WordPress is the foundation of about a quarter of the sites on the web. As such, it’s a juicy target for hackers and other criminals. If they can find a vulnerability in WordPress, they have the key to millions of sites. A vulnerability in a popular WordPress plugin is almost as tempting, and even a plugin that isn’t very popular might give an attacker access to thousands of sites.
This is a guest contribution by Graeme Caldwell.
This isn’t a problem with WordPress in particular. WordPress is just the biggest beast – other content management systems have the same troubles. Keeping WordPress secure is the job of developers and security researchers, but they can only do so much. WordPress site owners need to do their bit too.
Part of keeping your WordPress site safe is understanding what the risks are and how you can protect your site against common sources of vulnerability.
Recently, the WordPress security firm Wordfence published a list of the most common ways that WordPress sites were compromised. Let’s take a look at that list and what WordPress site owners can do to make sure they don’t fall victim:
4 Most Common WordPress Attacks
Plugin Vulnerabilities
By far the biggest culprit is vulnerabilities in plugins. There are tens of thousands of plugins, created by thousands of developers, so it makes sense that plugins are the biggest risk.
One way to protect your site from vulnerabilities in plugins is to install as few plugins as possible. The plugin ecosystem is the major reason people choose WordPress in the first place, so I don’t suggest you avoid plugins altogether. But if you aren’t using a plugin, remove it. Before installing a plugin, consider whether you really need the functionality it provides. Keeping the number of plugins low reduces your attack surface.
Next, make sure to keep the plugins you use updated. Vulnerabilities are found and fixed all the time. Updates deliver the fixes. Out-of-date plugins are an invitation to a compromise.
If a plugin hasn’t been updated for some time, it may have been abandoned by its developer. If you suspect a plugin isn’t actively developed, find an alternative.
Brute Force Attacks
Brute force attacks are simply guesses. The attacker – usually a bot – will try as many username-password combinations as possible until it finds the right one. The fix here is easy – don’t use usernames and passwords that can be guessed. Long, complex passwords are effectively impossible to guess. Passwords like “pa55word” and “ilovejustin” will be guessed in fractions of a second.
In addition to using secure passwords, you should also consider enabling two-factor authentication on your WordPress site and using a rate-limiting tool that blocks IP addresses after too many failed login attempts.
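To show what a rate-limiting tool actually checks, here is an added example (not from the original post, and not Wordfence’s or WordPress’s own code) that runs the rule over a constructed web-server access log: any IP address with five failed `wp-login.php` POSTs inside a 60-second sliding window is flagged for blocking, while the same number of failures spread out over several minutes is not. The sample log lines, the IP addresses and the rule that a 200 response to the login POST means a failed attempt (a successful login redirects with 302) are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache-style access log (sample data, not from the original post). Assumption:
# a POST to /wp-login.php answered with 200 is a failed login (the form is re-rendered),
# while a successful login is answered with a 302 redirect into wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.23 - - [10/Mar/2021:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2021:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.10 - - [10/Mar/2021:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.23 - - [10/Mar/2021:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2021:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2021:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Mar/2021:12:00:16 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.10 - - [10/Mar/2021:12:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.10 - - [10/Mar/2021:12:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.10 - - [10/Mar/2021:12:04:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.10 - - [10/Mar/2021:12:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins(log_text):
    """Yield (ip, timestamp) for every request that looks like a failed wp-login.php POST."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        if m["status"] == "200":  # a 302 here would be a successful login (see assumption above)
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_lockouts(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was hit}; log lines must be in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    lockouts = {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures that have fallen out of the window
            q.popleft()
        if len(q) >= max_failures and ip not in lockouts:
            lockouts[ip] = ts
    return lockouts

if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG))  # only 203.0.113.7 trips the rule, at 12:00:16
```

The slow attacker at 192.0.2.10 makes the same five attempts but never has five inside one window, which is why real tools also track failures per username and over longer horizons.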
Core And Theme Vulnerabilities
I’m bundling these two together because the mitigation is the same for each. Keep your site updated!
WordPress core is typically much more secure than the plugin ecosystem, and the vast majority of successful attacks against it rely on vulnerabilities that have already been fixed in the most recent version.
Again, keep your WordPress site up-to-date!
Hosting Vulnerabilities
Sometimes web hosting companies make mistakes, or the software they rely on – the Linux operating system, for example – contains vulnerabilities. The best way to avoid incompetent web hosting is to choose a web host with a good security reputation and the expertise to protect its clients.
It doesn’t take a lot of work to make WordPress secure. WordPress’s developers have created a strong foundation, and with the investment of a little time and attention, WordPress users can protect their sites and blogs from criminals.
Editor’s note: If you want to go the extra step and really make your blog secure, check out our in-depth post over on the CodeinWP blog: 20 Simple Tricks to Secure Your WordPress Website in 2021.