WordPress Security Vulnerabilities and Solutions
Security is a massive topic in the modern world. Mental, physical, emotional, financial, cyber, we all care one way or another about at least one of those. Cybersecurity is the youngest, with the rest being on people’s minds for as long as we and money have existed. Still, it is no less important if you have an online presence. There are so many websites online right now; it is a veritable shooting gallery for anyone wishing to perform malicious online activities. That is why cybersecurity has become such a significant industry, to the point of cybercriminal and cybercrime being actual words used to describe those who commit crimes online. Now consider the following: WordPress powers more than 42% of all websites. Since there are about 1.1 billion websites worldwide, imagine almost half of them being WordPress alone. Websites built with WordPress are some of the most attacked.
That is why we wanted to write this blog post, discuss some WordPress vulnerabilities, and offer advice and solutions. The security of your website is crucial and should be one of your top priorities online, despite WordPress being considered one of the more secure Content Management Systems out there. Even if you didn’t use WordPress for your website, you can still use this to learn what types of cyberattacks lurk on the internet and some security tips to apply to your website.
How Secure is WordPress
WordPress itself is very secure as long as you follow good security practices, which is why giving a definitive answer to the question is not exactly possible. There are more factors at play than just WordPress’ code alone.
As we mentioned in the introduction, WordPress powers more than 42% of websites. With that many users, security vulnerabilities are inevitable. Not everyone is careful, thorough, or security-conscious, which leads to the discovery of said vulnerabilities. And, where there is a vulnerability, there is an exploit. Attackers can find exploits on websites running old or insecure versions of WordPress. But what do users have to do with how secure WordPress is? The answer to that question is straightforward: updates and measures taken. Users have control over those two things, and every time they neglect a website’s updates or security measures, it can become a target of a cyberattack. Updates are vital to the security of a website because the newest versions of the core WordPress files, the plugins it uses, and its themes have fewer vulnerabilities than their older versions.
WordPress runs on open-source code and has a team devoted to finding, identifying, and fixing security issues. As developers discover security vulnerabilities, fixes are immediately pushed out to patch them. But you noticed we mentioned WordPress plugins and themes as well. That is because plugins and themes are the most common entry point for cyberattacks: more than 92% for plugins and more than 6% for themes.
To elaborate on our initial statement about how secure WordPress is, it is as secure as you make it. Update all the software it uses and follow solid security practices, which we will discuss later in this blog post.
Most Common WordPress Vulnerabilities
Before discussing how to protect your WordPress website better, we want to mention the most common security risks for WordPress. These are the most widely encountered vulnerabilities that plague WordPress, but they are not exclusive to WordPress alone.
Brute-Force Login Attempts
Easily the most straightforward hacking technique, brute forcing uses trial-and-error login attempts to guess your administrative login details and gain access to your website’s administrative dashboard. From there, a hacker can access your website’s sensitive information. Even worse, hackers can block your access so you cannot combat their attacks. Fortunately, brute-force attacks are simple to deal with if you try any of these solutions.
- Strong, Random Password – It should be a random combination of at least letters and numbers, but symbols will make it even more challenging to crack. WordPress has its own generator on the backend (navigate to Users → Your Profile) that you can use. Alternatively, you can use third-party tools such as Norton’s generator. The longer and more complex the password, the more difficult it is to guess;
- Two-factor Authentication – WordPress doesn’t have this by default, but it has plenty of plugins to help with that. Wordfence Security includes it as a premium feature. At the same time, other plugins (such as Rublon Multi-Factor Authentication) offer it for free. Either solution should be fine;
- Limit Login Attempts – You can lock out users after several invalid logins with a plugin like Limit Login Attempts. Once WordPress has locked out a user, they must wait a while before trying again.
Any of these methods will secure your website’s administrative dashboard, which is the most essential part of it.
Outdated Core, Plugin, and Theme Files
We discussed this in the previous section, but we will elaborate now. Updating is so crucial because when a vulnerability is found in the code of any of the three pieces of software in question, it is typically patched out when a newer version is released. Older software doesn’t have those security fixes, making it more susceptible to attacks. Nonetheless, we entirely understand that updating is not always the most convenient thing, and that is fine. You don’t need to be on top of all the new versions the moment the developers release them. We are speaking more generally here: check for updates once a week and apply them when convenient, for instance.
