WordPress Common Security Vulnerabilities
What happens if you ignore all the stats and do nothing to secure WordPress? It turns out that a lot of things can go wrong very quickly, so here are the most common ways that hackers will use to gain access to or crash your WordPress site that you should deal with now rather than later.
Brute Force Login Attempts
One of the most basic forms of attack is brute-force login attempts. This is when hackers use automation to quickly enter multiple username-password combinations and eventually guess the correct credentials. Brute-force hacking is able to access password-protected information in any form, not just logins.
Cross-Site Scripting (“XSS”)
The XSS attack is next. This attack is when an attacker injects malicious code into the target website’s backend to extract data and cause havoc. You can either insert the code in the backend using more sophisticated methods or simply submit a response to a user-facing page.
Database Injections
This attack is also known as SQL injection. An attacker submits harmful code to a website via user input, such as a contact form. The code is then stored in the website’s database. The website then stores the code in its database, just like an XSS attack.
Backdoors
A backdoor is another common attack. Backdoors are files that contain code which allow an attacker to bypass WordPress’ standard login and gain access to your site at any moment. Backdoors are often hidden among other WordPress source files making it difficult for inexperienced users to locate them. Even after the backdoor is removed, attackers may create variants and continue to use them to bypass your login.
WordPress limits the file types that users can upload in order to minimize the risk of backdoors. However, it is important to protect your website from such attacks.
Attacks on Denial-of Service (DoS).
Next comes a more common attack: the Denial-of Service attack. These attacks block authorized users from accessing their websites. DoS attacks involve overloading servers with traffic and causing crashes. Distributed denial-of service attack (DDoS) is a DoS attack that involves multiple machines attacking a single server.
Phishing
Phishing is something you might be familiar with. Phishing is when an attacker pretends to be a legitimate company or service to contact a target. Phishing attempts often prompt targets to provide personal information, download malware, or visit dangerous websites that could cause harm to their computers. An attacker could access your WordPress account and coordinate phishing attacks against your customers, posing as yourself. It’s not good for your business reputation, as you can see.
Hotlinking
Hotlinking is when another website owner links to an image hosted on another site instead of uploading it to their server, makes the content appear like it’s theirs. This can result in bandwidth theft, decreased page load times, and could have a negative impact on your SEO. There are security plugins available that can detect and prevent hotlinking, or inline linking, from happening. As always make sure you do your research before you just start installing new plugins, there are potential performance implications there as well. It is additional code after all, and if not coded correctly or extra steps taken to ensure they only load when they are needed, extra code execution when not necessary can be very costly to page load times. As if the hotlinking was not bad enough right?
Plugins: The majority of WordPress security vulnerabilities are caused by third-party plugins. Some plugins can be great add-ons to your site, but they are not essential. Be aware of their potential dangers. Hackers can easily access plugins because they are created by third-parties and have access to the backend of your website.
Again, for the most part, it isn’t you, your business, or your site specifically that the hackers care about. Hackers are typically targeting the software or plugins that are used on your website.
Old WordPress versions: WordPress releases updated versions occasionally to fix security flaws. Hackers often target vulnerabilities in older versions of WordPress when they are fixed. This issue can be avoided by updating your website regularly.
The login page: By default, the backend login page of any WordPress website is the main URL. Add “/wp_admin.php” or “/wp_login.php” to the end. An attacker can find this page easily and attempt to enter brute force. You can reduce the chances that hackers will correctly guess your passwords by making them varied and complex.
Themes: Your WordPress theme can make your site vulnerable to cyberattacks. Old themes can be incompatible with the latest version of WordPress. This allows easy access to your source code files. Many third-party themes don’t follow WordPress’ code standards, which can cause compatibility issues and other vulnerabilities. Do your research before adding a theme or plugin to your website.
Now that we’re done with that, let’s talk about how you can minimize the risk of a cyberattack against your WordPress site.
How to Secure Your WordPress Website
While there is no guarantee that you won’t experience an issue, the chances of you having one are much lower if you follow these best practices. These best practices can be applied to all websites (e.g. strong passwords, two-factor authentication and SSL), but others are specific to WordPress websites (e.g. using secure themes and plugins).
It is essential that you follow the best practices to ensure safety on your site. Let’s start with the basics. We’ll then share additional steps that you can take to ensure your site’s safety if your site is at particular risk.
- Secure your login procedures.
This is the first step to ensure your website is secure. Protecting your accounts from malicious login attempts is the most important step in protecting your website. This is how you do it:
Use strong passwords. Strong passwords are essential for all users who have access to your WordPress website’s backend. Any one user could be in trouble if they use a weak password. One of our suggested password managers might be a good choice to help you generate strong passwords and keep track.
