Published on 13 May 2019 (Updated 29 February 2024)
Today, 33% of websites in the world are using WordPress. This makes it the most used CMS (Content Management System) out there, with 60% of the market share. Without a doubt, due to this ever-increasing popularity, WordPress has also become a favorite target of hackers on the web. Hence the question: are there any effective ways to protect our WordPress sites?
In this article, we will help you understand the importance of securing a website while using WordPress and learn about the setup process.
What are the most common attacks on a WordPress website?
A hacker may have diverse motives to attack a website, but most of the time they do so to make money, to disrupt the service that the site offers, or to steal sensitive data such as passwords or bank information.
Attacks on WordPress websites are very varied, but hackers mainly exploit its known vulnerabilities. Here is a list of the most common attacks on a WordPress site.
Malicious software (Malware)
- Backdoors
First of all, backdoors allow hackers to take control of a compromised website by bypassing its authentication. Such backdoors are often very difficult to find, since they are designed to pass for legitimate code.
The backdoors found on WordPress sites are mostly present in the code of plugins that are little known or downloaded from unofficial sites. Once such a plugin is installed, the hacker can hide obfuscated or encoded backdoor code in your PHP files, so even after the plugin is removed, the hacker can keep well-hidden access to your site.
- Stealth download (drive-by download)
This refers to the unintentional download of malware from the Internet, most often when a user visits an infected website or opens an e-mail that leads to an unknown website. The software then installs itself on the user’s computer without their knowledge. It can be a virus, spyware, a remote access tool, ransomware, and so on.
- Pharma Hack
Pharma Hack is the injection of malicious code into the pages of a WordPress site, causing search engines to return ads for illegal pharmaceuticals (or sometimes other products) instead of your website. Pharma Hack victims often report a sharp drop in traffic to their sites and, in some cases, even the removal of their sites from Google’s search results. This type of hack can be difficult to detect because it does not visibly alter the pages that normal visitors see; only the content served to search engines, and hence the rankings, is affected.
Brute Force
Brute Force login attacks use automated scripts to exploit weak passwords and gain access to your site. The attacker tries to guess your site’s administrator username and then its password by testing all possible combinations. This method works especially well when people use passwords such as “123456” or “password” with usernames like “admin”.
File inclusion
This vulnerability comes from input that is not properly validated. The attacker can, for example, make your site include a remote file, usually a script. This is one of the most common ways an attacker gains access to files on your WordPress site that hold sensitive data, such as wp-config.php.
SQL Injections
SQL injections allow attackers to gain access to the data in your site’s database by manipulating the SQL queries the site runs. With an SQL injection, the attacker can create a new administrator account and use it to log in to your site, gaining full access to your WordPress installation. This vulnerability also allows the attacker to insert new data into your database, including links to malicious sites.
Cross-Site Scripting (XSS)
XSS refers to the injection of a malicious script, most often JavaScript, which is loaded on a page without the knowledge of your site’s users. The aim is usually to steal cookies or session data, rewrite the HTML of a page, or redirect users to another site. It is the most common vulnerability found in WordPress plugins.
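As an added illustration (not code from the article), the following hypothetical plugin shortcode shows the two vulnerabilities just described, SQL injection and XSS, in plugin code, next to the hardened form that binds the parameter through $wpdb->prepare() and escapes on output. The `notes` table, the `note` query parameter and the shortcode name are constructed for the example.

```php
<?php
// Hypothetical plugin code (added example, not from the article).
// Shortcode [recent_note] loads a row from a custom "notes" table by the
// id given in the "note" query parameter and prints its title.

// VULNERABLE: the request value is dropped straight into the SQL string
// (SQL injection) and the stored title is echoed unescaped (XSS).
function insecure_note_shortcode( $atts ) {
    global $wpdb;
    $id  = isset( $_GET['note'] ) ? $_GET['note'] : '';
    $row = $wpdb->get_row( "SELECT title FROM {$wpdb->prefix}notes WHERE id = $id" );
    return $row ? '<p>' . $row->title . '</p>' : '';
}

// HARDENED: validate the input as a positive integer, bind it with
// $wpdb->prepare() so it can never change the query structure, and escape
// on output so stored data is rendered as text, never as HTML or script.
function secure_note_shortcode( $atts ) {
    global $wpdb;
    $id = isset( $_GET['note'] ) ? absint( $_GET['note'] ) : 0;
    if ( 0 === $id ) {
        return '';
    }
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT title FROM {$wpdb->prefix}notes WHERE id = %d", $id )
    );
    return $row ? '<p>' . esc_html( $row->title ) . '</p>' : '';
}
add_shortcode( 'recent_note', 'secure_note_shortcode' );
```

The same rule applies to every output context: use esc_attr() inside attributes and esc_url() for links, since esc_html() alone does not make those safe.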
Denial of Service (DoS)
This attack aims to make the target website unavailable and prevent the site’s operators from accessing it. To do this, the hacker uses scripts that send requests in a loop, often aimed at a vulnerable or resource-hungry part of the site. The goal is to overload the memory of the server where the site is hosted.
Spam in comments
These comments are mostly generated automatically by programs (bots). They may contain unwanted messages or links to unknown websites.
Recommendations
To secure your WordPress site, there is a whole technical part to put in place. You must also (and above all) implement several good practices. Here is a list of actions you can take to improve the security of your WordPress site.
Hosting
- Choose a well-known and secure host for your site, where access to your database is protected
- Use HTTPS protocol to secure your WordPress site
- Use the latest version of PHP (currently PHP7)
Theme/Plugin
- Update WordPress regularly, as well as the theme and plugins you use
- Remove inactive themes and plugins
- Install a plugin like iThemes Security or All In One WP Security & Firewall, which can warn you if there are suspicious modifications in your site files
- Install a plugin to prevent spam in comments, like Akismet
- Use only trustworthy plugins that are reliable, recognized, and have good support
- Download your plugins only from trusted sites
Authentication
- Create strong passwords (at least eight characters, containing upper and lower case letters, numbers and special characters)
- Restrict the number of login attempts
- Mask login errors
- Use a CAPTCHA on the login form, or two-factor authentication
- Ban malicious IP addresses
- Ban login attempts with non-existent usernames
- Reduce the lifetime of user sessions
- Change passwords regularly
- Don’t connect to your WordPress site over public Wi-Fi
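Several of the authentication items above (limiting login attempts, masking login errors, rejecting non-existent usernames) can be implemented directly with WordPress hooks. The following must-use plugin is an added example, not code from the article; it assumes the server sees the real client address in REMOTE_ADDR, and the threshold and lockout values are arbitrary.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not from the article)
 * Drop into wp-content/mu-plugins/. Counts failed logins per client IP,
 * locks the client out after too many, and returns one generic message
 * for every failure so usernames cannot be enumerated.
 * Assumes REMOTE_ADDR holds the real client IP (adjust behind a proxy).
 */

define( 'LH_MAX_ATTEMPTS', 5 );      // failures allowed per window (assumed value)
define( 'LH_LOCKOUT_SECONDS', 900 ); // 15-minute window and lockout (assumed value)

function lh_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5( $ip );
}

// Count each failed login against the client for the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so a locked-out client is refused even if it finally guesses the password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // login form not submitted yet
    }
    $generic = new WP_Error( 'lh_denied', __( 'Login failed. Please try again.' ) );
    if ( (int) get_transient( lh_client_key() ) >= LH_MAX_ATTEMPTS ) {
        return $generic; // locked out
    }
    if ( ! username_exists( $username ) && ! email_exists( $username ) ) {
        return $generic; // unknown account: same message as a wrong password
    }
    return $user;
}, 30, 3 );

// Replace WordPress's detailed messages ("Unknown username", "incorrect password").
add_filter( 'login_errors', function () {
    return __( 'Login failed. Please check your credentials.' );
} );

// A successful login clears the client's counter.
add_action( 'wp_login', function () {
    delete_transient( lh_client_key() );
} );
```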
User administration
- Remove the default “admin” account, replace it with another admin account with a different name
- Forbid usernames like admin, www, domain_name
- Do not grant administrator rights to all your users
- Check your user list frequently and delete obsolete accounts
- Downgrade the role of former users
Server administration
- Backup your site and its database regularly
- Disable directory listing, so folder contents cannot be browsed
- Change the default “wp_” prefix in the database
- Set file access permissions on the server
- Block access to readme.html and license.txt files
- Set random security keys
- Change the URL of your login page
- Protect the wp-config.php file and its sensitive data
- Restrict access to the .htaccess file
- Disable the file editor in the back-office
- Allow automatic major WordPress updates
- Hide your WordPress version (if version prior to 5.0)
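Several of the server-administration items above are wp-config.php settings. The fragment below is an added example, not the article's code: the table prefix is a constructed value and the key placeholders must be replaced with freshly generated values.

```php
<?php
// Hardening fragment for wp-config.php (added example, not from the article).
// Place it above the "That's all, stop editing!" line. Values in <...> are
// placeholders, and the prefix is a constructed example.

// Non-default table prefix: generic injection payloads that assume "wp_"
// fail. Set it at install time; changing it later means renaming tables.
$table_prefix = 'k3q_';

// Unique keys and salts invalidate all existing cookies when rotated.
// Generate fresh values at https://api.wordpress.org/secret-key/1.1/salt/
define( 'AUTH_KEY',         '<paste-a-random-64-char-value>' );
define( 'SECURE_AUTH_KEY',  '<paste-a-random-64-char-value>' );
define( 'LOGGED_IN_KEY',    '<paste-a-random-64-char-value>' );
define( 'NONCE_KEY',        '<paste-a-random-64-char-value>' );
define( 'AUTH_SALT',        '<paste-a-random-64-char-value>' );
define( 'SECURE_AUTH_SALT', '<paste-a-random-64-char-value>' );
define( 'LOGGED_IN_SALT',   '<paste-a-random-64-char-value>' );
define( 'NONCE_SALT',       '<paste-a-random-64-char-value>' );

// Serve the login page and dashboard over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme/plugin code editor from the back-office, so a stolen
// admin session cannot be turned into PHP execution from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Let WordPress apply major core updates automatically, not only minor ones.
define( 'WP_AUTO_UPDATE_CORE', true );
```

Directory listing and access to readme.html, license.txt and .htaccess itself are web-server settings (for Apache, `Options -Indexes` and `<Files>` blocks in .htaccess), not wp-config.php constants. Hiding the version tag is done with `remove_action( 'wp_head', 'wp_generator' );` in a small mu-plugin, since hooks are not available when wp-config.php is loaded.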
In conclusion, if you could take away three points from this article to secure your WordPress site, they would be the following:
1. First, if you are developing your WordPress site, adopt good development practices by hardening your theme files and protecting your sensitive files.
2. Second, if you are using a theme downloaded from the Internet, make sure it has a good reputation and support. The same goes for the plugins you install. When deploying your site, secure your admin accounts. If possible, install a security plugin that will allow you to further secure your site.
3. In any case, don’t forget to maintain your site by making regular backups as well as updating WordPress and your plugins.
Note that plugins and themes give WordPress great flexibility, but they are also the most vulnerable parts of a site when not updated. The WordPress team fixes security vulnerabilities with every update, yet only 35% of WordPress sites run the latest version. Furthermore, 50.8% of WordPress sites use an outdated version of PHP, which poses a big security risk. As a matter of fact, WordPress will no longer support some older versions of PHP.
WANT TO FIND OUT MORE?
Want to have your WordPress site secured by professional developers? Don’t hesitate to contact our team.