You can perform the updates manually from the administrative dashboard, which is the most common way things are done. Some third-party services can help with that, depending on your hosting provider. Here at FastComet, all our services feature the WP Toolkit, which – among its many functions – offers a safe and easy way to check for and perform updates without even having to log into your website. Check out our tutorial about how to do it if you are our customer or have access to the WP Toolkit.
Malware
Short for malicious software, malware is precisely what it sounds like: software whose sole purpose is to cause as much havoc to your website (or even your hosting account or server) as possible. Malware can be either a file or some code inserted among the rest of the files or code of your website. If you suspect malware on your site, one of the easiest things to do is to look at recently changed files. Contact your hosting provider or an online security specialist if you notice anything out of place.
Below are the most common types of malware that WordPress gets infected with when left outdated and unsecured.
- Backdoors – This type of malware completely circumvents the login process to gain access to the website. It typically does this by exploiting vulnerabilities in the components of the website itself. If you have seen any hacker films and heard about the “backdoor” the hacker has in the system, that is precisely what this type of malware is;
- Drive-by Downloads – Attacks of this type spread and infect by unauthorized installs. As the name suggests, you don’t need to download or install anything, as the malware will do that itself without alerting the user. It exploits security vulnerabilities that the developers have have not patched due to update neglect;
- Pharma Hacks – Not as destructive as the other two. This type of malware changes a website’s code. Hence, its pages start redirecting to spam web pages. These bogus pages are most often advertisements for knock-off pharmaceuticals, and the purpose of this hack is to use a regular website and direct its traffic to these advertisements;
- Malicious Redirects – Similar to a pharma hack, a malicious redirect inserts code into the website, forcing its pages to redirect to another website. This time, however, the other website is likely to be highly malicious in and of itself, to the point of posing a risk not just to the website but to the entire computer accessing it.
Since these types of malware all rely on an infected file or piece of code, users can deal them by cleaning the file or code. You can do that by either reinstalling your WordPress core files (the WP Toolkit can do that for you, for instance) or scanning the directory with an antivirus solution, which can identify the malware and remove it.
Finally, we have an extensive guide on what to do if your website is infected, which should help you if you are currently facing such an issue.
Cross-Site Scripting
Hackers often use cross-site scripting to gain access to a website. This type of attack works by getting a victim to load web pages with malicious JavaScript in them. This JavaScript was injected into the page by the attacker, and when an end user opens said page, it loads the malicious script. These scripts load without the visitor’s knowledge, especially since it is an otherwise trusted website. Once executed, the script can perform several functions. Something small, like changing the background of the website’s chat window, to something very dangerous, like stealing browser data. The most commonly stolen browser data are cookies or even session IDs. Those two things contain sensitive data, such as login information. As you can imagine, someone stealing your login information can cause many issues.
Security plugins and a Web Application Firewall (WAF) are invaluable here. Additionally, use reliable and trustworthy plugins when adding interactive functionality to your website (contact forms, comment boxes, etc.). Those plugins will be far more secure and also receive regular updates. On top of that, reliable plugins will often verify the user data and credentials of the ones interacting with them. If one of your plugins has not been updated for more than a year, usually that means that the same is abandoned and no longer secure. In such cases, we recommend looking for an alternative that receives regular updates.
Ways to Increase WordPress Security
Now that we know some of the most popular ways to attack a WordPress website, we must discuss countermeasures. We know that getting your website hacked and your information stolen is unpleasant to think about. Still, if you follow the tips we will lay before you, even just a few of them, you will drastically reduce the chance of your own WordPress website becoming compromised.
We know we previously discussed some of these things in the blog post. Nonetheless, we wanted to mention them again so they are bundled with the rest of the security tips and elaborate more on them. With that said, let’s get to securing your WordPress website!
WordPress Managed Hosting
A hosting provider has a vital role in your WordPress site’s security. When choosing your hosting provider, look for one specializing in WordPress hosting. Typically, it will have more experience handling WordPress issues and providing services that complement a WordPress website. A good WordPress hosting company, such as FastComet, should:
- Continuously monitor their network for suspicious activity. Our team of experts is always on the lookout for anything that could potentially cause damage or disruption to our services;
- Separate each customer account on a shared server. That way if a hacker gains access to one customer’s website the rest will be safe. FastComet achieves this by utilizing CageFS;
- Possess a suite of security features such as Web Application Firewalls (WAF) and malware detection and removal services. Our services come with Imunify360 which is a firewall and malware scanner and remover in one;
- Have the necessary tools to prevent large-scale Distributed Denial of Service (DDoS) attacks;
- Keep both their server software and hardware updated to prevent malicious hackers from exploiting vulnerabilities in older versions. As soon as new, stable and tested versions of the software and hardware we utilize are available we implement them;
- Always be prepared to deploy disaster recovery plans that would protect your data in accidental cases.
