number one rule of website security

In case you haven’t noticed, the zombie apocalypse is well underway.  Unattended WordPress websites have been taken over by malicious actors who control botnet gangs that suck the life from their visitors and other blogs.  Zombie sites are used for denial of service attacks on other sites, show unwanted advertisements, and attempt to drop virus files on unsuspecting visitors.  Don’t let your site become a zombie.

From Sucuri’s Hacked Website Report 2017:

“In most instances, the compromises which were analyzed had little, if anything, to do with the core of the CMS application itself but more with its improper deployment, configuration and overall maintenance by the webmasters.”

Sucuri identified three main factors to a site being hacked: improper deployment, not being configured correctly, and lack of overall maintenance.

For most WordPress users, the site is deployed onto a hosted platform, often using an easy install.  This is not the issue.  The deployment issue is tied to the hosting environment, whether it is provided by a hosting service or the site owner manages their own server (virtual or otherwise).

Configuration is done during installation and roll-out, or when new features are added. This is when security features are put in place, whether it be an SSL certificate or a security plugin.

In this article, I’m focusing on the last point, maintenance, which brings us to the Security Codex number one rule of website security:

“The number one rule of website security is that someone needs to be paying attention.”

Being attentive is the opposite of being a zombie.  Let’s look at what paying attention to your WordPress website involves.

Backups

Have you ever written a long essay or letter in your word processor and had your computer crash, restart for updates, or accidentally closed the document without saving?  It is extremely frustrating, and you lose hours of work.  Now imagine how much time and effort you have put into your website and its content.  How long would it take you to recreate your site and all of its content?  You get the idea.  Beyond recovering from a mistake, good backups also let you restore a site to a known good state from before a hack took place.

During regular website maintenance, you should check your backup location to make sure you have not run out of disk space.  You should check the dates of the backups to make sure backups are still occurring at the correct intervals.  Periodically, you should test your backups by restoring the site to a testing, staging, or development environment to make sure that there is no corruption and that all of the needed content is included.
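The routine backup checks described above, as an added POSIX shell example that is not part of the original post. It assumes backups land as files in a single directory; the function names and thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example: maintenance checks for a WordPress backup directory.
# All function names and thresholds are constructed, not from the post.

# backup_is_fresh DIR MAX_AGE_DAYS
# Returns 0 if at least one file in DIR was modified within MAX_AGE_DAYS.
backup_is_fresh() {
    dir=$1; max_age=$2
    [ -d "$dir" ] || return 1
    fresh=$(find "$dir" -maxdepth 1 -type f -mtime "-$max_age" | head -n 1)
    [ -n "$fresh" ]
}

# disk_has_room PATH MIN_FREE_PCT
# Returns 0 if the filesystem holding PATH has at least MIN_FREE_PCT percent free.
disk_has_room() {
    path=$1; min_free=$2
    used_pct=$(df -P "$path" | awk 'NR==2 {gsub("%","",$5); print $5}')
    [ "$((100 - used_pct))" -ge "$min_free" ]
}

# backup_is_sane FILE MIN_BYTES
# Returns 0 if FILE exists and is at least MIN_BYTES (catches truncated archives).
backup_is_sane() {
    f=$1; min=$2
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge "$min" ]
}

# check_backups DIR MAX_AGE_DAYS MIN_FREE_PCT MIN_BYTES
# Runs all three checks, prints one line per finding and returns non-zero
# on any failure, so it can be wired into cron with mail on non-zero exit.
check_backups() {
    dir=$1; max_age=$2; min_free=$3; min_bytes=$4; rc=0
    if backup_is_fresh "$dir" "$max_age"; then
        echo "OK: a backup newer than $max_age day(s) exists in $dir"
    else
        echo "ALERT: no backup newer than $max_age day(s) in $dir"; rc=1
    fi
    if disk_has_room "$dir" "$min_free"; then
        echo "OK: at least $min_free% free on the filesystem holding $dir"
    else
        echo "ALERT: less than $min_free% free on the filesystem holding $dir"; rc=1
    fi
    newest=$(ls -t "$dir" 2>/dev/null | head -n 1)
    if [ -n "$newest" ] && ! backup_is_sane "$dir/$newest" "$min_bytes"; then
        echo "ALERT: newest backup $newest is smaller than $min_bytes bytes"; rc=1
    fi
    return $rc
}
```

A cron entry such as `0 6 * * 1 /path/to/check_backups.sh` with output mailed to a monitored address turns this into the weekly alert the post asks for.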

Updates

Hackers search for sites running old versions of WordPress core and old versions of themes and plugins.  The security holes in those old versions have already been patched, but if you don’t update then you are a sitting duck for the malicious actors.  Of course, in addition to patching security holes, updates also maintain compatibility with WordPress core and add new features.  Maintenance involves keeping WordPress, themes and plugins up to date.

Alerts, Monitoring, Logs

These are set up when the site is configured, but they require someone to keep paying attention.  Are alerts sent to an email address that no one checks?  Has email stopped sending from your site, so that you are no longer getting alerts of contact form submissions?  Do you have up-time monitoring in place?  Do you know how to check the PHP and Apache server logs?  Checking the logs, and checking that the alerts are still in place, is another function of regular maintenance.


Website maintenance can be boring.

We have Alexa and Google Home for our homes, but unfortunately, we don’t have them for our home page … yet.

It’s not too bad if you only have one site, but if you cannot check your site at least once a week then you should either arrange a maintenance plan with a third party or use a managed solution that handles it for you.

People with multiple sites can streamline the process by using management tools like MainWP, ManageWP, or other services that allow you to check and update multiple sites at the same time.

Some of the links in the post above are “affiliate links.” This means if you click on the link and purchase the item, I will receive an affiliate commission. You will still pay the same amount so there is no extra cost to you. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”
