WordPress is currently powering 29% of all websites, making it the most popular Content Management System going. As a result, hackers are constantly looking for new ways to get around WordPress’ security so they can hack as many sites as possible.
This has generated accusations that WordPress isn’t a secure option for brand and businesses to use to build their sites and has spurred on a phobia of being hacked. Sure, sites do get hacked but typically if a site has been hacked the owner has been lackadaisical with managing the site’s security and software updates.
In this article, the most common WordPress security vulnerabilities will be detailed as well as ways to prevent your site from getting hacked, which will hopefully clear up that hack-phobia and put your mind at ease. Although the article is primarily focused on keeping WordPress sites safe, most of the security tips mentioned are relevant to websites and online applications of all sorts.
Why Do Hackers Hack?
If you’re operating an eCommerce site, the motivation of a hacker is obvious. The hacker was likely after your user’s credit card information. However, the motivation of a hacker is not always so clear. If you own a small personal website or a brochure site that holds no sensitive information, then why would anyone bother hacking your site? What could they possibly get out of it?
Botnet: A hacker may be looking to add your website and server to their botnet. A botnet is a collection of hacked machines/servers, which hackers would use to perform DDOS attacks. Distributed Denial of Server (DDOS) attack is an attempt to bring down a website or online service by overwhelming its traffic from multiple sources. The more hacked machines the hacker has in their botnet, the more capable they become in bringing down larger websites and services.
Email Spam: The hacker may be after your email server, using it to send out spam emails by piggybacking on your server’s good reputation to ensure the spam is successfully received by mailboxes.
Vandalism: A hacker may be looking to alter the site’s content to spread their own agenda or political message, which would generally be too extreme or controversial to be posted on conventionally. They may also be just looking to deface the website with inappropriate content, purely for their own enjoyment.
Ransom: Taking a website ransom is a common reason a site may be hacked. The hacker will remove or encrypt the site’s content and replace it with a ransom message, stating they will only restore the website if their demands are met. Money is the prime motivation for the ransom.
E-Commerce: Some may just be trying to piggyback on your website’s visibility in order to sell their products. If you’ve ever seen pages on a trusted website that appear to be selling prescription medications or viagra then, guess what, they’ve been hacked.
Phishing: Phishing involves tricking people into giving out their personal information to what they think is a trusted source. Hackers may look to use your sites good reputation to bait users into giving away personal details by creating dummy forms that send users credentials to their server instead of yours. They may also pepper the site’s content with links to other websites, tricking users away from your site onto their site.
WordPress Security Vulnerabilities
Hackers very rarely personally hack a website themselves, as in, they almost certainly haven’t found your website themselves and thought, “I’m going to hack this site! Mwahahaha!”. The vast majority of hacks are performed automatically by bots.
These bots crawl the web searching for sites and attempt to execute malicious code on these sites. When your site has been hacked, one of the scripts the bot has executed ran successfully because it found a security vulnerability on the site allowing it access to core file and/or the database.
So preventing these bots from hacking your site is a matter of ensuring there are no conditions in which the scripts it executes can run successfully. There are four primary ways in which a bot will be given the opportunity to hack a WordPress website:
A Theme is a code that gives a WordPress website it’s structure, styling, and functionality. Old or unmaintained themes pose a security threat to WordPress sites. Typically, a theme owner will release an update to plug the security vulnerability. However, if a theme has been abandoned by the owner or it hasn’t been kept up to date on your site then you will be more at risk of being hacked.
The best way to prevent this is to ensure your theme comes from a reliable source. Buying a random theme can be risky as you never know when the creator will just stop supporting the theme.
You can also see when a theme was last updated. If it looks like the theme hasn’t been updated in over a year, then that’s a good sign to avoid it. Additionally, try to avoid themes with poor reviews, low star ratings or that have very few reviews and star ratings.
Better yet, have a custom theme built by an agency! It will ensure that your site is well maintained and built to your exact specifications.
Out of Date / Abandoned Plugins
A Plugin is an additional piece of coded functionality that is “Plugged in” to a Theme. There are thousands of plugins available to download and it can be tempting to download plugins on a whim. However, this is unwise as the more plugins a site has, the slower the site becomes and more potential security vulnerabilities emerge. It also makes a site more difficult to maintain since each plugin relies on their creator to update, then you become more reliant on these creators to keep the plugin’s code up to date. If these plugins aren’t kept up to date, you put your site’s security and functionality at risk which is why it is important to not rely on plugins too heavily for general site functionality.
Plugins come in all shapes and sizes, and the amount of access they have to your site can vary from minimal access to full administrative access. This is why it’s very important to keep plugins updated.
Updates to plugins typically won’t include new full-blown features, they are usually bug fixes and security updates and changes to ensure the plugin will function correctly with the most up to date WordPress version.