To address the last point, such recovery plans can be in the form of restoring your website from a backup. Before you rush to restore your website, here are a few things to check if you suspect someone has unauthorized access to your website.
- Check if you can log in to your WordPress admin dashboard;
- See if your website is redirecting to another site;
- Look for illegitimate links on your WordPress website;
- Find out if Google has marked your website as unsafe.
If you see any red flags, immediately change the passwords for all users on your website and then contact your hosting provider. As we mentioned above, they should be prepared to handle situations like these. At FastComet, we offer free daily backups for our services, so restoring your website should not be an issue. Additionally, we can run malware scans for you and potentially find any malicious scripts that could be causing the issue. Once you have restored the website do the checklist from above one more time and ensure that all users are the ones you expected, have the correct permissions, and have new passwords.
Always weigh your options when selecting where to host your website. We know costs can stack up, but please do not skimp out on security features to save a bit of money. That may cost you a lot more down the road.
Use the Latest PHP Version
PHP is the backbone of your WordPress site. WordPress’ code relies on PHP to function, so always use the latest available version on your server. Of course, when a new version comes out, you needn’t switch immediately since WordPress, its themes, and plugins may still need to add compatibility. Upgrade the PHP version when convenient.
The team behind PHP typically fully supports major PHP versions for two years after their release. During that period, they patch bugs and security issues regularly. WordPress sites running on PHP 7.4 or below no longer have security support and are exposed to unpatched security vulnerabilities.
According to the official WordPress Stats page, more than 50% of WordPress users are still using PHP 7.4 or lower at the time of writing this post. That’s not a small number, considering how easy it is to switch to a supported version of the scripting language.
We know that it can take some time for businesses and developers to test new PHP versions and ensure their code is compatible. However, there are no excuses for running on a version of PHP with no security support.
If you need to know how to change or check your PHP version, check our helpful tutorial right here.
Use Strong Passwords and Two-factor Authentication
A strong password makes it harder for hackers to crack your website open. After all, stealing passwords is the most common method for hacking.
When creating your WordPress admin password, we recommend using a password generator. However, try to avoid saving it to a file on your computer or writing it down on paper. Whatever you do, don’t use something too simple like “123456” or “password.” Those two are the most hacked passwords. Even if you create your own password, try including special symbols, numbers, and lower and upper case letters. People commonly use passwords they can easily remember (special dates, phrases, etc.), which is unsuitable for security. Anyone determined to obtain your password can often discover or surmise such things.
Аvoid using the same password more than once (e.g., same pass for an email account, Facebook account, and WordPress admin). If someone hacks one of your accounts, they will likely try the same password for all your other available accounts.
Also, keep your account details private (even from close friends and relatives). However, if someone needs to work on your website, be sure that they keep your passwords private or create a separate user for them altogether, which is the solution we recommend. If you must share your password, change it once the other party is done. The fewer people you have on your account, the better chances your passwords are safe.
Another smart way to boost login security is to use two-factor authentication (2FA). Unlike passwords alone, two-factor authentication is a multiple (in most cases, two) step process. You need something you know (a password) and something you have, like a phone application. Two-factor authentication works by introducing a secondary authentication in the form of a code that can users can obtain via an authorized device. When you activate 2FA on your WordPress website, you will have to scan a QR code with an authentication app on your phone. That will add your WordPress website to the app and will generate new codes every few seconds, which will be required when you try to log in. As you can see, this is an excellent security feature since it requires a code that only you can obtain.
WordPress has a great selection of free two-factor authentication plugins. We ourselves recommend either Shield Security or Google Authenticator.
Use the Latest and Reliable Version of WordPress, Plugins, and Themes
This is such a big piece of security advice that we have to mention it again. Keeping things up to date is one of the best ways to harden the security of your WordPress site. Ensure you always update the WordPress core and all your plugins and themes. All of those get updates for a reason, which is security improvements and bug fixes more often than not.
