You’ve seen news of WordPress data breaches or hacked websites hosted on WordPress emerge as regularly as clockwork. A quick check of the CVE Details database can reveal plenty of WordPress vulnerabilities yet unsolved or partially solved. But, as a layman (as in, not a security researcher yourself), it’s hard to understand how serious each is or isn’t.
Then there is the news of big breaches. Valuable data is obtained by hackers by attacking websites through these exploitable vulnerabilities. Huge names regularly make the headlines when their WordPress-based website gets breached.
Within this landscape, what can you do? Start from designing more security, of course. But furthermore, always stay informed about the main cybersecurity dangers of WordPress websites and how to avoid them. Here is a brief guide on what you need to be aware of.
The Top 7 Cybersecurity Dangers for WordPress Websites to Be Aware of
According to WP White Security, if we take a look at the top 1 million websites as ranked by Alexa, over 70% of them have vulnerable WordPress installations. They either have not updated their WordPress version to a newer one or have faulty (or even malicious) plugins installed.
This is sadly a reality in spite of the fact that most of these websites also have WordPress security plugins installed. Having one of these maybe not just ineffectual, but might even make things worse, as they lull users into a false sense of security. With these kinds of numbers, it’s no wonder that WordPress is a hacker’s paradise.
Here are just a few WordPress vulnerabilities that have been exploited and will be again, in all likelihood.
#1. Vulnerable Plugins and Themes
According to the WP Scan org., vulnerable themes account for 11% of all WordPress vulnerabilities, while faulty plugins make up for another whopping 52%. Since WordPress is such a popular platform, countless plugins and themes are created and released for it every week.
It’s nice to have so many to choose from, as a WordPress user, but many such add-ons are just more opportunities for hackers to find a vulnerability. As soon as they find something they can exploit in a plugin or a theme, they can use it to gain access to the rest of the website as well.
#2. Authenticated File Delete
This is a more recently reported vulnerability, not yet resolved. According to WordPress, [the researcher] “Karim El Ouerghemmi discovered that authors could alter metadata to delete files that they weren’t authorized to.”
Needless to say, this can wreak havoc inside an organization, by directly damaging its precious data, brand, and assets.
#3. User Activation Screen Search Engine Indexing
This vulnerability is capable of exposing emails and default generated passwords to search engines. If a hacker knows where to look, they can uncover highly sensitive info from this in no time.
#4. Brute Force Attacks
WordPress websites are still seen by attackers as a relatively easy target, and the rewards include not just personal data of users and other assets, but also the transformation of the websites into a portent for spreading the malicious message further. Therefore, brute force attacks still happen regularly towards WordPress websites, and they work.
If a malicious bot tries out enough password combos, at some point they will hit the jackpot. Considering that stolen credentials are also for sale on the dark web and that people tend to reuse their passwords with minor variations, it’s no wonder that brute force attacks still work.
#5. SQL Injections
SQL injections are also one of the most common cybersecurity vulnerabilities of WordPress websites, unfortunately. There are still many ways for attackers to exploit WordPress websites through SQL injections, mainly through the numerous 3rd party apps and plugins which come with their own vulnerabilities.
#6. Cross-site scripting
Cross-site scripting attacks are a type of injection that can turn a benign website into a malware-distributing machine. Alternatively, a cross-site scripting attack can hijack the message and purpose of that website completely. Unfortunately, WordPress websites are particularly vulnerable to cross-site scripting (XSS) attacks.
#7. The malware injected into files
Files uploaded to WordPress websites are easily accessible, and it is also easy for attackers to load their own files to a WordPress platform. This allows quite an important gateway into your website’s systems, by injecting the files with malware which can then spread.
How to Protect Your WordPress Website Security: Cover These Basics
A breach in your WordPress security might not be a matter of if, but when.
Sadly, no one is entirely immune to cybersecurity breaches, but we can all make is so difficult and expensive for would-be hackers to do it that they just give up.
That is the guiding principle of all cyber-defenses: while there’s no such thing as an unbreakable barrier, you can work to make the costs outweigh the incentives (for would-be breachers).
