As by far the most popular content management system, WordPress powers millions of different websites. It's open source software, which means its source code is publicly accessible and can be modified by pretty much anyone with sufficient know-how.
Though WordPress plugins and themes can be purchased, tens of thousands of them are available for free. As one might expect, this does not come without its downsides. So how vulnerable are WordPress sites? What about its themes and plugins? And how can you protect your sites?
How Vulnerable Is WordPress?
In February 2022, Jetpack discovered that popular themes and plugins from the vendor AccessPress Themes (also known as Access Keys) were compromised. The researchers spotted the vulnerability by accident, after discovering suspicious code on a compromised website. Upon further investigation, they realized most AccessPress plugins and every theme contained the same code.
It later turned out that AccessPress Themes fell victim to a cyberattack in September 2021, with hackers injecting a backdoor in the vendor's plugins and themes.
AccessPress eventually updated and cleaned up their products, but presumably thousands of users were vulnerable to attacks for a long period of time.
Do WordPress Plugins and Themes Have Vulnerabilities?
Jetpack's findings underscore just how vulnerable WordPress can be. But this was not an isolated case.
In March 2021, for example, Wordfence disclosed major vulnerabilities in two WordPress plugins that, if successfully exploited, would have allowed an attacker to take over a website. The vulnerabilities were discovered in the Elementor and WP Super Cache plugins. Elementor is a website builder used on more than seven million websites, while WP Super Cache is a popular caching plugin.
In February 2022, as Search Engine Journal reported, the United States Government Vulnerability Database and WordPress security researchers warned of serious vulnerabilities in dozens of WordPress plugins.
Of those plugins, nine were used on more than 1.3 million websites: Header Footer Code Manager, Ad Inserter—Ad Manager & AdSense Ads, Popup Builder, Anti-Malware Security and Brute-Force Firewall, WP Content Copy Protection & No Right Click, Database Backup for WordPress, GiveWP, Download Manager, and Advanced Database Cleaner.
How to Secure Your WordPress Site
One would assume these vulnerabilities are always patched up or removed once discovered, but that is actually not the case.
Research from Patchstack found that 2021 saw an increase of 150 percent in reported WordPress vulnerabilities compared to 2020—and 29 percent of those vulnerabilities received no patch. Patchstack also found that just 0.58 percent of the reported flaws were in the WordPress core, which means that vulnerabilities are almost always found in plugins.
It is critical to ensure all plugins you use are up to date, as well as the WordPress core itself.
Before downloading and installing a plugin, make sure you do a bit of research first. Check how many installs the plugin has, read reviews online, see when it was last updated, and check whether it was tested with the latest WordPress core. This will only take a few minutes, but it could save you from a lot of trouble down the road.
Alternatively, you can use WPScan, which is a fairly simple and efficient WordPress vulnerability scanner. This tool can also be utilized to look up a plugin by name. The free version allows up to 25 API requests per day.
Fortunately, some plugins are actually designed to protect your WordPress site from intruders. Login LockDown, Wordfence, BulletProof Security are some of the best WordPress security plugins today. Login LockDown is completely free, while the other two have basic, free models.
WordPress Safety Tips
As vulnerable as WordPress can be, taking basic security precautions goes a long way when it comes to preventing and fending off cyberattacks.
Using unique login details and Two-Factor Authentication, keeping all software up to date, hiding theme names and login details should be the foundation of your WordPress security hygiene.
How to Secure Your WordPress Website in 5 Simple Steps
About The Author