Unfortunately, many websites run outdated versions of the WordPress core, plugins, and themes. People are generally unaware of how important software updates are. They hear some myths that if they update, “their site will break” or find another reason to skip updates. The truth is that most websites break primarily because of older WordPress versions. WordPress updates mainly include must-have security patches and the added functionality required to run the latest plugins. The “breaking” comes from a plugin or theme being too new for the core WordPress files, or vice versa, or if you update the core version too quickly before the plugins and themes are updated for the latest core version.
That is why we do not insist you update everything right away. Wait a few days, a week or two, and then perform your updates once everything has caught up with each other. What we insist on, though, is you never disregard updates and think they do nothing.
Finally, ensure you obtain your WordPress core files, plugins, and themes from legitimate sources. Since WordPress is open source, anyone can download and modify the software in any way they wish or create plugins and themes for it. Since anyone can do it, the chances of getting malicious files from non-official sources increase exponentially. We recommend users download WordPress, plugins, and themes from the official website or through their website’s dashboard. Even if you have found a premium plugin for free on some other website, for example, we do not suggest installing it unless you are a programmer and security specialist and can check it for malware.
Limited Login Attempts and Automatic Logout
WordPress, by default, allows unlimited login attempts. Unfortunately, this lowers security and increases the chances of attackers brute forcing your password. Hackers can try out different password combinations for as long as they want until they get into your website. Users can easily solved that through several plugins. For instance, Wordfence provides such functionality, or you can get a separate plugin such as Limit Login Attempts Reloaded.
Another thing that can increase the risk of a security breach is staying logged in. That is the reason why banking sites automatically log out inactive users. That is more important for shared or public computers since inactive users who are still logged in risk exposing sensitive data to unauthorized parties. Such initiative users still have their sessions active, which is itself a security risk, so logging them out is the best course of action. It will also allow the server to allocated those resources elsewhere rather than having them sustain a user doing nothing.
As with the previous issue, there is a plugin that automatically logs out inactive users automatically. Inactive Logout is straightforward and perfect for the job.
SSL Certificate and Security Plugins
An SSL certificate is essential, especially if you run an online store. First, Google now requires all websites to have SSL. Otherwise, your URL will be accompanied by a red text saying “Not Secure,” which will turn people away. Second, having SSL will make it very difficult for hackers to retrieve sensitive shared data between visitors and your server. But what exactly is an SSL, and what does it do to secure your data?
Simply put, SSL is an encryption protocol that secures the data flowing between a user and a server. That way, hackers cannot intercept it and, therefore, not read it. Such data includes sensitive information, such as emails, names, addresses, card information, and so on. As you can see, it is all information you want to avoid falling into the wrong hands. As we mentioned at the beginning of this part, this applies significantly to online stores since they handle vital data in the form of card information. We have a tutorial for our services about how to install such a certificate right here.
Complementing an SSL certificate are security plugins. Typically, such plugins don’t have a sole function; instead they come with a suite of security solutions to make your website much more difficult to penetrate. We have mentioned Wordfence several times so far, which is the plugin we recommend for your security needs. The free version has essential security features, such as a WAF (Web Application Firewall), a malware scanner, and login security. It is one of the top-ranking security plugins, and installing it on your website will give you peace of mind.
Final Thoughts
Website security is an extensive topic, but we hope the security tips outlined in this blog post will help you make your website that much harder to crack. We recognize some consider what we described basic website practices. However, we have noticed that many people disregard the security of their website one way or another: not updating, not having an SSL certificate, using questionable plugins or themes, and so on. Be proactive and secure your website, and save yourself any potential headaches.
The latest tips and news from the industry straight to your inbox!
Join 30,000+ subscribers for exclusive access to our monthly newsletter with insider cloud, hosting and WordPress tips!
Comments (2)
What specific security features should you look for in a managed WordPress hosting provider to protect your website from threats like malware and DDoS attacks?
Hello Sean!
Thank you for the excellent question.
A managed WordPress host should have a suite of security features ready to prevent malware and DDoS threats. For example, a firewall and malware detection software are absolutely necessary. DDoS protection can come in a variety of ways, but you can check out our blog about it to get an idea what is required.
In general, any web host — not just for WordPress — should have clearly defined and outlined security measures. You can find ours here.