Advanced Ads is restrictive about who can manage ads on your site. By default, this is only the admin. However, allowing all kinds of codes in the Plain Text ad type is still a risky business if you just copy and paste ad codes from external sources. I wanted to use this article to give some advice on how to increase security when handling ads.
Sanitize input data
When you write your own code, especially PHP, make sure that you don’t use data from sources that could be manipulated. At the very least, sanitize these values with the appropriate functions WordPress provides.
You should also be aware that broken PHP code can break the frontend of your website.
If you are not the only one working with ads on your site, you might want to set the ADVANCED_ADS_DISALLOW_PHP constant in your wp-config.php and disable the PHP option completely.
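To illustrate the sanitization advice above, here is an added example that is not code from Advanced Ads. It assumes the snippet runs inside WordPress, for instance in a Plain Text ad with the PHP option enabled; the `src` query parameter, the allow-list values and the example.com URL are constructed for illustration.

```php
<?php
// Added example. Runs inside WordPress, where the helper functions below exist.
// The 'src' parameter, the allow-list and the example.com URL are constructed.

// Risky: request data is echoed straight into the markup, so anyone who
// crafts the link controls part of your page.
// echo '<a href="https://example.com/landing?ref=' . $_GET['src'] . '">Offer</a>';

// Safer: 1) sanitize, 2) validate against known values, 3) escape on output.
$allowed_sources = array( 'newsletter', 'sidebar', 'footer' );

// sanitize_key() lowercases the value and strips everything except a-z, 0-9, _ and -.
$src = isset( $_GET['src'] ) ? sanitize_key( wp_unslash( $_GET['src'] ) ) : '';

// Anything that is not on the allow-list falls back to a fixed value.
if ( ! in_array( $src, $allowed_sources, true ) ) {
	$src = 'sidebar';
}

// Build the URL with the WordPress helper instead of string concatenation.
$url = add_query_arg( 'ref', $src, 'https://example.com/landing' );

// Escape each value for the context it is printed in.
printf(
	'<a href="%s" rel="nofollow sponsored noopener" data-src="%s">%s</a>',
	esc_url( $url ),
	esc_attr( $src ),
	esc_html( 'See the offer' )
);
?>
```

Escaping at output matters even after sanitizing, because the same value needs different treatment in a URL, an attribute and visible text.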
Secure ad networks
The biggest threat when running ads is code from ad networks. There is a new ad network every other day, and it is hard to keep track of all of them. It happened more than once to me as a publisher that an ad network was not delivering the “secure” and “family-friendly” ads they promised in the first place and instead displayed spammy ads to dubious URLs on my websites.
That might not be a security risk to you, but it is to your visitors, who might find your site a non-trustworthy resource when seeing those ads.
Limiting backend access
An obvious suggestion is not to give away backend access easily. I know that we are asking for it from time to time in support to speed up the process of helping you. It is on you to decide whether you trust us with that kind of access.
In any case, you should never give away your personal account details and always create a new username for each entity with only the necessary capabilities. You should also remove the access when the work is done.
Passwords
This is not directly ad-related but could indeed be the reason why your site suddenly shows content that wasn’t there before. When I was still working as a freelancer, I had to clean up multiple sites from malicious code, and it always came through insecure passwords, especially to FTP accounts.
WordPress already suggests better passwords, but make sure you also use complicated and long passwords for FTP accounts.