Over the past week our development team have been fending off a significant cyber security attack on a number of websites we host, part of a worldwide hack attempt affecting over a million websites. In light of the scale and sophistication of this attack, we are no longer recommending WordPress as a website platform.
So what is this hack, why did it affect WordPress websites and what are the alternatives to WordPress?
WordPress is a content management system (CMS), a platform for building websites that can then be edited and updated.
There has been a significant hack attempt on over a million websites which relates to a specific WordPress plugin called File Manager. File Manager was updated with a new security patch just last week, but it seems as if this plugin was compromised before then. This article explains more: https://www.zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/
This particular malware, however has been concealed within image files, making it very difficult to detect - see this article: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hiding-webshell-backdoor-code-in-image-files/
According to ZDNet, 90% of all websites hacked in 2018 were WordPress websites. WordPress is open source software, so the code is freely available online to anyone, including hackers. WordPress also needs to be regularly updated to the latest version - if not, older versions can become vulnerable.
The basic WordPress platform is limited, and most sites rely on multiple 'plugins' for SEO features, forms, editing/design. These plugins are additional software products built by third party developers - and each of these plugins is a potential door into your website for hackers. The more of these plugins you have, the greater the chance of security breaches if these plugins become unsupported, outdated, or if a hacker simply finds a vulnerability.
A design shortcut often used to build quick, cheap websites is to used pre-built themes - these themes are also created by third party developers and can't always be fully relied upon for security. Themes, like plugins, will also need to be updated regularly - and if not they can be compromised.
WordPress is the world's number one website platform - and the combination of possible vulnerabilities together with the fact it is the platform of choice for so many businesses means it is a target for hackers.
Nevertheless, the nature of the WordPress platform, the frequency of hack attempts and the easy access to the code which all hackers have means it is very difficult to ensure 100% security.
As a result, we are advising any WordPress customers or would-be WordPress users to consider switching to a different platform.
There are many other website platforms available. For information-only/brochure websites, alternatives include Drupal, Joomla, Concrete5, Wix, HubSpot, Umbraco and MODX.
For Ecommerce websites, alternative platforms include Shopify, Magento, Opencart, Prestashop and BigCommerce.
We can build and manage websites in most platforms, however we are recommending using a hosted website platform to minimise the risks of attacks on your website and also to provide the best long-term platform for your single most important marketing asset, your website.
In our businesses, we all use hosted, subscription-based software - Office 365, Google Drive, Zoom, Dropbox, Xero, Sharepoint. This type of software does not get out of date, become obsolete or require updating - it is constantly updated and improved as part of the subscription. Hosted website CMS platforms work on the same basis - you pay a monthly or annual fee but then you don't need any maintenance, hosting, or updates. New features are then added and updated over time as the platform improved, and the platforms are constantly updated to be optimised for Google/SEO, for speed, for user experience, and for security.
These platforms are much more secure - the code is not freely available, they have sophisticated security built-in and the don't rely on third-party plugins. There are two platforms in particular which we recommend, HubSpot CMS and Shopify.
Our preferred development platform for information-only/brochure-style websites is HubSpot. A premium platform which starts at £245 per month, HubSpot has no plugins, requires no updates, and has robust security. It has a number of other benefits when compared with WordPress - you can read more in our article comparing WordPress and HubSpot CMS. Beyond security alone, other benefits include:
HubSpot allows you to manage all of your digital marketing, your website, your sales and your customer service - all in one platform. For more information go to HubSpot.com/products/cms or book a meeting with one of our team for a demo and to assess your options.
Shopify is our preferred platform for Ecommerce websites - JDR design and build custom Shopify themes, and Shopify then provides a scalable, powerful hosted Ecommerce website platform. With pricing plans from just $29 a month, Shopify allows you an affordable starting point for a start-up Ecommerce site which can be upgraded and expanded as your online business grows and matures.
In fact, some of the worlds biggest brands build their websites on the Shopify platform, including Heinz, Staples, and Lindt.
If you are thinking about the costs involved in an exercise like migrating your website away from Wordpress, please also consider the cost to your business should a security breach occur on your current set up. Cyber crime is becoming more sophisticated and more main stream. Small businesses are being targeted, it is not just larger firms anymore. If you'd like to consider a new website project, or to migrate an existing website to a hosted CMS platform, then get in touch - you can book a call with us to discuss your options using our online calendar.