Website owners have often complained about WordPress security, claiming that an open source script is vulnerable to attacks and hacking. Is this true? Well, not really. WordPress is considered quite secure. You just have to take the necessary steps to ensure your website stays that way.
Let's take a closer look at some things WordPress users are worried about and what you can do to make sure these concerns never become a reality for your own website.
How Secure is WordPress?
WordPress is considered one of the most secure CMS on the internet today, although you have to use security best practices to make sure this stays a reality.
A recent study found that WordPress powers 34% of all websites. Of course, with so many people relying on WordPress for their own websites, there's bound to be more vulnerabilities. Not every user is being careful or security conscious. The bigger issue arises when a hacker finds one of these vulnerabilities in a nonchalant website. That's because the hacker can then scan for other websites that are also running the same insecure setups or old WordPress versions and hack those, too.
Luckily, WordPress does have a team specifically focused on fixing security issues with the open source code. This ensures that vulnerabilities are fixed in a timely manner. You just have to make sure you're using the latest version of WordPress, which will have those patches in place.
Some security issues also come from beyond WordPress itself. According to a recent report by wpvulndb.com, 75% of security vulnerabilities are from WordPress plugins, 14% are from core WordPress, and 11% are from WordPress themes.
What are the top 5 WordPress Security Issues
Like most websites, WordPress sites are vulnerable to hackers. But some hackers' attempts are more successful than others. Here's the top five WordPress security issues to watch out for.
Cross-Site Scripting (XSS)
Cross-site scripting is when an attacker gets a victim to load web pages with insecure scripts without their knowledge. When your site's visitors unknowingly fill out a form on your site, the hacker will then steal data from their browsers.
Cross-site scripting vulnerabilities are the most common vulnerability found in WordPress plugins. In fact, they make up more than 80% of all security vulnerabilities on the entire internet.
Brute Force Attacks
This is not a high-tech attack on software vulnerability, but instead a focus on your WordPress login. A brute force attack is when a hacker will try over and over to enter username and password combinations until one finally works.
WordPress doesn't limit login attempts, which means hackers and bots can continuously try to brute force attack their way in. The high amount of login attempts can also overload your system, slowing down your WordPress site. This can sometimes lead to account suspension.
File Inclusion Exploits
The second most common WordPress security issue revolves around WordPress website's PHP code. PHP is the code that runs your WordPress website, plugins, and themes, including wp-config.php file — and it's easily exploited by hackers. They will load remote files with vulnerable code, gaining access into your website.
WordPress websites use a MySQL database to operate. An SQL injection occurs when a hacker gains access to your WordPress database and all of its data. They may create a new admin user account, allowing them to insert new data into your database, like links to malicious or spam sites.
Since 2017, there have been more and more SQL Injection vulnerabilities. The total vulnerable plugins, according to Threat Press, was 202, while the total vulnerable themes was five. Plugins affected by vulnerabilities in WordPress was 153.
Malicious software is code that lets a hacker gain unauthorized access to a website, gathering its sensitive data, by injecting malware into your website's files. There are thousands of malware infections, but luckily WordPress isn't vulnerable to all of them.
Backdoors, drive-by downloads, pharma hacks, and malicious redirects are the four most common WordPress malware infections. All of these types of malware can be cleaned up if you manually remove the malicious file and then install a fresh version of WordPress. Or restore your WordPress site from a non-infected backup.
User Errors That Create WordPress Security Issues?
A lot of common vulnerabilities are caused by human error. Check out some of the mistakes you could be making that make your WordPress site vulnerable to hackers.
Using weak passwords
One of the most common mistakes WordPress site owners make is using weak passwords. Your admin password should be strong, meaning you have a blend of characters, symbols, and numbers. It should also not be something too obvious; avoid using passwords that are similar to your username or website name/content.
Try installing the iThemes Security plugin, which checks if your password has appeared in a data breach. You can change settings and ensure that compromised passwords are refused.
Using a shared or poor-quality website host
Poor quality and shared hosting can lead to more site vulnerabilities. That's because you can't trust every host to be using the latest security best practices. If you're on a shared server and one website is hacked, the attackers most often gain access to other websites and their data, too.
Failing to update WordPress, plugins or themes
Running an outdated version of WordPress greatly raises your website's vulnerabilities. That's because updates often include patches for found security issues. Always check your WordPress dashboard for available updates.
Using themes and plugins from untrustworthy sources
Another common exploit is poorly-written, insecure, and outdated code. You'll only want to download and install WordPress plugins and themes from sources you can trust from within the WordPress.org repository or from premium, trusted businesses. Bootleg and "free" versions of themes and plugins often have files that have been altered to contain malware.
Few Simple WordPress Security Tricks to help keep your website safe in 2020
Let's take a look at a few simple ways you can prevent some of the most common hacking attempts on WordPress sites in 2020.
Protect the wp-config.php file
We mentioned this a while back, but the wp-config.php file is one of your site's most important files since it holds a lot of crucial WordPress installation information. If you make the wp-config.php file inaccessible to them, it becomes very difficult for hackers to breach your site's security.
You can easily protect the wp-config.php file by moving it to a higher level than your root directory.
Work only with good hosts
You should only work with reliable and safe hosting so make sure you look into reviews and other people's experiences with the host's security, reliability, and speed.
Unfortunately, you most likely won't know ahead of time if the host is focused on website security. And you also can't "fix" the host, so if you run into into a lot of hacker attacks and low performance, you are better off finding a more secure host. This can sometimes mean paying more money, but that will also lead to less vulnerabilities.
Set directory permissions carefully
When you're using a shared website host, wrong directory permissions are a big deal. You'll want to change files ("644") and directory permissions ("755") to secure your website at the hosting level. This can be done manually by accessing the File Manager within your hosting control panel.
Disallow file editing
Users with admin access to your WordPress dashboard are allwoed to edit any files on the site, including plugins and themes. By disallowing file editing, a hacker that obtains access to an admin's account won't be able to modify any files.
This is luckily an easy fix, too. Add define('DISALLOW_FILE_EDIT',true); to the end of the wp-config.php file.
Block all hotlinking
When you share an online image on your website it's still being hosted on another site's server. For this reason, you don't have any control over whether or not the photo remains on said server. People can also do this to your website, too, stealing your server bandwidth and slowing down loading speeds.
Luckily the fix is easy. Find a WordPress security plugin to prevent hotlinking.
Use a better platform
Another easy fix is switching to a different platform like Mindspun, a publishing platform with a focus on security and SEO best practices. When it comes to security, HTTPS is automatically enabled so you don't even have to worry about it. Instead, you can focus on creating content on our easy-to-use and straightforward CMS.
Mindspun has a free tier with up to 20 posts, then its $29 per month beyond that.
WordPress has a lot of options and flexibility. But that comes with a price — a big one. It means there's more security vulnerabilities. Whenever you get a new plugin or new theme, you're opening up your website to more hacking opportunities and security risks, like the ones outlined above.
Luckily, there are definitely ways to keep your website safe if you pay close attention to security best practices. And you can also check out Mindspun for a simple and safe alternative. Contact us today if you have any questions.