Enable two factor authentication This is one of most efficient and simple ways to protect your login. This is how you add two-factor authentication to WordPress.
Avoid giving any account the username “admin”. This is because it is most likely that attackers will use Admin to log in during brute force login attempts. You can create a new administrator account using a different username if you have already created this user. We also recommend automatically blocking any IP address that attempts to login with the admin username.
Limit login attempts: You can protect your site by limiting the number of times that a user can use the wrong credentials. The CMS will block people from logging in more than once, which prevents brute-force logins. You might be able to have this done by firewalls or hosting services, but you could also use a plugin such as Wordfence or iThemes.
Add a Captcha: This security feature is common on other websites. These captchas add security to your login by verifying you are a real person. You can add a captcha plugin to your website.
Enable auto logout: Last but not least, be vigilant about log out, especially if your computer is public. If you forget to log out, auto-logout will prevent strangers from accessing your account. The Inactive Logout plugin can be used to enable auto-logout in WordPress.
- Secure WordPress Hosting
Let’s now discuss the role of your hosting provider in WordPress security. There are many things to consider when choosing a hosting provider for your website. But security should always be the first priority. To find out more about the company’s security measures and how they recover from an attack, do your research. We would recommend checking out Kinsta and WP-Engine, we’ve had great experiences with both providers.
- Upgrade your WordPress version
Older versions of WordPress software are a big threat. This issue can be avoided by regularly checking for updates and installing them as quickly as possible.
First, make sure that you take a backup of your website and verify that your current plugins have been tested against the latest version of WordPress.
- Upgrade to the most recent version of PHP.
For WordPress security, upgrading to the latest PHP version is a must. WordPress will notify you via your dashboard when an upgrade is available. Some hosting providers will let you test PHP version upgrades before making the update to your live site. We highly suggest you verify the new PHP version doesn’t cause any conflicts or impact user experience. If you do not have access to your hosting account, contact your web developer to ensure all updates and maintenance are taken care of. If you do not have a developer and are not sure how to perform the upgrade, just reach out and we will be more than happy to get the required updates and testing taken care of for you.
- Install one or more security plug-ins
WordPress website security is something you can do on your own, but you don’t need to. You can use a security plugin, we recommend doing your research before you install any plugin. We would recommend that you install one or more trusted security plugins on your site. (Emphasis on trusted!)
These plugins take care of most security-related manual tasks for you. They scan your website for possible infiltration attempts, alter source files that could make your site vulnerable, reset and restore WordPress, and prevent content theft such as hotlinking. These plugins are trusted and can cover most of the items on the list.
No matter what plugin you choose to install, whether they are security-related or non-security-related, ensure that they are legitimate and well established. You can also download any other plugins at your own discretion.
- Secure WordPress themes are recommended.
You shouldn’t install any questionable plugins on your website. Resist the temptation to choose any WordPress theme that just looks cool. Why you ask? It could actually make your site more vulnerable to serious issues. Choose a WordPress theme that conforms to WordPress standards to avoid vulnerabilities.
Copy your URL to your WordPress website (or any WordPress site URL) and paste it into W3C’s validator. If your theme is not compatible, you can search for a suitable theme in the official WordPress directory.
- SSL/HTTPS.
SSL (Secure Sockets layer) is the technology that encrypts the connections between your website’s web browsers and those of your visitors. This ensures that your visitors’ traffic is protected from unwanted interceptions.
WordPress users can choose to either manually set up SSL or to use a plugin. It will not only improve SEO but also make your website more appealing to visitors. Google Chrome will warn visitors if a site isn’t following the SSL protocol. This directly affects website traffic.
Visit your WordPress website’s homepage to see if your site uses the SSL protocol. Your connection is secure if your homepage URL begins with “https ://”” (the “s”) in the URL. You will need an SSL certificate if your URL starts with “http ://”,”.
- Install a firewall
To protect your WordPress website, we recommend installing a Web Application Firewall plugin. Before you make your decision, consider carefully which firewall and plugin is best for you. We recommend Wordfence or Sucuri based on our experiences.
- Backup your website.
Being hacked is a very stressful experience. If you lose all your data, it can be even more distressing. You can prevent this from happening by making sure that your WordPress website is backed up regularly with a plugin or via your hosting provider. We would recommend BlogVault given our experiences, easy to use with a one click restore option. Backups should be done frequently and automatically, given the nature of your site there are options to backup in-flight e-commerce transactions.
- Regular WordPress security scans are recommended.
Last, but not least, we recommend that you conduct routine checks on your website. This can be done a number of ways but we would recommend an automated scan with a notification going to an administrator or developer that can take immediate action. Remediation immediately following detection of malware may just save you a lot of time and money.
After you have completed these steps, you can move on to the more advanced security measures for your WordPress website.