WordPress Security Vulnerabilities
There are over 1.5 billion websites on the internet today and 30% of them are powered by WordPress. That’s over 450,000,000 WordPress websites and counting. You may be asking yourself, “How fast is the WordPress market share increasing?”. A whopping 50,000 new WordPress websites are launching each day and over 22 billion pageviews a month are served by WordPress sites.
WordPress is by far the most popular content management system (CMS) in use today. When only looking at websites that are powered by a CMS platform, WordPress holds 60% of the market. Joomla is the second most used CMS with a meager 6.3%, followed by Drupal with 4.8%, Magento with 2.7%, and Blogger with 2.5%. It’s safe to say that WordPress is dominating the CMS market and is forecasted to remain the reigning champion.
What does this all mean?
With WordPress’s massive numbers, it’s a HUGE target for hackers. WordPress, just like any other software, needs to be updated. The number one thing anyone can do to safeguard their website is to keep the WordPress platform and plugins up to date. Sounds simple right? It is, but many people often neglect this process for one reason or another. An outdated WordPress site is extremely vulnerable.
Why would anyone hack me?
Often, people have the mindset of “I don’t need to worry about hackers because I have a tiny website, so why would anyone want to harm me?”. Most hackers are not singling out one specific website to compromise. They are casting a wide net and taking down as many websites as they can in one fell swoop. Hackers don’t care how small a website is or how much traffic it receives; they go after the largest target and focus their time and energy on the biggest payout. Once a vulnerability is discovered, the hackers go to work compromising, defacing, or completely deleting websites. If your WordPress site is out of date, then you need to take action to ensure your website is updated and secure.
Case in point
In February of this year, hackers found a content-injection vulnerability within the WordPress core files, and thousands of websites were hacked before anyone knew there was a problem. WordPress quickly patched the vulnerability with version 4.7.2. Since updating the WordPress core files is often neglected, many websites were left out of date. Hackers rushed to compromise the remaining websites that were without the security patch. Many outdated websites have been repeatedly hacked and defaced by multiple hackers. These websites will continue to be hacked over and over again until the sites are updated. To date, over 1.5 million websites have been hacked due to this single content-injection vulnerability.
What can you do?
Only around 40% of WordPress sites are up to date, which means 60% of WordPress installations are vulnerable to hacker attacks. If you have a WordPress website, it is very likely that it’s out of date and at risk. You have two options to keep your site safe and uncompromised. The first option is to log into your WordPress website and apply the updates yourself (and do it often). The second option is to hire a reputable company that will provide this service. For under $20 a month, you can find a company who will keep your website updated and protected and send you monthly reports on the work completed.
In addition to keeping your WordPress platform and plugins up to date, here are four additional steps you can take to further secure your website:
1. Back up. Back up your WordPress site and database often by downloading the backup files and storing them offsite. A backup on your server is useless if a hacker wipes out the entire server space.
Pro tip: Install the WordPress plugin Duplicator. It’s a great free tool for backing up your website files and MySQL database. Use Dropbox to store all of your backup files. Your backups will be safe and secure on their cloud servers. Also, your hard drive will thank you.
2. Monitor your files: When a WordPress core file changes unexpectedly, you need to take action. This is a tell-tale sign that your site was compromised. Keeping track of when a file change happened is very hard to do manually.
Pro tip: Wordfence is a great free plugin that will scan and alert you when a change happens. Many issues can be fixed within the plugin with a few clicks of your mouse.
3. Implement a lockdown feature: Brute force attacks are a huge WordPress security vulnerability. With lockdown enabled, you will be notified whenever there is a brute force hacking attempt. The site will lock down and the hacker’s attempt will be terminated.
Pro tip: Use iThemes Security for brute force/lockdown to ban an attacker’s IP address after a certain number of failed login attempts. iThemes Security is also packed with many great features that will keep your website secure.
4. Change your login/password. Avoid using the default WordPress login “admin”; hackers know this and use it to their advantage. Using an email address as the username is a superior option. When creating a password, you obviously don’t want to make it “password.” A strong password should contain 12 to 14 characters, including lowercase and uppercase alphabetic characters, numbers, and symbols. For example: “oi2#($.1-Dvmfk” is a very strong password. It would take an extremely long time for a hacker to crack that password using brute force methods.
Pro tip: Use a third party password manager like LastPass to securely store and use your complex passwords. Never write down your password.
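The file monitoring in step 2 boils down to comparing a baseline of file hashes taken after a clean install or update against the current state of the site. The following Python script is an added example, not code from this post or from the Wordfence plugin; it hashes every file under a directory, then reports what was modified, added, or removed, using a constructed three-file stand-in for a WordPress tree.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: a three-file stand-in for a WordPress tree, then changes."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "wp-includes"))
        originals = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-includes/functions.php": "<?php // core helper functions\n",
            "wp-config.php": "<?php define('DB_NAME', 'example');\n",
        }
        for rel, body in originals.items():
            with open(os.path.join(site, rel), "w") as fh:
                fh.write(body)
        baseline = build_manifest(site)  # taken right after a clean install or update
        # Simulated unexpected activity: one core file edited, one file added, one removed
        with open(os.path.join(site, "index.php"), "a") as fh:
            fh.write("// unexpected edit\n")
        with open(os.path.join(site, "wp-includes/extra.php"), "w") as fh:
            fh.write("<?php // file that was never part of the install\n")
        os.remove(os.path.join(site, "wp-config.php"))
        return diff_manifests(baseline, build_manifest(site))
```

On a real site you would store the baseline manifest offsite with the backups and re-run the comparison on a schedule, alerting on any non-empty result that does not coincide with an update you performed.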
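Step 3's lockdown feature is, at its core, a counter of failed logins per source address inside a time window. The following Python sketch is an added example of that logic, not code from this post or from iThemes Security; the log format (`epoch ip RESULT username`), the thresholds, and the addresses (RFC 5737 documentation ranges) are all constructed for the illustration. It shows why the window matters: a fast guesser gets locked out on the fifth failure, while a slow guesser spacing attempts 100 seconds apart stays under the threshold and would need a longer window to catch.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an IP for `lockout` seconds after `max_failures` failures within `window` seconds."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> epoch second the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Count a failed login; return True only when this one triggers a lockout."""
        if self.is_locked(ip, now):
            return False  # already locked; the attempt should have been refused outright
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)  # a real login clears the running count


def process_log(lines, policy):
    """Replay constructed 'epoch ip RESULT username' lines; return lockout events."""
    events = []
    for line in lines:
        ts, ip, result, user = line.split()
        if result == "FAIL" and policy.record_failure(ip, int(ts)):
            events.append((ip, int(ts), user))
        elif result == "OK":
            policy.record_success(ip)
    return events


# Constructed sample: a fast guesser, a slow guesser, and a user who mistyped twice
SAMPLE_LOG = [
    "1000 203.0.113.5 FAIL admin", "1001 203.0.113.5 FAIL admin", "1002 203.0.113.5 FAIL admin",
    "1003 203.0.113.5 FAIL admin", "1004 203.0.113.5 FAIL admin", "1005 203.0.113.5 FAIL admin",
    "1000 198.51.100.7 FAIL editor", "1100 198.51.100.7 FAIL editor", "1200 198.51.100.7 FAIL editor",
    "1300 198.51.100.7 FAIL editor", "1400 198.51.100.7 FAIL editor",
    "1010 192.0.2.9 FAIL alice", "1011 192.0.2.9 FAIL alice", "1012 192.0.2.9 OK alice",
]
```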