All you need to know about WordPress Security!
Without hesitation, WordPress is one of the best Content Management Systems (CMS) on the market. With over 20% of the whole web running on WordPress - it’s clearly the most popular one, too. I’m pretty confident that at least half of your friends know what WordPress is, even if they barely know how to use computers.
Popularity is not always a good thing, especially when we are talking about security.
Simplicity breeds carelessness
Thanks to the plug-ins/add-ons that are developed by WordPress community, it’s pretty easy to get some extra features on the site as well.
For example: Many websites need a more advanced form or good looking gallery, neither is a default feature in WordPress. To add this feature, one just needs to install one of the available contact-form/gallery plug-in’s from the administration panel.
Now begins the difficult part: you are searching for “Contact Form” from WordPress plug-ins directory and you need to choose 1 plug-in from 218 pages of results.
Officially WordPress have 49 374 available plug-ins to extend the functionality. This is because plug-ins can be developed by anyone and everybody can add their creation to WordPress plug-in’s directory for others to use.
Anyone can create their plug-in which, by definition means that some will be poorly written. Automating the review of thousands of new plug-ins is a complicated task for a whole lot of reasons, and even with a sophisticated review system some errors might go undetected.
Outdated WordPress — easiest prey for mass-hacking
WordPress Core, Themes and Plug-ins contain over 6500 disclosed vulnerabilities. When a vulnerability affects the core of WordPress or any of the popular plug-in or theme — it means that every website with the same version of this software is potentially also vulnerable to the attack.
Latest examples (as of march 2017):
“Researchers find “severe” flaw in WordPress plugin with 1 million installs”
“1.5m unpatched WordPress sites hacked following vulnerability disclosure”
This is why WordPress is a very attractive platform not just for developers and bloggers, but for ill-intentioned hackers, too. It has never been easier to host a phishing site or create back-links to scam sites. Hacked WordPress sites have been even used for infecting visitors with ransomware and websites attacking websites is a sign that things have gone too far…
It is so easy that most of the “what we used to call hacking” has already been automated with malicious bots. Outdated websites can be automatically harvested to spread malicious software.
The overall state of website security in 2016
“We’ve seen an increase in the number of hacked sites by approximately 32% in 2016 compared to 2015. We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites.” — Google
When we started working on WebARX early 2016, we soon discovered that the main challenge was not about the technical solution, but one of communication and awareness issue. We notified thousands of hacked websites owners, cleaned up and patched a large amount of WordPress, Joomla! and other CMS based sites before protecting them from future attacks. What we learned is that most of the websites owners understand the problem and risks only after the first incident.
The most regular question from the owner of a website (with 34 different plug-ins installed each with multiple known vulnerabilities) remained: “Why would anyone ever hack my worthless small website?”
The fact that no immediate financial gain could be achieved by hacking your website doesn’t mean it is protected in itself. Ill-intentioned hackers could go after it (automatically, without ever seeing it) to have it become part of their botnet. Others just like the challenge or want to compete on websites such as zone-h to be the one who hacked the most websites today.
How to keep your website protected and your visitors safe
- Update, Update, Update… Regularly update everything you can. The plug-ins, themes and core. If possible, turn on automatic updates!
- Yes, brute-force is still a thing. Use an extra layer of security on your login forms like 2FA, ReCaptcha or software that can detect and block brute-force attempts. Set a custom login page URL, Delete the “admin” account and use a passphrase rather than a password. I would personally encourage you to use a password manager such as KeePass.
- Don’t install too many plug-ins, delete everything that is inactive and while selecting the necessary, make sure they are trusted. (Google their name and version).
- Install a website protection solution. Some vulnerabilities are not yet disclosed and only in the hands of ill-intentioned hackers who are using them. In this case a firewall or Intrusion Detection System (IDS) is a 100% must-have! Some of the popular choices: Sucuri (multiplatform), Wordfence (WordPress only) and I can personally get you a Free trial of WebARX (multiplatform, with external monitoring)
- Keep backups!
- Get SSL!
PS: Web developers, make sure to talk about the risks when creating a website for your clients. Offer maintenance and monitor all your existing clients.
TLDR;
The number of websites hacked in 2016, compared to 2015, increased by 32%! Outdated Content Management Systems (CMS) and plug-ins are the most common reasons why sites get hacked.
Today, most of the attacks are automated and even if you think that your website is not worth a hacker’s attention - it is still constantly scanned by bots and can create $ for the attacker.
“ As always it’s best to take a preventative approach and secure your site rather than dealing with the aftermath. Remember a chain is only as strong as its weakest link.” — Google
Keep your website protected, keep your visitors safe and lets reduce the amount of hacked websites in 2017! #NoHacked
For more technical information about WordPress vulnerabilities, read this: https://blog.ripstech.com/2016/the-state-of-wordpress-security/
