Because the WordPress CMS powers almost a quarter of all websites on the Internet, hacking and security issues are unavoidable: not every site owner is attentive or security focused. Once attackers find a way to breach one of the millions of websites that run WordPress, they start scanning other sites for the same vulnerability.
I want to note that WordPress vulnerabilities go beyond its core engine: most involve the plugins and themes that users install, and other kinds of weakness play a part too. According to Aussie Hosting, 15% of website hacks were due to brute force attacks, while over 65% came from plugin-related issues. This held regardless of whether the site used cheap hosting or a premium hosting option.
Most Common Security Problems
• Brute Force Attacks
Brute force attacks use a try-and-see technique: entering different usernames and passwords again and again until a working combination is found. It is the simplest method of gaining access to a WordPress website.
By default, the WordPress platform does not limit the number of login attempts, so attackers can point bots at the login page. Even when brute force attacks fail, their repetitive nature can overload your server. Some hosting providers suspend your account when it is under a DDoS or brute force attack, especially on a shared hosting plan.
• File Inclusions
The next most common way into your site is exploiting vulnerabilities in WordPress PHP code. This is a very common security problem for webmasters: attackers exploit outdated and vulnerable PHP code to get files of their own included and executed by the site.
• SQL Injections
Most WordPress websites use the popular MySQL database. Attackers find vulnerable sites and gain access to the database through SQL injection, obtaining control over all your data. With SQL injection, attackers can even create new admin accounts to log in to your site. SQL injection is also used to insert new content into the database, such as links to spam or malware-hosting websites.
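As an added illustration (not code from this article or from WordPress), the following Python snippet uses an in-memory SQLite table standing in for wp_users to show the defect behind SQL injection and its fix: the vulnerable function splices the visitor's input into the SQL text, while the hardened one binds it as a parameter, which is what $wpdb->prepare() with %s placeholders does in WordPress. The table rows are constructed sample data.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for the wp_users table, filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)")
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("admin", "admin@example.test"), ("editor", "editor@example.test"), ("author", "author@example.test")],
    )
    return conn


def find_user_vulnerable(conn, login):
    # Vulnerable: the visitor's input becomes part of the SQL text, so a quote
    # character inside it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    # Hardened: the input travels as a bound parameter and is never parsed as SQL
    # (the role $wpdb->prepare() plays in WordPress).
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


def compare(login):
    """Run the same input through both versions; returns (vulnerable_rows, safe_rows)."""
    conn = make_demo_db()
    try:
        return find_user_vulnerable(conn, login), find_user_safe(conn, login)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("editor"))
    # A quote followed by OR is enough to turn the WHERE clause into "always true":
    # the vulnerable query returns every user's e-mail, the safe one returns nothing.
    print(compare("' OR '1'='1"))
```

The same principle applies to every query that touches visitor input: in WordPress code, look for string concatenation into $wpdb->query() or $wpdb->get_results() and replace it with $wpdb->prepare().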
• Cross-Site Scripting
Almost 85% of all vulnerabilities on the Internet involve Cross-Site Scripting (XSS). In WordPress, Cross-Site Scripting issues are most often found in themes and plugins.
In a Cross-Site Scripting attack, the attacker finds a way (possibly with the help of social engineering) to make the victim visit a page that carries malicious JavaScript. The script can download malicious files without the user's knowledge, such as malware that steals data from the browser. One Cross-Site Scripting attack looks like this: a hijacked contact form on your WordPress website sends everything that visitors type into it to the attacker.
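On the defending side, the contact-form scenario comes down to escaping everything a visitor typed before it is written back into a page. The following Python snippet is an added example (not from this article): it renders a form confirmation both unescaped and escaped, with html.escape playing the role that esc_html() and esc_attr() play in WordPress templates. The sample submission is the classic harmless alert(1) probe, constructed for the demo.

```python
import html


def render_confirmation_vulnerable(name, message):
    # Vulnerable: visitor-supplied text is spliced into the page as-is, so any
    # HTML or script inside it is rendered and executed by the next browser.
    return "<p>Thanks, " + name + "!</p><blockquote>" + message + "</blockquote>"


def render_confirmation_safe(name, message):
    # Hardened: escape on output. html.escape(quote=True) neutralises < > & " and ',
    # which covers both text and attribute contexts (esc_html()/esc_attr() in WordPress).
    return ("<p>Thanks, " + html.escape(name, quote=True) + "!</p><blockquote>"
            + html.escape(message, quote=True) + "</blockquote>")


def render_mailto_safe(email):
    # Attribute context: quote=True matters here, because a stray double quote
    # would otherwise end the href attribute and let new attributes in.
    return '<a href="mailto:' + html.escape(email, quote=True) + '">contact</a>'


def contains_active_content(fragment):
    """Check used by the demo: does a raw script tag or inline event handler survive in the output?"""
    lowered = fragment.lower()
    return "<script" in lowered or "onerror=" in lowered or "onmouseover=" in lowered


# Constructed sample submission: the standard harmless XSS probe.
PROBE = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_confirmation_vulnerable("Bob", PROBE))
    print(render_confirmation_safe("Bob", PROBE))
```

Escaping belongs at the output, not at the input: the stored message stays what the visitor wrote, and every place that prints it escapes for the context it prints into.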
• Malware
When we say: “This website is hacked,” we mean that some sort of malware has been inserted into its code. Though there are millions of malware types on the Internet, WordPress is rarely vulnerable to most of them (if you practice regular security updates). The most common WordPress malware infections are:
- Backdoors
- Redirects
- Drive-by downloads
Luckily, these malware types can be identified and cleaned by an antivirus scanner, by hand, or by installing a fresh WordPress version.
What puts your WordPress website at risk?
• Weak Passwords
This issue is easy to avoid. Your admin password should be very strong: a mix of letters, symbols, and numbers. In addition, it should not be used anywhere else.
• Failing to update plugins and themes
Outdated WordPress versions, plugins, and themes often contain vulnerabilities. Publishers often issue new versions precisely because they fix security problems found in the previous code. It is crucial to keep your WordPress website updated.
• Using nulled plugins and themes
Plugins and themes are always potential risk factors. Security best practice is to download and install themes and plugins only from reputable sources such as WordPress.org itself. Stay away from free copies of premium plugins or themes advertised on torrent websites; they almost always contain backdoors.
How to protect your WordPress website
• Use strong passwords
If for some reason you are now using a short password of 6 characters or fewer, change it right now. If you use your current password on other websites or online services, change it right now. If you have been using the same password for about 6 months or more, change it right now.
• Use multi-factor authentication on your WordPress website
Multi-factor authentication is an extra security layer that greatly strengthens the protection of your site. In addition to the login and password pair, an additional code (usually time-sensitive) is required to enter the admin panel. You get this code from an app such as Google Authenticator. Multi-factor authentication is the best way to block attackers from getting through the WordPress login, and it blunts other attacks such as brute force.
• Your WordPress website should be always updated
WordPress developers do their best to protect you from new attacks, but for that you have to install the updates. It is sometimes necessary to install updates on a weekly basis. That is not always convenient, but it is the best way to avoid new WordPress security problems. Do it right now: log in to your website, check for updates, and run any update that is available. Update both the WordPress core and all your themes and plugins.
• Schedule regular virus scans
Catch new and potential infections early by scheduling regular antivirus scans. Many services and plugins offer this feature; they provide detailed reports on your WordPress website's status and also offer blacklisting and whitelisting services. You can also sign up for regular malware scan services with your hosting provider; GoDaddy offers this service.
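Beyond a signature-based antivirus scan, a simple and effective check is to compare the site's files against a known-good baseline of hashes, which catches the backdoors and injected redirects described earlier. The following Python script is an added example (not from this article or from any scanning service): it builds a SHA-256 baseline of a directory tree, reports files that were added, removed or modified, and flags PHP files containing obfuscation idioms typical of injected backdoors. The demo() function builds a constructed mini site tree under a temporary directory; every file's content is a placeholder.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Heuristic signature for obfuscated PHP commonly found in injected backdoors
# (eval/assert wrapped around base64_decode, gzinflate or str_rot13). Not a full scanner.
SUSPICIOUS = re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path with '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def scan(root, baseline):
    """Diff the current tree against the baseline and look for suspicious PHP."""
    current = build_baseline(root)
    report = {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "suspicious": [],
    }
    for rel in sorted(current):
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), "rb") as f:
                if SUSPICIOUS.search(f.read()):
                    report["suspicious"].append(rel)
    return report


def demo():
    """Constructed scenario: snapshot a tiny fake site, tamper with it, rescan."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'placeholder');\n")
        baseline = build_baseline(root)
        # Simulated compromise: a core file is altered, a backdoor-like file lands in
        # uploads/ (its payload is a placeholder string), and a file disappears.
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("<?php /* injected line */ ?>\n")
        with open(os.path.join(root, "wp-content", "uploads", "cache.php"), "w") as f:
            f.write("<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
        os.remove(os.path.join(root, "wp-config.php"))
        return scan(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install or update and stored off the web server, so an intruder who edits files cannot also edit the hashes; a PHP file appearing under wp-content/uploads is worth investigating on its own, since that directory should hold media, not code.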
• Create a backup plan
Your systematic and comprehensive security strategy for the WordPress website should include a thorough backup plan. Enable regular scheduled backups using automatic tools. Be sure to make several backups, and store them both off-site on disconnected flash drives and in cloud services. Write a restore guide for quick recovery in case of a sudden attack.