WordPress is probably the best thing that ever happened to many of us who are using it.
For those who don’t know what WordPress is – it is an open-source (free to use & modify) website building & content management tool – developed & managed by some of the most dedicated folks in the World.
But despite being such a powerful & popular CMS tool, it is also the most hacked.
According to statistics from 40,000+ popular WordPress websites, more than 70% of WordPress installations are vulnerable to hacking attacks.
WordFence, a popular WordPress security plugin once reported that there are over 90,000 attacks per minute on WordPress.
These stats are extreme & clearly indicates the importance minimizing your risks of getting attacked or -hacked!
If you’re serious about your WordPress website, stick to this article to understand some common WordPress security vulnerabilities & how to prevent attackers from targeting your website:
Common WordPress Websites Security Issues/Vulnerabilities
While WordPress is very secure & is audited regularly by top developers, hackers can still find a way to exploit weak security points.
Below are some commonly-used security exploitation attempts by hackers on WordPress websites:
SQL Code Injection Attacks
Every website has some open paths that hackers can exploit & use to inject malicious scripts to your database or core website files. Any WordPress website that fails to filter user-submitted data before processing & saving it into the database, is vulnerable.
Since WordPress uses MySQL language for database, SQL code injection attacks are the most common attacks on WordPress websites.
Such malicious scripts can be injected to your website through some common user-submission forms like:
- Contact Form
- Website Search Bar
- Comments Section
- Upload Documents
- User Registration
To avoid any kinds of script injections from these open paths, you would need to apply data filtration/validation on such forms.
Take this screenshot below for example, it rejects any other data than email:
This is how a data validation must be in place & working if you use any form or feature that allows users to submit information from the frontend.
If hackers found a way to inject any malicious data, then possibly they will further find a way to execute these scripts inside of your database & execute certain functions – eventually, you will be locked out of your WordPress website.
Brute Force Attacks
In general, a brute force attack means trying multiple & random usernames + password combinations until a successful combination is found.
Hackers create a database of some commonly used passwords & program automated scripts to attempt different combinations.
Did you know that “Brute Force” attacks have success rate of 10%.
If your WordPress login credentials are weak, there are high chances that these automated bots will finally crack a combination that works & breaks into your website.
File Inclusion Exploits
A file inclusion vulnerability allows attackers to include files on a web server through a browser. This exploit can occur when your website allows users to submit inputs into files (in file format) or upload files to the server but fails to sanitize the file before accepting.
There are two types of file inclusion vulnerabilites in WordPress:
- Local File Inclusion – When attackers find a way to read and sometimes execute files on a website’s server.
- Remote File Inclusion – When attackers find a way to submit a remote file in your web server
If you’re curious to know more, here is a detailed guide on WordPress file inclusion vulnerabilities.
Cross Site Scripting (XSS) Vulnerabilities
Cross-site scripting attacks are one of the most popular attack types on websites worldwide & pose major risks to both your business & its visitors/users.
Remember that these attacks do not take over your website, instead, a malicious piece of code is inserted as an additional element with your website into the browser – which is then executed & displayed to the user.
XSS attacks can harm your website visitors by showing them a link to malicious websites or misleading them with a contact form to steal their information.
XSS attacks are & most commonly used to:
- Take over user accounts
- Trick your website visitors into giving out personal data by showing them a misleading form
- Capturing login credentials
- Stealing session cookies
- Defacing websites
- Injecting trojans
- Showing disguised links to malicious websites
In WordPress, cross-site scripting (XSS) vulnerabilities occur mainly because of plugins & themes – so it is important to choose plugins & themes wisely & keep them updated.
Secure Your WordPress Website From Getting Hacked
While no technology is 100% secure & WordPress security team also works on improvising the security, as a website owner, you are also responsible to keep your website safe by following security best practices.
Below are some informative & actionable steps to prevent common security exploitations & attacks on your WordPress website:
Outdated Technology Puts You In Danger
Whenever any plugin, theme, or WordPress core update is released, it often comes with increased security by eliminating vulnerabilities & strengthening the code against malicious attacks.
Release notes are also pushed with the updates for users to read the information on what comes with the update, like feature enhancements, UX improvements, security & bug improvements.
Because attackers also keep an eye on these release notes – it could be sometimes useful for them to learn & exploit vulnerabilities that are available in the older versions (of plugins, themes, or core-updates)
Now you might have understood why it is important to keep the plugins, themes & core WordPress updated as soon as the updates are released – it reduces the risk of your website being attacked or compromised in some other way!
Plugins Can Become The Biggest Culprits: Use Them Wisely
Since plugins are a piece of code that adds functionalities to your website, some plugins have deep access to your website, so it’s vital to be careful with these culprits that may invite hackers.
Below are some security measures to keep in mind before you choose & use plugins:
Install Plugins Only When Required
Not all features that you think good are actually good, or required!
What happens with most WordPress beginners is that they try to integrate more & more features into their website – using plugins.
However, you are liking those features because you are new to WordPress & website building. Over time, you will realize that it is best to stick with minimal & simple features.
On the top of that, there are many cons to using unnecessary plugins.
Sometimes we end up installing plugins that are not frequently updated & maintained by developers. As we have already above in this article, plugins can cause many security vulnerabilities to your website.
