The Grumpy Designer Takes on WordPress Malware
While some professions fade over time, there will always be a need for web designers. Why? Because with each passing year, the job becomes more complex. New responsibilities arrive that extend beyond the reach of automated and no-code tools.
Website security is a prime example. It has always been a concern – even when I started on this path back in the mid-1990s. Back then, the primary concern was a hacked FTP password or an angry ex-colleague defacing/wiping out files. These days, it’s so much more. Kind of like a pesky bug that has morphed into a massive sea monster.
And that monster has fully wrapped its tentacles around this grumpy designer. Work has become a vicious cycle of malware infection, cleansing, and reinfection. Then repeat.
The main target of the monster’s malevolence is WordPress. That shouldn’t come as a surprise, as the content management system (CMS) is constantly under attack. It comes with the territory of powering over 40% of the web.
Sadly, I know I’m not the only one facing this sort of debacle. With that, I wanted to share a few rants, thoughts, and suggestions for putting that monster back in its place.
Being Careful Isn’t Good Enough
The cold reality of website security is that there are no guarantees. Virtually every site can be compromised by malware. It happens to even the most careful among us.
As it applies to WordPress, being careful means keeping a few basics in mind:
- Vetting the theme and plugins we install;
- Routinely applying updates;
- Using secure and complex passwords;
- Hosting the site on a service that takes security seriously;
- Ensuring that file permissions are in line with WordPress recommendations;
- Adding extra layers of defense such as security plugins and firewalls;
While there’s more to it than that, the above actions provide a solid foundation. The idea is to protect against the most basic kinds of attacks. Hopefully it also deters some more complex attempts as well.
The frustrating aspect of this approach is that you’re only as strong as the weakest link in your security. Even reputable plugins can contain security holes. And there is a multitude of vectors an attacker can use to cause trouble – including some that we have no direct control over.
Therefore, being careful isn’t good enough to ward off every attack.
Cleaning up a Hack Is a Drain on Resources
Despite taking steps to avoid security issues, hacks still happen. And when they do, cleaning up the aftermath can be an arduous task.
The process involves identifying any malicious files – including legitimate WordPress core files that could have been modified. Security scanners like those found in the Wordfence plugin can help to identify files, but there are caveats.
If a site’s administrator account has been compromised, or an attacker used a security hole to gain access to the WordPress dashboard – all bets are off. They’d have the ability to deactivate a security plugin. From there, they could wreak all sorts of havoc while staying undetected.
Plus, determining how malware found its way onto your site is rarely simple. I can’t count the number of times I thought I had found the culprit, only to be proven wrong after subsequent infections. It often takes combing through files and studying security blogs to get an answer. Yet some issues can remain a mystery.
Not only is this stressful for everyone involved, but it also hampers your ability to work on other projects. A security breach is an all-hands-on-deck type of situation. If you happen to be a freelancer, then your hands are inevitably tied up with fixing a hacked site.
What Else Can Web Designers Do?
As I previously mentioned, there’s only so much within our control. Web designers can make informed decisions, but our projects can still fall prey to malware. In some ways, it seems like a hopeless situation.
However, security threats aren’t going away. If anything, they’ll continue to grow exponentially. That means we have to keep on trying.
Here are a few strategies that could help:
Become a Plugin Minimalist
While it’s never a good idea to keep unnecessary WordPress plugins installed, it can also be dangerous. That’s why it’s worth removing anything you don’t need.
In some cases, it may be worth creating a barebones custom plugin when possible. Malicious bots attempt to sniff out known vulnerabilities within WordPress core and specific plugins. This may be a way to reduce risk while still maintaining functionality.
Regardless, it’s also a good idea to keep up with what’s happening with the plugins you do install. Make sure they are regularly updated and try to avoid any that are no longer maintained.
Ask Clients to Invest in Security
Security can become a significant part of a web designer’s job. A lot of work goes into strengthening a website and mitigating any issues that arise. But our pricing doesn’t always reflect that reality.
Thus, it makes sense to ask clients to invest in this area. By recommending security-related tools and services, you’re proactively adding extra layers of protection. And by including regular security checks in your maintenance packages, you’ll be keeping a watchful eye on what’s happening.
Another benefit of this strategy is that you’re raising awareness of security. When clients have a better grasp of the subject, they’ll be more likely to take preventative measures.
Make a Plan for Cleanup
It’s safe to say that none of us want to deal with a hacked site. We do everything we can to try and prevent it from happening. And…it happens anyway.
As such, it’s better to prepare for this scenario rather than bury your head in the sand. Develop a process that helps you efficiently clean up a compromised site.
It may not always work the first (or second) time. But each failure is a good learning experience. Eventually, you’ll refine the process and increase your odds of success.
Get Some Professional Help
Managing website security is messy and frustrating – enough to put any of us into therapy. That kind of professional help is always welcome. But it’s not the kind I’m talking about here.
Rather, I’m talking about working with security professionals. For example, services that help to lock down your client’s websites and rid them of any infections.
There’s a cost involved – one that you can pass along to your clients. And it may just save your sanity in the long run.
Malware Chaos Is the New Normal
In some ways, securing a website is like a game of cat-and-mouse. For every gap you close off, another one appears. Malicious actors are constantly evolving their methods for penetrating WordPress and other platforms. And none of us are immune.
This makes our job more difficult and time-consuming. And it also makes website maintenance more expensive for our clients.
Certainly, this is not what I envisioned when I started as a web designer. It’s unlikely that many of us got into this industry because we enjoy cleaning up malware. But like it or not, this is the new normal. And we’re the last line of defense against this proverbial sea monster. We can’t afford to go down without a fight.