WordPress Security: A Complicated Matter
WordPress is the most popular website creation software in the world, powering over 27% of the internet. It is a powerful open source tool, used by everything from small hobbyist blogs to some of the biggest sites on the web (for example Bloomberg, BBC and Variety). However, even with constant security updates and a large support community, security is still a big concern. Because WordPress powers such a massive section of the web, it is by extension a big target for hackers. In 2012 alone, over 170,000 WordPress sites were hacked. This post describes what it means to be “hacked,” what actually happens when you are “hacked,” and how to prevent it.
Why would a hacker want to gain access to my site?
One very common misunderstanding is that hackers only want to hack into large sites like CNN. This is far from the case. Hackers are not looking to hack large websites so much as they are looking to hack as many websites as possible. This means they will take any website that presents an opening, whether it is a small hobbyist blog or a large corporation. There are multiple reasons a hacker might want to get into your website:
- To send spam or malicious emails using your email address
- To gain access to your data, i.e. passwords, credit card info, etc.
- To install malware on your visitors’ computers
- To redirect you to another website
If your browser detects that any of these tactics are in use on the website you are attempting to visit, a message similar to this may pop up:
Why are WordPress hacks so common?
WordPress is an incredibly popular service, as stated above. This makes it a very lucrative opportunity for malicious hackers, as they could potentially hack millions of sites with just one vulnerability. This vulnerability can come in many different forms, whether it be a vulnerability in WordPress core, plugins, or themes.
How do WordPress sites get hacked?
Being “hacked” is one of the scariest experiences one can come across. Hacking occurs in many different forms in WordPress. The good people of wordfence.com made a handy graph that displays the frequency of each type of WordPress hack.
How do I protect from these hacks?
As you can see, by far the most common form of hack in WordPress is via plugin vulnerabilities. Sometimes, WordPress plugins have security holes that allow attackers to directly access your dashboard and change your site however they please. The best way to avoid this is to be careful about which plugins you install and to keep them updated. Plugins that have not been updated in months or have been abandoned are probably not the best choice, as they may present dozens of security vulnerabilities to your website. Good plugin developers will try to update their programs as soon as issues present themselves, so be sure to stay on top of updates.
In addition, be sure to check the reputation of the plugin you plan to install. A good practice is to only download plugins from reputable sites that have good reviews. If you keep track of your plugins using these tips, you’re good to go in this category.
The second most common form of hack is by “brute force,” which is a term used when the attacker learns your username and password by repeated login attempts. This is done by using computers that automatically go to WordPress sites and guess the username and password until they find it. This is why it is important to have a strong username and password. Far too many website owners think a username like “admin” and a password like “qwerty1234” is acceptable. In fact, according to HowSecureIsMyPassword.net, that password could be cracked in under a day!
Here are some tips for username and password security:
- Change your password regularly (but don’t forget it!)
- Don’t use the username “admin”
- Choose a strong password (use a combination of letters, capital letters, numbers, and symbols)
- Limit login attempts from one address – this can be done with plugins
- Only store your passwords using dedicated programs like LastPass
However, the best way to block brute force attacks is to use two-factor authentication, which can be added with plugins. With two-factor authentication, WordPress requires the webmaster to type in a code sent to their cell phone in order to log in. Obviously, the hacker will not have your cell phone, so this will stop them in their tracks. Although this method will stop 100% of brute force hacks, it is still important to keep a good username and password.
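The brute force pattern described above (one client submitting the login form over and over) is visible in the web server's access log long before an attacker guesses right. The following added example, not part of the original post, flags client addresses that rack up repeated failed logins to wp-login.php within a short window, which is the detection counterpart to the "limit login attempts from one address" tip. The combined log format, the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access log: client IP, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# 203.0.113.7 submits the login form six times in ten seconds and keeps getting
# the form back (HTTP 200 = credentials rejected); 198.51.100.4 loads the form
# once and logs in (WordPress answers a successful login with a 302 redirect).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2017:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1823 "-" "bot"'
     for s in range(1, 12, 2)]
    + ['198.51.100.4 - - [10/Mar/2017:13:55:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Mar/2017:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)

def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failed logins seen inside one window} for IPs at/over threshold.

    Only POST /wp-login.php answered with 200 counts as a failure: the login form
    was re-rendered with an error. A 302 is a successful login and is ignored, so a
    legitimate user who logs in once is never flagged.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop stale attempts
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 60s -> candidate for lockout or blocklist")
```

Run against a real log, the flagged addresses are the ones a login-limiting plugin or firewall rule should be locking out; a legitimate user who mistypes a password a couple of times stays well under the threshold.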
WordPress core vulnerabilities
Keeping WordPress updated to the latest version is imperative. The service is updated frequently to ensure that there are no known security vulnerabilities in the latest edition. By extension, this means that all older versions of WordPress have known security issues. The reason WordPress core vulnerabilities are so high on the chart is that some people are still running older versions of WordPress, which is very dangerous.
Other security tips
Choose a good hosting provider
It’s very important to choose a hosting provider that puts an emphasis on security. Hosting providers are one of the first targets for hackers, because they hold the data for so many websites. Choosing a provider that specializes in WordPress is also important, as they will probably have WordPress-specific security.
Downsize your plugins and themes
As mentioned before, plugins and themes are extensions of the WordPress core, and may present vulnerabilities of their own. This is why it is important to downsize your plugins and themes to only what is absolutely necessary. This reduces the number of doors that lead to the room that is your website.
Although hacks can never truly be fully stopped, following these tips will ensure that your site is as secure against them as possible. The most important lessons to take away from this are to keep a strong username and password, keep WordPress updated, and use reputable, regularly updated plugins and themes. Following these steps is imperative to the quality of security on your site.