“Help! My website’s been hacked!” I used to get an email with that subject line or something like it a few times a year. Sometimes these were sites we’d built (ouch!), usually, they weren’t (thank the gods). WordPress, the platform we do most of our web development work in, is far and away the most popular website content management system (CMS) out there, and because of that, it’s a frequent target of hackers who look for holes in the code and then launch attacks to try to exploit those in all sorts of obnoxious ways (think erectile dysfunction ads showing up on your website that targets mostly older women… UGGGHHHHH that was a fun one!).
There are a whole slew of plugins and assorted security measures that we can use to help prevent those, of course, and we’ve always done that, but hackers can still find ways to exploit a vulnerable site. That said, I don’t get those emails nearly as much these days, and that’s for two pretty simple reasons:
- We started insisting that our clients use a quality web host
- We started offering a daily WordPress plugin update service
My understanding of the medieval era (broadly) and its architecture (specifically) is approximately nil and is informed 100% by The Movies, but bear with me for a metaphor moment. Castles have the first line of defense at the outer wall and/or a moat. Then there’s also an inner wall that’s something like a failsafe in case the outer wall/moat is breached. If your website is a castle, then a really great web host is that outer wall and/or moat, and having your code updated daily is that second line of defense – the inner wall. Those two things combined will help you avoid the vast majority of attacks on your site.
So, without questioning my assumptions on castles, let’s get into the details!
Why You Should Avoid Cheap Hosts Like the Plague
You know the truism, “If it’s too good to be true, it probably is”? Well, that goes doubly for WordPress Hosting. You can easily get your WordPress site hosted at any number of places for less than five bucks a month. Heck – I used to host my personal/hobby sites on cheap hosts because I could fix them myself if they got hacked and lost nothing but time if they were. That’s not the case for most of our clients. So when we started New Why, we made sure we recommended a good host to our clients. Now, seven years in, we all but insist on it. When we started up New Why, we opted to go with WPEngine (disclosure: that is an affiliate link, so they’ll know we sent you!), and have never looked back. In fact, we love them so much that we now run all of our new client sites off of servers they provision for us, and recommend them on the regular to other development teams (on the off chance they’re not already using them).
There are dozens of articles out there about why cheap web hosts are such a bad idea – especially for WordPress sites – so I won’t go into too much depth here, but here are some of the big reasons, with the security/hacking related reasons first.
Five Reasons To Upgrade To Managed Website Hosting
Most cheap hosts have fairly basic and untargeted security practices, whereas quality hosts that specialize in WordPress hosting have configured their servers specifically to prevent the most common and current kinds of WordPress hack attacks. To continue the castle metaphor (I’m sorry), maybe when you built your site, the primary threat was foot soldiers, but over time, it might become flying monkeys, at which point your moat won’t do you any good, right? So, great, quality WordPress-specific hosts like WPEngine are always surveying the WordPress hacking landscape and implementing new defenses like, metaphorically speaking, flying monkey defense nets in addition to the traditional moat when needed. Huzzah!
Poor Security Practices
- No Automated Daily Backups With One-Click Restore Options
Not only do these allow you to restore your site to how it was yesterday if all else fails, but these are mega time savers for developers when we need to go in and poke around on your site, too, if you can’t fix it on your own. If your host doesn’t provide these, you’re more likely to lose content, and you’ll probably end up paying for more of a development team’s time to manually bac up the sites when the time comes to fix stuff. You can imagine that adds up and is often more expensive than popping for a host that just takes care of this stuff behind the scenes.
I can’t tell you how many rage screams I’ve silenced while working with cheap web hosts’ “support” techs – and I understand tech speak. I can’t imagine how infuriating this low-quality service must be for folks who are also confused by the subject matter. I get that if you’re going to charge $2.99/month for your service, you’re probably not going to be paying your staff a high wage, so you get what you get, but jeeeeeeez does this end up sucking for the customer who needs help running a malware scan or whatever. You deserve better. We *all* deserve better.
Oh. My. Gawd. Their Tech Support Is TERRIBLE!
- Limited Resources and No Customization
To commodify hosting, you basically need to sell everyone the same thing. These low-resource, cookie-cutter servers may work fine for some folks with some lower traffic sites, but as you build your organization and rely on your website for more and more, you’re likely to outgrow these basic low-rent hosts, either because you require more storage, need to accommodate traffic spikes that fall outside your site’s normal usage or any number of things.
- They’re Just Not That Into You
The way cheap companies have turned hosting into a numbers game, they haven’t commodified web hosting so much as they’ve commodified website owners. Y’all are a dime a dozen, and losing you is sort of irrelevant since they know that next week there will be a handful more folks looking to launch their first website and who don’t know any better. They’re not nearly as interested in your success online as they are in just getting more and more folks like you (before you read this post, of course). It sucks, but it’s true.
Sounds terrible, right? That’s because it is. It really, really is.
Your Inner Wall: Keeping Plugins Up To Date
The second line of defense involves keeping your WordPress core and plugin code up to date. The folks that write the best WordPress plugins are also monitoring the WP hacking threatscape on the regular, and any time they identify a weakness in their code that can be exploited by hackers, they release a new plugin version to patch that vulnerability. Hackers are always looking for those holes and then for the sites that have outdated versions of the plugins where that hole lives. We recently had a client that, ironically, had an outdated version of a WordPress security plugin that was, itself, the source of a hack on their site. Yikes!
If you’ve managed a WordPress website, you know that there’s often (always) an alert on your site admin panel letting you know that you have outdated plugins, etc., and that if you have the fortitude, you can go in and intrepidly click that “Update All” button. And if you don’t have a team like ours managing your site updates, you need to be doing that daily – or at least several times a week. This site is a pretty solid guide on how to update plugins manually. The big risk here is that if you’re doing manual updates, you’ll either not do them often enough or when you do them all at once (like most of us do even though WP tells you to update one at a time… who has time for that?!), that something will break and you’ll have no idea what. And when that happens?
Well, if you have a decent web host, you should be able to login there and restore your site to a recent (hopefully just a few hours old) backup. If not, again, the site linked above also has some good info on how to undo a WordPress plugin update. you’re gonna need a hand. We’re happy to help, but we don’t like putting out fires any more than the next web shop.
And this is why we started offering our clients automated daily plugin updates. On the sites we host, we’re able to run daily updates on those sites, and use visual regression testing (fancy pants way of saying automatic snapshots of the site, taken throughout the update process, compared one to the next) to verify that nothing breaks, and if it does, we’re on hand to fix it before it takes your site offline.
Quality Hosting & Managed Daily Updates: The Best Defense Against Hackers Since 1517 C.E.
Long story short, if you want to keep your website safe from hackers, your best bet is to stop them before they even get in. Having a web host that’s always scanning for and responding to new threats and having your site’s plugins updated daily is your best bet. You can manage that on your own if you have the time, know how, courage, etc, or you can hire a shop like New Why to handle that for you. We’d love to help, and we hope we hear from you!