Here is how you can start building this strong wall of security for WordPress.
A. Cybersecurity Advice for Consumers with a WordPress Site
If you have a WordPress website, don’t worry, there are still ways you can secure your operations on it. Here is what you need to do or pay attention to.
#1. Don’t rely on WordPress security plugins
There are several WordPress security plugins that you can buy and install separately in order to boost your website’s defenses. While I don’t want to dismiss the entire category of them, I would strongly encourage you not to rely on those alone.
It’s a much better idea to have specialized security software in place (more about this below).
#2. Set strong passwords and change them every now and then
Avoid brute-force attacks by setting strong passwords and by limiting the maximum number of login attempts. Change passwords regularly, but not in a predictable way (as in, for example, every 3 months like clockwork).
#3. Keep an organized record of other users
Make sure you don’t lose sight of what other users have access to your website. Avoid sharing user accounts and instead create separate user profiles. Enforce the same principles of prevention with the rest of the people you collaborate with (changing passwords, etc.).
#4. Don’t install plugins on your WordPress website, unless absolutely necessary
Be circumspect about new WordPress plugins. They are very often the entry point for malware and breaches. Make sure you only trust plugins which have been thoroughly checked by experts, which receive frequent updates and which are absolutely needed for your work.
#5. Have a strong cybersecurity solution on your device
You need a good Antivirus and a DNS filtering tool in place. Beyond this, make sure you keep up to date with how the latest attacks work so you know how to avoid them. Education is the best prevention.
Try to limit work on your website to the protected device(s) only.
B. Cybersecurity Advice for Small Businesses with a WordPress Site
If the WordPress website you aim to protect is part of your business, then you need to take even better care of your cybersecurity defenses.
#1. Configure strong password policies for your WordPress website
It’s not enough to simply tell people on your team to set strong passwords and remember to change them every now and then. You should push this as a mandatory/automatic request via group policy configurations.
#2. Never install WordPress plugins that are not vetted by trusted security experts
Since you’re an organization and not an individual blogger, your website is an even juicier target for hackers. You have more to lose by leaving your systems unsecured, so don’t take any decision to install 3rd party WordPress plugins lightly.
#3. Manage privileged access right for all employees
Follow the principle of least privilege and only give people the access they need do to their work. Elevate users to admin rights only temporarily, when needed for a software install and so on. If your organization has more than 2-3 users, consider investing in a reliable privileged access management (PAM) software to make the life of your sys-admins easier.
#4. Whitelist a small number of applications and make all others pending approval
Don’t allow your network users to install whatever they like on their workstations. Some apps can help attackers gain a foothold into your system, in order to infect your WordPress website as well afterward. Make only a small handful of absolutely necessary software and apps whitelisted. In order to install others, users (with limited privileges, of course) need to gain approval from an admin. The PAM software mentioned above can help with that, too.
#5. Have a multi-layered cybersecurity approach in place
With countless WordPress breaches making the headlines regularly, it’s pretty clear that you need some stronger defenses. Invest in a multi-approach cybersecurity suite for your business (a strong AV, a DNS filter and so on), and your assets (website-bound and beyond) will be better protected.
Final thoughts
WordPress security is a bit of a paradox, all in all. The team at WordPress is working relentlessly to secure the platform and taking all steps within its power to make the hosted websites be safer. Security updates and tweaks within the platform itself have pushed automatically, for example (as mentioned above).
But at the same time, the WordPress platform also seems to be especially vulnerable to grand breaches. It’s super-secure in the little things, but when things crash and burn, they crash and burn. You shouldn’t leave your WordPress website security solely in the hands of the platform’s updates.
About the author: Miriam Cihodariu is an anthropologist turned marketing professional, an avid reader of fiction and an enthusiast of world cuisines. She currently serves as Communications and PR Officer for Heimdal Security, a fast-growing cybersecurity brand with a wide range of next-gen cybersecurity tools for consumers, small businesses and enterprises.
With Crowdfire, you can find curated content, schedule your posts, engage with your audience, deep-dive into analytics and create custom reports. Try it for free.