WordPress is a safe content management system. However, it can be vulnerable to attacks just like any CMS. Therefore, WordPress website security is an incredibly important issue to consider.
As WordPress is the most popular CMS (almost 43% of websites run WordPress), WordPress websites are also a popular target for cyberattacks. In its WordPress security report, the firewall service Wordfence reported that its firewall blocked a massive 18.5 billion password attack requests on WordPress websites.
WordPress is open-source software, meaning that the source code is available for anyone to modify and distribute. Being open-source, WordPress is infinitely customisable and optimisable. There are thousands of themes, plugins, and developers with the skills to modify the backend code themselves. This flexibility is a defining feature of WordPress, and a huge part of what makes it so powerful and widely-used.
The negative to all this flexibility is that an improperly configured or maintained WordPress website is prone to a range of security issues. WordPress offers a lot of power to its web developers and users, and with great power comes great responsibility. Unfortunately, this is a responsibility that many website owners are avoiding. Hackers and the unscrupulous know this and target WordPress websites accordingly.
WordPress Website Security is risk reduction
WordPress security…is risk reduction, not risk elimination. Perfect security simply doesn’t exist, especially online.
What you need to ensure is that you employ all the appropriate controls available to you, within reason. This way you can reduce the odds of making yourself a target and subsequently getting hacked.
You can never guarantee complete immunity to online threats, but you can take steps to make them much less likely to occur. In summary, WordPress is secure, but only if its users take security seriously and follow best WordPress practices.
WordPress Security Issues
Can you choose to do nothing about WordPress website security, and if you do, are there any implications? If you choose to do nothing to secure your WordPress site, there are many implications. The most common types of cyberattacks on WordPress websites are listed below:
Brute-Force Login Attempts
- Brute-force logins are one of the simplest types of attacks.
- A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the right credentials.
- Brute-force guessing can be aimed at any password-protected information, not just logins.
- This is why you should never have a username of “admin” and a password of “password”.
Cross-Site Scripting (XSS)
- XSS occurs when an attacker “injects” malicious code into the pages of the target website, where it runs in visitors’ browsers to extract information and cause havoc with the functionality of the site.
- The malicious code could be introduced in the backend by more complex means, or submitted simply as a response in a user-facing form.
SQL Injection
- This happens when an attacker submits a string of harmful code to a website through some user input, like a contact form.
- The website then stores the code in its database.
- Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
- This type of attack is also known as a SQL injection.
Backdoors
- A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and access your site at any time.
- Attackers tend to place backdoors among other WordPress source files, making them difficult for inexperienced users to find.
- Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
WordPress does restrict what file types users can upload to reduce the chance of backdoors, though it’s a problem to be aware of.
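The XSS and SQL injection items above both come down to the same mistake: form input is trusted on the way into the database and again on the way out to the page. The following added example (written for this article, not code from WordPress or from the author) shows a small guest-book form handler written both ways. The table name `wp_guestbook`, the field names `gb_name`/`gb_message` and the nonce action `gb_submit` are assumptions for the illustration; the WordPress functions (`$wpdb->insert`, `sanitize_text_field`, `wp_verify_nonce`, `esc_html`) are real core APIs.

```php
<?php
/**
 * Added example (not from the article): one guest-book form handler written
 * two ways, to show the SQL injection and stored XSS described above and how
 * WordPress's own APIs close them. Table name 'guestbook' (with the site prefix)
 * and the form field names are assumptions for the illustration.
 */

// --- Vulnerable handler: trusts the form input end to end ---------------------
function guestbook_save_vulnerable() {
    global $wpdb;
    $name    = $_POST['gb_name'];     // raw, unsanitised
    $message = $_POST['gb_message'];  // raw, unsanitised

    // SQL injection: user text is concatenated straight into the statement, so a
    // crafted value changes the query itself instead of being stored as data.
    $wpdb->query(
        "INSERT INTO {$wpdb->prefix}guestbook (name, message) VALUES ('$name', '$message')"
    );
}

function guestbook_render_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT name, message FROM {$wpdb->prefix}guestbook" );
    foreach ( $rows as $row ) {
        // Stored XSS: whatever was saved is echoed unescaped, so any markup or
        // script in the message runs in every visitor's browser.
        echo "<p><b>{$row->name}</b>: {$row->message}</p>";
    }
}

// --- Hardened handler: validate on the way in, escape on the way out ----------
function guestbook_save_hardened() {
    global $wpdb;

    // A nonce ties the submission to a form WordPress rendered (blocks CSRF);
    // 'gb_submit' is an assumed nonce action name.
    if ( ! isset( $_POST['gb_nonce'] ) || ! wp_verify_nonce( $_POST['gb_nonce'], 'gb_submit' ) ) {
        wp_die( 'Invalid form submission.' );
    }

    // Reduce the input to the expected shape before anything else touches it.
    $name    = sanitize_text_field( wp_unslash( $_POST['gb_name'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['gb_message'] ?? '' ) );
    if ( '' === $name || '' === $message ) {
        wp_die( 'Name and message are required.' );
    }

    // $wpdb->insert() builds a parameterised query itself, so the values can
    // never become part of the SQL statement. ($wpdb->prepare() is the
    // equivalent for hand-written queries.)
    $wpdb->insert(
        $wpdb->prefix . 'guestbook',
        array( 'name' => $name, 'message' => $message ),
        array( '%s', '%s' )
    );
}

function guestbook_render_hardened() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT name, message FROM {$wpdb->prefix}guestbook" );
    foreach ( $rows as $row ) {
        // esc_html() turns < > " ' & into entities, so stored markup is shown
        // as text rather than executed by the browser.
        echo '<p><b>' . esc_html( $row->name ) . '</b>: ' . esc_html( $row->message ) . '</p>';
    }
}

// Wire the hardened handler to WordPress's form endpoint: the form POSTs
// action=guestbook_save to admin-post.php, for logged-in and anonymous visitors.
add_action( 'admin_post_nopriv_guestbook_save', 'guestbook_save_hardened' );
add_action( 'admin_post_guestbook_save', 'guestbook_save_hardened' );
```

Two things to take from the hardened version: sanitising input does not make it safe to print (a perfectly valid name can still contain `<`), which is why output is escaped separately with `esc_html()`, and parameterised inserts make the SQL injection impossible rather than merely harder.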
Denial-of-Service (DoS) Attacks
- These attacks prevent authorised users from accessing their own website.
- DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash.
- The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
- These attacks make the headlines when banks or major online retailers are unable to deal with online enquiries.
Phishing
- When an attacker contacts a target posing as a legitimate company or service, this is known as phishing.
- Phishing attempts typically prompt the target to give up personal information, download malware, or visit a dangerous website.
- If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.
Hackers Need Holes
For the above to occur, hackers need to discover holes in a WordPress website’s security. The most common vulnerabilities that hackers are looking for when targeting WordPress websites include:
- Plugins: Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they’re a common channel for hackers to disrupt your site’s functionality.
- For this reason, plugin selection and maintenance is critical.
- Outdated WordPress versions: WordPress sometimes releases new versions of its software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers. For this reason, once we know that a new WordPress version is suitable we apply it to all sites.
- The login page: The backend login page for any WordPress website is by default the site’s main URL with “/wp-admin” or “/wp-login.php” added to the end. Attackers can easily find this page and attempt a brute-force entry.
- Two key elements to consider:
- Username – should always be unique; avoid using “Admin” or “User” as usernames.
- Password – by default WordPress generates a very secure password, including random letters, numbers and symbols, which would be very difficult to crack. It is important that any users, editors or managers do not swap their complex password for a simpler, more crackable password, e.g. a1b2c3d4.
- Themes: WordPress themes can be a weakness and open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Many third-party themes do not follow WordPress’ coding standards, causing compatibility issues and similar vulnerabilities. When designing and building websites we use a theme that meets all WordPress requirements.
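The brute-force section earlier and the login page item above both describe the same exposure: wp-login.php accepts unlimited guesses. The following added example (written for this article, not code from WordPress, from a particular plugin, or from the author) is a small must-use plugin that locks an address out after repeated failures and writes one log line per failure for monitoring. The thresholds, the `lal_` prefix and the transient names are assumptions; `wp_login_failed`, the `authenticate` filter, `wp_login` and the transient functions are real WordPress hooks and APIs.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not code from the article: a must-use plugin (drop it in
 * wp-content/mu-plugins/) that slows brute-force guessing against wp-login.php
 * by locking an address out after repeated failures. Thresholds and the
 * 'lal_' names are assumptions.
 */

const LAL_MAX_FAILURES = 5;        // failures allowed before lockout
const LAL_WINDOW_SECS  = 15 * 60;  // window for counting failures, and lockout length

// Key the counter on the client address. Behind a reverse proxy or CDN you must
// instead take the real address from the header your proxy sets; otherwise every
// visitor shares the proxy's address and one lockout blocks everyone.
function lal_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5( $ip );
}

// Count each failed login; WordPress fires wp_login_failed with the username tried.
function lal_record_failure( $username ) {
    $key   = lal_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAL_WINDOW_SECS );

    // One log line per failure gives server-side monitoring something to alert on.
    error_log( sprintf(
        'wp-login failure #%d for user "%s" from %s',
        $count,
        sanitize_user( $username ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

// Refuse authentication outright once the threshold is reached. Priority 30 runs
// this after WordPress's own username/password check (priority 20), which would
// otherwise replace an early WP_Error with a valid WP_User on a correct guess.
function lal_block_when_locked( $user, $username, $password ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_block_when_locked', 30, 3 );

// A successful login clears the counter for that address.
function lal_clear_on_success( $user_login, $user ) {
    delete_transient( lal_client_key() );
}
add_action( 'wp_login', 'lal_clear_on_success', 10, 2 );
```

Because a blocked attempt still triggers `wp_login_failed`, each further guess during the lockout renews the window, so an attacker who keeps going stays locked out; a legitimate user simply waits fifteen minutes. This limits guessing from one address only, so it complements rather than replaces the unique username and strong password advice above.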
WordPress Website Maintenance
To minimise the risks to your website, it should be regularly maintained. Regular monthly maintenance to update the plugins and themes cannot be confined to a single day, as updates are released continuously throughout the month. By regularly monitoring the websites you can ensure that they stay as up to date and secure as possible at all times. For instance, Yoast SEO was updated three times last month. Maintenance is not only to do with updating plugins; it should encompass additional items. The following are some typical issues found during monthly maintenance.
- Are all external resources working correctly?
- Are forms displaying correctly, with all placeholders showing?
- Are there any plugins classed as abandoned that haven’t been updated for a long time? These can lead to security issues if they are not maintained and may also not function correctly with the latest versions of WordPress. Ideally these should be replaced with an alternative.
- Are plugins up to date? Sometimes plugins like Yoast SEO are updated multiple times in a month.
- Are PHP versions up to date or outdated?
- Old themes should be removed – ideally there should be a maximum of two parent themes and, if used, a child theme. So if your website still has the themes 2015, 2016, 2017, 2018, 2019 and 2020 installed, then be aware.
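The plugin, theme, PHP and WordPress version checks in the list above can be run rather than eyeballed. The following added example (written for this article, not code from WordPress, WP-CLI or the author) is a script to run inside a site with `wp eval-file wp-audit.php`; it prints one line per finding. The minimum PHP version, the one-year “abandoned” threshold and the two-parent-theme limit are assumptions chosen to match the article’s advice; `get_plugins()`, `plugins_api()`, `wp_get_themes()` and the `update_*` site transients are real WordPress APIs. The abandoned-plugin check asks wordpress.org for each plugin’s last release date, so it needs network access and only answers for plugins hosted in the directory.

```php
<?php
/**
 * Added example (not from the article): a monthly maintenance audit covering
 * the plugin, theme and PHP checks listed above. Run inside WordPress with
 * WP-CLI:  wp eval-file wp-audit.php
 * The thresholds below are assumptions, not WordPress or article values.
 */

const AUDIT_MIN_PHP        = '7.4';  // assumed minimum acceptable PHP version
const AUDIT_ABANDONED_DAYS = 365;    // assumed: no release in a year = abandoned
const AUDIT_MAX_PARENTS    = 2;      // article's guideline: at most two parent themes

require_once ABSPATH . 'wp-admin/includes/plugin.php';          // get_plugins()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php';  // plugins_api()

// Refresh the update caches so the transients reflect today's state.
wp_version_check();
wp_update_plugins();
wp_update_themes();

function audit_plugins() {
    $findings = array();
    $updates  = get_site_transient( 'update_plugins' );
    foreach ( get_plugins() as $file => $data ) {
        $name = $data['Name'];
        if ( ! empty( $updates->response[ $file ] ) ) {
            $findings[] = "UPDATE  $name: {$data['Version']} -> {$updates->response[ $file ]->new_version}";
        }
        // Ask wordpress.org when the plugin was last released. Only directory-hosted
        // plugins answer; others return WP_Error and are reported as unknown.
        $slug = ( '.' === dirname( $file ) ) ? basename( $file, '.php' ) : dirname( $file );
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true ),
        ) );
        $ts = ( is_wp_error( $info ) || empty( $info->last_updated ) ) ? false : strtotime( $info->last_updated );
        if ( false === $ts ) {
            $findings[] = "UNKNOWN $name: release date not available from wordpress.org, check the vendor";
            continue;
        }
        $age_days = ( time() - $ts ) / DAY_IN_SECONDS;
        if ( $age_days > AUDIT_ABANDONED_DAYS ) {
            $findings[] = sprintf( 'ABANDON %s: last release %d days ago', $name, $age_days );
        }
    }
    return $findings;
}

function audit_themes() {
    $findings = array();
    $updates  = get_site_transient( 'update_themes' );
    $parents  = 0;
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! empty( $updates->response[ $slug ] ) ) {
            $findings[] = "UPDATE  theme {$theme->get( 'Name' )}: -> {$updates->response[ $slug ]['new_version']}";
        }
        if ( false === $theme->parent() ) {  // no parent => this is a parent theme
            $parents++;
        }
    }
    if ( $parents > AUDIT_MAX_PARENTS ) {
        $findings[] = "CLEANUP $parents parent themes installed; remove the unused ones";
    }
    return $findings;
}

function audit_platform() {
    $findings = array();
    if ( version_compare( PHP_VERSION, AUDIT_MIN_PHP, '<' ) ) {
        $findings[] = 'PHP     ' . PHP_VERSION . ' is below the assumed minimum ' . AUDIT_MIN_PHP;
    }
    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates[0] ) && 'upgrade' === $core->updates[0]->response ) {
        $findings[] = 'CORE    WordPress ' . $core->updates[0]->current . ' is available';
    }
    return $findings;
}

$all = array_merge( audit_platform(), audit_plugins(), audit_themes() );
echo $all ? implode( "\n", $all ) . "\n" : "No findings.\n";
```

Scheduling this from cron and mailing the output gives the continuous monitoring the section describes: a plugin that releases three times in a month shows up three times, and an abandoned one keeps appearing until it is replaced. The form and external-resource checks in the list still need a human looking at the pages.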
The Benefit of WordPress Website Security
WordPress is a great platform, but if you want to keep the hackers at bay then you need to make sure that your theme, plugins and PHP are kept updated. The complexities and intricacies of the plugins mean that they need to be updated professionally.
If you would like to know more about WordPress website security, contact Andrew Goode MBA, MSc, FCIM to arrange a call.