes, I’ve said that already!)

If you take some relatively simple steps to keep your site up to date and avoid some common mistakes you should be able to avoid serious issues.