Not to mention, the more plugins you use, the heavy your website will be – high loading time – negative effects on SEO.
Remove Inactive Plugins
WordPress websites with more inactive plugins are tempting target for hackers.
It is recommended to remove all inactive plugins as soon as you don’t need them anymore. This is because any of these unnoticed plugins can cause security exploitations – prevention is better than cure.
Don’t worry, you can reinstall it anytime you want in a fraction of minutes, but website security should be the utmost priority.
Verify Plugins Before Installing
Just because plugins are freebies does not mean they are worth using. It is very important to know your plugin before you install it on your website.
As we already discussed above, plugins have deep access to your WordPress website – and so is the importance of choosing plugins only from trusted developers & businesses.
Keep Plugins Up To Date: Enable Auto Updates
Outdated plugins are dangerous as the older versions might contain security flaws. It is important to keep your plugins up to date as soon as the latest version is released.
The best practice is to enable auto-updates for Plugins directly from plugins section in WordPress admin
Strict “NO” to Nulled or Torrent Themes & Plugins
What could be more foolish than using untrusted, nulled & torrented versions of plugins or themes on your website, just because you get premium benefits at no cost?
Such pirated products are primarily used to distribute malwares & contain malicious scripts.
Since plugins & themes have deep access to your WordPress core directory & database, installing their torrent versions means nothing useful but inviting hackers by yourself to gain access to your website.
These pirated plugins/themes can also contain scripts to steal information from your website – which then could be circulated on the dark web.
Securing a website isn’t a joke. Your website is like a folder available on the internet that you need to protect from unwanted/unauthorized access that can get deep into this folder, i.e into root files.
Use strong & unique passwords at vulnerable areas
Using weak passwords make your website prone to brute force attacks, so it is important to create strong and unique passwords that minimize this risk.
A strong password consist of:
- At least 10 characters
- Uppercase & lowercase numbers
Using a complex combination of different characters create a strong password.
WordPress also has a strong password generator – go to profile section in users from the left navigation & click on “create new password”
You will also find a password strength indicator there.
It would be a good practice to use such strong passwords at every step & potential areas that connects with your like:
- WordPress user account
- FTP accounts
- WordPress database password
- Your hosting account
- Primary / Secondary Email addresses
Avoid Commonly Used Demo Usernames
Hackers create automated bots/scripts to commit scans on the internet & attempt brute-forcing. When these bots find a WordPress admin login page, they start guessing numerous usernames & passwords combination until they guess the best.
Using commonly used usernames (as well as passwords) makes your WordPress website one step closer to a successful brute force attack.
Keep usernames that are hard to guess & avoid using commonly used ones like:
Use security bridges (Firewall) to protect the WordPress admin area
To keep attackers away from brute-forcing or compromising your website security in other ways, it is recommended to create a strong firewall that prevents access of unauthorized traffic to your WordPress login panel, below are some ways to do it:
Change Default WordPress Access URL
By default, WordPress websites use the URL string: www.yourwebsite.com/wp-admin to log in inside the WordPress admin area.
But using this default URL to access the admin area makes your website one step closer to getting attacked.
C’mon, they are hackers! This is the basic thing we need to protect from them because they are well aware of this.
One quick way to secure this stage of your WordPress website is by using WordPress security plugins.
Almost every WordPress security plugin has this feature to change custom login slug
Be Cautious: It’s common to get locked out of your website if you try changing the login page slug. I would recommend you shoot an email to your hosting provider first & let them know what you are about to do.
Password Protect Admin Directory
If you don’t want to change the default WordPress access URL “wp-admin”, then you should password protect this directory from your hosting cPanel.
Just login to your cPanel account & locate the Directory Privacy icon. From here, the password protects the directory “wp-admin” & saves changes.
Password protecting this directory adds one more layer of authentication before logging in to your WordPress panel.
Enable Two Factor Authentication
Two Factor authentication is an ultimate firewall every WordPress should use.
Many times, hackers manage to steal your exact login credentials. In such a case, using a two-factor authentication help you minimize the security risks.
Even if someone has the right credentials, they can’t log in to the admin area until a second code is provided to successfully log in.
You can enable two factor authentication based on many factors, some most common approaches are:
- OTP via Email or SMS
- Security Questions
- QR Code Authentication
- Push Notification on Other Devices
Two popular plugins for two-factor authentication are Google Authenticator & miniOrange 2 Factor Authentication to secure this vulnerability.
Limit Login Attempts
You can use a plugin to limit the number of wrong password attempts to secure yourself from brute forcing.
It’s not just WordPress, but any other open source resources are vulnerable to all sorts of attacks.
As a WordPress website owner, you should know that in addition to WordPress’s own core security, you have to take some security measures to keep hackers & malicious scripts/bots away from your website.
I would also recommend you read this article – Try Hacking Your WordPress Website Before Hackers Do! – to dive deeper into WordPress security best practices by implementing some advanced security tactics on both WordPress core as well as server files.
I hope the article helped you understand some of the WordPress website security exploitations & how you can prevent them.
Did I miss something to add? What do you think is the most effective way to secure your WordPress website & keep hackers away?