WordPress is a highly popular platform, and with such a large market share it is a target for hackers. As with anything that is popular, it becomes a target because it presents so many opportunities to attackers.
Many people like to claim that WordPress is a target because it is not secure, but this simply isn't the case. Just like the Windows operating system on desktop computers, WordPress has a large user base, and it is this large user base that makes it a target.
During one of the worst security breaches for WordPress, over 18 million WordPress users were reportedly affected. Data shows that around 73% of well-known WordPress powered websites have vulnerabilities.
What this generally means is that the owners of those sites have either not kept their website up to date, or they have made poor choices during the build process or during security hardening.
In most cases the common attack types on WordPress sites can be effectively combated and prevented. Let's look at these key problems and how you can best combat them.
Most WordPress websites rely heavily on plugins to add functionality to the site. WordPress was designed to be extended, and by nature it relies on third-party developers to create and maintain the range of plugins you can use on your website.
This reliance on plugins is one of the reasons WordPress is so popular, but it is also one of its largest sources of security vulnerabilities. Plugins are generally written with good intentions, but small code-related issues often leave a plugin with a weakness.
On average, anywhere between 50% and 60% of all WordPress-related attacks can be attributed to plugins. This comes down to two key points:
- The developer has nefarious intentions – Where an opportunity exists there are always those who will exploit it, and whilst 99% of plugin developers are not like this, some are.
- The plugin has a code vulnerability – Hackers intentionally look for small pieces of code that create an opportunity to bypass the security of the website.
To prevent this style of attack, follow these few rules and you will be far less likely to be successfully attacked.
- Update Your Plugins Regularly – By updating the plugins on your website on a regular basis (at least weekly) you mitigate your risk of being hacked.
- Use A Security Plugin – Install a security plugin that helps to identify vulnerabilities and protects you, to a point, from exploits targeting those plugins.
- Avoid Using Abandoned / Old Plugins – When you're looking for a plugin to use on your website, check when it was last updated. Does the developer update it regularly? If the plugin has not been updated in the last 12 months there is a major risk it could be vulnerable.
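The two checks behind these rules (is an update pending, and has the developer shipped anything in the last 12 months) are easy to automate. The script below is an added example written for this article, not code from WordPress or any plugin; the plugin inventory is constructed sample data, and the field names (`installed`, `latest`, `last_updated`) are an assumption about how you would collect them (in practice from `wp plugin list` and each plugin's WordPress.org listing).

```python
import re
from datetime import date

# Constructed plugin inventory: sample data only, not taken from any real site.
# Field names are an assumption about how an inventory would be collected.
SAMPLE_INVENTORY = [
    {"slug": "example-seo", "installed": "4.1.0", "latest": "4.2.1", "last_updated": "2023-09-28"},
    {"slug": "example-gallery", "installed": "1.0.3", "latest": "1.0.3", "last_updated": "2021-06-14"},
    {"slug": "example-forms", "installed": "2.8.0", "latest": "2.8.0", "last_updated": "2023-10-01"},
]


def version_tuple(version: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically rather than as strings.

    A non-numeric suffix such as '1.0.3-beta' is ignored for that component.
    """
    parts = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def audit_plugins(inventory, today: date, max_age_days: int = 365) -> dict:
    """Return {slug: [findings]} for every plugin; an empty list means no concern.

    Two findings are possible: an update is pending (installed < latest), or the
    developer has not released anything within max_age_days (12 months by default),
    which is the 'abandoned plugin' signal described in the rules above.
    """
    findings = {}
    for plugin in inventory:
        issues = []
        if version_tuple(plugin["installed"]) < version_tuple(plugin["latest"]):
            issues.append(f"update available: {plugin['installed']} -> {plugin['latest']}")
        last_updated = date.fromisoformat(plugin["last_updated"])
        age_days = (today - last_updated).days
        if age_days > max_age_days:
            issues.append(
                f"stale: last updated {plugin['last_updated']}, {age_days} days ago (limit {max_age_days})"
            )
        findings[plugin["slug"]] = issues
    return findings


if __name__ == "__main__":
    # Run the audit against the constructed inventory as of a fixed date.
    for slug, issues in audit_plugins(SAMPLE_INVENTORY, date(2023, 10, 10)).items():
        print(slug, "OK" if not issues else "; ".join(issues))
```

Run weekly, a report like this turns the "update at least weekly" rule into a concrete to-do list, and the stale check flags a plugin long before it causes a problem.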
Brute Force Attacks
The next most common attack faced by WordPress users is the brute force attack. In a brute force attack a hacker will most likely use a small piece of software that makes hundreds or even thousands of password guesses to try to forcibly access your system.
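Because a brute force attack is nothing more than many login attempts from one place in a short time, it shows up clearly in the web server's access log. The following detector is an added example for this article, not part of WordPress or any security plugin: it reads combined-format access log lines and flags any IP that fails the login form a set number of times inside a sliding window. The log lines are constructed, and the heuristic used to tell a failed login from a successful one (a default WordPress install re-renders `wp-login.php` with HTTP 200 on failure and redirects with 302 on success) is an assumption about default behaviour that you should confirm against your own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access log lines (combined log format). 198.51.100.5 is a user who
# mistypes once and then logs in; 203.0.113.7 hammers the login form.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1543 "-" "-"
198.51.100.5 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
198.51.100.5 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:58:30 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1611 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "ip": match.group("ip"),
        "ts": datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": match.group("method"),
        "path": match.group("path").split("?")[0],  # drop the query string
        "status": int(match.group("status")),
    }


def find_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: time_of_first_alert} for IPs with >= threshold failed logins in a window.

    Assumption: a POST to /wp-login.php answered with 200 is a failed login
    (the form is re-rendered), while a successful login answers with a 302 redirect.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] != 200:
            continue  # 302 (or anything else) is not counted as a failure
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # slide the window forward
        if len(window) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {when.isoformat()} login brute force suspected")
```

The threshold and window are deliberately conservative so that a user who fumbles a password twice is never flagged; a security plugin's login lockout does the same counting in real time, which is why the plugin recommendation above matters.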
This leads back to making sure you have strong login credentials. Believe it or not, one of the worst habits users have is choosing easily guessable usernames such as admin, test or administrator. Aside from easy-to-guess usernames, the next issue is poorly constructed passwords such as 12345, letmein and password.
We recommend using a strong password that contains a good mix of uppercase and lowercase characters, numbers and symbols. An example of a secure password could be AjM45$hit89%# (of course, don't use that one; make your own, or use a website to help you generate a strong password). One such tool is http://strongpasswordgenerator.com/, or you could use the built-in password generator that comes with WordPress itself.
You can always strengthen your login security by adding two-factor authentication such as Google Authenticator. Two-factor authentication makes brute force attacks on your website close to impossible to complete.
WordPress Core Vulnerabilities
Just as it is important to keep your plugins up to date, it is also critical to keep WordPress itself up to date. WordPress itself can be just as vulnerable as the plugins and themes it uses, which is why you should make sure your WordPress installation is running the latest version.
Hackers are always looking for the holy grail of WordPress weaknesses: vulnerabilities in the WordPress core, because any vulnerability in the core opens up the potential to attack every WordPress site running the same version.
Fortunately for us, the WordPress development team and community regularly patch minor and major vulnerabilities. This means that each time a new version of WordPress is released, the bugs and exploits known at that time are typically patched or fixed.
If we could give you one key takeaway from this article, it is to make sure everything is up to date, checking at least weekly. This includes all plugins, the WordPress core and any themes used.
Malware, Phishing and DDoS Attacks
This is not a WordPress-specific issue; it can affect websites of almost every type.
Malware on a website is much like malware on a computer: it is a small piece of software that creates a vulnerability or backdoor into your website.
Phishing, in regard to a website, is where additional content is added in hidden places on your site that impersonates other websites. The most commonly impersonated sites are banks, government departments and billing software platforms. A phishing attack hosted on your website hurts your site's reputation and the reputation of the server it is hosted on, and can lead to being blacklisted by search engines and security companies globally.
DDoS attacks, or Distributed Denial of Service attacks, are where a hacker sends so much fake traffic to your website that your hosting server can't cope and shuts down or crashes. This traffic usually comes from a connected network of already compromised websites and computers that all attack your website at the same time, also known as a botnet.
To mitigate this risk we recommend using good quality hosting and scanning your site regularly for malware. You can scan your website for common security issues using the Sucuri SiteCheck tool at https://sitecheck.sucuri.net/. We also recommend installing security plugins on your website such as Sucuri or Wordfence, both of which are available in the WordPress plugin repository.
Make sure you follow some basic common-sense practices when it comes to securing and protecting your website investment. Yes, keeping on top of security and maintenance for your website can be time consuming. If you don't have the time, you can always look to website designers or developers who offer care and maintenance plans that will look after this for you.