Worldwide WordPress Hack - And Why You Should Consider Moving Your Website To A Different CMS
Over the past week our development team have been fending off a significant cyber security attack on a number of websites we host, part of a worldwide hack attempt affecting over a million websites. In light of the scale and sophistication of this attack, we are no longer recommending WordPress as a website platform.
So what is this hack, why did it affect WordPress websites and what are the alternatives to WordPress?
What is the hack?
WordPress is a content management system (CMS), a platform for building websites that can then be edited and updated.
There has been a significant hack attempt on over a million websites which relates to a specific WordPress plugin called File Manager. File Manager was updated with a new security patch just last week, but it seems as if this plugin was compromised before then. This article explains more: https://www.zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/
This particular malware, however has been concealed within image files, making it very difficult to detect - see this article: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hiding-webshell-backdoor-code-in-image-files/
The risks of WordPress
According to ZDNet, 90% of all websites hacked in 2018 were WordPress websites. WordPress is open source software, so the code is freely available online to anyone, including hackers. WordPress also needs to be regularly updated to the latest version - if not, older versions can become vulnerable.
The basic WordPress platform is limited, and most sites rely on multiple 'plugins' for SEO features, forms, editing/design. These plugins are additional software products built by third party developers - and each of these plugins is a potential door into your website for hackers. The more of these plugins you have, the greater the chance of security breaches if these plugins become unsupported, outdated, or if a hacker simply finds a vulnerability.
A design shortcut often used to build quick, cheap websites is to used pre-built themes - these themes are also created by third party developers and can't always be fully relied upon for security. Themes, like plugins, will also need to be updated regularly - and if not they can be compromised.
WordPress is the world's number one website platform - and the combination of possible vulnerabilities together with the fact it is the platform of choice for so many businesses means it is a target for hackers.
How JDR Group limit these risks when building, hosting and managing WordPress websites
- Limiting sites we build ourselves to 3 plugins, hard coding features to minimise third party plugins and software
- Creating custom themes which we build ourselves, rather than using 'off-the-shelf' themes
- Hosting websites in small, containerised groups of 20 sites so that if one site becomes 'infected' the virus spread is limited
- Installing malware and virus protection on our sites and servers
- Monitoring all our sites for any attempted security breaches
- Monthly updates to all plugins
Nevertheless, the nature of the WordPress platform, the frequency of hack attempts and the easy access to the code which all hackers have means it is very difficult to ensure 100% security.
As a result, we are advising any WordPress customers or would-be WordPress users to consider switching to a different platform.
Alternatives to WordPress
There are many other website platforms available. For information-only/brochure websites, alternatives include Drupal, Joomla, Concrete5, Wix, HubSpot, Umbraco and MODX.
For Ecommerce websites, alternative platforms include Shopify, Magento, Opencart, Prestashop and BigCommerce.
We can build and manage websites in most platforms, however we are recommending using a hosted website platform to minimise the risks of attacks on your website and also to provide the best long-term platform for your single most important marketing asset, your website.
Hosted Website CMS Platforms
In our businesses, we all use hosted, subscription-based software - Office 365, Google Drive, Zoom, Dropbox, Xero, Sharepoint. This type of software does not get out of date, become obsolete or require updating - it is constantly updated and improved as part of the subscription. Hosted website CMS platforms work on the same basis - you pay a monthly or annual fee but then you don't need any maintenance, hosting, or updates. New features are then added and updated over time as the platform improved, and the platforms are constantly updated to be optimised for Google/SEO, for speed, for user experience, and for security.
These platforms are much more secure - the code is not freely available, they have sophisticated security built-in and the don't rely on third-party plugins. There are two platforms in particular which we recommend, HubSpot CMS and Shopify.
HubSpot CMS - For Brochure-Style Websites
Our preferred development platform for information-only/brochure-style websites is HubSpot. A premium platform which starts at £245 per month, HubSpot has no plugins, requires no updates, and has robust security. It has a number of other benefits when compared with WordPress - you can read more in our article comparing WordPress and HubSpot CMS. Beyond security alone, other benefits include:
- Integrated CRM system
- Build-in marketing features including pop-ups, calls to action, email marketing, forms, live chat/chat bots
- SEO tools
- Blogging platform
- Dynamic, personalised content - change page layouts, messages and calls to action according to WHO is visiting your site. This allows you to show a different message to an existing customer vs a new visitor, for example - or to show different messages to customers from different industries.
- AB testing - improve how your website performs by testing alternative versions of your pages
HubSpot allows you to manage all of your digital marketing, your website, your sales and your customer service - all in one platform. For more information go to HubSpot.com/products/cms or book a meeting with one of our team for a demo and to assess your options.
Shopify - For Ecommerce Websites
Shopify is our preferred platform for Ecommerce websites - JDR design and build custom Shopify themes, and Shopify then provides a scalable, powerful hosted Ecommerce website platform. With pricing plans from just $29 a month, Shopify allows you an affordable starting point for a start-up Ecommerce site which can be upgraded and expanded as your online business grows and matures.
In fact, some of the worlds biggest brands build their websites on the Shopify platform, including Heinz, Staples, and Lindt.
Is It Time To Move Website Platform?
If you are thinking about the costs involved in an exercise like migrating your website away from Wordpress, please also consider the cost to your business should a security breach occur on your current set up. Cyber crime is becoming more sophisticated and more main stream. Small businesses are being targeted, it is not just larger firms anymore. If you'd like to consider a new website project, or to migrate an existing website to a hosted CMS platform, then get in touch - you can book a call with us to discuss your options using our online calendar.