Nineteen years after its creation, WordPress remains one of the most popular and widely used content management systems (CMS) on the world wide web. To put it in numbers, over 60 percent of internet websites are built on top of WordPress!
This popularity comes with a lot of advantages, such as a large developer community, extensive tooling, and a plethora of tutorials and guides. But it also comes with a few disadvantages. One of them is an increased susceptibility to hacking.
Hackers love hacking WordPress. In fact, 83% of all hacked CMS-based websites are built on WordPress. They love finding vulnerabilities to exploit, and unfortunately, WordPress has a handful of those.
In this article, I'll go over eight common WordPress vulnerabilities and explain how each of them can be mitigated.
1. Poor Hosting Environment
A host is a server computer on the internet where the files powering your website are stored. If you want your WordPress site to be accessible on the internet, you have to put it on a web host.
One of the main reasons why WordPress sites get hacked is a poor hosting environment. According to statistics from Kinsta, around 41% of hacked WordPress sites were compromised this way, so a poor hosting environment accounts for nearly half of all cases.
It follows that choosing a reputable and secure hosting provider alone reduces the chances of your site getting hacked by a significant percentage.
Some of the top-tier hosting providers for WordPress sites are SiteGround, WP Engine, Hostinger, and Bluehost. Before choosing a hosting provider for your site, make sure you carry out thorough research to uncover the quality of their service delivery along with the level of their customer satisfaction.
2. Random Themes and Plugins
A WordPress theme dictates the appearance of your site, while a plugin is used to add extra functionality to your site. Both are a collection of files, including PHP scripts.
Since both themes and plugins are made of code, they can contain bugs, and exploiting a buggy theme or plugin is a very popular way for hackers to gain unauthorized access to the affected WordPress site.
In fact, according to Kinsta, 52% of vulnerabilities are related to plugins, and 11% are caused by themes.
Hackers can also insert malicious code into a theme or plugin and publish it to a marketplace on the internet. If an unsuspecting user then installs it, the site is compromised from that moment on, often without the owner's knowledge.
The best way to avoid these problems is to only install themes and plugins from trusted and reliable sources.
3. Outdated Plugins and Themes
In addition to avoiding random plugins and themes, you should also keep the ones you've installed on your WordPress site up-to-date.
This is because hackers often search for specific themes or plugins (or specific versions of them) which are known to have vulnerabilities. They then look for sites using those themes or plugins and try to hack them. If successful, they can carry out harmful actions on the sites, such as reading data from their databases or even injecting malicious content into the websites.
To access your installed themes from the admin panel, navigate to Appearance > Themes on the sidebar. To access plugins, navigate to Plugins > Installed Plugins.
Typically, you'll get an alert notification in your WordPress dashboard when it's time to update any of the themes or plugins used on your site. Never ignore these alerts unless you have a good reason to.
4. Weak Passwords
Weak, easy-to-guess login credentials are one of the easiest routes for hackers to gain access to your WordPress back end. Around 8% of sites built on WordPress are hacked as a result of either a weak password combination or stolen passwords.
Hackers often use brute-force scripts to iteratively test common username and password combinations against as many WordPress sites as possible. When they find a match, they log in to the site and often resell the credentials to other hackers as well.
For this reason, you should always avoid using terms like user, admin, administrator, and user1 as your login username. Instead, create a username that is less generic and more personal.
For creating strong and secure passwords, here are some rules to keep in mind:
- Never use personal information (name, birthday, email, and so on).
- Create longer passwords.
- Make your passwords as obscure and meaningless as possible.
- Don't use common words.
- Include a number and a special character.
- Never repeat passwords.
To secure your site, you must specify a strong username and password combination right from when you're setting up WordPress for the first time.
In addition, you should set up two-factor authentication (2FA) to add another layer of security to your WordPress site.
Finally, consider using a security plugin like Wordfence or Sucuri Security to thwart brute-force attacks (and other malicious attacks) against your WordPress site.
5. Malware Injections
Malware is malicious code that a hacker plants on your site and can execute whenever they choose in order to carry out their plan.
Malware can be inserted in a variety of ways. It can be injected through something as simple as a crafted comment on the WordPress site, or through something as complex as uploading an executable file to the server.
In the best possible scenario, the malware will not cause any real damage and might do something as harmless as showing an unwanted ad to your customers. In this case, the malware can be removed by using a malware scanner plugin like Wordfence Security.
But in extreme cases, the malware will execute dangerous actions on the server which might lead to data loss in the database or something of similar consequence, like creating an unauthorized account on the WordPress site.
Solving such worst-case scenarios usually involves restoring your site from a clean backup before figuring out how the hacker was able to get into your system and patching the hole. This is why backing up your site on a regular basis is very important.
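Knowing which files changed since the last clean backup is what lets you find the hole before restoring. The following is an added example, not code from the article: it builds a SHA-256 manifest of an install directory and diffs it against a later one, flagging PHP files that appear under wp-content/uploads (a common defender heuristic, since WordPress stores only media there). The install and the tampering are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file under root (path relative to root, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def diff_manifests(baseline, current):
    """Report files added, removed or changed since the baseline, plus PHP files
    that appeared under wp-content/uploads, where WordPress never needs them."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = [p for p in added + changed
                  if p.startswith("wp-content/uploads/") and p.endswith(".php")]
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}

def demo():
    """Constructed scenario: a tiny clean install, then an edited theme file and a
    PHP file dropped into the uploads directory (inert placeholder content)."""
    clean = {
        "wp-config.php": b"<?php define('DB_NAME', 'wp');",
        "wp-content/themes/mytheme/footer.php": b"<?php wp_footer(); ?>",
        "wp-content/uploads/2024/photo.jpg": b"\xff\xd8\xff",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)  # taken right after a clean install or backup
        # Simulated tampering: one unexpected edit, one file that should not exist.
        with open(os.path.join(root, "wp-content/themes/mytheme/footer.php"), "ab") as fh:
            fh.write(b"<!-- unexpected edit -->")
        with open(os.path.join(root, "wp-content/uploads/2024/cache.php"), "wb") as fh:
            fh.write(b"<?php // placeholder: a PHP file under uploads")
        return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

In practice you would store the manifest alongside each backup and run the diff on a schedule, reviewing the "changed" and "suspicious" lists by hand.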
6. Phishing Attacks
In a phishing attack, the attacker sends an email from an address that looks as if it is coming from your site's domain. The attacker typically asks your site user or customer to click a link and do something, which the user may well do, not knowing the message isn't actually from you.
Phishing attacks come in many styles, with names like cat-phishing, spear-phishing, and so on. Regardless of the type, phishing always involves a spoofed (but legitimate-looking) sender address and a link to a malicious page.
Often, the attacker will display a fake form which looks identical to the real login form of your website. If the user doesn't notice in time, they might submit one or several sets of login credentials to the malicious site.
The result is that the hacker now has a fresh set of usernames and passwords to try in brute-force attacks on other sites, as well as valid credentials for the user's account on your site.
Due to the way email was originally designed, it's easy to fake the "from" address of an email, making phishing attacks slightly harder to stop.
However, these days, technologies like SPF, DKIM, and DMARC make it possible for receiving mail servers to check where an email came from and validate the sending domain. As long as these are all set up properly, emails that spoof your domain will be detected by the recipient server and either marked as spam or kept out of the user's inbox entirely.
If you're not sure if you have SPF, DKIM, and DMARC set up properly, ask your web host. Most top-tier web hosts have easy-to-follow instructions on how to set these up.
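"Set up properly" is the important part: an SPF record ending in "?all" or a DMARC policy of "p=none" is published but does nothing to stop spoofing. The following is an added example, not code from the article: it parses SPF and DMARC TXT records and flags the weak settings. The records are constructed samples for a hypothetical example.com; DKIM is not checked here because it needs the selector name your host uses.

```python
# Constructed sample DNS TXT records for a hypothetical domain: a weak set
# and a hardened set for the same site.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.example-host.net ?all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.example-host.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

def check_spf(record):
    """Return findings for one SPF record; an empty list means no weak setting found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The final 'all' term decides what happens to senders not listed before it.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{all_terms[-1]}' does not fail unlisted senders")
        elif qualifier == "~":
            findings.append("'~all' is softfail only; use '-all' once DMARC is enforced")
    return findings

def check_dmarc(record):
    """Return findings for one DMARC record; an empty list means no weak setting found."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: spoofed mail is reported, not blocked")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= tag: you will not receive aggregate reports")
    return findings

def audit(records):
    """Map each record name to its findings; DMARC records live at _dmarc.<domain>."""
    return {name: (check_dmarc(rec) if name.startswith("_dmarc.") else check_spf(rec))
            for name, rec in records.items()}
```

Paste the TXT records your host publishes into the dictionary to audit a real domain; an empty findings list for both names is what "set up properly" looks like.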
7. Denial of Service Attacks (DoS and DDoS)
A Denial of Service attack occurs when a perpetrator floods a website's server with bogus requests, leaving the server unable to process normal requests from legitimate users. A Distributed Denial of Service (DDoS) attack does the same from many machines at once, which makes it much harder to block by source.
In WordPress, caching helps mitigate DoS and DDoS attacks because cached pages can be served without hitting PHP and the database for every request. You can use a WordPress plugin like WP Fastest Cache on your website for this. Also, most top-tier hosts have DDoS mitigation systems built into their infrastructure.
8. Cross-Site Scripting (XSS)
Cross-site scripting is another kind of code injection attack, similar to the malware injection we looked at earlier. Here the attacker gets a malicious script into a page of your site (for example through unescaped user input), and the script then runs in the browser of everyone who views that page.
The attacker may use this opportunity to impersonate the visitor of your site (using their session data) or send them to another malicious site they have created to dupe the user.
One of the most effective ways of thwarting XSS attacks on your WordPress site is by installing a powerful firewall plugin like Sucuri, which you can also use to scan your website for XSS vulnerabilities.
Keeping your WordPress website safe and secure requires that you take proactive steps to uncover vulnerabilities that attackers can exploit. In this article, we covered eight vulnerabilities and offered a solution for each of them.
Keep in mind that the best way to mitigate vulnerabilities in your WordPress site is by keeping all the site's components up-to-date. This includes plugins, themes, and even WordPress itself. Don't forget to upgrade your PHP version too.