WordPress is by far the most popular content management system on the ‘net.
A quarter of the world’s websites run on top of WordPress. And for good reason: it’s the best free tool for beginners that also allows for advanced customizations.
But there’s a problem.
Being so popular puts a huge target on your back. Plus, a big part of WordPress’ popularity is the fact that it’s open source, meaning its code base is out there in the open for anyone (good or bad) to read.
The net result is that 73% of the most popular WordPress sites are sitting ducks. They have obvious flaws or loopholes that could make them susceptible to an attack at any moment.
The silver lining is that most WordPress vulnerabilities can be boiled down into three main categories. Here’s what those are, and how to fix each one.
Plugins
We’ve all seen this before: four or five WordPress update notifications whenever a single plugin or theme update lands.
Countless red dots every time we log into our WordPress site. They could be updates for plugins or themes, but we usually treat them the same way: ignore them for a few days before upgrading a ton at once.
That’s not the approach we should take, though. There’s a reason they go overkill with multiple notifications like that.
More often than not, these upgrades are patching holes or security issues in previous versions. And when that happens, the developers usually publish notes on the exact problem or backdoor they fixed. So even the most amateurish hacker now has clues about how to exploit sites that haven’t updated promptly.
The additional problem with running so many different plugins and themes is that they’re all created by so many third-party people.
It’s no wonder, then, that over half of WordPress security issues come back to plugins.
Either they don’t play nice together, causing the infamous white screen of death, or they’re just shoddily made (especially free ones that haven’t been updated in weeks or months).
Plugins can add some awesome functionality to your WordPress site. But to keep yourself safe, try to limit the number you’re using and make sure they’re from reputable developers.
Oh, and run those updates ASAP.
Brute Force Attacks
A surprising number of hacks happen because of the most simple reason:
Weak passwords.
In fact, Verizon reports that weak or stolen passwords result in over 80% of hacking-related breaches!
Stealing your password through a phishing scheme is one problem. These often involve simply tricking the user into revealing their password (or password reminder answers) to gain access.
However, the most common password attack is more direct. Brute force attacks are simple but deadly. They work by systematically guessing combinations of letters and numbers: trying “A,” then “B,” then “C,” and so on, then every two-character combination, and so forth, until one guess works.
The software to run this is easily accessible, and generating the guesses is trivial to automate.
If you had a two-digit PIN, there are 10 possible values for each digit, meaning there are only 100 total possibilities to guess.
Obviously, most passwords are at least a few letters or numbers long. But they’re often easy-to-guess combinations because you’re using easy-to-remember names, dates, etc.
Strings of random letters or numbers are tougher to guess. Mixing upper and lower case makes it even more difficult. And adding random symbols or punctuation marks can finally produce something relatively secure.
So the first step in security is to use a password manager like LastPass to create randomly generated codes that are saved automatically.
You can also limit the number of login attempts any user can make on your site. For example, the Login Lockdown plugin only allows users three chances before restricting access for a period of time. It can also track those attempts by IP address, which helps tell apart someone genuinely struggling to log in from someone trying to brute force their way in.
Last but not least, you can add two-factor authentication to your site with plugins like Google Authenticator. That means you type in your password on your WordPress site and are then asked for a one-time code from your mobile device. So you essentially need two secrets on two devices to make sure every login is legit.
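As an added illustration (not code from this post or from any of the plugins it names), the snippet below models the per-IP lockout policy just described together with the keyspace arithmetic from the two-digit PIN example; the 20-minute lockout period and the sample IP addresses are assumed, constructed values.

```python
from collections import defaultdict

# Assumed policy values: three failures per address, then a 20-minute lock.
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 20 * 60


class LoginLockout:
    """Tracks failed logins per source IP and locks an address out."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; returns True if the address is now locked."""
        if self.is_locked(ip, now):
            return True
        # Only failures inside the last lockout window count towards the limit.
        recent = [t for t in self.failures[ip] if now - t < self.lockout_seconds]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures[ip] = []
            return True
        self.failures[ip] = recent
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


def keyspace(charset_size, length):
    """Number of candidate passwords: 10**2 == 100 for a two-digit PIN."""
    return charset_size ** length


def max_guesses_per_hour(max_attempts, lockout_seconds):
    """Upper bound on guesses one address can make under the lockout policy."""
    return max_attempts * 3600 / lockout_seconds


def hours_to_exhaust(charset_size, length, guesses_per_hour):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_hour
```

Per-IP tracking is only a partial control, since an attacker spreading guesses across many addresses sidesteps the counter, which is why the password strength and two-factor advice above still matter.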
Prevention
Those first two are the ‘low-hanging fruit’ for hackers.
But there is still a variety of more advanced hacks, malware injections, and a slew of other malicious attacks that are tougher to protect yourself against.
Fortunately, there are a number of professional options out there that are well worth the investment.
Wordfence, for one, puts a firewall in front of your site so that suspicious requests are blocked before they ever reach WordPress.
Cloudflare does this and more, protecting you from other common attacks like DDoS attacks. These essentially ‘flood’ your server with requests until it can no longer respond and the site goes down completely.
Cloudflare can set up a few different barriers to absorb and filter these attacks and prevent them from ever reaching your server. In addition, it also has a slew of site-enhancing features to speed up performance.
Sucuri is similar, protecting you from everything from DDoS attacks to malware and more.
All of these tools are focused more on prevention because once an attack has started, it’s often already too late.
The final piece of the puzzle might sound odd initially. But cheap, shared hosting can’t always do much to help protect you.
That’s why managed WordPress hosting options like Kinsta are excelling, combining performance with additional security to help stop a lot of these issues dead in their tracks.
Conclusion
WordPress is the most popular website platform on the internet for a reason.
It’s great for both beginners and advanced power users.
Unfortunately, what makes it great also comes with a few downsides. The open-source code, coupled with the countless third-party developers writing plugins and themes for it, means that there are a lot of hands in the cookie jar. It’s not a ‘closed system’ carefully monitored by a handful of people.
So be careful about which plugins or themes you’re using, and make sure you’re always running the latest version of them.
Create stronger passwords with random strings of letters, numbers, symbols, and cases. (Obviously, you should create unique ones for each site, too.)
Last but not least, it’s often worth it to invest in some professional help to prevent these attacks before they happen.
There are a ton of excellent options available. And even though it might cost a few extra bucks each month, that cost pales in comparison to the issues you might have if your site was taken offline for an extended period of time.