Out of Date Core WordPress Files
Same as plugin updates, the core WordPress updates include security updates to protect your site against newly discovered security vulnerabilities. For example, at the time of writing this article, the most recent core update (at the time of writing this article) was version 4.9.2. This update included no new features but plugged an XSS vulnerability (Cross-Site Script, which allows hackers to inject malicious code into a site that is viewable by other users). The update also included 21 other bug fixes.
Bad Usernames and Weak Passwords
When a bot finds a login form, it has the ability the make a large number of login attempts in a short amount of time. The bot will typically have a list of the most common usernames and a list of the most common passwords and will attempt to find a valid combination to gain access to your site’s administrative dashboard. This is known as a Dictionary Attack.
If your site has a firewall with the correct configurations, the bot will be limited in the number of login attempts it can perform but it will still be able to perform a few attempts before being blocked. If you have a bad username and weak password, those attempts may be enough to hack your site.
If you see a password you use on this list for ANYTHING then it is highly recommended to change it immediately. Some of the most common passwords include:
The site https://www.f-secure.com/ will automatically generate a strong password for you to use, just be sure to keep note of the password in a secure place.
Same as passwords, using a common username will increase the chance of your site being breached by a Dictionary attack. Common usernames to avoid include:
Statistics from the WPScan Vulnerability database show that plugins account for 54% of all WordPress security vulnerabilities, themes account for 14.5% and the core files account for 31.5%.
This may look like that WordPress is extremely insecure, but preventing these vulnerabilities is simply a matter of keeping your WordPress version, plugins and themes updated. When a hack occurs through these vulnerabilities, it is vastly due to the site’s software not being kept up to date.
Ways to Keep Your WordPress Site Safe
01 Keep Regular Backups of your Site
Keeping regular backups of your site can ensure that in the event your site is hacked, there is a clean version you can revert back to. Once the site is reverted, it is vital to update all the site’s software and change user’s passwords to ensure the site is not hacked in the same way again.
02 Keep all your Themes, Plugins and Core WordPress Files Updated
Keeping your themes, plugins and WordPress version updated will drastically reduce the chance of your site being hacked. For additional security, remove any unused themes and plugins. If they are not being used then they are dead weight as they take up memory and are another unnecessary security vulnerability.
03 Use Secure Usernames and Strong Passwords
Avoid using a weak password and common usernames to reduce the chance your site will be hacked by a Dictionary attack. Some firewalls have the ability to instantly block IP addresses that try to login with common usernames, ensuring malicious bots are instantly blocked from performing more login attempts.
04 Add Two-Factor Authentication
Two-Factor Authentication adds an additional step to the login process. After the correct username and password combination are used, a code will be sent to your phone via text message. After entering the code sent to your phone into the login screen, only then will you be able to access the site.
05 Limit Login Attempts
You can reduce the number of times users and bots can attempt to login after a certain amount of failed attempts. This can typically be configured in most firewalls configurations or is applied automatically.
06 Install an SSL Certificate
An SSL (Secure Socket Layer) Certificate is an online certificate that authenticates a website and allows it to pass sensitive information safely across the Internet. To learn more about SSL certificates, why not check out our article (written by one of the coolest guys I know!) dedicated to teaching you about SSL Certificates here.
07 Changing the Database Prefix
When a WordPress site is set up, there are default configuration options that prefix database names with ‘wp_’. So the options table would be called ‘wp_options’. Any default options on a site are what bots will target first. Changing the default wp_ database prefix to something unique is a quick and easy way to increase your site’s security.
08 Removing Inactive Administrative User Accounts
Not removing an administrative user that is no longer in use is just adding on to the chances of your site being hacked, especially if the user has a weak password and bad username.
09 Install a Firewall
Having a reliable firewall installed on your site is key to keeping your site safe from hackers. Firewalls will intercept traffic to your site before it reaches the site’s code. If the traffic looks like it’s up to no good, the firewall will block it.
10 Use Google Search Console
By monitoring Google Search Console you will receive alerts if Google detects that your website is hacked. This could negatively impact on your search engine visibility (SEO) in a big way. Without this, you may lose rankings and your website will appear in search results with a ‘This site may be hacked’ warning, discouraging users from even clicking through.
Any website holds some value to a hacker, even if your site is not managing thousands of user’s credit card details. They may want to add your site to their botnet, hold your site ransom, use your good reputation to trick your users into giving up personal information or deface your site with vulgar or controversial messages.
Preventing hacker’s bots from exploiting your site is a matter of keeping your site’s software up to date, having a reliable firewall installed and using good usernames and strong passwords. Meeting these requirements will drastically reduce the possibility of your site being hacked.
Here at Friday, we aim to keep our client’s sites safe by providing a highly secure, comprehensive SLA. The SLA is a monthly audit of the site where we perform updates on the core WordPress version and any plugins that have an update available, a review of the site to ensure the site is functioning correctly after the updates have been executed, the installation of Sucuri (a top-notch security system), as well as taking daily backups of the site’s code and database so should any unforeseen failures occur then the site can be rolled back to a working version without any major loss in data.