What’s Wrong With WordPress?

Why do some people hate or attack WordPress?

Here’s my definitive (and I hope objective) guide to why they’re wrong and what you can do to protect your site from becoming another victim they can trot out as an example.

Whenever someone gets their WordPress site hacked and asks for help, the top commenters tell them that WordPress is flawed and they should switch platforms as fast as they can. Why?

First, you need to research the commenters (which is easy, because many have a solution: “WordPress is bad, but I can fix it for you [DM me for a quote]” or “Never use WordPress, it’s deeply flawed, use this instead – [buy my product or use my affiliate link]”).

OK. I’m being a little cynical, but then I’ve seen enough of these responses so I guess I can be forgiven.

In between those ‘buy me instead’ comments are the odd comments from people who do use WordPress and are never hacked. Their advice is that the culprit will be a rogue plugin you bought via some internet marketer’s get-rich-quick scheme (and it often is).

There are also many other genuine comments, often wrong through ignorance, which I hope this article will clear up. I’ve pointed to sources where relevant; everything else is easy to research should you want to.

There’s one undeniable fact about WordPress. It’s the most used Content Management System (CMS) on the internet (by a long way).

According to W3Techs, the latest research shows that 32% of the web is run on WordPress. In terms of CMS platforms, and to give you an idea of just how far ahead that is, the next CMS contender is Joomla, which represents 3% (that’s still massive in terms of total sites, but tiny in comparison to the dominance of WordPress).

So if one-third of all sites are WordPress powered, it’s no wonder some WordPress sites get hacked.

To use an analogy, take a look at another battle: Windows vs Mac. According to Wikipedia, 75% of computer users use Windows and 20% use Mac. It’s no surprise Windows is hacked more often – if you’re a pirate, you’re always going to go after the biggest pot of gold.

Note: It’s also no surprise that Macs are hacked less often. Since 2001 they’ve been built on a Unix-based foundation (Darwin, with a BSD userland), which has a strong security pedigree, though their smaller market share is the bigger reason, and no operating system is immune.

Who Uses WordPress?

Here’s a brief list of some major sites who use WordPress:

(my question is, if WordPress was so flawed and easily hacked, why do these organisations still entrust their brand, money, and shareholder goodwill to it?)

Note: you can verify the technology behind each site on BuiltWith.com

  1. BBC America
  2. Sony Music
  3. MTV News
  4. Playstation Blog
  5. Beyonce
  6. Sweden (yes, the country’s official global website)
  7. Microsoft News Centre
  8. Walt Disney
  9. Time
  10. Facebook Newsroom
  11. The New York Times (https://www.nytco.com/)
  12. Marks and Spencer for Business
  13. Rotary Club (business portal)
  14. Mozilla
  15. The Rolling Stones

The list of internationally recognised brands using WordPress is massive. Given that it runs one-third of the entire web, it’s no surprise that many famous people, businesses, global organisations and even sovereign countries use it without issue, so hopefully you can begin to see the flaw in the argument that there’s something wrong with WordPress.

If hacking attempts are inevitable simply because of its popularity, there are two further questions to answer:

1. How Do I Stop My WordPress Site From Being Hacked?

Change your hosting provider to a WordPress-friendly one. What does that mean? Many things, but here’s one of them:

Ask the provider if they use cPanel, and if so, ask if they use a dedicated WordPress installer such as Installatron (which has a cPanel plugin option; Installatron works on Plesk too, by the way).

When using Installatron, make sure you turn on ALL the update and backup options. This will keep your WordPress install, your themes and all your plugins up to date automatically and take backups for you in the background (by default you’ll get email notifications every time this occurs, but you can turn those off). One check worth making: point the backups at a location other than your own web space (Installatron and most similar installers can store them remotely), because a backup sitting inside the same account an attacker has already broken into is the first thing they delete or infect.
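If your host doesn’t offer Installatron, or you simply want the same guarantee enforced from inside WordPress, automatic updates can be switched on in code. The following must-use plugin is an added example written for this article; it is not code from the original page, from Installatron or from WordPress.org. It relies only on WordPress’s documented auto-update filters and the DISALLOW_FILE_EDIT constant; the file name wp-content/mu-plugins/site-hardening.php is my own choice (any .php file in that directory is loaded automatically).

```php
<?php
/**
 * Plugin Name: Site hardening (must-use)
 * Description: Added example for this article: keep WordPress core, plugins and
 *              themes patched automatically and remove the in-dashboard code editor.
 *
 * Drop this file into wp-content/mu-plugins/ (create the directory if it does not
 * exist). Must-use plugins cannot be deactivated from the dashboard, so an attacker
 * who only has an admin login cannot simply switch the protection off.
 */

defined( 'ABSPATH' ) || exit; // refuse to run outside WordPress

// 1. Automatic updates for everything, including major core releases.
//    WordPress applies minor (security) core updates by default; these filters
//    extend that to major core versions, plugins and themes.
add_filter( 'automatic_updater_disabled', '__return_false' );
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Remove the Theme/Plugin editor from the dashboard. It lets anyone with an
//    administrator login write arbitrary PHP to the server, which is how a stolen
//    admin password turns into a full site compromise.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 3. Record every automatic update (and every failure) in the PHP error log, so
//    that after an incident you can tell what was installed and when.
//    The hook receives an array keyed by type ('core', 'plugin', 'theme',
//    'translation'); each entry has ->name and ->result (a WP_Error on failure).
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $name   = isset( $update->name ) ? $update->name : 'unknown';
            $status = is_wp_error( $update->result )
                ? 'FAILED: ' . $update->result->get_error_message()
                : 'ok';
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $name, $status ) );
        }
    }
} );
```

Automatic updates occasionally break a site (a theme or plugin release that isn’t compatible with your setup), which is exactly why the backup half of the Installatron settings matters: an update you can roll back in five minutes is a nuisance; a hacked site with no backup is a rebuild.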

The type of hosting is not particularly important; shared hosting (the cheapest) is fine for most sites, but ask how accounts are isolated from one another, because on a badly configured shared server one compromised site can be used to reach its neighbours. After that, your top priority is speed, so choose a provider who talks about speed, and always prefer one who offers solid state drives (SSD) over spinning disks (you’ll know, because they’ll push SSD in their marketing).

At the top end of the market, if you can afford a dedicated managed server, do it. It’s always better than shared (make sure it’s a ‘managed’ server, meaning the host patches and administers the operating system for you, unless you’re a Unix freak or employ one).

The other prerequisite is a TLS certificate (still widely called an SSL certificate, after Secure Sockets Layer, the protocol that TLS replaced). To be clear about what it does: it does not prove your site is secure. It encrypts traffic between your visitors and your server and ties that encrypted connection to your domain name. That’s why your URL starts with HTTPS rather than HTTP and browsers show a padlock instead of a ‘Not secure’ warning, and it’s why Google treats HTTPS as a ranking signal. If you value search engine optimisation (SEO), this is a must; if you ever log in to your own site from a café’s Wi-Fi, it’s a must for a better reason.

Most hosting providers now offer this free using the Let’s Encrypt service. Check first before you sign up.

For the WordPress site itself, the Golden Rule is: avoid all plugins except essential ones. Every plugin is somebody else’s PHP running with full access to your site and its database, so each one you add is attack surface you now have to keep patched. Especially avoid marketing plugins (or plugins that claim incredible or ridiculous things).

The point is, if your words and images are good and your product is strong, you don’t need much else other than a site and a good marketing plan (i.e. a way to identify prospects, find them and talk to them).

What Essential WordPress Plugins Do I Need?

I use themes that have as many of the essential WordPress plugin features built in as possible. This reduces code bloat and helps a site run a little faster.

The problem is, you have no idea whether the theme itself is built with lean code in the first place. With that in mind, here’s a list of my personal must-have WP plugins and why they’re essential (they’re all free, by the way, and where there’s a premium option, you don’t need it):

  1. Google XML Sitemaps by Arne Brachhold. Every site needs a sitemap to help search engines list all its pages. This is a very lean and simple plugin. An alternative is the Yoast SEO plugin, but honestly, if you spend more time focusing on your audience and caring about what you put out for them, you’ll build a stronger business than by focusing on keyword counts and article length. Having said that, Yoast SEO does have a built-in Flesch-Kincaid readability checker, but you can do that easily enough with plenty of other free tools (often built into your word processor too, if you use that to write your articles first; in my opinion, all articles should be written offline in case your internet connection fails. I use Google Docs, which has this feature).
  2. Jetpack by Automattic, the company founded by WordPress co-creator Matt Mullenweg that runs WordPress.com and is one of the largest contributors to WordPress itself; you cannot get more trusted than that. Jetpack is excellent in so many ways (there’s plenty more in the premium version, but honestly you don’t need it). The most obvious thing you’ll love is the built-in analytics: see what’s happening direct from your WP dashboard (you’ll still want Google Analytics, more about that later). It will also compress your images and serve them from Jetpack’s CDN, and so speed up your site loading time.
  3. Google Analytics plugins. There are at least 3 decent options here, but the one I prefer is Insert Headers and Footers by WPBeginner. Unfortunately they haven’t updated it recently, preferring to focus on another option, Google Analytics Dashboard Plugin for WordPress by MonsterInsights (a plugin they acquired in 2016). The third option is Google Analytics Dashboard for WP by ExactMetrics. Insert Headers and Footers is the leanest option with the fewest features, but all we’re after from this plugin is the ability to link our site back to Google for analytical purposes.
  4. WPForms Lite by WPForms. Simple plugin for adding a contact form to your site. Includes integration with Google’s reCAPTCHA tool, which stops automated spamming software from abusing your form.
  5. Redirection by John Godley. At some point you’ll accidentally delete a post or page, or rename an existing one, which will break any external links others have created to it. Visitors following those links (and search engines that listed the page) will get 404 ‘page not found’ errors. The solution is a 301 redirect, which tells browsers and search engines where to go instead. That’s what this plugin does.
  6. LiteSpeed Cache by LiteSpeed Technologies. This will help speed up your site. One caveat: its page cache only works on a LiteSpeed or OpenLiteSpeed web server (another reason to ask your host what they run); on Apache or Nginx only its optimisation features apply. There are plenty of other options, but this is the one I use on most of my sites.
  7. Wordfence Security – Firewall & Malware Scan by Wordfence. Does what it says. The free version is fine. Two settings worth turning on: two-factor authentication for every administrator account, and its login rate limiting (brute-force protection), because a great many WordPress break-ins are nothing cleverer than a guessed or reused admin password.

There are many more helpful plugins, but for the basics (speed, SEO and security) that’s all you need.

2. What Do I Do If My WordPress Site Has Been Hacked?

Don’t panic. The first port of call is your hosting company. Get them to reinstall from the last successful server backup (pre-attack, obviously). Ideally this will be a complete reinstall of your server space, not just your site, in case the malware, or whoever hacked your site, got further than your WP installation. Restoring a backup is only half the job, though: unless you also work out how they got in (usually an outdated plugin or theme, or a guessed password) and close that hole, change every password (WordPress admins, database, hosting control panel, FTP/SSH) and regenerate the secret keys and salts in wp-config.php, the same attacker can simply walk back in the same way.

If you’re quite certain it only affected your site and not your server (I have no idea how anyone could be that certain), and you’re sure it wasn’t already hacked when the last backup was made, then you can try reinstalling that backup. Programs like Installatron make this super simple; as I said earlier, make sure your hosting company supports it.

If you’ve got no backups and your hosting company says it hasn’t got any either, then a) change hosting provider, and b) employ a skilled technician to attempt to restore it for you. If it’s only a matter of a few pages, you will find it far cheaper to redo your site from scratch.

For that reason, I cannot say often enough how important it is that you create ALL your pages and posts in separate software first, then copy and paste into your WordPress site. That’s why I use Google Docs: I get automatic backups of my articles (including revision history) and I know I can recreate anything with relative ease should complete disaster strike.


WordPress is everywhere. WordPress is trusted. WordPress is the most supported platform on the internet bar none. It gets hacked because:

a) People forget to update their installation (there’s no excuse for that as it can be automatically updated for free – see above)

b) People install dodgy plugins not listed in the official WordPress.org directory, or they use plugins with bad reviews, few users or no updates in years

c) It’s the most obvious target for hackers because it’s so popular.

To ensure your WordPress site is as secure and fast as possible:

1. Choose a WordPress friendly hosting company (find out how above)

2. Only use trusted themes and plugins

3. Ensure everything is backed up and updated automatically on a regular basis.

4. Use strong, unique passwords (and two-factor authentication where it’s offered) for every admin and hosting account.

Do that and you’ll be fine – just like all those trusted global names, organisations and countries that have chosen and relied on WordPress since 2003.

